Free tool · Scans public hosts

VPS Security Scanner

Enter a domain or public IP and get a graded security report in seconds. The scanner checks for exposed ports and databases, weak or expiring TLS, missing HTTP security headers, insecure cookies, information disclosure, and email-spoofing gaps in SPF, DMARC, and DKIM. Every finding is ranked by severity with a clear fix. We only scan public hosts, block private and reserved addresses, and store nothing.

We only scan public hosts - private and reserved addresses are blocked. The scan runs from CtrlOps servers over standard TCP, checks a curated set of high-risk ports plus TLS, headers, and email records, and stores nothing. Only scan servers you own or are authorized to test.

Enter a domain (example.com) or a public IP. Protocol and path are ignored.
Try:

What the scanner checks, and how the grade works

The scan runs from CtrlOps servers and looks at your host from the outside, the same way an attacker would. It groups the results into four areas: exposed services (a targeted TCP scan of the high-risk ports above - databases, container APIs, remote desktop, admin panels), transport security (the SSL certificate and the TLS version your server negotiates), web hardening (HTTP security headers, cookie flags, and whether plain HTTP redirects to HTTPS), and email authentication (SPF, DMARC, and DKIM in your DNS).

Each check returns pass, warning, or fail and carries a severity from critical to low. The overall score starts at 100 and subtracts a weighted penalty for every problem, then maps to a letter grade from A to F. A critical failure - an exposed database, for example - costs far more than a missing low-priority header, so the grade reflects real risk, not a checklist count.

Open ports and exposed databases: the checks that matter most

The single most common serious misconfiguration is a database or internal service bound to 0.0.0.0 instead of 127.0.0.1, leaving it reachable from the whole internet. MongoDB, Redis, Elasticsearch, and Memcached have historically shipped with no authentication by default, and mass-scanning bots find an exposed instance within minutes. The scanner probes a curated set of these ports and flags any that accept a connection.

If a port shows as exposed, the fix is almost always the same: bind the service to localhost, put it behind a firewall or security group, and reach it over an SSH tunnel rather than a public port. When you need to reason about which addresses are public versus private in the first place, the CIDR / subnet calculator breaks down any range.

TLS and certificates: expiry, self-signed, and legacy protocols

The scanner performs a live TLS handshake and reads the certificate your server actually presents. It flags a certificate that has expired, is self-signed (and therefore untrusted by browsers), does not cover the hostname you entered, or is close to expiry - the silent outage that takes a site down at 2am. To inspect a certificate in full - SANs, chain order, fingerprints - paste it into the SSL certificate decoder.

It also checks which TLS version the server negotiates and probes whether it still accepts deprecated TLS 1.0 and 1.1. Those versions are formally deprecated and enable downgrade attacks; modern servers should offer TLS 1.2 at minimum and TLS 1.3 ideally. A green result here means the transport layer is current.

HTTP security headers and cookie flags

A handful of response headers meaningfully reduce your attack surface, and most servers ship without them. The scanner checks for HSTS (forces HTTPS), Content-Security-Policy (contains cross-site scripting), X-Frame-Options (blocks clickjacking), X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. It also inspects Set-Cookie for the Secure, HttpOnly, and SameSite flags, and warns when a Server or X-Powered-By header leaks your exact software version - free reconnaissance for an attacker.

These are usually a few lines in your web server config. If you run nginx, the nginx config generator produces a server block with the right headers and SSL settings already in place.

Email spoofing: SPF, DMARC, and DKIM

Server security is not only about the box - a domain with weak email authentication can be spoofed, letting attackers send phishing that looks like it came from you. The scanner audits your DNS for SPF (which servers may send mail), DMARC (what to do with mail that fails), and DKIM (the signing key), and flags the common gaps: a missing record, a permissive +all, or a DMARC policy stuck on p=none that monitors but never blocks.

These checks run from your browser over DNS-over-HTTPS - the domain is all that is sent, and never to a CtrlOps server. For a deeper email audit, including the SPF 10-lookup limit and DKIM selector probing, use the dedicated DNS lookup + SPF/DMARC/DKIM checker.

What this scan is - and what it is not

This is a fast, external surface check: a TCP-connect scan of common high-risk ports from a single region, plus TLS, header, and DNS inspection. It is designed to catch the misconfigurations that expose most servers, and to do so safely. It is not a full penetration test - it does not scan all 65,535 ports, brute-force credentials, or test application logic, and a high grade is not a guarantee that a host is secure.

One important note: if your domain sits behind a CDN or proxy such as Cloudflare or CloudFront, the port scan reaches the CDN edge, not your origin server. The scanner detects this and tells you, so a clean port result is not mistaken for a locked-down origin. To audit the machine itself, scan its origin IP directly. And only ever scan hosts you own or are explicitly authorized to test - scanning third parties without permission may be illegal.

High-risk ports the scanner checks - and why an open one matters

ServicePortWhy exposure is dangerous
MySQL / PostgreSQL3306 / 5432Direct database access - brute force, data theft, and ransom if reachable from the internet
MongoDB / Redis27017 / 6379Frequently ship with no auth by default - a wide-open door to your data
Docker API2375Unauthenticated Docker socket equals full root on the host
Kubernetes API6443Cluster control plane - a misconfigured one hands over every workload
RDP / VNC3389 / 5900Remote desktop exposed to the internet is a top ransomware entry point
Telnet / FTP23 / 21Plaintext protocols - credentials travel unencrypted and are trivially sniffed
SSH22Reachable by default - harden with keys-only auth and a non-default port
VPS security FAQ

Frequently asked questions

Enter your server domain or public IP above and run the scan. It checks for exposed ports and databases, the SSL certificate and TLS version, HTTP security headers and cookie flags, HTTP-to-HTTPS redirects, information disclosure, and email authentication (SPF, DMARC, DKIM), then grades the result from A to F with a specific fix for each finding.
Yes. The scan is a lightweight external check - a TCP-connect probe of common ports plus a TLS handshake and an HTTP header read. It does not log in, change anything, or store your results. It only scans public, internet-facing hosts; private and reserved addresses (such as 10.x, 192.168.x, 127.0.0.1, and cloud metadata endpoints) are blocked.
A curated set of the highest-risk ports rather than a full sweep: databases (MySQL, PostgreSQL, MongoDB, Redis, Elasticsearch, Memcached, CouchDB, Cassandra), container and orchestration APIs (Docker, etcd, Kubernetes), remote access (SSH, RDP, VNC, Telnet, FTP), and common admin panels (Webmin, cPanel, RabbitMQ, Kibana, Portainer). Web ports are covered by the TLS and header checks.
You can scan any public host, but you should only scan servers you own or are explicitly authorized to test. Port-scanning systems you do not control may violate acceptable-use policies or local law. Private and reserved IP ranges are blocked outright for safety.
If your domain uses Cloudflare, CloudFront, Fastly, or a similar CDN, the address it resolves to belongs to the CDN, not your server. The scanner detects this and notes that the port results reflect the CDN edge. To audit your actual server, scan its origin IP directly.
No. A high grade means the common external misconfigurations this tool checks are in good shape. It is a surface check, not a penetration test - it does not scan every port, test authentication, or review application logic. Treat a good grade as a solid baseline, not a guarantee.
Not necessarily. SSH reachable on the default port 22 is flagged as a low-priority hardening suggestion, not a failure. Moving SSH to a non-default port reduces automated noise, and the bigger wins are disabling password authentication in favour of keys and limiting access with a firewall.
No. Scans run on demand and results are returned to your browser without being stored with identifying information. The email-authentication checks run entirely in your browser over DNS-over-HTTPS, so only the domain reaches the public resolver.
TLS 1.2 at a minimum, and TLS 1.3 ideally. The scanner passes a server on 1.2, rewards 1.3, and fails a server that still accepts the deprecated TLS 1.0 or 1.1, which enable downgrade attacks. Disable the old versions in your web server or load balancer configuration.
Every check has a severity from critical to low. The score starts at 100 and subtracts a weighted penalty for each warning or failure - a critical failure like an exposed database costs far more than a missing low-priority header - then maps to a letter grade: A is 85 or above, B is 70+, C is 55+, D is 40+, and F is below 40.
You scanned the server

Find a problem here, fix it on the box.

CtrlOps is a modern SSH workspace for the servers behind your domains - organized hosts, secure key management, and instant terminals. Run the scan, then jump onto the machine in one click to close the port, renew the certificate, or add the headers.

Start instantly· No credit card· No sneaky autorenewals