← Back to Blog
Vulnerability Scanning · 18 min read · July 08, 2026

How to Run a Vulnerability Scan on Your Server in 2026

Attackers scan your server every day looking for weaknesses. Here is how to run the same kind of scans against your own infrastructure — find the holes before they do, and fix them.

Important: Never scan a server you do not own. Running vulnerability scans against machines without written authorisation is illegal in most jurisdictions. This guide is for scanning your own infrastructure only.

Why You Need to Scan Your Own Server

Every day, automated bots and malicious actors probe your server for open ports, outdated software, misconfigured services, and known CVEs. A typical internet-connected server receives hundreds of probes per day from Shodan crawlers, exploit bots, and AI-powered reconnaissance tools. The only way to stay ahead is to scan yourself before they do.

Vulnerability scanning finds:

What You Will Need

All tools in this guide are free and open-source. To follow along, you need:

Pro tip: Run scans from a separate machine, not from the server itself. Scanning from the target can give false confidence because the firewall may treat local traffic differently than external traffic.

1. Port Scanning with Nmap

Nmap is the industry standard for port scanning and service discovery. It tells you exactly which ports are open, what services are running on them, and sometimes the software version.

Install Nmap

sudo apt update && sudo apt install nmap -y

Basic port scan

The most common scan type is a TCP SYN scan, which is fast and relatively stealthy:

nmap -sS -sV -O your-server-ip

This performs a SYN scan (-sS), detects service versions (-sV), and attempts OS fingerprinting (-O). The output shows each open port, the service running on it, and the software version if detectable.

Scan all 65535 ports

By default Nmap scans only the 1000 most common ports. Attackers often run services on high-numbered ports to avoid detection:

nmap -p- -sV your-server-ip

This scans all 65,535 TCP ports. It takes longer (10-30 minutes depending on network conditions) but never misses a listening service.

Scan for common vulnerabilities

Nmap includes scripting engine (NSE) scripts for vulnerability detection. The vuln category runs all available vulnerability checks:

nmap --script vuln your-server-ip

This tests for known CVEs affecting the services running on your server. It checks for Heartbleed, Shellshock, SMB vulnerabilities, and dozens of other known exploits.

Key takeaway: Run nmap -p- -sV at least weekly. Any port you do not recognise that is listening on a public IP is a potential attack surface. Close it or firewall it immediately.

2. Web Server Scanning with Nikto

If your server runs a web server (Apache, Nginx, Caddy), Nikto scans it for misconfigurations, insecure files, outdated software, and common web vulnerabilities.

Install Nikto

sudo apt install nikto -y

Basic web scan

nikto -h https://your-server.com

Nikto checks for over 6,700 potentially dangerous files or CGIs, outdated server software, missing security headers, and configuration issues. It also checks for HTTP methods that should be disabled (PUT, DELETE, TRACE).

What Nikto finds

Key takeaway: Run Nikto after every deployment. A single misconfiguration — like directory listing on your admin directory — can leak your entire application structure to an attacker.

3. Full CVE Scanning with OpenVAS

OpenVAS (Greenbone Vulnerability Management) is the most comprehensive free vulnerability scanner. It maintains a database of over 100,000 CVEs and runs authenticated scans that can check your system from the inside.

Install OpenVAS

sudo apt install openvas -y
sudo gvm-setup
sudo gvm-start

The initial setup downloads the full CVE feed (several GB) and configures the Greenbone web interface on port 9392.

Run a basic authenticated scan

  1. Log into the web interface at https://your-server:9392
  2. Go to Scans > Tasks and create a new task
  3. Select Full and Fast as the scan config
  4. Provide SSH credentials for an authenticated scan
  5. Start the scan — it takes 30-60 minutes for a typical server

An authenticated scan has SSH access to the server and can check local configuration files, installed package versions, and user permissions. This catches vulnerabilities that external scans miss.

Interpreting results

OpenVAS classifies findings by severity (Critical, High, Medium, Low). Focus on Critical and High items first:

Key takeaway: Authenticated scans are significantly more thorough than unauthenticated ones. Set up SSH key-based access for OpenVAS to get the full picture of your server's vulnerability surface.

4. Continuous Automated Scanning with RootCrak

Periodic manual scans are essential, but they have a critical limitation — the gap between scans. A new CVE published the day after your weekly scan leaves you exposed for up to seven days. In 2026, with AI-powered exploit tools accelerating the window between disclosure and exploitation, that gap is too large.

RootCrak provides continuous vulnerability monitoring that runs in real-time:

Scanning Checklist

Run through this checklist every week to maintain your security posture:

  1. Nmap port scannmap -p- -sV your-server-ip
  2. Nmap vulnerability scannmap --script vuln your-server-ip
  3. Nikto web scannikto -h https://your-server.com
  4. Check for new CVEs — review https://nvd.nist.gov for software you use
  5. Review firewall rulessudo ufw status verbose or sudo iptables -L -n
  6. Check for unneeded servicessudo systemctl list-units --type=service --state=running
  7. Full OpenVAS authenticated scan — run weekly, review results

Common Mistakes to Avoid

Scanning from inside the firewall

Running scans from the server itself or from inside your network gives a false picture. Attackers are outside. Always run some scans from an external machine.

Ignoring low-severity findings

Low-severity findings today become medium or critical when combined with other vulnerabilities. A missing HTTP-only flag on a cookie is low risk alone, but combined with an XSS flaw, it becomes credential theft.

Not scanning after updates

Software updates can introduce new vulnerabilities or change configurations. Always run a full scan after applying patches or upgrading packages.

Assuming one scan is enough

Vulnerability scanning is not a one-time activity. New CVEs are published daily. Your server's attack surface changes every time you deploy code, add a service, or change a firewall rule.

The bottom line: You cannot patch what you do not know about. Regular vulnerability scanning — combined with continuous monitoring — is the foundation of server security. The question is not whether to scan, but how often.

Frequently Asked Questions

How do I run a vulnerability scan on my Linux server?

You can run a vulnerability scan using free open-source tools like Nmap for port scanning, Nikto for web server checks, and OpenVAS for a full CVE-based audit. Install them via your package manager and run targeted scans against your server's IP or domain. For continuous automated scanning, services like RootCrak provide real-time monitoring with instant alerts.

What is the best free vulnerability scanner for servers?

The best free vulnerability scanner depends on your needs. Nmap is essential for port and service discovery. OpenVAS (Greenbone) offers the most comprehensive CVE database for authenticated scans. Nikto specialises in web server vulnerabilities. For production servers, a combination of scheduled OpenVAS scans plus continuous real-time monitoring provides the best coverage.

How often should I scan my server for vulnerabilities?

You should run a full vulnerability scan at least weekly, and immediately after any software updates, configuration changes, or new deployments. Critical infrastructure should be scanned daily. For the best security posture, pair periodic full scans with continuous real-time monitoring that detects new vulnerabilities, open ports, and configuration drifts as they happen.

Can vulnerability scanning damage my server?

Aggressive vulnerability scans can cause service disruptions. Scans that test for denial-of-service vulnerabilities, attempt brute-force logins, or send malformed packets may crash poorly-coded applications. Always start with safe scans (Nmap -sS, Nikto -Tuning), run scans during maintenance windows on production servers, and never scan infrastructure you do not own without written permission.

What types of vulnerabilities can a scanner detect?

Vulnerability scanners detect open ports and exposed services, outdated software with known CVEs, weak SSL/TLS configurations, missing security headers, SQL injection and XSS flaws in web apps, default credentials, misconfigured firewalls, and exposed sensitive information. The depth depends on whether the scan is authenticated (has login credentials) or unauthenticated.

Know what attackers see when they scan your server

RootCrak runs continuous vulnerability scans on your infrastructure and alerts you the moment something changes. Get a free audit and find out what your server looks like from the outside.

Start Free Audit