How to Run a Vulnerability Scan on Your Server in 2026
Attackers scan your server every day looking for weaknesses. Here is how to run the same kind of scans against your own infrastructure — find the holes before they do, and fix them.
Important: Never scan a server you do not own. Running vulnerability scans against machines without written authorisation is illegal in most jurisdictions. This guide is for scanning your own infrastructure only.
Why You Need to Scan Your Own Server
Every day, automated bots and malicious actors probe your server for open ports, outdated software, misconfigured services, and known CVEs. A typical internet-connected server receives hundreds of probes per day from Shodan crawlers, exploit bots, and AI-powered reconnaissance tools. The only way to stay ahead is to scan yourself before they do.
Vulnerability scanning finds:
- Open ports that should be closed or firewalled
- Outdated software with known security vulnerabilities
- Weak TLS/SSL configurations that expose you to downgrade attacks
- Missing security headers on web applications
- Default credentials on databases and admin panels
- SQL injection and XSS flaws in web applications
What You Will Need
All tools in this guide are free and open-source. To follow along, you need:
- A Linux server (local machine or remote) running Ubuntu, Debian, or similar
- Root or sudo access to install packages
- Basic familiarity with the Linux command line
- An external machine to run some scans from (for an outside-in perspective)
Pro tip: Run scans from a separate machine, not from the server itself. Scanning from the target can give false confidence because the firewall may treat local traffic differently than external traffic.
1. Port Scanning with Nmap
Nmap is the industry standard for port scanning and service discovery. It tells you exactly which ports are open, what services are running on them, and sometimes the software version.
Install Nmap
sudo apt update && sudo apt install nmap -y
Basic port scan
The most common scan type is a TCP SYN scan, which is fast and relatively stealthy:
nmap -sS -sV -O your-server-ip
This performs a SYN scan (-sS), detects service versions (-sV), and attempts OS fingerprinting (-O). The output shows each open port, the service running on it, and the software version if detectable.
Scan all 65535 ports
By default Nmap scans only the 1000 most common ports. Attackers often run services on high-numbered ports to avoid detection:
nmap -p- -sV your-server-ip
This scans all 65,535 TCP ports. It takes longer (10-30 minutes depending on network conditions) but never misses a listening service.
Scan for common vulnerabilities
Nmap includes scripting engine (NSE) scripts for vulnerability detection. The vuln category runs all available vulnerability checks:
nmap --script vuln your-server-ip
This tests for known CVEs affecting the services running on your server. It checks for Heartbleed, Shellshock, SMB vulnerabilities, and dozens of other known exploits.
Key takeaway: Run nmap -p- -sV at least weekly. Any port you do not recognise that is listening on a public IP is a potential attack surface. Close it or firewall it immediately.
2. Web Server Scanning with Nikto
If your server runs a web server (Apache, Nginx, Caddy), Nikto scans it for misconfigurations, insecure files, outdated software, and common web vulnerabilities.
Install Nikto
sudo apt install nikto -y
Basic web scan
nikto -h https://your-server.com
Nikto checks for over 6,700 potentially dangerous files or CGIs, outdated server software, missing security headers, and configuration issues. It also checks for HTTP methods that should be disabled (PUT, DELETE, TRACE).
What Nikto finds
- Missing
X-Content-Type-OptionsandX-Frame-Optionsheaders - Exposed configuration files (
/phpinfo.php,/config.php.bak) - Outdated web server or PHP versions
- Default installation files that should be removed
- Directory listing enabled on sensitive paths
Key takeaway: Run Nikto after every deployment. A single misconfiguration — like directory listing on your admin directory — can leak your entire application structure to an attacker.
3. Full CVE Scanning with OpenVAS
OpenVAS (Greenbone Vulnerability Management) is the most comprehensive free vulnerability scanner. It maintains a database of over 100,000 CVEs and runs authenticated scans that can check your system from the inside.
Install OpenVAS
sudo apt install openvas -y
sudo gvm-setup
sudo gvm-start
The initial setup downloads the full CVE feed (several GB) and configures the Greenbone web interface on port 9392.
Run a basic authenticated scan
- Log into the web interface at
https://your-server:9392 - Go to Scans > Tasks and create a new task
- Select Full and Fast as the scan config
- Provide SSH credentials for an authenticated scan
- Start the scan — it takes 30-60 minutes for a typical server
An authenticated scan has SSH access to the server and can check local configuration files, installed package versions, and user permissions. This catches vulnerabilities that external scans miss.
Interpreting results
OpenVAS classifies findings by severity (Critical, High, Medium, Low). Focus on Critical and High items first:
- Critical: Remote code execution, unauthenticated SQL injection — patch immediately
- High: Privilege escalation, sensitive data exposure — fix within days
- Medium: Information disclosure, weak TLS ciphers — fix within a sprint cycle
- Low: Best practice recommendations — address when convenient
Key takeaway: Authenticated scans are significantly more thorough than unauthenticated ones. Set up SSH key-based access for OpenVAS to get the full picture of your server's vulnerability surface.
4. Continuous Automated Scanning with RootCrak
Periodic manual scans are essential, but they have a critical limitation — the gap between scans. A new CVE published the day after your weekly scan leaves you exposed for up to seven days. In 2026, with AI-powered exploit tools accelerating the window between disclosure and exploitation, that gap is too large.
RootCrak provides continuous vulnerability monitoring that runs in real-time:
- 24/7 port monitoring — detects new open ports within seconds
- Automated CVE matching — cross-references your software stack against the latest CVE database
- Web application scanning — OWASP ZAP-based DAST for SQL injection, XSS, and CSRF
- Malware detection — ClamAV-based agent scanning for known malicious binaries
- Instant alerts — email and dashboard notifications the moment a vulnerability is found
Scanning Checklist
Run through this checklist every week to maintain your security posture:
- Nmap port scan —
nmap -p- -sV your-server-ip - Nmap vulnerability scan —
nmap --script vuln your-server-ip - Nikto web scan —
nikto -h https://your-server.com - Check for new CVEs — review
https://nvd.nist.govfor software you use - Review firewall rules —
sudo ufw status verboseorsudo iptables -L -n - Check for unneeded services —
sudo systemctl list-units --type=service --state=running - Full OpenVAS authenticated scan — run weekly, review results
Common Mistakes to Avoid
Scanning from inside the firewall
Running scans from the server itself or from inside your network gives a false picture. Attackers are outside. Always run some scans from an external machine.
Ignoring low-severity findings
Low-severity findings today become medium or critical when combined with other vulnerabilities. A missing HTTP-only flag on a cookie is low risk alone, but combined with an XSS flaw, it becomes credential theft.
Not scanning after updates
Software updates can introduce new vulnerabilities or change configurations. Always run a full scan after applying patches or upgrading packages.
Assuming one scan is enough
Vulnerability scanning is not a one-time activity. New CVEs are published daily. Your server's attack surface changes every time you deploy code, add a service, or change a firewall rule.
The bottom line: You cannot patch what you do not know about. Regular vulnerability scanning — combined with continuous monitoring — is the foundation of server security. The question is not whether to scan, but how often.
Frequently Asked Questions
How do I run a vulnerability scan on my Linux server?
You can run a vulnerability scan using free open-source tools like Nmap for port scanning, Nikto for web server checks, and OpenVAS for a full CVE-based audit. Install them via your package manager and run targeted scans against your server's IP or domain. For continuous automated scanning, services like RootCrak provide real-time monitoring with instant alerts.
What is the best free vulnerability scanner for servers?
The best free vulnerability scanner depends on your needs. Nmap is essential for port and service discovery. OpenVAS (Greenbone) offers the most comprehensive CVE database for authenticated scans. Nikto specialises in web server vulnerabilities. For production servers, a combination of scheduled OpenVAS scans plus continuous real-time monitoring provides the best coverage.
How often should I scan my server for vulnerabilities?
You should run a full vulnerability scan at least weekly, and immediately after any software updates, configuration changes, or new deployments. Critical infrastructure should be scanned daily. For the best security posture, pair periodic full scans with continuous real-time monitoring that detects new vulnerabilities, open ports, and configuration drifts as they happen.
Can vulnerability scanning damage my server?
Aggressive vulnerability scans can cause service disruptions. Scans that test for denial-of-service vulnerabilities, attempt brute-force logins, or send malformed packets may crash poorly-coded applications. Always start with safe scans (Nmap -sS, Nikto -Tuning), run scans during maintenance windows on production servers, and never scan infrastructure you do not own without written permission.
What types of vulnerabilities can a scanner detect?
Vulnerability scanners detect open ports and exposed services, outdated software with known CVEs, weak SSL/TLS configurations, missing security headers, SQL injection and XSS flaws in web apps, default credentials, misconfigured firewalls, and exposed sensitive information. The depth depends on whether the scan is authenticated (has login credentials) or unauthenticated.
Know what attackers see when they scan your server
RootCrak runs continuous vulnerability scans on your infrastructure and alerts you the moment something changes. Get a free audit and find out what your server looks like from the outside.
Start Free Audit