Offering Free Website Security Scans for HestiaCP Users

Hi everyone,

I’ve recently set up Greenbone (GVM/OpenVAS) in my homelab environment, alongside Wazuh for real-time threat detection and Ansible for automation and patch management. I’m currently using this stack to monitor and secure my own servers and services, and it has proven very helpful.

I’d like to offer free security scans (Greenbone) for websites hosted by fellow HestiaCP users here in the forum. These scans can help identify potential vulnerabilities like outdated software, misconfigurations, or exposed services. The results will not be posted publicly—I’ll share the reports privately via DM.

This is a completely free offer, as I’m doing this both for practice and to contribute something useful to the community.

Before proceeding, I’d be interested in your thoughts:

  • Do you find this kind of offer valuable?
  • Would you consider letting someone externally scan your site if the results are kept confidential?
  • Are there any concerns or recommendations you would have?

I’m not trying to advertise a service—just aiming to support others while sharpening my own skills.

Looking forward to your feedback!

Best regards

3 Likes

Hi again everyone,

Following my initial offer, I’ve received several messages and some great feedback. A few users also asked for a sample report—so I’d like to give you a brief overview of what such a scan reveals.

A typical Greenbone (OpenVAS) security report includes:

  • Which services are running on your server
  • Which domains and open ports are exposed
  • Known vulnerabilities associated with the discovered services, including relevant CVEs
  • Risk levels and recommendations for remediation

These insights can help you significantly improve your server’s security posture and detect misconfigurations early.

To run a scan, I only need the domain or IP address of your server. No sensitive data is collected, and no intrusive actions are performed—only standard checks that any external actor (including malicious ones) could also run without your permission. The only difference is: I’ll share the results with you, privately and for free, so you can fix issues before they’re exploited.

If your server is publicly reachable anyway, there’s no additional risk in letting a scan like this take place—but potentially a lot to gain in terms of insight and security. A bit of trust is required, of course, but I’m doing this transparently and strictly for community benefit and learning.

Thanks again for your interest—and feel free to DM me if you’d like your site reviewed or have further questions.

Best regards
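The four report items listed above (services, exposed ports, CVEs, risk levels) worked through in code. This is an added example, not code from the forum post or from Greenbone: it assumes a simplified subset of the GMP report XML layout (result/host, result/port, result/nvt/family, result/nvt/refs/ref with type="cve", result/threat, result/severity), and the sample report, its addresses and its CVE identifiers are constructed placeholders rather than real findings.

```python
"""Summarise a Greenbone/OpenVAS XML report into exposed ports, detected
services, CVEs and risk level per host, plus a remediation queue.

Added example, not code from the forum post or from Greenbone. The element
layout used here is an assumed, simplified subset of the GMP report XML;
the sample report is constructed and its CVE identifiers are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample (two hosts, four results). Threat "Log" / severity 0.0
# entries are service-detection results: informational, but they still show
# what is reachable from the outside.
SAMPLE_REPORT = """<report id="r-1"><report id="r-1"><results>
  <result id="1"><name>SSH server detection</name>
    <host>192.0.2.10<hostname>web.example.test</hostname></host><port>22/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.1"><family>Service detection</family></nvt>
    <threat>Log</threat><severity>0.0</severity></result>
  <result id="2"><name>Outdated FTP daemon</name>
    <host>192.0.2.10</host><port>21/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.2"><family>FTP</family>
      <refs><ref type="cve" id="CVE-0000-1234"/><ref type="cve" id="CVE-0000-5678"/>
            <ref type="url" id="https://example.test/advisory"/></refs></nvt>
    <threat>High</threat><severity>9.8</severity></result>
  <result id="3"><name>TLS 1.0 enabled</name>
    <host>192.0.2.10</host><port>443/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.3"><family>SSL and TLS</family></nvt>
    <threat>Medium</threat><severity>5.3</severity></result>
  <result id="4"><name>Database port reachable from the internet</name>
    <host>192.0.2.11</host><port>3306/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.4"><family>Databases</family></nvt>
    <threat>High</threat><severity>7.5</severity></result>
</results></report></report>"""

THREAT_ORDER = {"Log": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_results(xml_text):
    """Flatten every <result> into a dict; CVEs come from nvt/refs/ref[@type='cve']."""
    findings = []
    for res in ET.fromstring(xml_text).iter("result"):
        host_el = res.find("host")
        # <host> carries the address as text before its child elements
        host = (host_el.text or "").strip() if host_el is not None else ""
        findings.append({
            "host": host,
            "port": res.findtext("port", "").strip(),
            "name": res.findtext("name", "").strip(),
            "family": res.findtext("nvt/family", "").strip(),
            "threat": res.findtext("threat", "Log").strip(),
            "severity": float(res.findtext("severity", "0") or 0),
            "cves": [r.get("id") for r in res.findall("nvt/refs/ref")
                     if r.get("type") == "cve"],
        })
    return findings


def _port_key(port):
    """Sort numeric ports numerically; pseudo-ports like 'general/tcp' last."""
    num = port.split("/")[0]
    return (0, int(num)) if num.isdigit() else (1, port)


def summarise(findings):
    """Per host: exposed ports, service families, CVEs and the worst threat level."""
    hosts = defaultdict(lambda: {"ports": set(), "families": set(),
                                 "cves": set(), "worst": "Log"})
    for f in findings:
        h = hosts[f["host"]]
        if f["port"]:
            h["ports"].add(f["port"])
        h["families"].add(f["family"])
        h["cves"].update(f["cves"])
        if THREAT_ORDER.get(f["threat"], 0) > THREAT_ORDER[h["worst"]]:
            h["worst"] = f["threat"]
    return {host: {"ports": sorted(v["ports"], key=_port_key),
                   "families": sorted(v["families"]),
                   "cves": sorted(v["cves"]),
                   "worst": v["worst"]}
            for host, v in hosts.items()}


def remediation_queue(findings, min_severity=7.0):
    """Findings at or above min_severity (CVSS base), most severe first."""
    queue = [f for f in findings if f["severity"] >= min_severity]
    return sorted(queue, key=lambda f: f["severity"], reverse=True)


if __name__ == "__main__":
    results = parse_results(SAMPLE_REPORT)
    for host, info in summarise(results).items():
        print(f"{host}: ports={info['ports']} worst={info['worst']} cves={info['cves']}")
    for f in remediation_queue(results):
        print(f"  fix first: {f['host']} {f['port']} {f['name']} ({f['severity']})")
```

Note that the port inventory is built from every result, including the informational "Log" ones: a Log-level service detection carries no vulnerability, but it is exactly the exposure an outside attacker sees first, so it should not be filtered out before you look at what is reachable.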

One of the points here is: since you are offering it for free, I would suggest providing the source code and a frontend so people can run these tests themselves.

FYI: Good to see you offering this out.
Note: Not sure how long you will provide this for free.
Thought: Doing it for your own data gathering and analysis/AI, maybe?

Hi and thanks for your thoughts,

  1. I clearly mentioned which tool I’m using—Greenbone/OpenVAS—and why I’m doing it: to improve my own skills and help others. Just like many people in this forum or on the HestiaCP GitHub do—some people simply enjoy contributing to the community. That’s what open source is about.

  2. I’ve never made a secret of the tool. Everyone is free to run it themselves. The only difference is: I hold a commercial license, which I’m offering to use for others completely free of charge.

    If you’re interested in a license yourself, here’s the official site:
    https://www.greenbone.net/produktanfrage/

    Or, for community scans:
    https://www.greenbone.net/greenbone-basic/

    You can also set up the Community Edition via Docker:
    https://greenbone.github.io/docs/latest/22.4/container/index.html

Regarding how long I’ll continue to offer this—honestly, I don’t think that matters too much. The point is: I’m doing it now, I’m enjoying it, and several people seem to find it helpful.

Lastly, I strongly recommend Wazuh for anyone managing servers. I’ve shared a full guide in this forum that explains how to securely connect your internet-facing server to a local Wazuh instance using WireGuard.

Best regards

2 Likes

So automated port scanning.. Not worth the time for me personally…

1 Like

If you want to perform port scans, your better choice is Nmap. Greenbone offers much more than that.

If you’d like, I can explain the tool to you — it’s an industry standard and essential for thoroughly assessing your own infrastructure.

If you’re comparing it to a simple port scan, you’ve missed its full potential, and it would be a shame if you continued to believe it’s just a port scanner.

Feel free to scan 157.90.27.100 / demo.hestiacp.com

And feel free to publish it publicly..

2 Likes

Clarification Regarding My Offer to Help with Security Scans

Hi everyone,

I’d like to clarify a few things regarding my recent offer to perform free security scans for HestiaCP users.

My only intention from the very beginning was to help others.

Not everyone has the time, expertise, or technical background to ensure their web servers are secure. Many users turn to HestiaCP and similar frameworks because they are looking for a straightforward way to manage their websites — and that’s perfectly okay. But this simplicity doesn’t necessarily mean their SSH configuration, FTP settings, or CMS (e.g., WordPress) are hardened or correctly set up. Important security measures can easily be overlooked.

The goal of my offer was never to debate whether I am a “professional” or not. I never claimed to be one. I offered my time, experience, and tools to help others — in the same spirit that many people in the open-source and Hestia communities contribute and support one another.

Let me be very clear:
This was not a sales pitch, not a data collection campaign, and not an attempt to show off. It was a genuine, friendly gesture aimed at growing together as a community and preventing common and often costly mistakes before they happen.

If someone asks me to scan their system, it takes real time, energy, and computing resources. I put thought into every scan and its results. But I won’t keep offering my effort just to become a source of amusement or be met with dismissiveness. That’s not fair — and frankly, it’s disrespectful.

If this offer is not appreciated or is taken as a joke, that’s okay — no hard feelings. But let’s keep the discourse constructive and supportive. Security is a serious matter, and helping each other should always be welcomed, not mocked.

Thank you to those who took the offer seriously and engaged respectfully. I remain available to those who genuinely wish to strengthen their setups — not for entertainment, but to build safer systems together.

Best regards,
eXe

5 Likes
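The post above names SSH configuration as one of the things that is easily left unhardened on a control-panel server. As an added example (not code from the forum post, HestiaCP or OpenSSH), here is a small audit of the global section of an sshd_config, with a constructed weak config beside its corrected form. The recommended values are this editor's choice of common hardening settings, not a HestiaCP default; the parser follows two real sshd rules, that the first occurrence of a keyword wins and that directives after a Match line are conditional, and the defaults table lists the values sshd uses when a directive is absent.

```python
"""Audit the global section of an sshd_config for commonly overlooked weak
settings, using OpenSSH's defaults for directives that are absent.

Added example, not code from the forum post or from HestiaCP/OpenSSH. The
recommended values are the editor's hardening choices; both configs are
constructed samples.
"""
import re

WEAK_CONFIG = """\
# constructed: a stock-looking sshd_config with typical weak spots
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 10
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# constructed: the same file with the weak settings corrected
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 30
Match User backup
    PasswordAuthentication no
"""

# Values sshd applies when a directive is absent. An unset directive is not a
# hardened one: password logins, for example, are on by default.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# ChallengeResponseAuthentication is the deprecated alias of KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# (keyword, predicate the effective value must satisfy, message)
CHECKS = [
    ("permitrootlogin", lambda v: v == "no", "PermitRootLogin should be 'no'"),
    ("pubkeyauthentication", lambda v: v == "yes", "PubkeyAuthentication should be 'yes'"),
    ("passwordauthentication", lambda v: v == "no", "PasswordAuthentication should be 'no' (key-based login only)"),
    ("kbdinteractiveauthentication", lambda v: v == "no", "KbdInteractiveAuthentication should be 'no' (a second password path)"),
    ("permitemptypasswords", lambda v: v == "no", "PermitEmptyPasswords should be 'no'"),
    ("x11forwarding", lambda v: v == "no", "X11Forwarding should be 'no' on a web server"),
    ("maxauthtries", lambda v: v.isdigit() and int(v) <= 4, "MaxAuthTries should be 4 or fewer"),
]


def parse_global(config_text):
    """Effective global directives as {lowercase keyword: lowercase value}."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # everything below applies only to the matched users/hosts
        if len(parts) == 2 and key not in effective:  # first occurrence wins
            effective[key] = parts[1].strip().lower()
    return effective


def audit(config_text):
    """One message per failed check; absent directives take sshd's default."""
    effective = parse_global(config_text)
    problems = []
    for key, ok, message in CHECKS:
        value = effective.get(key, DEFAULTS[key])
        if not ok(value):
            problems.append(f"{message} (effective value: {value})")
    return problems


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Two things the weak sample is built to show: the Match block at the bottom turns off passwords for one user only, so the global `PasswordAuthentication yes` still stands, and `KbdInteractiveAuthentication` is flagged even though the file never mentions it, because its default is yes and it is a second way to log in with a password. On a live host, `sshd -T` prints the fully resolved effective configuration, which is the better input for `audit()` than the raw file when you have shell access.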