Vulnerability Scanning

A Debian-first guide to identifying broad automated scanning, reviewing exposed services and applications, and reducing exploitable surface area.

What this is

Vulnerability scanning is automated probing designed to identify known weaknesses in exposed services, applications, frameworks, and software versions. It is broader than simple port scanning and often includes checks for known paths, headers, versions, error messages, and protocol behavior.

Scanners may be benign in some contexts, but on public systems they are often the first step toward exploitation.

What it looks like

Detect

Review blocked connection attempts in firewall logs

sudo grep "UFW BLOCK" /var/log/ufw.log | tail -n 100

Check which ports and services are exposed

sudo ss -tulnp
sudo ufw status numbered

Review recent web activity for broad probing patterns

sudo journalctl -u caddy --since "1 hour ago"

Count repeated source IPs in blocked traffic

sudo grep "UFW BLOCK" /var/log/ufw.log | awk '{
  for(i=1;i<=NF;i++){
    if($i ~ /^SRC=/){
      split($i,a,"=");
      print a[2];
    }
  }
}' | sort | uniq -c | sort -nr | head
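The awk pipeline above only counts hits per source. As an added example that is not part of the original guide, the Python below parses the same "[UFW BLOCK]" lines and also tracks distinct destination ports per source, which separates a broad scanner from a single-port brute-force attempt. The sample log lines (documentation addresses) and the five-port threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/ufw.log lines (RFC 5737 documentation addresses).
# 203.0.113.5 touches many ports (scanner); 198.51.100.77 hammers one port (not).
SAMPLE_LOG = """\
Jan 12 10:15:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=52 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 SYN URGP=0
Jan 12 10:15:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=52 PROTO=TCP SPT=44322 DPT=80 WINDOW=1024 SYN URGP=0
Jan 12 10:15:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=52 PROTO=TCP SPT=44323 DPT=443 WINDOW=1024 SYN URGP=0
Jan 12 10:15:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=52 PROTO=TCP SPT=44324 DPT=3306 WINDOW=1024 SYN URGP=0
Jan 12 10:15:03 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=52 PROTO=TCP SPT=44325 DPT=5432 WINDOW=1024 SYN URGP=0
Jan 12 10:15:03 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=52 PROTO=TCP SPT=44326 DPT=8080 WINDOW=1024 SYN URGP=0
Jan 12 10:16:10 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TTL=48 PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 SYN URGP=0
Jan 12 10:16:12 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TTL=48 PROTO=TCP SPT=51001 DPT=22 WINDOW=29200 SYN URGP=0
Jan 12 10:16:15 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TTL=48 PROTO=TCP SPT=51002 DPT=22 WINDOW=29200 SYN URGP=0
Jan 12 10:17:00 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=84 TTL=55 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jan 12 10:17:30 host kernel: [UFW AUDIT] IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.2 LEN=40 TTL=60 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 SYN URGP=0
"""

# Only the key=value fields we need; \b keeps SPT= from matching DPT.
FIELD_RE = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")


def parse_ufw_blocks(text):
    """Yield (src, proto, dpt) for each '[UFW BLOCK]' line; dpt is None for ICMP etc."""
    for line in text.splitlines():
        if "[UFW BLOCK]" not in line:
            continue  # skip AUDIT/ALLOW and unrelated kernel lines
        f = dict(FIELD_RE.findall(line))
        if "SRC" in f:
            yield f["SRC"], f.get("PROTO"), f.get("DPT")


def summarize(text, min_ports=5):
    """Per source IP: blocked hits, distinct destination ports, scanner flag (>= min_ports)."""
    hits, ports = defaultdict(int), defaultdict(set)
    for src, _proto, dpt in parse_ufw_blocks(text):
        hits[src] += 1
        if dpt:
            ports[src].add(dpt)
    # Sorted by hit count like sort | uniq -c | sort -nr, ties broken by address.
    return [
        {"src": s, "hits": hits[s], "ports": len(ports[s]),
         "scanner": len(ports[s]) >= min_ports}
        for s in sorted(hits, key=lambda s: (-hits[s], s))
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

To run it against the real log, replace SAMPLE_LOG with the contents of /var/log/ufw.log (read with sudo); a source with few hits but many distinct ports is still a scanner and is worth looking at even if it sits low in the raw hit count.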

Review installed packages and running services

sudo apt list --installed
sudo systemctl list-units --type=service --state=running

Contain

Block a clearly abusive source IP

sudo ufw deny from <IP_ADDRESS>

Close ports you do not need

sudo ufw deny 8080
sudo ufw deny 3306
sudo ufw deny 5432

Stop unnecessary services

sudo systemctl stop <service_name>
sudo systemctl disable <service_name>

Recover

Compare what is exposed with what is actually needed

sudo ss -tulnp
sudo systemctl list-units --type=service --state=running

Review software for outdated or forgotten components

sudo apt update
sudo apt upgrade

Check whether the scan led to successful access attempts

sudo grep "Accepted" /var/log/auth.log
sudo grep -Ei "admin|login|api" /var/log/caddy/*.log 2>/dev/null | tail -n 100

Recovery here means reducing exposed software, updating what remains, and confirming that scanning did not progress into deeper activity.

Prevent

Option 1 — Keep software updated

sudo apt update
sudo apt upgrade

Option 2 — Remove unnecessary services and packages

sudo apt list --installed
sudo systemctl list-units --type=service --state=running

Option 3 — Restrict admin access to trusted IPs

sudo ufw allow from <trusted_ip> to any port 22
sudo ufw deny 22

Option 4 — Review logs regularly

sudo journalctl --since "24 hours ago"

Option 5 — Minimize version and path exposure

# Review application configuration to reduce unnecessary public details

Optional Tools & Hosting

Manual exposure review should come first. Future recommendations may include low-cost infrastructure or monitoring options that improve visibility, but the best defense is still a smaller, cleaner attack surface.

Notes

Environment Note

All commands shown are based on Debian-based systems unless otherwise noted.