Docs

Security & Threats

Continuous CVE scanning, DNS hygiene, port surface checks, and live threat detection.

All Documentation

Read-Only by Design

Every security check Optimux runs is read-only. The platform never installs packages, edits configuration files, opens ports, or modifies users on its own. It inspects, reports, and hands you the information; any change to the system happens only when you explicitly click "Run Update" for OS patches. This separation is what makes it safe to connect production servers.

Three-Phase CVE Detection

Vulnerability scanning works in three passes to keep noise low. First, Optimux collects the installed package list and versions. Second, it matches those against public CVE databases (OSV.dev among them). Third, and this is the important step, each match is cross-referenced with your distribution's own security tracker, so backported fixes in stable repositories stop showing up as false positives. The result is a short, actionable list instead of a thousand-entry scan report.

Application Dependency CVEs

Beyond the operating system, Optimux scans the dependencies your applications ship. It reads lock files already on the server - package-lock.json, yarn.lock, pnpm-lock.yaml and bun.lock for Node, composer.lock for PHP, and Python dependency files - then matches the exact installed versions against the OSV.dev advisory database. Findings appear in a dedicated App CVE view per server, labelled with the lock-file path so you know which application is affected, and use the same severity filtering and detail popups as the OS-level scan. It runs as part of the normal security scan, with nothing extra to configure.

Server Audit

The server audit bundles dozens of hardening checks - SSH configuration, firewall posture, open ports, sensitive file permissions, kernel parameters, password policy, and more - into a single scoreable report. Every check returns pass, warning, or fail with a remediation note, and the overall score is visible on the server detail page and in the Overview widget so you can track improvement week over week.

DNS Scan

DNS Scan (inside the Optimux menu) validates the DNS hygiene of your domains. It checks SPF, DMARC and DKIM records, counts SPF DNS lookups against the RFC 7208 limit of 10, validates CAA records, measures TTLs, checks nameserver responsiveness, verifies MX reachability, and detects record changes since the last scan. IPs are checked against major RBL blacklists. Domains without MX records skip the email-specific checks automatically.

Ports, Exposure & Threats

Port Monitoring watches declared TCP and UDP ports per server and recognizes more than a hundred well-known services. An external probe also connects from outside your infrastructure to verify whether sensitive ports (MySQL, PostgreSQL, MongoDB, Redis, and the like) are actually reachable from the public internet, and fires an "exposed port" alert if they are. Live threat detection additionally looks for reverse shells, crypto miners, suspicious processes, unexpected cron entries, and outbound connections to known bad destinations.