mozilla / ssh_scan_api

An API for ssh_scan (https://github.com/mozilla/ssh_scan) and the backend API service for the Mozilla SSH Observatory (https://observatory.mozilla.org/)

Provide configuration restrictions on what ports can be scanned #81

Closed claudijd closed 7 years ago

claudijd commented 7 years ago

Currently, the prod API allows the scanning of really any TCP port. We should probably provide some controls around this that limit its exposure so people can make their own choices about what ports are acceptable. I say this because some orgs have conventions of splitting, say, SCM services into SCM + MGMT ssh services, which require alternative ports.
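An added illustration of the restriction this issue asks for, not code from the thread or from ssh_scan_api: a default-deny port allowlist checked before a scan is queued. The class `PortPolicy`, the helper `scan_allowed?` and the comma/range spec format are hypothetical names and assumptions.

```ruby
# Added example: hypothetical port allowlist for a scan API (not ssh_scan_api code).
require "set"

class PortPolicy
  VALID = (1..65_535).freeze

  # spec: comma-separated ports and ranges, e.g. "22,2222,8000-8010" (assumed format)
  def initialize(spec)
    @allowed = Set.new
    spec.to_s.split(",").map(&:strip).reject(&:empty?).each do |item|
      first, last = parse_item(item)
      (first..last).each { |p| @allowed << p }
    end
  end

  # Default deny: only an Integer or an all-digit String on the allowlist passes.
  def allowed?(port)
    n = to_port(port)
    !n.nil? && @allowed.include?(n)
  end

  private

  # A malformed or out-of-range entry fails at startup instead of widening the list.
  def parse_item(item)
    m = /\A(\d{1,5})(?:-(\d{1,5}))?\z/.match(item)
    raise ArgumentError, "bad port spec: #{item.inspect}" unless m
    first = m[1].to_i
    last = (m[2] || m[1]).to_i
    unless VALID.cover?(first) && VALID.cover?(last) && first <= last
      raise ArgumentError, "port out of range: #{item.inspect}"
    end
    [first, last]
  end

  # \z (not $) so a trailing newline or extra text after the digits is rejected.
  def to_port(value)
    n = case value
        when Integer then value
        when String then value =~ /\A\d{1,5}\z/ ? value.to_i : nil
        end
    n if n && VALID.cover?(n)
  end
end

POLICY = PortPolicy.new("22, 2222, 8000-8010") # constructed sample config

def scan_allowed?(port)
  POLICY.allowed?(port)
end
```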

floatingatoll commented 7 years ago

To offer a tidbit of use case scenario from the HTTP Observatory, Webops deals with this scenario by simply checking out the scanner and running it ourselves. I encourage providing clear and specific directions for how users can run their own scanner without a database, as that will meet the needs of 95% of your "custom port" scenarios for users who are willing to invest time in securing their port-customized SSH instances.

On Mon, Jun 19, 2017 at 1:48 PM, Jonathan Claudius <notifications@github.com> wrote:

> Currently, the prod API allows the scanning of really any TCP port. We should probably provide some controls around this that limit its exposure so people can make their own choices about what ports are acceptable. I say this because some orgs have conventions of splitting, say, SCM services into SCM + MGMT ssh services, which require alternative ports.
