Documentation menu

Docs

Monitoring, Alerts & Allowed Ports

How endpoints are scanned, how findings become alerts, what the severity levels mean, and how Allowed Ports keep the noise down.

Endpoints and groups

An endpoint is one monitored server, identified by IP address (hostnames are resolved when added). Endpoints belong to a customer, can be paused and resumed individually or in bulk, and can be organized into groups with one-click scan-all. Scan history per endpoint exports to CSV.

How scanning works

SourceWhat it does
nmapActive scans across the full port range, run by the platform's scanning service on demand and on schedule.
shodanPassive internet-wide exposure data and continuous monitor alerts per IP.

Scanning is continuous: background discovery runs on a schedule that scales with the customer's plan, and full scans verify findings. Customers (and you) can also trigger an on-demand scan per endpoint, subject to a per-endpoint cooldown.

From open port to alert

  1. A scan finds the endpoint's open ports.
  2. Each open port is checked against the customer's Allowed Ports rules.
  3. Every open port with no matching rule raises an alert (duplicates are suppressed: an existing open alert is updated, not repeated).
  4. When a later scan shows the port closed, the alert resolves itself.

Severity levels

Severity comes from what the exposed port implies, escalated further when banners reveal outdated software:

SeverityTriggered by
CriticalExposed data stores and remote access: ports 3306 (MySQL), 5432 (PostgreSQL), 27017 (MongoDB), 6379 (Redis), 3389 (RDP), 5900 (VNC), 23 (Telnet), 445 (SMB), 139 (NetBIOS).
HighUnencrypted or commonly attacked services: ports 22 (SSH (assume no key auth)), 21 (FTP), 25 (SMTP), 110 (POP3), 143 (IMAP), 8080 (HTTP Alt), 8443 (HTTPS Alt).
MediumApplication and development servers: ports 8000 (Common dev port), 3000 (Node.js), 5000 (Flask), 9000 (PHP-FPM), 4000 (Development), 5001 (Development).
LowStandard web ports (80, 443) and anything not in a higher tier.

Alerts move through the statuses openacknowledgedresolved (or false_positive), and every alert carries a plain-language explanation plus copy-paste remediation commands for common firewalls.

Allowed Ports

Allowed Ports rules declare which ports are supposed to be open, so expected services never alert. A rule covers a port or range plus protocol, applies to one endpoint or globally, requires a written justification, and can expire. Creating a rule that matches an open alert resolves that alert automatically; rules can be bulk-imported and exported as CSV.

Alert emails include one-click links to view, allow the port, or acknowledge. Customers can act without signing in first.

The firewall map

For each customer you can visualize firewall connectivity as an interactive map: which endpoints accept what, focus views per endpoint, and reachability analysis. Feed it by pasting firewall rules in the portal, or install the collector script (downloadable from the portal) which submits iptables/nftables/ufw/firewalld dumps on a schedule via the Firewall Ingest API.

Compiled from the AegisWhite platform (build 6bffe04, module v1.7.3, 2026-07-14).