Why does my OpenVAS subnet scan finish in 1 second with zero hosts found?

This is almost always caused by a Layer 2 vs. Layer 3 routing mismatch. By default, OpenVAS uses an ARP ping to discover active hosts. Because ARP is a Layer 2 broadcast protocol, these packets cannot cross your router or firewall into an isolated VLAN (like an IoT network). To fix this, edit your Target configuration in the Greenbone UI and change the Alive Test setting to Consider Alive. This forces the engine to bypass the ping check and immediately begin TCP/UDP port discovery.

Can I run OpenVAS on a Raspberry Pi or low-powered mini PC?

No, it is highly discouraged. OpenVAS (Greenbone Community Edition) is an enterprise-grade security framework. Compiling, unpacking, and indexing tens of thousands of vulnerability feed signatures into its PostgreSQL database will exhaust system resources on low-tier hardware. The stack requires a minimum of 4 vCPU cores and 8GB of RAM to prevent out-of-memory (OOM) crashes during operation. For lightweight scanning, use standard Nmap sweeps instead.

Will running an internal vulnerability scan crash my smart home and IoT devices?

It can. Consumer IoT firmware stacks (found in smart plugs, IP cameras, and connected kitchen appliances) are notoriously fragile. Subjecting them to an aggressive vulnerability scan with heavy web-application fuzzing can overwhelm their lightweight Wi-Fi microcontrollers, causing them to freeze or drop off the network entirely. When auditing IoT subnets, always use the System Discovery or Host Discovery scan configurations rather than a 'Full and Fast' vulnerability exploit sweep.

Why does CrowdSec keep banning my Docker host when I start an OpenVAS scan?

A vulnerability scanner looks exactly like an automated botnet executing a port-scanning or aggressive crawling attack. CrowdSec’s heuristics will instantly flag the thousands of rapid connection requests generated by OpenVAS and drop a local firewall ban. To fix this, you must explicitly add your OpenVAS/Docker host IP address to a local whitelist parser (located in /etc/crowdsec/parsers/s02-enrich/) using a strict YAML array format, then restart the CrowdSec service.

How often should I run a security audit on my homelab?

For a typical homelab environment, running a comprehensive perimeter and internal scan once per quarter is an industry best practice. However, you should run localized image scans using tools like Trivy or network scans via Nmap whenever you deploy a major architecture change, introduce a new third-party container, or modify your core OPNsense firewall rules.

Home
Cybersecurity
🛡️ Auditing the Castle: How to Scan and Pen-Test Your Homelab (2026 Guide)

16 Jun 2026 16 min read Cybersecurity

🛡️ Auditing the Castle: How to Scan and Pen-Test Your Homelab (2026 Guide)

Stop guessing if your self-hosted infrastructure is secure. Use Shodan, Greenbone OpenVAS in Docker, and Trivy to audit your homelab like a professional.

Shodan.io map view of Toronto & area, Canada showing detected IPV4 & IPV6 addresses.

So let's say you worked hard setting up your environment, you are happy you finally have things humming along... You locked it down a reasonable amount. You’ve deployed the SWAG reverse proxy. You've even got CrowdSec watching the perimeter. But in the world of technical network defense, there is one golden rule: If you aren't actively scanning your own network, someone else is.

A truly hardened homelab isn't defined by what you think you secured - it’s defined by what an aggressive, automated subnet scan actually uncovers.

Here's how to see what the bots & script kiddies see, easily.

This post is for paying subscribers only

You might also like...

New from Core Lab: Linux Gaming Showcas, 1 Year of Running A Tech Blog, more to come

🎮 Gaming on CachyOS: Why I Ditched Legacy Distros for Bleeding-Edge FPS (2026)

Fighting the AI Slop: Year 1 Metrics, Costs, and Lessons Self-Hosting a Ghost Tech Blog

When Power Outages Break Everything: Recovering an OMV8 NAS After Filesystem Corruption, Kernel Drift, and DKMS Failure

SSD-Deaths & NAS Upgrades, Ghost CMS Home Assistant and Massive Real-Debrid shock & awe!