nba.com

What is this?

Port 21 is used by FTP (File Transfer Protocol), which lets you upload and download files to your server. FTP was designed in the early internet era before encryption existed.

Why does it matter?

FTP sends your username, password, and all transferred files in complete plaintext over the network. Anyone intercepting the connection — on the same network or via a man-in-the-middle attack — can read your credentials and every file you transfer.

How to fix it

Disable FTP and switch to SFTP (SSH File Transfer Protocol), which uses the same SSH encryption as terminal access: For FileZilla: connect using protocol SFTP and your SSH credentials. To disable pure FTP (Ubuntu): sudo systemctl stop vsftpd sudo systemctl disable vsftpd If FTP is absolutely required, use FTPS (FTP over TLS) instead of plain FTP.

What is this?

Port 22 is used by SSH (Secure Shell), the standard encrypted protocol for remote server access. It lets administrators log in to the server and run commands remotely.

Why does it matter?

SSH itself is secure, but an open SSH port is a constant target for brute-force attacks — bots continuously try thousands of username/password combinations. If password authentication is enabled, a weak password can lead to full server compromise.

How to fix it

Disable password authentication and use SSH keys only: Edit /etc/ssh/sshd_config: PasswordAuthentication no PubkeyAuthentication yes Then restart SSH: sudo systemctl restart sshd Optional: move SSH to a non-standard port (e.g. 2222) to reduce bot noise: Port 2222 Optional: use fail2ban to automatically block IPs with too many failed attempts: sudo apt install fail2ban

What is this?

Port 23 is used by Telnet, a very old remote access protocol from the 1960s. Like FTP, it was designed before encryption existed.

Why does it matter?

Telnet transmits everything — including your login credentials and every command you run — in complete plaintext. Anyone intercepting the connection sees exactly what you type. There is no situation where Telnet is preferable over SSH on a modern server.

How to fix it

Disable and remove Telnet: sudo systemctl stop telnet sudo systemctl disable telnet sudo apt remove telnetd # Ubuntu/Debian If port 23 is still open after removing Telnet, check what process is using it: sudo ss -tlnp | grep :23 Use SSH for all remote access. SSH provides the same functionality with full encryption.

What is this?

Port 3306 is the default port for MySQL (and MariaDB), the database server that stores your website's content, user accounts, orders, and all other data.

Why does it matter?

Exposing the MySQL port to the internet allows attackers to directly attempt to log in to your database using brute force or stolen credentials. If they succeed, they have full access to all your data without needing to compromise the website itself.

How to fix it

Block the port with a firewall (UFW on Ubuntu): sudo ufw deny 3306/tcp Or restrict to only your app server IP: sudo ufw allow from YOUR_APP_IP to any port 3306 Also bind MySQL to localhost in /etc/mysql/mysql.conf.d/mysqld.cnf: bind-address = 127.0.0.1 Then restart MySQL: sudo systemctl restart mysql For remote DB management, use an SSH tunnel instead: ssh -L 3306:127.0.0.1:3306 user@yourserver

What is this?

Port 5432 is the default port for PostgreSQL, an advanced open-source relational database. Like MySQL, it stores all application data.

Why does it matter?

A publicly reachable PostgreSQL port exposes the database directly to brute-force attacks. PostgreSQL also has a history of being exploited when authentication is misconfigured (e.g. trust authentication).

How to fix it

Block with UFW: sudo ufw deny 5432/tcp Bind PostgreSQL to localhost in /etc/postgresql/*/main/postgresql.conf: listen_addresses = 'localhost' Restart PostgreSQL: sudo systemctl restart postgresql For remote access, use an SSH tunnel: ssh -L 5432:127.0.0.1:5432 user@yourserver

What is this?

Port 6379 is the default port for Redis, an in-memory data store commonly used for caching, session storage, and queues. Redis has no authentication by default.

Why does it matter?

An exposed Redis instance is one of the most dangerous vulnerabilities a server can have. Attackers can read all cached data (including user sessions), write arbitrary data, use Redis's replication feature to write SSH keys to the server and gain root access, or abuse it for DDoS amplification.

How to fix it

Block with UFW immediately: sudo ufw deny 6379/tcp Bind Redis to localhost in /etc/redis/redis.conf: bind 127.0.0.1 Enable a strong password: requirepass YourStrongPasswordHere Restart Redis: sudo systemctl restart redis If Redis must be reachable from another server, use an SSH tunnel or VPN — never expose it directly.

What is this?

Port 27017 is the default port for MongoDB, a NoSQL document database. MongoDB stores data as JSON-like documents and is popular for modern web applications.

Why does it matter?

Hundreds of thousands of MongoDB databases have been wiped by automated attacks — attackers delete all data and leave a ransom note demanding Bitcoin. This happened because many MongoDB installations were publicly accessible with no authentication enabled.

How to fix it

Block with UFW: sudo ufw deny 27017/tcp Bind to localhost in /etc/mongod.conf: net: bindIp: 127.0.0.1 Enable authentication: security: authorization: enabled Restart MongoDB: sudo systemctl restart mongod

What is this?

Port 9200 is the default HTTP API port for Elasticsearch, a search and analytics engine. It provides a full REST API for querying and managing data.

Why does it matter?

Elasticsearch has no authentication by default. An exposed port gives anyone full read/write access to all indexed data via simple HTTP requests. Exposed Elasticsearch has caused massive data breaches affecting billions of records (medical data, voter records, financial data).

How to fix it

Block with UFW: sudo ufw deny 9200/tcp sudo ufw deny 9300/tcp # cluster port Bind to localhost in elasticsearch.yml: network.host: 127.0.0.1 If using Elastic Cloud or a paid licence, enable X-Pack security: xpack.security.enabled: true Restart Elasticsearch: sudo systemctl restart elasticsearch

What is this?

Port 11211 is the default port for Memcached, an in-memory caching system used to speed up web applications by storing frequently accessed data.

Why does it matter?

Memcached has no authentication. An exposed instance lets anyone read or manipulate your cache. It is also heavily abused for DDoS amplification attacks — attackers send small spoofed requests to Memcached which generates much larger responses, overwhelming the victim.

How to fix it

Block with UFW: sudo ufw deny 11211/tcp Bind to localhost when starting Memcached (in /etc/memcached.conf): -l 127.0.0.1 Restart Memcached: sudo systemctl restart memcached

What is this?

A cookie consent banner is a notice that informs visitors about cookie usage and asks for their consent before non-essential cookies (analytics, marketing, advertising) are set. Under GDPR (EU), PECR (UK), and similar laws, this consent must be freely given, specific, and informed.

Why does it matter?

The GDPR (General Data Protection Regulation) requires explicit consent before setting non-essential cookies. Violations can result in fines of up to €20 million or 4% of global annual turnover. Beyond legal requirements, it builds user trust and demonstrates transparency.

How to fix it

Use a consent management platform (CMP): Free options: - CookieYes (cookieyes.com) — free tier available - Osano (osano.com) — free for small sites - Cookie Consent by Osano (open source) Premium/advanced: - Cookiebot - OneTrust - Usercentrics For WordPress: install a GDPR consent plugin (e.g. Complianz, CookieYes plugin) Ensure your banner: - Does NOT pre-tick consent boxes - Makes 'Reject all' as easy as 'Accept all' - Lists exactly which cookies are used and why

What is this?

A privacy policy is a legal document that explains what personal data you collect from users, why you collect it, how it is used, who it is shared with, and how users can request deletion or access to their data.

Why does it matter?

A privacy policy is legally required in most jurisdictions: GDPR (EU/EEA), CCPA (California), LGPD (Brazil), PIPEDA (Canada), and more. Without one, you risk regulatory fines, loss of payment processor accounts (Stripe/PayPal require it), removal from ad platforms, and loss of user trust.

How to fix it

Create a privacy policy and link to it in your footer. Free generators: - TermsFeed (termsfeed.com) - Iubenda (iubenda.com) — free tier - GetTerms (getterms.io) Your policy must cover: 1. What data you collect (name, email, IP, cookies, etc.) 2. Why you collect it (legal basis under GDPR) 3. Who you share it with (hosting, analytics, payment processors) 4. How long you keep it 5. User rights (access, deletion, portability) 6. Contact information for a data protection officer or contact Update it whenever you add new services or change data practices.

What is this?

Tracking scripts are third-party JavaScript snippets embedded in your website that collect data about visitor behaviour — pages visited, time spent, clicks, demographics, purchases, and more. Common examples are Google Analytics, Meta Pixel (Facebook), and Hotjar.

Why does it matter?

Under GDPR, tracking scripts that process personal data (IP addresses, device fingerprints, cookies) require a legal basis — usually explicit consent. Loading tracking scripts before consent is obtained is a GDPR violation. Data Protection Authorities across Europe have issued fines specifically for this.

How to fix it

Only load tracking scripts after the user has given consent: 1. Use a tag manager (Google Tag Manager) that is controlled by your consent platform — the CMP fires the tag only after consent 2. Or use a consent-aware loading approach: if (userHasConsented()) { // load analytics script } 3. Consider privacy-friendly analytics that do not require consent: - Plausible Analytics (EU-hosted, no cookies) - Fathom Analytics - Matomo (self-hosted, can be cookie-free) 4. For Facebook Pixel specifically: only fire events after consent and enable 'Limited Data Use' mode for California users

What is this?

The .env file is a configuration file used by Laravel, Node.js, and many other frameworks to store environment-specific settings such as database credentials, API keys, secret tokens, and application configuration.

Why does it matter?

Exposing .env gives attackers your database password, secret keys, and API credentials in a single file. This allows immediate database access, session forgery, and abuse of third-party services billed to you. It is one of the most critical vulnerabilities a web server can have.

How to fix it

Nginx — add to your server block: location ~ /\.env { deny all; return 404; } Apache — add to .htaccess: <Files ".env"> Order allow,deny Deny from all </Files> Also rotate all credentials immediately: database password, API keys, APP_KEY, etc. Assume they are already compromised.

What is this?

The .git directory is the repository created by Git to track version history, branches, commits, and file contents. When exposed via a web server, attackers can reconstruct the entire source code by downloading the repository files.

Why does it matter?

A publicly accessible .git directory gives attackers your complete source code including every past commit — even if you deleted sensitive files, they remain in the commit history. Attackers can find hardcoded credentials, API keys, business logic, and vulnerability patterns in the code.

How to fix it

Nginx — block access to .git: location ~ /\.git { deny all; return 404; } Apache — add to .htaccess: RedirectMatch 404 /\.git Alternatively, deploy from a build artifact rather than cloning directly to the web root. The .git directory should never exist in a production web root.

What is this?

phpinfo() is a built-in PHP function that outputs a detailed page showing the PHP version, configuration directives, loaded extensions, environment variables, server paths, and build information.

Why does it matter?

The phpinfo output gives attackers a detailed map of your server: exact PHP version (for CVE targeting), enabled extensions, file paths, and environment variables (which may include credentials). This is an information disclosure vulnerability that makes all other attacks easier to tailor.

How to fix it

Delete phpinfo.php (and any similar files like info.php, test.php, i.php) from your web root immediately: rm /var/www/html/phpinfo.php Search for any others: find /var/www -name 'phpinfo.php' -o -name 'info.php' Never create diagnostic files on production servers. Use staging environments for diagnostics.

What is this?

SQL backup files (backup.sql, dump.sql, database.sql, etc.) are plain-text exports of database content produced by tools like mysqldump. When accessible via HTTP, the entire database can be downloaded.

Why does it matter?

A publicly downloadable database backup gives attackers all user data, emails, password hashes (or worse, plaintext passwords), order records, and any other data your application stores. This is a direct GDPR/privacy law violation and gives attackers everything needed to impersonate or contact your users.

How to fix it

Move backups outside the web root: mv /var/www/html/backup.sql /var/backups/ Search for other SQL files: find /var/www -name '*.sql' Store backups in a non-public location or use encrypted cloud storage (S3 with private ACL). Never store backup files in any publicly accessible directory.

What is this?

wp-config.php.bak is a backup copy of the WordPress configuration file. WordPress itself protects wp-config.php but backup files with .bak, .old, or .orig extensions are served as plain text by most web servers.

Why does it matter?

This file contains the MySQL database credentials (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST), authentication secret keys, and the database table prefix. With these credentials an attacker can access your entire WordPress database directly.

How to fix it

Delete the backup file immediately: rm /var/www/html/wp-config.php.bak Search for other wp-config variants: find /var/www -name 'wp-config*' To protect against accidental future exposure, add to .htaccess: <Files "wp-config.php"> Order deny,allow Deny from all </Files>