budgetpixels.nl

What is this?

Port 21 is used by FTP (File Transfer Protocol), which lets you upload and download files to your server. FTP was designed in the early internet era before encryption existed.

Why does it matter?

FTP sends your username, password, and all transferred files in complete plaintext over the network. Anyone intercepting the connection — on the same network or via a man-in-the-middle attack — can read your credentials and every file you transfer.

How to fix it

Disable FTP and switch to SFTP (SSH File Transfer Protocol), which uses the same SSH encryption as terminal access: For FileZilla: connect using protocol SFTP and your SSH credentials. To disable pure FTP (Ubuntu): sudo systemctl stop vsftpd sudo systemctl disable vsftpd If FTP is absolutely required, use FTPS (FTP over TLS) instead of plain FTP.

What is this?

Port 22 is used by SSH (Secure Shell), the standard encrypted protocol for remote server access. It lets administrators log in to the server and run commands remotely.

Why does it matter?

SSH itself is secure, but an open SSH port is a constant target for brute-force attacks — bots continuously try thousands of username/password combinations. If password authentication is enabled, a weak password can lead to full server compromise.

How to fix it

Disable password authentication and use SSH keys only: Edit /etc/ssh/sshd_config: PasswordAuthentication no PubkeyAuthentication yes Then restart SSH: sudo systemctl restart sshd Optional: move SSH to a non-standard port (e.g. 2222) to reduce bot noise: Port 2222 Optional: use fail2ban to automatically block IPs with too many failed attempts: sudo apt install fail2ban

What is this?

Port 23 is used by Telnet, a very old remote access protocol from the 1960s. Like FTP, it was designed before encryption existed.

Why does it matter?

Telnet transmits everything — including your login credentials and every command you run — in complete plaintext. Anyone intercepting the connection sees exactly what you type. There is no situation where Telnet is preferable over SSH on a modern server.

How to fix it

Disable and remove Telnet: sudo systemctl stop telnet sudo systemctl disable telnet sudo apt remove telnetd # Ubuntu/Debian If port 23 is still open after removing Telnet, check what process is using it: sudo ss -tlnp | grep :23 Use SSH for all remote access. SSH provides the same functionality with full encryption.

What is this?

Port 3306 is the default port for MySQL (and MariaDB), the database server that stores your website's content, user accounts, orders, and all other data.

Why does it matter?

Exposing the MySQL port to the internet allows attackers to directly attempt to log in to your database using brute force or stolen credentials. If they succeed, they have full access to all your data without needing to compromise the website itself.

How to fix it

Block the port with a firewall (UFW on Ubuntu): sudo ufw deny 3306/tcp Or restrict to only your app server IP: sudo ufw allow from YOUR_APP_IP to any port 3306 Also bind MySQL to localhost in /etc/mysql/mysql.conf.d/mysqld.cnf: bind-address = 127.0.0.1 Then restart MySQL: sudo systemctl restart mysql For remote DB management, use an SSH tunnel instead: ssh -L 3306:127.0.0.1:3306 user@yourserver

What is this?

Port 5432 is the default port for PostgreSQL, an advanced open-source relational database. Like MySQL, it stores all application data.

Why does it matter?

A publicly reachable PostgreSQL port exposes the database directly to brute-force attacks. PostgreSQL also has a history of being exploited when authentication is misconfigured (e.g. trust authentication).

How to fix it

Block with UFW: sudo ufw deny 5432/tcp Bind PostgreSQL to localhost in /etc/postgresql/*/main/postgresql.conf: listen_addresses = 'localhost' Restart PostgreSQL: sudo systemctl restart postgresql For remote access, use an SSH tunnel: ssh -L 5432:127.0.0.1:5432 user@yourserver

What is this?

Port 6379 is the default port for Redis, an in-memory data store commonly used for caching, session storage, and queues. Redis has no authentication by default.

Why does it matter?

An exposed Redis instance is one of the most dangerous vulnerabilities a server can have. Attackers can read all cached data (including user sessions), write arbitrary data, use Redis's replication feature to write SSH keys to the server and gain root access, or abuse it for DDoS amplification.

How to fix it

Block with UFW immediately: sudo ufw deny 6379/tcp Bind Redis to localhost in /etc/redis/redis.conf: bind 127.0.0.1 Enable a strong password: requirepass YourStrongPasswordHere Restart Redis: sudo systemctl restart redis If Redis must be reachable from another server, use an SSH tunnel or VPN — never expose it directly.

What is this?

Port 27017 is the default port for MongoDB, a NoSQL document database. MongoDB stores data as JSON-like documents and is popular for modern web applications.

Why does it matter?

Hundreds of thousands of MongoDB databases have been wiped by automated attacks — attackers delete all data and leave a ransom note demanding Bitcoin. This happened because many MongoDB installations were publicly accessible with no authentication enabled.

How to fix it

Block with UFW: sudo ufw deny 27017/tcp Bind to localhost in /etc/mongod.conf: net: bindIp: 127.0.0.1 Enable authentication: security: authorization: enabled Restart MongoDB: sudo systemctl restart mongod

What is this?

Port 9200 is the default HTTP API port for Elasticsearch, a search and analytics engine. It provides a full REST API for querying and managing data.

Why does it matter?

Elasticsearch has no authentication by default. An exposed port gives anyone full read/write access to all indexed data via simple HTTP requests. Exposed Elasticsearch has caused massive data breaches affecting billions of records (medical data, voter records, financial data).

How to fix it

Block with UFW: sudo ufw deny 9200/tcp sudo ufw deny 9300/tcp # cluster port Bind to localhost in elasticsearch.yml: network.host: 127.0.0.1 If using Elastic Cloud or a paid licence, enable X-Pack security: xpack.security.enabled: true Restart Elasticsearch: sudo systemctl restart elasticsearch

What is this?

Port 11211 is the default port for Memcached, an in-memory caching system used to speed up web applications by storing frequently accessed data.

Why does it matter?

Memcached has no authentication. An exposed instance lets anyone read or manipulate your cache. It is also heavily abused for DDoS amplification attacks — attackers send small spoofed requests to Memcached which generates much larger responses, overwhelming the victim.

How to fix it

Block with UFW: sudo ufw deny 11211/tcp Bind to localhost when starting Memcached (in /etc/memcached.conf): -l 127.0.0.1 Restart Memcached: sudo systemctl restart memcached

What is this?

Port 25 is used by SMTP (Simple Mail Transfer Protocol), the standard protocol for sending email between mail servers. It is expected to be open on dedicated mail servers.

Why does it matter?

If this server is not a mail server, an open SMTP port may indicate an unauthorised mail relay or spam-sending software. Open relays — SMTP servers that accept and forward email from anyone — are exploited by spammers to send bulk email through your server, leading to IP blacklisting.

How to fix it

If this server does not send email: sudo ufw deny 25/tcp If this server runs a mail server (Postfix, Exim, Sendmail): 1. Verify it is not configured as an open relay: telnet localhost 25 EHLO test MAIL FROM: test@external.com RCPT TO: test@another-external.com (should be rejected) 2. Keep your MTA updated and monitor /var/log/mail.log for unusual sending patterns.

What is this?

Port 2375 is the Docker daemon's unencrypted TCP API port. When enabled, it allows remote control of all Docker containers on the server without any authentication.

Why does it matter?

Access to the Docker API without TLS is equivalent to root access to the entire server. An attacker can create a privileged container that mounts the host filesystem, read and modify any file on the server, install backdoors, exfiltrate all data, or pivot to other systems on the network. This is one of the most critical misconfigurations possible.

How to fix it

Close port 2375 immediately: sudo ufw deny 2375/tcp Do NOT expose the Docker daemon over TCP without mutual TLS. Use the Unix socket instead for local access: /var/run/docker.sock If remote Docker API access is needed, use SSH tunneling: ssh -L 2375:localhost:2375 user@server Or configure Docker with TLS client certificates (docker --tlsverify). Check if it was intentionally opened: sudo systemctl cat docker | grep -i tcp

What is this?

Port 8080 is a common alternative HTTP port, often used for development servers, admin panels, reverse proxies (Nginx/Apache behind an app server), or Java application servers like Tomcat.

Why does it matter?

An open port 8080 may expose an admin interface, development build, or staging server that was not intended to be publicly accessible. Development environments often have weaker security settings, disabled authentication, or verbose error messages that reveal internal architecture.

How to fix it

Identify what is running on port 8080: sudo ss -tlnp | grep :8080 If it is a development server or admin panel, restrict access to trusted IPs: sudo ufw allow from YOUR_IP to any port 8080 sudo ufw deny 8080/tcp If it is a legitimate proxy or app server, ensure it has authentication enabled and is not exposing internal diagnostic pages.

What is this?

Port 8443 is a common alternative HTTPS port. It is frequently used for admin panels, development environments, application servers, or services that cannot use the standard port 443.

Why does it matter?

Like port 8080, an open 8443 may expose admin interfaces or staging environments. Even with HTTPS, a self-signed certificate or misconfigured service on this port can be a security concern if it provides access to sensitive functionality without proper authentication.

How to fix it

Identify what is running on port 8443: sudo ss -tlnp | grep :8443 If it is an admin panel or dev interface, restrict to trusted IPs: sudo ufw allow from YOUR_IP to any port 8443 sudo ufw deny 8443/tcp Ensure any service on this port uses a valid SSL certificate and has proper authentication enabled.

What is this?

A cookie consent banner is a notice that informs visitors about cookie usage and asks for their consent before non-essential cookies (analytics, marketing, advertising) are set. Under GDPR (EU), PECR (UK), and similar laws, this consent must be freely given, specific, and informed.

Why does it matter?

The GDPR (General Data Protection Regulation) requires explicit consent before setting non-essential cookies. Violations can result in fines of up to €20 million or 4% of global annual turnover. Beyond legal requirements, it builds user trust and demonstrates transparency.

How to fix it

Use a consent management platform (CMP): Free options: - CookieYes (cookieyes.com) — free tier available - Osano (osano.com) — free for small sites - Cookie Consent by Osano (open source) Premium/advanced: - Cookiebot - OneTrust - Usercentrics For WordPress: install a GDPR consent plugin (e.g. Complianz, CookieYes plugin) Ensure your banner: - Does NOT pre-tick consent boxes - Makes 'Reject all' as easy as 'Accept all' - Lists exactly which cookies are used and why

What is this?

A privacy policy is a legal document that explains what personal data you collect from users, why you collect it, how it is used, who it is shared with, and how users can request deletion or access to their data.

Why does it matter?

A privacy policy is legally required in most jurisdictions: GDPR (EU/EEA), CCPA (California), LGPD (Brazil), PIPEDA (Canada), and more. Without one, you risk regulatory fines, loss of payment processor accounts (Stripe/PayPal require it), removal from ad platforms, and loss of user trust.

How to fix it

Create a privacy policy and link to it in your footer. Free generators: - TermsFeed (termsfeed.com) - Iubenda (iubenda.com) — free tier - GetTerms (getterms.io) Your policy must cover: 1. What data you collect (name, email, IP, cookies, etc.) 2. Why you collect it (legal basis under GDPR) 3. Who you share it with (hosting, analytics, payment processors) 4. How long you keep it 5. User rights (access, deletion, portability) 6. Contact information for a data protection officer or contact Update it whenever you add new services or change data practices.

What is this?

Tracking scripts are third-party JavaScript snippets embedded in your website that collect data about visitor behaviour — pages visited, time spent, clicks, demographics, purchases, and more. Common examples are Google Analytics, Meta Pixel (Facebook), and Hotjar.

Why does it matter?

Under GDPR, tracking scripts that process personal data (IP addresses, device fingerprints, cookies) require a legal basis — usually explicit consent. Loading tracking scripts before consent is obtained is a GDPR violation. Data Protection Authorities across Europe have issued fines specifically for this.

How to fix it

Only load tracking scripts after the user has given consent: 1. Use a tag manager (Google Tag Manager) that is controlled by your consent platform — the CMP fires the tag only after consent 2. Or use a consent-aware loading approach: if (userHasConsented()) { // load analytics script } 3. Consider privacy-friendly analytics that do not require consent: - Plausible Analytics (EU-hosted, no cookies) - Fathom Analytics - Matomo (self-hosted, can be cookie-free) 4. For Facebook Pixel specifically: only fire events after consent and enable 'Limited Data Use' mode for California users

What is this?

The .env file is a configuration file used by Laravel, Node.js, and many other frameworks to store environment-specific settings such as database credentials, API keys, secret tokens, and application configuration.

Why does it matter?

Exposing .env gives attackers your database password, secret keys, and API credentials in a single file. This allows immediate database access, session forgery, and abuse of third-party services billed to you. It is one of the most critical vulnerabilities a web server can have.

How to fix it

Nginx — add to your server block: location ~ /\.env { deny all; return 404; } Apache — add to .htaccess: <Files ".env"> Order allow,deny Deny from all </Files> Also rotate all credentials immediately: database password, API keys, APP_KEY, etc. Assume they are already compromised.

What is this?

The .git directory is the repository created by Git to track version history, branches, commits, and file contents. When exposed via a web server, attackers can reconstruct the entire source code by downloading the repository files.

Why does it matter?

A publicly accessible .git directory gives attackers your complete source code including every past commit — even if you deleted sensitive files, they remain in the commit history. Attackers can find hardcoded credentials, API keys, business logic, and vulnerability patterns in the code.

How to fix it

Nginx — block access to .git: location ~ /\.git { deny all; return 404; } Apache — add to .htaccess: RedirectMatch 404 /\.git Alternatively, deploy from a build artifact rather than cloning directly to the web root. The .git directory should never exist in a production web root.

What is this?

phpinfo() is a built-in PHP function that outputs a detailed page showing the PHP version, configuration directives, loaded extensions, environment variables, server paths, and build information.

Why does it matter?

The phpinfo output gives attackers a detailed map of your server: exact PHP version (for CVE targeting), enabled extensions, file paths, and environment variables (which may include credentials). This is an information disclosure vulnerability that makes all other attacks easier to tailor.

How to fix it

Delete phpinfo.php (and any similar files like info.php, test.php, i.php) from your web root immediately: rm /var/www/html/phpinfo.php Search for any others: find /var/www -name 'phpinfo.php' -o -name 'info.php' Never create diagnostic files on production servers. Use staging environments for diagnostics.

What is this?

SQL backup files (backup.sql, dump.sql, database.sql, etc.) are plain-text exports of database content produced by tools like mysqldump. When accessible via HTTP, the entire database can be downloaded.

Why does it matter?

A publicly downloadable database backup gives attackers all user data, emails, password hashes (or worse, plaintext passwords), order records, and any other data your application stores. This is a direct GDPR/privacy law violation and gives attackers everything needed to impersonate or contact your users.

How to fix it

Move backups outside the web root: mv /var/www/html/backup.sql /var/backups/ Search for other SQL files: find /var/www -name '*.sql' Store backups in a non-public location or use encrypted cloud storage (S3 with private ACL). Never store backup files in any publicly accessible directory.

What is this?

wp-config.php.bak is a backup copy of the WordPress configuration file. WordPress itself protects wp-config.php but backup files with .bak, .old, or .orig extensions are served as plain text by most web servers.

Why does it matter?

This file contains the MySQL database credentials (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST), authentication secret keys, and the database table prefix. With these credentials an attacker can access your entire WordPress database directly.

How to fix it

Delete the backup file immediately: rm /var/www/html/wp-config.php.bak Search for other wp-config variants: find /var/www -name 'wp-config*' To protect against accidental future exposure, add to .htaccess: <Files "wp-config.php"> Order deny,allow Deny from all </Files>

What is this?

.htpasswd is the file used by Apache to store usernames and hashed passwords for HTTP Basic Authentication. It normally sits above the web root or is protected by Apache configuration.

Why does it matter?

Even though passwords are hashed, exposing this file gives attackers a list of valid usernames and hashes to crack offline. Using tools like Hashcat, weak passwords (under 10 characters) can be cracked in minutes on modern hardware.

How to fix it

Apache normally protects .htpasswd files automatically via a built-in rule. If yours is accessible, your server config may have overridden this protection. Check your VirtualHost config and .htaccess for anything that might be serving the file. Add an explicit deny: <Files ".htpasswd"> Order allow,deny Deny from all </Files> Best practice: store .htpasswd above the web root entirely, not inside it.

What is this?

web.config is the IIS (Internet Information Services) configuration file, equivalent to Apache's .htaccess. It controls URL routing, authentication, custom errors, and application settings.

Why does it matter?

Exposed web.config files frequently contain database connection strings (including passwords), application secrets, custom error paths that reveal server internals, and authentication configurations. This is sensitive infrastructure information.

How to fix it

IIS should not serve web.config by default, but misconfigurations can expose it. Add a URL rewrite rule to block direct access: <rule name="Block web.config"> <match url="web\.config" /> <action type="CustomResponse" statusCode="404" /> </rule> Verify the IIS request filtering module is active and blocks config files.

What is this?

.git/config is the Git configuration file for your repository. It contains the remote repository URL, branch tracking settings, and sometimes embedded credentials.

Why does it matter?

Exposing .git/config lets attackers discover your private Git repository URL (GitHub, GitLab, Bitbucket). If credentials are embedded in the remote URL (e.g. https://username:token@github.com/...), they are directly exposed. The repository URL itself enables cloning your entire codebase.

How to fix it

Block all .git access at the web server level: Nginx: location ~ /\.git { deny all; return 404; } Apache (.htaccess): RedirectMatch 404 /\.git Or: never deploy .git directories to production servers. Use a CI/CD pipeline that only copies compiled/built files to the server, not the full git repository.

What is this?

composer.lock records the exact version of every PHP dependency installed in your project. It's created by Composer when you run `composer install`.

Why does it matter?

Exposing composer.lock gives attackers a precise inventory of every library in your application, including its exact version number. They can cross-reference this against CVE databases (cve.mitre.org, packagist advisories) to find unpatched vulnerabilities in your specific versions and craft targeted exploits.

How to fix it

Store composer.json and composer.lock above the web root: For Laravel: these files should be in the project root, with only the public/ subdirectory as the web root. Most Forge/Vapor deployments do this correctly by default. If your web root is the project root, block access: Nginx: location ~ /composer\.(json|lock) { deny all; } Apache: <FilesMatch "composer\.(json|lock)"> Deny from all </FilesMatch> Then run: composer audit To check for known vulnerabilities in your current dependencies.

What is this?

Apache's mod_status provides a /server-status page that shows real-time server statistics: active requests, client IP addresses, URLs being requested, server version, and performance metrics.

Why does it matter?

Exposing server-status leaks live visitor data (IPs, pages they're visiting), your exact Apache version, loaded modules, and server performance data. Attackers can use this to identify high-value endpoints, confirm server software, and monitor traffic patterns.

How to fix it

Restrict server-status to localhost only: <Location /server-status> Require local </Location> Or disable mod_status entirely if you don't need it: sudo a2dismod status sudo systemctl restart apache2 If you need remote monitoring access, restrict it to specific trusted IPs: Require ip 192.168.1.0/24