High
ISO 27001 A.8.20
CIS Controls CIS 4
NIST CSF PR.AA
Close exposed ports and admin services
Databases, caches and admin services (MySQL 3306, Redis 6379, MongoDB 27017, SSH 22) should never be reachable from the public internet.
Why it matters
An exposed database or admin service is a direct path in: brute-forced, exploited through a known bug, or simply running with default or no credentials (Redis and older MongoDB builds accept connections without authentication out of the box). Every open port is attack surface that needs a reason to exist.
How to fix it
Bind internal services to 127.0.0.1 or a private-network interface, put a host or network firewall in front with a default-deny inbound policy, and expose only 80/443 to the internet. Reach admin services through a VPN or an SSH tunnel restricted to known source addresses, not the open internet. Binding alone is not enough if a container runtime or cloud security group republishes the port, so verify from outside with a port scan after the change.
# Bind MySQL to localhost only (my.cnf, [mysqld] section; restart mysqld afterwards)
bind-address = 127.0.0.1
# Firewall: web from anywhere, SSH only from your admin IP
# (203.0.113.10 is an example address; add the SSH rule before
#  enabling ufw or you lock yourself out of the host)
ufw default deny incoming
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow from 203.0.113.10 to any port 22 proto tcp
ufw enable
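The following POSIX shell check is an added example, not part of this guide's original snippet. It audits which TCP listeners are bound to every interface on the internal-only ports above by parsing the output of `ss -Hltn` (listening TCP sockets, numeric, no header). The port list, the example host name and the sample `ss` lines are assumptions constructed for the example; on a real host pipe live `ss` output into the function instead.

```shell
#!/bin/sh
# Added example: find TCP listeners bound to every interface (0.0.0.0, :: or *)
# on ports that should only ever be reachable over loopback, a VPN or an SSH
# tunnel. Input format is that of `ss -Hltn`, whose 4th column is
# "local-address:port".

# Ports treated as internal-only. Assumed list: SSH, MySQL, Redis, MongoDB.
INTERNAL_PORTS="22 3306 6379 27017"

# Reads ss output on stdin, prints "port address" for each offending listener.
exposed_listeners() {
    awk -v ports="$INTERNAL_PORTS" '
    BEGIN {
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) internal[p[i]] = 1
    }
    NF >= 4 {
        la = $4
        # The port is everything after the last colon; IPv6 addresses are
        # bracketed, e.g. [::]:27017, so a plain split on ":" would not work.
        if (!match(la, /:[0-9]+$/)) next
        port = substr(la, RSTART + 1)
        addr = substr(la, 1, RSTART - 1)
        if (substr(addr, 1, 1) == "[") addr = substr(addr, 2, length(addr) - 2)
        if ((port in internal) && (addr == "0.0.0.0" || addr == "::" || addr == "*"))
            print port, addr
    }'
}

# Constructed sample of `ss -Hltn` output (not captured from a real host):
# Redis is correctly on loopback and HTTPS is meant to be public, but SSH
# (IPv4 and IPv6), MySQL and MongoDB are listening on all interfaces.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 [::]:27017 [::]:*
LISTEN 0 128 [::]:22 [::]:*'

# Run against the sample; on a live host use:  ss -Hltn | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

An empty result after changing `bind-address` and restarting the service means nothing internal is listening on a public interface on this host, but the listening address says nothing about NAT, Docker port publishing or cloud security groups, so confirm from outside as well. For admin access, forward the port over SSH rather than opening it: `ssh -L 3306:127.0.0.1:3306 admin@example.com` (example host) and then connect to 127.0.0.1:3306 locally.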
Is your domain affected?
Prove ownership and run a scan for a graded, verifiable report.
Related guides
- Set up SPF, DKIM and DMARC to stop email spoofing
- Add the HTTP security headers every site should send
- Fix TLS: valid certificate and modern protocols only
- Remove exposed .git, .env and backup files
Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.