Severity: High. Compliance references: ISO 27001 A.8.20, CIS Controls CIS 4, NIST CSF PR.AA

Close exposed ports and admin services

Databases, caches and admin panels (3306, 6379, 27017, SSH) should never be reachable from the public internet.

Why it matters

An exposed database or admin service is a direct path in — brute-forced, exploited, or simply left with default credentials. Every open port is attack surface that needs a reason to exist.

How to fix it

Bind internal services to localhost or a private network, put a firewall in front, and expose only 80/443. Reach admin services through a VPN or SSH tunnel, not the open internet.

# Bind MySQL to localhost only (my.cnf, under the [mysqld] section)
[mysqld]
bind-address = 127.0.0.1

# Firewall: deny everything inbound, allow web to all, SSH only from your admin IP
# (replace <YOUR_IP> with that address; allow SSH before enabling so you are not locked out)
ufw default deny incoming
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow from <YOUR_IP> to any port 22 proto tcp
ufw enable
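To verify the fix on a host, the check below (an added example, not part of this guide's own snippets) parses `ss -ltnH` output and reports any of the ports named above that are listening on a wildcard address instead of localhost. The port list and the sample `ss` output are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report listening sockets bound to all interfaces on the
# ports this guide covers. Port list is an assumption; adjust for your host.
SENSITIVE_PORTS="22 3306 6379 27017"

# exposed_ports: reads `ss -ltnH`-style lines on stdin (State Recv-Q Send-Q
# Local:Port Peer:Port) and prints each sensitive port whose local address is
# a wildcard (0.0.0.0, *, [::]). Loopback-bound services are not reported.
exposed_ports() {
    while read -r _state _recvq _sendq laddr _rest; do
        addr=${laddr%:*}      # everything before the last colon
        port=${laddr##*:}     # everything after the last colon
        case "$addr" in
            0.0.0.0|'*'|'[::]'|'::') ;;   # bound to every interface: inspect
            *) continue ;;                # localhost or a specific IP: fine
        esac
        for p in $SENSITIVE_PORTS; do
            if [ "$p" = "$port" ]; then
                echo "$port"
            fi
        done
    done
    return 0
}

# Constructed sample of `ss -ltnH` output: SSH, Redis and MongoDB exposed,
# MySQL correctly on loopback, HTTPS public by design.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 70 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 *:6379 *:*
LISTEN 0 4096 [::]:27017 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'

# check_exposed: runs the check over the constructed sample; expect 22, 6379, 27017.
check_exposed() {
    printf '%s\n' "$SAMPLE" | exposed_ports
}
```

On a live host, run `ss -ltnH | exposed_ports` after applying the bind-address and firewall changes; any port printed is still reachable beyond localhost and needs either a localhost bind or a firewall rule.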


Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.