Misconfigurations

Back to Securing a Machine

Many exposed-service issues come from unsafe settings, not unpatched software. This page focuses on service configuration problems such as unnecessary features, overly broad network exposure, and information disclosure.

Web Servers

Apache

Configuration files:

/etc/apache2/apache2.conf
/etc/httpd/conf/httpd.conf

Common issues:

• Directory listing enabled
• Version information exposed in headers or error pages

Fixes:

Options -Indexes
ServerTokens Prod
ServerSignature Off

Restart Apache:

sudo systemctl restart apache2

Nginx

Configuration file:

/etc/nginx/nginx.conf

Common issues:

• autoindex on;
• server_tokens on;

Fixes:

autoindex off;
server_tokens off;

Restart Nginx:

sudo systemctl restart nginx

IIS

Open IIS Manager:

inetmgr

Common issues:

• Directory browsing enabled
• Server header disclosure

Fixes:

• Open Directory Browsing and click Disable.
• Open HTTP Response Headers and remove or suppress the Server header if supported.

Restart IIS:

iisreset

Web Applications

Common locations:

Linux:

/var/www/
/var/www/html/
/srv/www/

Windows:

C:\inetpub\wwwroot

Common issues:

• Weak file ownership or permissions in the web root
• Suspicious files such as dropped web shells
• Upload directories that allow script execution
• Unused extensions or plugins left installed

Fixes:

sudo chown -R www-data:www-data /var/www
sudo chmod -R 755 /var/www
find /var/www -type f

Investigate files such as:

shell.php
cmd.php
upload.php

Disable execution in upload paths whenever possible and remove unused extensions or plugins.

Databases

MySQL / MariaDB

Configuration file:

/etc/mysql/mysql.conf.d/mysqld.cnf

Common issue:

• bind-address = 0.0.0.0

Fix:

bind-address = 127.0.0.1

Restart MySQL:

sudo systemctl restart mysql

PostgreSQL

Configuration files:

/etc/postgresql/*/main/postgresql.conf
/etc/postgresql/*/main/pg_hba.conf

Common issue:

• listen_addresses = '*'

Fix:

listen_addresses = 'localhost'

Restart PostgreSQL:

sudo systemctl restart postgresql

Containers

Docker

Common issues:

• Unnecessary containers left running
• Unexpected published ports

Checks:

docker ps
docker inspect container_id
docker port container_id

Fixes:

docker stop container_id
docker rm container_id

Remove or reconfigure containers exposing unnecessary services or ports.

Quick Review Checklist

When reviewing configurations, check for:

• services listening on all interfaces when they only need localhost or an internal IP
• directory listing enabled
• verbose banners or version disclosure
• upload paths that allow script execution
• unnecessary modules, plugins, containers, or connectors
• unnecessary exposed ports

If any of these appear, disable or restrict them wherever possible.

Back to Securing a Machine