Exposed services are often compromised through weak logins, default accounts, guest access, or overly broad administrative permissions. This page focuses on who can authenticate and what they can reach or change after authenticating.
SSH
Configuration file:
/etc/ssh/sshd_config
Common issues:
- Root login enabled
- Password authentication enabled when keys would be safer
- Empty passwords permitted
- Too many login attempts allowed
- No restriction on which users may log in
Fixes:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
AllowUsers adminuser
If password authentication must remain enabled, add brute-force protection such as fail2ban:
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Restart SSH:
sudo systemctl restart ssh
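A check of an sshd_config against the values in the Fixes list above, written as an added example (not part of the original page). It assumes a single file with no Include directives, reads only the global section before the first Match block, and runs on a constructed sample; the function names are illustrative.

```python
import re

# Values from the Fixes list above; sshd keywords are case-insensitive.
REQUIRED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "pubkeyauthentication": "yes", "permitemptypasswords": "no"}
CEILINGS = {"maxauthtries": 3, "logingracetime": 30}
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

# Constructed sample, not taken from a real host.
SAMPLE = """\
PermitRootLogin no
permitrootlogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries=6
LoginGraceTime 2m
Match User backup
    AllowUsers backup
"""

def global_settings(text):
    """Global keywords as sshd sees them: the first value read for each one wins."""
    seen = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                    # blank line or comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":           # settings below apply conditionally, not globally
            break
        seen.setdefault(key, value)  # later duplicates are ignored
    return seen

def audit(text):
    """Return findings; an empty list means every check passed."""
    cfg, findings = global_settings(text), []
    for key in list(REQUIRED) + list(CEILINGS):
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set, built-in default applies")
        elif key in REQUIRED and got.lower() != REQUIRED[key]:
            findings.append(f"{key}: '{got}', expected '{REQUIRED[key]}'")
        elif key in CEILINGS and not got.isdigit():
            findings.append(f"{key}: '{got}' is not a plain integer, review by hand")
        elif key in CEILINGS and (int(got) > CEILINGS[key] or got == "0" and key == "logingracetime"):
            findings.append(f"{key}: {got}, expected 1..{CEILINGS[key]}")  # LoginGraceTime 0 = no limit
    if "allowusers" not in cfg:
        findings.append("allowusers: no restriction on which users may log in")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The second PermitRootLogin line in the sample is ignored because the first value wins, and the AllowUsers line inside the Match block does not count as a global restriction. On a live host, sudo sshd -T prints the effective configuration, including any Include files.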
Databases
MySQL / MariaDB
Default or anonymous database accounts are a common foothold.
Run:
sudo mysql_secure_installation
This removes anonymous users, disables remote root login, removes the test database, and tightens authentication defaults.
Microsoft SQL Server
If the database only serves a local application, remote connections may be unnecessarily broad.
Fix in SQL Server Management Studio:
- Connect to the server.
- Right-click the server and open Properties.
- Select Connections.
- Disable Allow remote connections if it is not required.
Restart the SQL Server service after changes.
File Sharing Services
Samba
Configuration file:
/etc/samba/smb.conf
Common issues:
- guest ok = yes
- read only = no on shares that do not need write access
Fixes:
guest ok = no
read only = yes
Restart Samba:
sudo systemctl restart smbd
NFS
Configuration file:
/etc/exports
Common issue:
- Shares exported to too many hosts or with unsafe privilege handling
Fix:
/shared 192.168.1.10(rw,sync,root_squash)
Restart NFS:
sudo systemctl restart nfs-server
Windows SMB
Check shares:
Get-SmbShare
Fixes:
- Remove unnecessary shares.
- Open secpol.msc.
- Navigate to Local Policies -> Security Options.
- Disable Accounts: Guest account status.
- Restrict share access using NTFS permissions.
Mail Systems
Postfix
Configuration file:
/etc/postfix/main.cf
Common issue:
- Open relay behavior
Fix:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
Restart Postfix:
sudo systemctl restart postfix
Microsoft Exchange
Common issues:
- Overly broad administrative access
- Unused connectors left enabled
- Excessive mailbox permissions
Fixes:
- Restrict admin panel access.
- Disable unused connectors.
- Review mailbox permissions.
Quick Review Checklist
When reviewing authentication and access control, check for:
- root or administrator logins allowed directly
- default, anonymous, or guest accounts still enabled
- public or overly broad write access
- unnecessary remote administration or database access
- no limits on login attempts
- no restriction on which users can access the service