{"id":6258,"date":"2025-10-29T10:36:42","date_gmt":"2025-10-29T10:36:42","guid":{"rendered":"https:\/\/www.hostinger.com\/support\/?p=6258"},"modified":"2026-03-05T16:42:49","modified_gmt":"2026-03-05T16:42:49","slug":"securing-publicly-accessible-services-on-your-vps","status":"publish","type":"post","link":"https:\/\/www.hostinger.com\/support\/securing-publicly-accessible-services-on-your-vps\/","title":{"rendered":"Securing Publicly Accessible Services on Your VPS"},"content":{"rendered":"

Overview<\/h3>

This guide covers how to secure services and fix common vulnerabilities detected on your VPS. Services like MySQL, PostgreSQL, Redis, and web servers may be configured to accept connections from any IP address, creating security risks.<\/p>

Database Vulnerabilities<\/h2>

MySQL<\/h3>

Issue:<\/strong> MySQL is accepting connections from all IP addresses (0.0.0.0)<\/p>

Solution:<\/strong><\/p>

1. Open the MySQL configuration file:<\/p>

sudo nano \/etc\/mysql\/mysql.conf.d\/mysqld.cnf<\/code><\/pre>
2. Update the bind address:<\/p>
bind-address = 127.0.0.1<\/code><\/pre>
3. Restart the service:<\/p>
sudo systemctl restart mysql<\/code><\/pre>
PostgreSQL<\/h3>
Issue:<\/strong> PostgreSQL is listening on all network interfaces<\/p>
Solution:<\/strong><\/p>
1. Edit the PostgreSQL configuration:<\/p>
sudo nano \/etc\/postgresql\/*\/main\/postgresql.conf<\/code><\/pre>
2. Update the listen addresses:<\/p>
listen_addresses = 'localhost'<\/code><\/pre>
3. Restart the service:<\/p>
sudo systemctl restart postgresql<\/code><\/pre>
MongoDB<\/h3>
Issue:<\/strong> MongoDB is publicly accessible<\/p>
Solution:<\/strong><\/p>
1. Edit the MongoDB configuration:<\/p>
sudo nano \/etc\/mongod.conf<\/code><\/pre>
2. Update the network binding:<\/p>
net:\r\n  bindIp: 127.0.0.1<\/code><\/pre>
3. Restart the service:<\/p>
sudo systemctl restart mongod<\/code><\/pre>
Redis<\/h3>
Issue:<\/strong> Redis is bound to all interfaces<\/p>
Solution:<\/strong><\/p>
1. Open the Redis configuration:<\/p>
sudo nano \/etc\/redis\/redis.conf<\/code><\/pre>
2. Update the bind address:<\/p>
bind 127.0.0.1<\/code><\/pre>
3. Ensure protected mode is enabled:<\/p>
protected-mode yes<\/code><\/pre>
4. Restart the service:<\/p>
sudo systemctl restart redis<\/code><\/pre>
Search and Caching Services<\/h2>
Elasticsearch<\/h3>
Issue:<\/strong> Elasticsearch is accepting external connections<\/p>
Solution:<\/strong><\/p>
1. Edit the Elasticsearch configuration:<\/p>
sudo nano \/etc\/elasticsearch\/elasticsearch.yml<\/code><\/pre>
2. Set the network host:<\/p>
network.host: 127.0.0.1<\/code><\/pre>
3. Restart the service:<\/p>
sudo systemctl restart elasticsearch<\/code><\/pre>
Memcached<\/h3>
Issue:<\/strong> Memcached is listening on all interfaces<\/p>
Solution:<\/strong><\/p>
1. Edit the Memcached configuration:<\/p>
sudo nano \/etc\/memcached.conf<\/code><\/pre>
2. Update the listen address:<\/p>
-l 127.0.0.1<\/code><\/pre>
3. Restart the service:<\/p>
sudo systemctl restart memcached<\/code><\/pre>
Web Server Vulnerabilities<\/h2>
HTTP Server Information Disclosure<\/h3>
Issue:<\/strong> Web server is exposing version information and sensitive details<\/p>
Apache<\/h4>
1. Edit the security configuration:<\/p>
sudo nano \/etc\/apache2\/conf-available\/security.conf<\/code><\/pre>
2. Add or update:<\/p>
ServerTokens Prod\r\nServerSignature Off<\/code><\/pre>
3. Disable directory listing:<\/p>
<Directory \/var\/www\/>\r\n    Options -Indexes\r\n<\/Directory><\/code><\/pre>
4. Restart Apache:<\/p>
sudo systemctl restart apache2<\/code><\/pre>
Nginx<\/h4>
1. Edit the Nginx configuration:<\/p>
sudo nano \/etc\/nginx\/nginx.conf<\/code><\/pre>
2. Add inside the http block:<\/p>
server_tokens off;<\/code><\/pre>
3. Restart Nginx:<\/p>
sudo systemctl restart nginx<\/code><\/pre>
<h2″>SSL\/TLS Vulnerabilities<\/p>
POODLE Vulnerability (SSLv3)<\/h3>
Issue:<\/strong> Server allows vulnerable SSLv3 protocol<\/p>
Apache<\/h4>
1. Edit SSL configuration:<\/p>
sudo nano \/etc\/apache2\/mods-available\/ssl.conf<\/code><\/pre>
2. Update SSL protocols:<\/p>
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1<\/code><\/pre>
3. Restart Apache:<\/p>
sudo systemctl restart apache2<\/code><\/pre>
Nginx<\/h4>
1. Edit site configuration:<\/p>
sudo nano \/etc\/nginx\/sites-available\/default<\/code><\/pre>
2. Add or update in server block:<\/p>
ssl_protocols TLSv1.2 TLSv1.3;<\/code><\/pre>
3. Restart Nginx:<\/p>
sudo systemctl restart nginx<\/code><\/pre>
FREAK Vulnerability (Weak Ciphers)<\/h3>
Issue:<\/strong> Server allows weak export-grade cipher suites<\/p>
Apache<\/h4>
1. Edit SSL configuration:<\/p>
sudo nano \/etc\/apache2\/mods-available\/ssl.conf<\/code><\/pre>
2. Update cipher suite:<\/p>
SSLCipherSuite HIGH:!aNULL:!MD5:!EXP:!LOW:!MEDIUM<\/code><\/pre>
3. Restart Apache:<\/p>
sudo systemctl restart apache2<\/code><\/pre>
Nginx<\/h4>
1. Edit site configuration:<\/p>
sudo nano \/etc\/nginx\/sites-available\/default<\/code><\/pre>
2. Add or update:<\/p>
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';\r\nssl_prefer_server_ciphers on;<\/code><\/pre>
3. Restart Nginx:<\/p>
sudo systemctl restart nginx<\/code><\/pre>
Authentication and Secrets<\/h2>
Bad Secrets \/ Weak Credentials<\/h3>
Issue:<\/strong> Default credentials, weak passwords, or exposed secrets detected<\/p>
Database Credentials<\/h4>
Change MySQL user password:<\/p>
mysql -u root -p<\/code><\/pre>
ALTER USER 'username'@'localhost' IDENTIFIED BY 'NewStrongPassword123!';\r\nFLUSH PRIVILEGES;<\/code><\/pre>
Environment Files<\/h4>
1. Find exposed .env files:<\/p>
sudo find \/var\/www -name \".env\" -type f<\/code><\/pre>
2. Secure permissions:<\/p>
sudo chmod 600 \/var\/www\/your-site\/.env<\/code><\/pre>
Best Practices<\/h4>