Offensive360
Intermediate · 20 min

Server Misconfiguration

Cover common web server misconfigurations including default pages, unnecessary services, and permissive file permissions.

1 Default Pages, Unnecessary Services, and File Permissions

Server misconfiguration is consistently one of the most common findings in security assessments. Many issues stem from not removing default configurations after installation.

Default pages:

GET /  → "Welcome to Apache HTTP Server!" (still using default page)
GET /server-status  → Apache server status page exposed (shows all connections, load, version)
GET /phpinfo.php  → PHP configuration dump (shows all settings, extensions, paths)

Unnecessary services:

  • FTP on port 21 (use SFTP instead)
  • Telnet on port 23 (use SSH)
  • SMTP open relay on port 25
  • Database ports (3306, 5432, 27017) exposed to the internet
  • Redis on default port 6379 without auth (publicly writable!)

File permission issues:

-rw-rw-rw- 1 www-data www-data 4096 /var/www/html/config.php
# World-writable — any user on the system can modify config!

chown root:www-data /var/www/html/config.php  # Root owns it; the web server only needs group read
chmod 640 /var/www/html/config.php            # Owner read/write, group read only, others no access

2 Hardening Checklist and CIS Benchmarks

Server hardening follows a systematic process of removing unnecessary components and applying least-privilege principles.

Essential hardening steps:

# Run as root (or prefix each command with sudo)

# Remove default content
rm -f /var/www/html/index.html  # Apache default page
a2dismod status                 # Disable server-status module (Apache, Debian/Ubuntu)
systemctl reload apache2        # Apply the module change

# Disable unnecessary services (unit names vary by distro)
systemctl disable --now telnet
systemctl disable --now vsftpd  # FTP

# Firewall: allow the required ports before enabling so SSH is not locked out
ufw default deny incoming
ufw allow 22/tcp   # SSH
ufw allow 80/tcp   # HTTP
ufw allow 443/tcp  # HTTPS
ufw enable

# File permissions: the web server reads via its group, only root can write
find /var/www -type f -exec chmod 640 {} \;
find /var/www -type d -exec chmod 750 {} \;
chown -R root:www-data /var/www/
# Grant group write (chmod g+w) only on directories the application must write to, e.g. uploads

CIS Benchmarks: The Center for Internet Security provides free hardening benchmarks for every major OS, web server, and database. Use them as your baseline.

Defense checklist:

  • Remove or replace all default pages with custom content
  • Disable management endpoints (server-status, phpinfo)
  • Close all ports not required for the application
  • Apply least-privilege file permissions (640 for files, 750 for dirs)
  • Run regular vulnerability scans and CIS benchmark checks
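An audit script for the section 1 findings and the 640/750 baseline from the checklist, added here as an example and not part of Offensive360's material. It builds a constructed sample web root so it runs offline; point the three functions at a real web root to use it, and note that the default-page title patterns are an assumption.

```shell
#!/bin/sh
# Audit a web root for the misconfigurations covered above: world-writable
# entries, drift from the 640/750 baseline, and leftover default content.
# Added example, not Offensive360's code; the sample tree below is constructed.

# Number of entries under $1 that any local user can write to (the
# config.php case in section 1). Symlinks are skipped: their mode is meaningless.
count_world_writable() {
    find "$1" ! -type l -perm -002 | wc -l | tr -d ' '
}

# Number of regular files not set to 640 plus directories not set to 750.
count_permission_drift() {
    files=$(find "$1" -type f ! -perm 640 | wc -l | tr -d ' ')
    dirs=$(find "$1" -type d ! -perm 750 | wc -l | tr -d ' ')
    echo $((files + dirs))
}

# Number of default-content findings: a stock index page (matched by title
# text common vendor pages use; an assumption) plus any phpinfo() dump.
count_default_content() {
    n=0
    if [ -f "$1/index.html" ] && \
       grep -qiE 'default page|it works|welcome to' "$1/index.html"; then
        n=$((n + 1))
    fi
    dumps=$(find "$1" -type f -name '*.php' -exec grep -l 'phpinfo(' {} \; | wc -l | tr -d ' ')
    echo $((n + dumps))
}

# Build a constructed sample web root containing each misconfiguration so the
# audit runs offline. Prints the path; the caller removes it when done.
make_demo_root() {
    d=$(mktemp -d)
    mkdir "$d/uploads"
    printf '<title>Apache2 Debian Default Page</title>\n' > "$d/index.html"
    printf '<?php phpinfo(); ?>\n' > "$d/phpinfo.php"
    printf '<?php $db_pass = "constructed-secret";\n' > "$d/config.php"
    chmod 750 "$d" && chmod 640 "$d/index.html" "$d/phpinfo.php"
    chmod 666 "$d/config.php"   # the world-writable config from section 1
    chmod 777 "$d/uploads"      # world-writable directory
    echo "$d"
}

root=$(make_demo_root)
echo "world-writable entries: $(count_world_writable "$root")"   # 2
echo "640/750 drift:          $(count_permission_drift "$root")" # 2
echo "default content:        $(count_default_content "$root")"  # 2
rm -rf "$root"
```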

Knowledge Check

Q1

What does a publicly accessible phpinfo() page reveal?

Q2

What is the principle of least privilege applied to file permissions?

Q3

Why should database ports (3306, 5432) never be exposed to the public internet?

Code Exercise

Restrict Server Status Endpoint

The Nginx config exposes the server status page to all visitors. Restrict it to only be accessible from localhost (127.0.0.1).
