What is so insecure about WAMP?
Posted by: BirdOPrey5 (---.sidneyfrankco.com)
Date: April 08, 2007 03:51AM

While I understand it wasn't designed to be a 'production server' it seems like that is just an excuse to say "we told you so" in case anything goes wrong... Understandable since no one involved with this should be in any way liable should a website be hacked/compromised... But what is so inherently un-secure about WAMP as opposed to a regular Apache2 / PHP / MySQL install on Windows? I have 1 server of each (1 I set up manually before finding WAMP, and one I use for local/personal access with WAMP) and I don't see what the difference is, at all... Obviously there is no 'perfect' security but unless someone programmed in a deliberate 'back door' why would WAMP not be at least as secure as a manual install of each PHP/Apache/MySQL?



-Joe D

Re: What is so insecure about WAMP?
Posted by: techno_man (---.20-57-74.mc.videotron.ca)
Date: April 08, 2007 10:52PM

Well the saying goes like this (Do it at your own risk!). I think that's all they're trying to say. See, in the USA you don't want to be liable for any damages, so they're just protecting themselves more than anything else!

Re: What is so insecure about WAMP?
Posted by: CyberSpatium (71.237.217.---)
Date: April 09, 2007 12:10AM

wamp does not come with any real security in place at all. any 10 year old with access to the internet could hack your box. wamp uses the latest versions of apache, php, and mysql. since these are very new versions, they have not been tried and tested for production environments. this causes serious problems since anyone who knows of a possible exploit or bug could take advantage of that and hack your server. for example cpanel still uses apache 1.x, even though apache 1.x is no longer being developed, because it is still more secure than apache 2.x.

also, windows/apache does not offer any kind of file permission settings like chmod for linux/apache, or windows/iis. this means there is no protection in place to hide and protect configuration files like your phpmyadmin's config.ini.php file that contains your mysql server address, mysql user id, and mysql password. with that information a hacker could connect to your mysql server and steal all your customers' user ids, passwords, addresses and credit cards. another example is if you have a forum. a hacker could login to your users table, delete your info, and put their info in. now when you try to login to your forum it won't work because your user id and password have been changed by the hacker.

and if you were stupid enough to use your root user's user id and password in your phpmyadmin's config.ini.php file, then you just granted any hacker root (admin) level access to your mysql server. with that kind of access they can do anything, including deleting your mysql tables.

there are tons more ways to get hacked than just insecure apache, php and mysql configurations. for example, to handle php forms, you need to be an experienced php developer to protect your script from sql injections, and cross site scripting.

spam-bots, dos attacks... the list goes on and on...

after you install wamp, there is no security in place to protect your server. it is up to you to know what you are doing to secure apache, php and mysql.

since wamp is freeware, there are no guarantees of any kind protecting anyone from getting hacked, just like no one can sue apache when an apache server gets hacked.



CyberSpatium
----------------------
WAMP English Forum Admin

Need help? Check out my WAMP User Manual/Guide here!


Please visit my latest website Clarify Loans:
clarifyloans.com

Re: What is so insecure about WAMP?
Posted by: jason101 (---.ss.shawcable.net)
Date: April 10, 2007 03:53AM

Is there anything us "wamp5" users can do to put some security in place?



Post Edited (04-10-07 04:41)

Re: What is so insecure about WAMP?
Posted by: CyberSpatium (71.237.217.---)
Date: April 10, 2007 06:31PM

the best tip I have is not to use wamp as a production server, ever. windows and apache are a terrible combination for security. since windows was not really set up to run apache, there are absolutely no security settings or file permission settings you can use to help protect your server and files on your server. if you need to use windows as your server OS, then use iis for the server, since it was made to work with iis, not apache. windows/iis has great security, where windows/apache has pretty much none. if you want to use apache as your webserver, then find any linux distro and use that, as linux and apache are an excellent combination.

however, even when using windows/iis, or linux/apache there are still many things you need to know to protect your server. my number one tip is to not use your personal computer as a server. if a hacker gets in he could get access to your whole computer.

I suggest you use linux and apache. since they are freeware, you don't have to pay outrageous prices to use them compared to windows and iis (and fatten bill gates' wallet in the process). If you are not an experienced linux administrator, then you should hire a third party to administer your server for you. they can keep your software updated, install patches and security updates, kernel upgrades, and more. some will even install scripts for you.

you can find more information and third party companies that handle administering a server at my favorite forum webhostingtalk.com. this forum is pretty much the technical hangout for webmasters, web hosts, and web security pros.
www.webhostingtalk.com

you can also find info on over 100 different linux distros at one of my favorite linux sites:
www.distrowatch.com

I suggest you install freebsd or centos as your server OS, as they are the most secure linux distros. freebsd is based off of bsd, and centos is based off of redhat linux. they are also all open-source (free)






Post Edited (04-10-07 18:59)

Re: What is so insecure about WAMP?
Posted by: jason101 (---.ss.shawcable.net)
Date: April 10, 2007 08:57PM

Thanks CyberSpatium!

I have a lot of reading to do now, hehe. Gonna try to set up a linux server on one of my boxes, see if I can do it. First I am going to read many pages on those links you sent me. Security issues kind of bug me a bit. I want a secure server, but viewable over the net, hehe.

Jason

Re: What is so insecure about WAMP?
Posted by: CyberSpatium (71.237.217.---)
Date: April 10, 2007 09:19PM

I recommend you use a linux distro as your regular os instead of windows. it is way more secure. you are much safer surfing the internet since almost all trojans and viruses are for windows based os. with the latest versions of kde and gnome, using a linux distro (especially for newbies) has never been easier.

I recommend opensuse. it is a killer distro. it is the only distro where, when I install it, i don't have to do any configurations to get it to recognize and read from my windows partition, as well as read and write files to my usb drive. You can also install apache, php, mysql, perl, ruby, python, etc. and use it as a testing server. there are also tons of opensource web editors, php editors, code editors, etc. opensuse is also the easiest linux distro to install.

the only time i boot windows now is when i need to use adobe photoshop and dreamweaver or to play a game I can only play on windows os.

www.opensuse.org

I just happen to have a book called "Beginning SUSE Linux 2nd Edition" from APress, the best tech book publisher out there

more info:
http://apress.com/book/bookDisplay.html?bID=10132

download here:
http://rapidshare.com/files/25323432/Apress.Beginning.SUSE.Linux.2nd.Edition.Nov.2006.pdf



Re: What is so insecure about WAMP?
Posted by: yfastud (72.236.169.---)
Date: April 10, 2007 09:27PM

He he... he he.... ;-)

*nix is good, no questions asked. I had to use it when I was in school. I HAD TO because my university was using it, but after I got my degree, it seems all the *nix I learned went back to school. he he... he he.... ;-)

If you're the type who likes a challenge like me, and especially when your server is not a real live production server, there are a lot of mods out there for you to try out; for example, mod_ssl for authentication, mod_security for intruders or mysql injection prevention, mod_private for files / folders / member area protection, and so on, and of course the most important is how you set up your server. One thing for sure is a lot of hosting services out there are still using windows+apache and yes they're still secure as a rock. It's just my 2 cents.

Have fun,

[www.jlbn.com] (testing WAMPS on Vista)
[test.jlbn.com] (testing codes on Vista)

Win Vista Business
Apache 2.2.4
MySQL 5.2.3 F-A
PHP 5.2.1
SSL 0.9.8D

phpMyAdmin 2.10.0.2

Re: What is so insecure about WAMP?
Posted by: CyberSpatium (71.237.217.---)
Date: April 10, 2007 10:21PM

there are no hosting companies out there that offer windows/apache hosting. if you have a windows based os there is no reason to use apache as your server when you can use iis which was made for windows. also there is no way they could be "secure as a rock" with windows/apache hosting. if that was the case then every webhost out there would host exclusively with windows/apache over linux/apache because pretty much everyone knows how to use a windows pc, versus not many who know linux.

let me just make this point. this is not to just yfastud, but to everyone reading this post. there is no case anyone could make that windows/apache hosting is in any way a secure hosting solution.

if you want to host with windows/apache that is your own prerogative. just beware especially if you will be storing personal data like social security numbers, credit card numbers, etc in your mysql databases. if you fail to protect your customers' private data, you could be liable for damages incurred by your customers from getting their personal info stolen. you could also be sued by one or all of your customers whose personal data was used for fraudulent uses. I just don't think people understand just how easy it is for someone to hack your server if you do not know what you are doing. you need to learn how to program your scripts to keep out sql injections, cross site scripting, session.cookie hijackers, spam-bots, etc.

about 4-5 years ago i learned my lesson about security the hard way. some wackjob found a config file on my webserver for the program phpAdsNew (config.ini.php). i was using a red hat linux server with apache 1.x. Stupid me, I had used the same user id and password for my database as I used when any site asks for a user id and password. since i did not have the proper chmod file permissions for this file, he was able to access it and read the contents of the file, which contained my user id and password. he was then able to hack in to my godaddy account and transferred all 12 of my domain names to his account. he also logged in to many of the sponsors i used to promote to make some money on my website. he changed all the accounts to send all the money i had made to him, and then he changed the user id and passwords for the accounts so I could not access them to get my money back. he then used a website copying program and copied all the files on my webserver. he then uploaded all my website files to his server, and he set the nameservers for all my domain names to his nameservers. so, now when you typed my domain name in your browser you saw my webpage, but the site was no longer owned by me.

fortunately for me, i did not have any personal data in my database. if i had, my lackadaisical attitude toward security would have cost my precious customers their personal info. I lost 12 domains, 5 websites, and my entire business. you do not know what it feels like to have 5+ years of work taken away in a matter of a few hours. i lost everything and had to start over again.

i then tried to get my domain names back, but when i tried to contact godaddy support they said it looked like a legitimate transaction to them. i then thought about using WIPO to get my domain names back, but it would have cost $50,000-60,000 USD in court costs and lawyer fees to get the domain names back (WIPO charges $1000-3000 USD per domain to have each domain name presented to a judge).

for god's sake don't use windows/apache to host a website. i was running linux/apache and still got hacked.

identity theft is a multi-billion dollar business these days, and hackers are coming up with brighter and more brazen hacking tools every day. it is not an easy job to keep a server secure. and there is no way to secure your server 100% of the time. but you have to do something.

more info about WIPO:
www.wipo.int



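An added example, not part of any post in this thread: a Python audit that walks a web root and flags config files such as config.ini.php that hold a database password yet are readable by every local account, or that connect as the MySQL root user, the two conditions described in the posts above. The file-name patterns, credential regexes and sample tree are assumptions made for illustration, and the mode-bit checks apply to POSIX hosts only (on Windows, NTFS ACLs have to be inspected instead).

```python
import os
import re
import stat
import sys
import tempfile

# Assumed name patterns; config.ini.php is the file name used in the thread.
CONFIG_NAME = re.compile(r"^config.*\.php$|\.ini(\.php)?$", re.I)
# Assumed credential syntaxes: PHP array/variable or ini-style assignments.
USER_RE = re.compile(r"""user(?:name)?['"\]\s]*=>?\s*['"]?([\w.-]+)""", re.I)
PASS_RE = re.compile(r"""pass(?:word|wd)?['"\]\s]*=>?\s*['"]?[^'"\s;]+""", re.I)


def audit_file(path):
    """Return the findings for one config file (POSIX mode bits only)."""
    mode = os.stat(path).st_mode
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    findings = []
    if PASS_RE.search(text) and mode & stat.S_IROTH:
        findings.append("world-readable file contains a password")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if any(u.lower() == "root" for u in USER_RE.findall(text)):
        findings.append("application connects as database root")
    return findings


def audit_tree(webroot):
    """Walk webroot; map each flagged config file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if CONFIG_NAME.search(name):
                full = os.path.join(dirpath, name)
                findings = audit_file(full)
                if findings:
                    report[os.path.relpath(full, webroot)] = findings
    return report


def build_sample(root):
    """Constructed sample tree: one exposed config, one locked-down config."""
    samples = {"ads/config.ini.php": ("root", 0o644),
               "forum/config.inc.php": ("forum_app", 0o600)}
    for rel, (user, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f"<?php\n$cfg['dbuser'] = '{user}';\n"
                     "$cfg['dbpassword'] = 'constructed-secret';\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for rel, findings in sorted(audit_tree(root).items()):
        print(rel, "->", "; ".join(findings))
```

Run without arguments it audits the constructed sample tree; pass a web root path as the first argument to audit a real directory.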
Re: What is so insecure about WAMP?
Posted by: yfastud (---.cable.mindspring.com)
Date: April 11, 2007 02:41AM

Hey cyber, I didn't know that you had experienced that big loss, but read my post again, you can see that I DID mention "especially when your server is not a real live production server"; anyway, no pain no gain, if you don't dare to do it, you never know how difficult it is, and never learn a thing or two.

Have fun,

[www.jlbn.net] (testing WAMPS)
[test.jlbn.net] (testing codes)



Post Edited (04-11-07 14:55)

Re: What is so insecure about WAMP?
Posted by: BirdOPrey5 (207.97.186.---)
Date: April 11, 2007 10:01PM

Thank you for the info... I see that it isn't WAMP itself that is not secure, but the Apache-Windows combo to begin with.



-Joe D

Re: What is so insecure about WAMP?
Posted by: Mars Warrior (---.movares.nl)
Date: April 12, 2007 03:02PM

I don't quite understand the issue here!

I can set file permissions (Read/Write/Execute/List/Modify/Control) for any user and/or group in Windows, so what's the problem with Apache under Windows as compared to Apache under Linux concerning the config files????

Or am I missing something?

Re: What is so insecure about WAMP?
Posted by: CyberSpatium (71.237.217.---)
Date: April 12, 2007 05:20PM

windows/apache does not support user:group privileges like linux/apache does. this means even if a file is readonly in windows/apache, it can be read by anyone. whereas in linux/apache i can set who can access my readonly file.

Re: What is so insecure about WAMP?
Posted by: Mars Warrior (---.dsl.cambrium.nl)
Date: April 16, 2007 09:40PM

I still don't understand. Exactly what you describe "i can set who can access my readonly file" is absolutely no problem in Windows, at least not in Win2K3...

I mean, how on earth could I otherwise prevent UserX from accessing files from UserY or grant write access to an Administrator and read-only or even no-access to a Guest ?

Or is it the combination of Windows and Apache that has problems that I apparently don't understand at all?

I hope you can explain a bit more as we are using WAMP on production servers without any hesitation of the security group ;-)

Re: What is so insecure about WAMP?
Posted by: techno_man (---.20-57-74.mc.videotron.ca)
Date: April 16, 2007 09:44PM

yah i have to agree
if you think of it, from our side
you have to grant certain permissions to the database, so that's why i also had questions as to how someone can hack you if they don't have granted permissions,
then i saw a statement about windows and apache.........but
i read another forum and they said nothing is secure enough today to stop hackers no matter what kind of security you've got, so i don't understand
if a hacker wants it he will get it even if you've got 20 firewalls they will still come in!



Post Edited (04-16-07 21:46)

Re: What is so insecure about WAMP?
Posted by: CyberSpatium (71.237.217.---)
Date: April 16, 2007 09:45PM

if you have windows 2k3, you should use iis as your webserver since it comes with win2k3 and was developed to work with it, not apache. it is the much more secure way to go.

you can install php and mysql for win2k3, so why do you need apache?

Re: What is so insecure about WAMP?
Posted by: techno_man (---.20-57-74.mc.videotron.ca)
Date: April 16, 2007 09:47PM

well i got apache installed on windows 2003 ENTERPRISE
what's wrong with that ??

Re: What is so insecure about WAMP?
Posted by: CyberSpatium (71.237.217.---)
Date: April 16, 2007 09:58PM

techno_man wrote:

> you have to grant certain permissions to the database, so that's
> why i also had questions as to how someone can hack you if they
> don't have granted permissions,

if they hack your mysql root user's account, they don't need permissions since the root account already has root privileges to access all databases. the root user can also access, search, alter, and delete any data in any database.

> nothing is secure enough
> today to stop hackers no matter what kind of security you've got,
> so i don't understand
> if a hacker wants it he will get it even if you've got 20
> firewalls they will still come in!
>

true, there is no such thing as a 100% hacker proof setup. but why would you want to make their job easier by using an insecure web server? basically, you are playing russian roulette with a fully loaded weapon.



Re: What is so insecure about WAMP?
Posted by: CyberSpatium (71.237.217.---)
Date: April 16, 2007 10:00PM

techno_man wrote:

> well i got apache installed on windows 2003 ENTERPRISE
> what's wrong with that ??

read this post and you will see why


Re: What is so insecure about WAMP?
Posted by: techno_man (---.20-57-74.mc.videotron.ca)
Date: April 16, 2007 10:08PM

Yah i hear what you're saying * cyber *

you want to make it harder for them, but if they can't hack into the database---->
they will try to hack through ur ports or msn or yahoo or email provider so that's what I'm trying to say, but i totally understand your point !
