Security
Posted by: patrickvalmont (---.intelvision.net)
Date: March 14, 2008 07:09AM

Ok, I think I will need this some time soon: I will expose a WAMP server on the net. How do I secure it?
The OS will be Win Server 2003. Can you guys help to secure this... before I get whacked, lol

thanks

And oh, if there's a good security guide on here, please link me to it. Thanks.

Re: Security
Posted by: toivo (203.19.130.---)
Date: March 14, 2008 10:35AM

Hi,

Your first level of defence is a properly configured firewall appliance which limits the access to your network to the ports which are allowed to be accessed by users from the internet. Ideally the firewall supports a DMZ (Demilitarized Zone) interface so that your webserver is in a separate subnet.

Run only the essential services in your webserver. The user under which the Apache server runs can be set up to have access only to the minimum of folders and resources, should the server be broken into. Here is a page explaining how to jail Apache on Windows: [www.modsecurity.org]

Because you are running a webserver, you do not have to apply all the security updates to the operating system, as long as your Apache is reasonably up to date.

However, check the Apache access log and error log regularly to see if there are any anomalies.

The forms your web applications publish may have vulnerabilities unless the developer or the CMS you are running has used safety measures and standard practices to sanitize the data that the public is entering into the forms available on the site. Do a search on 'SQL injection' and 'mail injection' to find out how to prevent both types of attacks.

When you install applications to the webserver, always check the security section of the installation instructions and release notes. Add yourself to the mailing lists of the support forum for the applications to receive early announcements about vulnerabilities and bug fixes.

Do not let the whole world knock on the door of your engine room, meaning the control panel or the Admin interface. Social engineering (see [en.wikipedia.org]) can reveal identities and make it easier to guess passwords used by the administrator. In Apache you can use the .htaccess file to limit the access to particular folders to particular IP addresses. Allow access to the critical admin resources only from workstations or subnets you can trust.

Similar restriction should apply to the MySQL usernames. Create a user for each application and allow it to access that particular database schema from 'localhost'. The administrator username should be limited to a particular host or subnet.

Do not install beta versions of extensions and plugins into your production server. Maintain a separate test environment where bugs can be ironed out.

Regards,

toivo
Sydney, Australia



Edited 1 time(s). Last edit at 03/14/2008 10:38AM by toivo.
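The MySQL part of toivo's advice (one account per application, reachable only from localhost, and an administrator pinned to a trusted subnet) written out as a script. This is an added example, not from the thread; the schema name shopdb, the account names and the 192.168.10.0/24 admin subnet are assumptions.

```sql
-- Added example (not from the thread). Assumes a hypothetical application
-- schema "shopdb" and an office subnet 192.168.10.0/24 for the administrator.

-- 1. One account per application, usable only from the web server itself
--    ('localhost'), so a stolen password is useless from anywhere else.
CREATE USER 'shop_app'@'localhost' IDENTIFIED BY 'CHANGE-ME-long-random';
-- Only what the application needs at runtime: no DROP, no FILE,
-- no access to other schemas or to the mysql.* tables.
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.* TO 'shop_app'@'localhost';

-- 2. Administrator account limited to the trusted subnet instead of '%'.
CREATE USER 'dbadmin'@'192.168.10.%' IDENTIFIED BY 'CHANGE-ME-too';
GRANT ALL PRIVILEGES ON *.* TO 'dbadmin'@'192.168.10.%' WITH GRANT OPTION;

-- 3. Remove what a fresh install leaves behind: anonymous accounts,
--    root reachable from any host, and the sample "test" database.
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1');
DROP DATABASE IF EXISTS test;
FLUSH PRIVILEGES;

-- 4. Check: every account that may connect from anywhere ('%') or holds
--    global privileges should be one you can explain, or be removed.
SELECT User, Host, Super_priv, File_priv, Grant_priv
  FROM mysql.user
 WHERE Host = '%' OR Super_priv = 'Y' OR File_priv = 'Y'
 ORDER BY User, Host;
SHOW GRANTS FOR 'shop_app'@'localhost';
```

Run it as root from the MySQL console on the server; the final SELECT should list only the dbadmin account, and the SHOW GRANTS output should mention nothing beyond the four privileges on shopdb.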

Re: Security
Posted by: patrickvalmont (---.intelvision.net)
Date: March 14, 2008 11:00AM

toivo Wrote:
-------------------------------------------------------
> Hi,
>
> Your first level of defence is a properly
> configured firewall appliance which limits the
> access to your network to the ports which are
> allowed to be accessed by users from the internet.
> Ideally the firewall supports a DMZ
> (Demilitarized Zone) interface so that your
> webserver is in a separate subnet.

I am thinking of using that computer only as a webserver, nothing else, and the guy who will do the hosting, I think his farm is secure; he has all his firewalls and Cisco routers in place. And yeah, thanks for the links, I will check them out.

cheers mate
