plug security holes for xampp

Problems with the Windows version of XAMPP, questions, comments, and anything related.

plug security holes for xampp

Postby jpanski55 » 27. February 2009 08:29

Hi All, I have spent a considerable amount of time trying to figure out how to get my security settings just right for XAMPP, but I'm not sure I am doing it right. I am begging for help..

I have 5 computers running at home being routed with a linksys router. I have XAMPP for windows running on one of the machines (right out of the box.. thus far no configuration). I have apache and mysql running as services.

This is what I want:
1) I don't want mysql to be accessed remotely. I only want it accessible from the localhost (both from command line as well as the apache server).
2) I only want the machines behind the router to access the webpage. I don't want it visible externally at all..

Can I do this?

I found the LISTEN configuration in httpd.conf and set that to 127.0.0.1, but this makes apache accessible to the localhost.. I still want it accessible to the other 5 machines...

Since I have such tight access restrictions, can I ignore putting passwords for mysql (if I trust everything behind the router?) If not, what other passwords do I need other than one on mysql?

Thanks in advance! :)
jpanski55
 
Posts: 5
Joined: 27. February 2009 08:08

Re: plug security holes for xampp

Postby Izzy » 27. February 2009 09:04

Change Listen 127.0.0.1 to Listen *:80 which is a wild card that will listen on all IPs on port 80, then all your computers will be able to access the web page - to prevent unauthorized access create user pass and only distribute to the other 5 computers.

You also may be able to use Listen 192.170.2.1:80 or what ever your server's IP is on the LAN.

Here is the official docs for the Listen Directive and worth a read:
http://httpd.apache.org/docs/2.2/mod/mp ... tml#listen

http://localhost and http://127.0.0.1 are the local loopback address on a single computer and can't be accessed form another computer on your LAN, they would have to use http://192.170.2.1 or what ever the IP is to access the web pages.

Then go to the xampp\readme_en.txt file and find this section:
A matter of security (A MUST READ!)
to create your root user password for MySQL and phpMyAdmin which share the same credentials.

You can also create a user/pass for the XAMPP pages.

See if all that meets your needs.
Last edited by Izzy on 12. March 2009 10:11, edited 1 time in total.
Izzy
 
Posts: 3344
Joined: 25. April 2006 17:06

Re: plug security holes for xampp

Postby jpanski55 » 27. February 2009 09:20

creating user/password authentication is waay beyond my web programming skills.. The website I have running right now is just a bunch of files located in the htdocs folder and I would have no idea how to only make those accessible after logging in.. sounds tough.. I was hopeing for a solution just by using configuration. Is it possible?
jpanski55
 
Posts: 5
Joined: 27. February 2009 08:08

Re: plug security holes for xampp

Postby Izzy » 27. February 2009 09:31

So you will be replacing the index.php and the index.html files that belong to XAMPP with your own files, is that correct?

To access the XAMPP Welcome Page you would then have to use http://localhost/xampp/ is that correct?

I gave you an or to the user/pass alternative:
You also may be able to use Listen 192.170.2.1:80 or what ever your server's IP is on the LAN.
Apache would only listen on that IP and nothing else would be listened to, would that not be what you want as it is a configuration?
Last edited by Izzy on 12. March 2009 10:14, edited 1 time in total.
Izzy
 
Posts: 3344
Joined: 25. April 2006 17:06

Re: plug security holes for xampp

Postby jpanski55 » 27. February 2009 09:52

I have a folder in the htdocs folder called mysite where I have an index.html. So, I browse to, http://localhost/mysite/ and the index.html page is served up. Ya, I realized you had the "or", I will give that a try. If it works, that's exactly what I want. THANKS!! :) Just a little confused on the IP you listed.. 192.170.2.1.. what IP is that? Do you mean I should list all the IPs for the 5 machines in my network? For example:

LISTEN 192.168.1.2
LISTEN 192.168.1.3
LISTEN 192.168.1.4
LISTEN 192.168.1.5
LISTEN 192.168.1.6

Or just put the IP of the machine that is running the server? I'm not sure what it means to only list the server's IP?.. sorry for being soo dense, this is pretty new to me.
jpanski55
 
Posts: 5
Joined: 27. February 2009 08:08

Re: plug security holes for xampp

Postby Izzy » 27. February 2009 09:59

192.170.2.1.. what IP is that?
An example.
Or just put the IP of the machine that is running the server?
Yes, and don't forget to add the port number :80 as I did in the example.

After editing the httpd.conf file save the file and then restart Apache.
Last edited by Izzy on 12. March 2009 10:16, edited 1 time in total.
Izzy
 
Posts: 3344
Joined: 25. April 2006 17:06

Re: plug security holes for xampp

Postby Wiedmann » 27. February 2009 12:41

Or just put the IP of the machine that is running the server?

In this case you can use the default "Listen 80". It makes no real difference (if you have only one network interface, and you are not using 127.0.0.1).

2) I only want the machines behind the router to access the webpage.

So the default "Listen 80" is correct for you.

I don't want it visible externally at all..

Don't forward port 80 in your router to the server.

1) I don't want mysql to be accessed remotely. I only want it accessible from the localhost (both from command line as well as the apache server).

You can use "bind-address = 127.0.0.1" in "my.cnf". (\xampp\mysql\bin)
Wiedmann
AF Moderator
 
Posts: 17106
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Re: plug security holes for xampp

Postby jpanski55 » 28. February 2009 00:06

So, I am beginning to think that the Listen directive is just a joke that apache is trying to play on us... I have set up port forwarding on my router to route requests on port 80 to go to the machine with the web server.. When I set the Listen directive to 80, *:80, 192.168.1.122:80 (which is the IP of the web server), I am able to serve requests from the localhost, from the machines on my LAN, and ALSO a machine outside the LAN. :( (I do restart apache everytime i change the directive) So far, the only way I have been able to make it where only machines IN the LAN can access my webserver is to set port forwarding on the router to route to some random IP (not the webserver's IP) to prevent external machines from accessing my web server...

Any more suggestions would be greatly appreciated.. (Thanks Izzy and Wiedmann for the suggestions thus far :)
jpanski55
 
Posts: 5
Joined: 27. February 2009 08:08

Re: plug security holes for xampp

Postby Wiedmann » 28. February 2009 00:24

I am beginning to think that the Listen directive is just a joke that apache is trying to play on us...

No, "Listen" is exactly doing what it should. (but that's not what you think what it's doing ;-) )

What you think "Listen" is doing, is the job from "Allow/Deny".


I am able to serve requests from the localhost, from the machines on my LAN, and ALSO a machine outside the LAN.

"Listen" is: at which server ip (or network interface) a request can come in. E.g. you have 2 ip's for your sever: 192.168.1.1 and 192.168.2.1:
- With "Listen 192.168.1.1:80" you can access the server only with "http://192.168.1.1", but not with "http://192.168.2.1/"
- With "Listen 192.168.2.1:80" you can access the server only with "http://192.168.2.1", but not with "http://192.168.1.1/"
- With "Listen 80" you can access the server with "http://192.168.1.1" and with "http://192.168.2.1/"
(The source ip is not from interest for "Listen". Only the target ip)

So far, the only way I have been able to make it where only machines IN the LAN can access my webserver is to set port forwarding on the router to route to some random IP (not the webserver's IP) to prevent external machines from accessing my web server...

If you want prevent external machines from accessing your web server, don't make a port-forwarding. Only if you have a port-forwarding, external machines can access your local web server.
--> So, why did you have a port-forwarding, if you don't want external access?
Wiedmann
AF Moderator
 
Posts: 17106
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Re: plug security holes for xampp

Postby jpanski55 » 28. February 2009 01:48

ohhhh.. Listen is for the web server to listen on a port/ip combination.. not to accept requests from a machine of that combination.. now that makes sense.. :)

I set up port forwarding just so I can test my configuration.. If the router forwards to my webserver, and my webserver denys the request, then I know I am in business..

Looks like you hit it right on the nose, Wiedmann.. Thanks soo much for the help.. I now can access the site from my LAN and get "Access Forbidden" when accessed outside my LAN. Here is my httpd.conf Directory setup.. the only weird thing is the order of "deny,allow".. I thought the first rule that matches will be the rule applied.. but whatever, im not complaining :)

<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>

<Directory "C:/xampp/htdocs">

Options Indexes FollowSymLinks Includes ExecCGI

AllowOverride All

Order deny,allow
Allow from 192.168
Deny from all

</Directory>
jpanski55
 
Posts: 5
Joined: 27. February 2009 08:08

Re: plug security holes for xampp

Postby Wiedmann » 28. February 2009 01:54

the only weird thing is the order of "deny,allow"..

The table form the Apache manual does not help?
http://httpd.apache.org/docs/2.2/mod/mo ... html#order
Wiedmann
AF Moderator
 
Posts: 17106
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 54 guests