How do I make XAMPP secure?

Problems with the Windows version of XAMPP, questions, comments, and anything related.

How do I make XAMPP secure?

Postby mkormendy » 04. February 2004 18:20

:shock: I noticed on the page: http://www.apachefriends.org/xampp-en.html
Under The Philosophy paragraph, that the default configuration is not good from a security standpoint - production environment or otherwise.

:? It also says something else confusing:
Since LAMPP 0.9.5 you can make your XAMPP installation secure by calling »/opt/lampp/lampp security«.

:?: What does calling »/opt/lampp/lampp security« mean?
:?: How is this available to XAMPP?
:?: How do I descriptly implement this?

Thanks in advance,
// Mike
User avatar
mkormendy
 
Posts: 12
Joined: 29. January 2004 05:49

Postby VreebieZ » 12. February 2004 17:24

Ugh.. this topic has been sitting here unreplied for a while. I too would like to know what are the necessary steps to make it secure.

I know one would be to give your phpmyadmin a password.
Another tips fellas? Your additions counts!
VreebieZ
 
Posts: 3
Joined: 12. February 2004 17:12

Re: How do I make XAMPP secure?

Postby MinJun » 12. February 2004 17:58

mkormendy wrote: [...]
:?: What does calling »/opt/lampp/lampp security« mean?


This feature can be used using Xampp for Linux. "/opt/lampp/" is the path were Xampp for Linux is installed to and "lampp security" ist the start command for a script (similar to a batch file) which can be used to give xampp, proftp, mysql new passwords and to make mysql unaccessible through the network.
How to the same thing in windows, sorry i don't now. But maybe there is something written down in the faq?!
Pampa: Grast du noch oder ziehst du um?!?
User avatar
MinJun
 
Posts: 29
Joined: 08. December 2003 08:06
Location: grazing in the pampa ;-)

yep

Postby MAGnUm » 19. February 2004 15:43

.htaccess in yor phpmyadmin dir, takes care of that then go into php my admin and look for users and make all the users '@localhost' then create passwords for the users in mysql. as far a the ftp, i dont use the bundled ftp server so ? also if you are on high speed internet please have a router btw you and your modem. and for dial up use something like blackice or alike for a soft firewall.
~~:M A G n U m:~~
(Disclaimer: if any of this info is confusing or vague tough, its free!!)
User avatar
MAGnUm
 
Posts: 151
Joined: 16. October 2003 18:08
Location: USA

ftp unsecure >moveto> https & .htaccess

Postby mkormendy » 19. February 2004 16:09

For circumstances that deal with users that have high bandwidth mostly, I would set up https with .htaccess on my server to be the most secure.

One good reason for this is due to the fact that ftp is insecure. The passwords and usernames are transferred unencrypted, and thus someone can spy on the tranferred data stream and later gain access to your server.

https involves encrypting information streams before it is sent across the internet, and thus spying for usernames and password becomes extremely time consuming and difficult to decrypt if they don't have the exact modulation key (128bit is quite secure - banks use this in north america).

Another reason: you can use your browser to surf the site instead of a seperate ftp application.

One more reason: high bandwidth users can afford to have http transfer protocol information added to their data streams; since they are transferring at high speed, the amount of extra http(s) protocol data is negligable to ftp in this case in regards to download times

(I would personally even use it in low bandwidth cases too, I don't mind waiting a bit longer, just so long as I am secure in my data transfers :D )
User avatar
mkormendy
 
Posts: 12
Joined: 29. January 2004 05:49

I too want to secure my xampp install

Postby warrensomebody » 08. August 2004 04:41

I would like to secure my xampp installation, but keep the out-of-the-box functionality available for administration purposes (localhost/xampp, localhost/phpmyadmin, etc).

I'd like to know:

1. exactly what parts of the web site need securing?
2. what's the best way to secure them (password protect, change to a different port number, delete, etc)?

I guess I like being able to run phpmyadmin or xampp's web tools on my machine, but I don't want my users to be able to do that.

Thanks!

Warren
warrensomebody
 
Posts: 3
Joined: 08. August 2004 03:44

Securing XAMPP

Postby mkormendy » 08. August 2004 18:26

Hey,
Since my last post I've recently figured out how to secure XAMPP.

I've found out that certain administrative functions for applications (i.e. phpmyadmin, mysql, etc.) are left open to the public to access and make modifications with, and are most-likely turned "on".

Now, Apache Friends have set all of this up so that it is easy to start using all of the features included in this setup.

These are security holes though!

Considering that other people can download the same XAMPP package, one would know the locations of this specific setup, and in all likelyhood, it is quite possible to use that information to access someone else's setup over the internet.

This is bad, especially if they haven't locked-down those administrative portions of the server's included applications.

To fix these security holes you can either:
-remove those applications and their administrative portions altogether
-turn them off in the XAMMP package configuration files
-block access to the administrative portions using .htaccess and/or SSL
(username, password and/or encrypted connections)

I chose the later point, since I still want those functionalities to run, but I don't want anyone else but myself to access it.
I didn't use SSL though, as I do not have any sort of important information on my server for anyone to hack into.

So basically I have just simply set up .htaccess on those directories that contain any sort of access to the administrative portions of those applications.

That's it - all of the basic security holes patched.
User avatar
mkormendy
 
Posts: 12
Joined: 29. January 2004 05:49

Postby warrensomebody » 08. August 2004 18:38

mkormendy,

Thanks for your reply. I know that these admin functions are the security holes, but I'm looking for a good recipe to plug them for must users, while letting the webmaster (me) get at them.

I think requiring an SSL login to access them would be ideal, but I'm not sure how to set that up. I think I know how to protect them with .htaccess passwords, but I'm not sure if that's really secure, or recommended.

I'm new to all this -- thanks for any advice you can provide,

Warren
warrensomebody
 
Posts: 3
Joined: 08. August 2004 03:44

Securing XAMPP MORE

Postby mkormendy » 08. August 2004 18:57

I'm not sure since the version I have which portions of XAMPP are open, please look in your configuration files to see what is open and what isn't.

I'd learn how to configure apache by editing the config files, that's the basic place that lists what is open.
User avatar
mkormendy
 
Posts: 12
Joined: 29. January 2004 05:49

Securing Xampp admin files

Postby fusibal » 25. September 2004 22:47

HOW TO SECURE XAMPP ADMINISTRATION?
Ok, folks here it goes. Step by step instruction. Words in all caps (i.e. CAPITAL LETTERS) are instructions or things you should pay special attention to.

------------------------------------------------
1. MAKE A PASSWORD FILE FOR USERS
-----------------------------------------------
GO TO YOUR XAMPP/APACHE/BIN DIRECTORY AND LOOK FOR A ROGRAM CALLED htpasswd.exe, THIS IS THE LITTLE EXECUTABLE WHICH MAKES USER/PASSWORD COMBINATIONS AND STORES THEM ENCRYPTED IN YOUR DESIGNATED FILE. YOU MUST USE IT IN COMMAND CONSOLE (start>run> command), THEN CHANGE DIRECTORY TO WHERE YOU HAVE XAMPP/APACHE/BIN. IN MY COMPUTER I TYPE:
cd c:\xampp\apache\bin

YOU CAN TYPE "htpasswd.exe /?" TO LEARN MORE ABOUT htpasswd.exe OPTIONS. IMPORTANT: THE "-c" OPTION CREATES THE PASSWORD FILE. USE IT ONLY ONCE FOR YOUR FIRST USER. EXAMPLE:
htpasswd.exe -c C:\xampp\apache\bin\passwords USERNAME

TO ADD USERS TO THE FILE, DON'T USE THE "-c" OPTION. EXAMPLE:
htpasswd.exe C:\xampp\apache\bin\passwords USERNAME

CHANGE "USERNAME" TO WHATEVER NAME YOU WANT AS YOUR XAMPP ADMINISTRATOR. THE CONSOLE WILL ASK FOR PASSWORD (CHANGE "MYPASSWORD" TO WHATEVER YOU WANT).
New password: MYPASSWORD
Re-type new password: MYPASSWORD
Adding password for user username

FOR REFERENCE, SEE http://httpd.apache.org/docs-2.0/howto/auth.html

------------------------------------------------------------------
2. ADD NAME BASED VHOSTS IN xampp/apache/conf/httpd.conf
------------------------------------------------------------------
# To secure xampp admin files located at xampp/htdocs,
# add these directives to bottom of your httpd.conf file located
# at \xampp\apache\config
### Note: in apache config files, lines starting with "#" are ignored
### used as comments. "#" must be the first character of the line.

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
# Change the DocumentRoot path to your own path to htdocs
DocumentRoot "C:/xampp/htdocs"
# Change the ServerName to your own domain, or the name
# you use to reach your xampp installation from the internet
ServerName YOUR.DOMAIIN.COM
RedirectMatch /* "https://YOUR.DOMAIN.COM"
</VirtualHost>

<VitrualHost *:443>
# Change the DocumentRoot path to your own path to htdocs:
DocumentRoot "C:/xampp/htdocs"
# YOUR.DOMAIN.COM must be the same as what you put above VirtualHost at port 80:
ServerName YOUR.DOMAIIN.COM
# If you want to track your logs on who has accessed your xampp,
# change the bleow filenames for the logs to whatever you want. and
# uncomment (i.e. delete "#") for ErrorLog and TransferLog
# ErrorLog logs/YOURDOMAIN_ADMIN_sslerror.log
# TransferLog logs/YOURDOMAIN_ADMIN_sslaccess.log:
SSLEngine on
# Server Certificate, change path to the correct one on your machine:
SSLCertificateFile "C:/xampp/apache/conf/ssl.crt/server.crt"
# Server Private Keym, change path to the correct one on your machine:
SSLCertificateKeyFile "C:/xampp/apache/conf/ssl.key/server.key"
# HERE IS THE PASSWORD PROTECTION PART.
# Change path to your own htdocs folder:
<Directory "C:/xampp/htdocs">
AuthType Basic
AuthName "Welcom to my XAMPP admin area"
# Change "passwords" file to your own passwords file:
AuthUserFile "C:/xampp/apache/bin/passwd/passwords"
# Change USERNAME to the user having access to this directory:
Require user USERNAME
</Directory>
</VirtualHost>

### to learn more about VirtualHosts, see http://httpd.apache.org/docs-2.0/vhosts/

----------------------------------------------------
3. CHECK YOUR WORK AND RESTART APACHE
-----------------------------------------------------
NOW THOROUGHLY CHECK YOUR httpd.conf FILE, TO MAKE SURE THERE ARE NO DUPLICATE CONFLICTING DIRECTIVES, AND YOU HAVE NOT MADE ANY ERRORS, THEN GO TO "xampp/apache/bin" AND IN CONSOLE WINDOW TYPE:
apache.exe -S

THIS CHECKS YOUR httpd.conf FILE FOR YNTAX AND VITUAL HOSTS... IF ALL IS OK, THEN RESTART APACHE GRACEFULLY BY TYPING:
apache.exe -k restart

THIS FORCES APACHE TO RESTART GRACEFULLY, AND TO REREAD AND IMPLEMENT THE 'httpd.conf" CONFIG FILE.

GOOD LUCK.

P.S> if you want to use your own SSL cert/key combination, you can. Just change the SSLCertificateFile and SSLCertificateKey paths. To make your own certificate/key combinations, read the openSSL docs at http://www.openssl.org/docs/HOWTO. the openSSL.exe executable is also in the apache/bin directory.
Dogman McKinszy
****************************************
* SHARE YOUR KNOWLEDGE, AND YE SHALL RECEIVE. *
****************************************
If you benefited from my post, please donate $1. Thank you.
User avatar
fusibal
 
Posts: 6
Joined: 24. September 2004 08:44

Securing Xampp admin files

Postby mkormendy » 26. September 2004 02:01

That's an amazing article, I said I would get around to posting my final run through .. but you beat me to it! Great Job!

One simple question:
Are you defining the website to be 'secure' by setting up the requirement for SSL connection to the whole webserver ... and then just protecting the administrative directories with htpasswd access?
If so, does this encrypt the htpasswd transmissions too?
User avatar
mkormendy
 
Posts: 12
Joined: 29. January 2004 05:49

Postby fusibal » 26. September 2004 19:17

Mkormendy,
Yes, because apache uses the first virtual host as the default (if it can't figure out what domain you want), it will redirect all your requests to secure site https://YOUR.DOMAIN.COM running on port 443.

You can add as many nonSSL websites as you want by just adding appropriate VirtualHosts directives on port 80 (i.e. *:80) and changing the ServerName and DocumentRoot directives, and skip the RedirectMatch directive.

I hope this helps. I am thinking to make it easy, you and I can just write a securexampp.conf file and add an include line in httpd.conf file. People can just uncomment it out to secure their xampp.

Cheers,
-d
Dogman McKinszy
****************************************
* SHARE YOUR KNOWLEDGE, AND YE SHALL RECEIVE. *
****************************************
If you benefited from my post, please donate $1. Thank you.
User avatar
fusibal
 
Posts: 6
Joined: 24. September 2004 08:44

Quite informative, but before I do this I have to ask....

Postby Liath » 06. October 2004 07:17

Fusibal,
The post looks very good, and I'm hoping I can implement this soon (prays for a day off to play with server). I have a few quick questions though:

I'm not entirely sure how this will work...it seems like there may be a few more steps that aren't in that one post, but I don't know a whole lot about it so please clear me up :P Seems that I would still ahve to create or edit the .htaccess file in the phpmyadmin directory. Or...I'm not 100% sure, but I think apache reads htaccess files all the way to the drive's root, so I coul actually put an .htaccess file in the main xammp directory? Also, in case it matters, I access my server from my main computer on the same network, mianly because the server runs too much stuff as is, and is already on the edge of bogging down to an unstable state :(

Will this make or break any functionality? I personally use a directive in my .htaccess to make all .html work like .shtml so I can use SSI. I'm actually curious as to whether this is even a good thing that I've done :P

Are the URLs to access the tools and the regular webspace the same? For example http://my.domain.com/phpmyadmin/ and http://my.domain.com/ ?

Sorry if my questions seem idiotic... I'm still learning all this :P Could explain why I can't get linux completely yet (I can at least install it now!)

Thanks!
Liath

Edit: Could someone make this sticky once its all nice and finished?
Liath
 
Posts: 12
Joined: 08. May 2003 15:18

Postby fusibal » 10. October 2004 02:12

Liath,
Apache reads the .htaccess file only if it is allowed in the corresponding <Directory> directive in httpd.conf. If overriding is allowed, then apache reads the directives listed in the .htaccess file in that directory. Thus, .htaccess file is useful for those who don't have write access to the httpd.conf file. If you have write access to httpd.conf file, you can forget about editing the .htaccess files, in fact this is less tasking on your system and this is what is recommended by apache:
http://httpd.apache.org/docs-2.0/howto/ ... .html#when

If in the httpd.conf file you write (change PATH to your path):
<Directory C:/PATH >
AllowOverride None
</Directory>

Then, apache will ignore everything in .htaccess in C:/PATH. Also, if there is no other directives for subdirecotories, then the parent directives apply. That answers your other question, yes subdirectories are also protected .... However, the best way to secure phpmyadmin is to do it through your MySQL deamon. In my system, I have to use one username/pass to get to xampp, and another for phpmyadmin (stored in mySQL authentication system).

Other references of interest:
http://httpd.apache.org/docs-2.0/mod/co ... #directory
http://httpd.apache.org/docs-2.0/mod/co ... ssfilename
http://httpd.apache.org/docs-2.0/howto/auth.html

Cheers,
-fusibal
Dogman McKinszy
****************************************
* SHARE YOUR KNOWLEDGE, AND YE SHALL RECEIVE. *
****************************************
If you benefited from my post, please donate $1. Thank you.
User avatar
fusibal
 
Posts: 6
Joined: 24. September 2004 08:44


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 51 guests