1.7.3 Secure for production sites?


1.7.3 Secure for production sites?

Postby Caps » 30. November 2010 19:54

I've read all about security issues with LAMPP, but that dates back several versions. Before I start using LAMPP for Windows I want to know if I can go ahead and use LAMPP 1.7.3 for production work?
Caps
 
Posts: 18
Joined: 19. November 2010 19:21

Re: 1.7.3 Secure for production sites?

Postby JonB » 30. November 2010 20:50

Well - XAMPP for Windows really isn't LAMPP, LOL but they are kissing cousins.

I have a guide on XAMPP Security you can read if you want (in case you haven't):
http://bravo.newnetenterprises.com/word ... age_id=387

One would have to define 'production' very accurately to get a very accurate answer - I would say - for personal projects and research thingies - that a XAMPP install secured as I have described is pretty secure. Anything done 'for real profit as a full time venture' deserves a 'real server' - yours or someone else's - in my opinion - but again - it's only as good as the configuration. The 'real server' thing mostly gets at hardware and OS level stuff, not the stack that is installed.

All Apache, PHP and MySQL distributions start from the same source code (of course by version) - so all distributions (other than operating system considerations) can be equally secure/insecure. It's all in how they are configured, AND how secure the scripts/applications that are run on them are. A webserver offering up static pages with MySQL 'off' is pretty secure, other than defacement. Everything you turn on poses a risk you need a counter-measure for.

Most of the risk is almost always in the applications, provided you secure a few basic elements.

Did I say - backup, backup, backup??? LOL - yeah I have stuff on that too.

Good Luck with your project.

:)
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: 1.7.3 Secure for production sites?

Postby Caps » 30. November 2010 23:39

Hi Jon,

Thank you for the time you spend on assisting. I asked the question about security because what is posted - read the following:

"The default configuration is not good from a security point of view and it's not secure enough for a production environment - please don't use XAMPP in such environment. " You will find this right under "The philosophy"

Ref: http://www.apachefriends.org/en/xampp.html

Under Download Statistics: "* XAMPP Download Statistics
Since some month (today is the 4th of July 2003) the Source Forge statistics don't work correctly any more and showing only extremely less download counts. "

The date of the posting of the entire page may have been in 2003, which is why I asked the question about the current version. That page should then have been updated.

Thank you again,

Caps
Last edited by Caps on 01. December 2010 01:50, edited 1 time in total.
Caps

Re: 1.7.3 Secure for production sites?

Postby JonB » 01. December 2010 01:21

Although they have not updated the page, the basic facts are uncontroverted; the AS-IS default installation (read CONFIGURATION) is not secure enough to use without 'fixing the holes'. (Which the developers and I both explain)

It's nearly as true today - and it's true because of the way things like MySQL are distributed (with an unsecured 'root' user) by THEIR developers [Oracle/Sun].

I was chastised on this very issue recently, and I explained it in detail here.

viewtopic.php?f=16&t=42564

If you take basic precautions, your installation is no different from any other - they ALL come from the same source files, no matter how they find their way to you.

Good Luck again, you are OK if you follow good sense precautions from reliable sources (there are lots besides me)

8)
JonB
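The two things JonB keeps coming back to (MySQL shipped with an unsecured 'root' user, and a default configuration whose holes have to be fixed before anything is switched on) can be checked without trusting memory. The script below is an added example, not part of the XAMPP project or of JonB's guide. It works offline on two pieces of text you paste from the box: the MySQL user table as printed by `mysql -u root -B -e "SELECT user, host, password FROM mysql.user"`, and phpMyAdmin's config.inc.php. It reports the findings and prints the SQL that mysql_secure_installation would run for the same problems. The sample rows, the dummy password hash, the database list and the placeholder password are constructed for the example; `auth_type`, `user`, `password` and `AllowNoPassword` are real phpMyAdmin config keys, but the values shown are assumed, not taken from a particular XAMPP release.

```python
"""Added example: offline audit of XAMPP-style MySQL / phpMyAdmin defaults.

Inputs are plain text pasted from the target; nothing connects to a server:
  * the MySQL user table, tab-separated with a header line, as printed by
      mysql -u root -B -e "SELECT user, host, password FROM mysql.user"
  * the list of databases (SHOW DATABASES)
  * phpMyAdmin's config.inc.php
All sample inputs below are constructed for this example.
"""
import re

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
PASSWORD_PLACEHOLDER = "<choose-a-strong-password>"  # edit before running the SQL

# Constructed sample: a fresh install with the root user left unsecured.
SAMPLE_USER_TABLE = "\n".join("\t".join(row) for row in [
    ("user", "host", "password"),
    ("root", "localhost", ""),
    ("root", "127.0.0.1", ""),
    ("root", "::1", ""),
    ("root", "%", ""),                 # root reachable from any host
    ("", "localhost", ""),             # anonymous accounts
    ("", "%", ""),
    ("app", "localhost", "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29"),  # hash of a dummy password
])
SAMPLE_DATABASES = ["information_schema", "mysql", "test", "appdb"]

SAMPLE_PMA_CONFIG = """<?php
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""


def parse_user_rows(batch_output):
    """Turn mysql -B output into a list of {user, host, password} dicts."""
    rows = []
    for line in batch_output.split("\n")[1:]:      # first line is the header
        if not line:
            continue
        user, host, password = line.split("\t")
        rows.append({"user": user, "host": host, "password": password})
    return rows


def audit_mysql(rows, databases):
    """Return (findings, remediation_sql) for the classic insecure defaults."""
    findings, sql = [], []
    for r in rows:
        acct = f"'{r['user']}'@'{r['host']}'"
        if r["user"] == "":
            findings.append(f"anonymous account {acct}")
            sql.append(f"DROP USER {acct};")
        elif r["user"] == "root" and r["host"] not in LOCAL_HOSTS:
            findings.append(f"root login allowed from non-local host {acct}")
            sql.append(f"DROP USER {acct};")
        elif r["password"] in ("", "NULL"):
            findings.append(f"empty password on {acct}")
            sql.append(f"SET PASSWORD FOR {acct} = PASSWORD('{PASSWORD_PLACEHOLDER}');")
    if "test" in databases:
        findings.append("default 'test' database present")
        sql.append("DROP DATABASE IF EXISTS test;")
    if sql:
        sql.append("FLUSH PRIVILEGES;")
    return findings, sql


# One phpMyAdmin per-server setting: a quoted string or a bare true/false.
_PMA_LINE = re.compile(
    r"\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*(?:'([^']*)'|(true|false))\s*;")


def parse_pma_config(text):
    """Extract the per-server settings as a dict; booleans become Python bools."""
    cfg = {}
    for key, strval, boolval in _PMA_LINE.findall(text):
        cfg[key] = (boolval == "true") if boolval else strval
    return cfg


def audit_phpmyadmin(cfg):
    """Flag settings that log in anyone who can reach /phpmyadmin."""
    findings = []
    if cfg.get("auth_type") == "config":
        findings.append("auth_type 'config': stored credentials log in anyone who reaches "
                        "/phpmyadmin without a prompt; use 'cookie'")
    if cfg.get("AllowNoPassword") is True:
        findings.append("AllowNoPassword = true: accounts with empty passwords may log in; set false")
    if cfg.get("user") == "root" and cfg.get("password") == "":
        findings.append("root with an empty password stored in config.inc.php")
    return findings


if __name__ == "__main__":
    findings, sql = audit_mysql(parse_user_rows(SAMPLE_USER_TABLE), SAMPLE_DATABASES)
    for f in findings + audit_phpmyadmin(parse_pma_config(SAMPLE_PMA_CONFIG)):
        print("FINDING:", f)
    print("\n-- remediation (review, then run as root in the mysql client)")
    print("\n".join(sql))
```

The script drops non-local root accounts rather than setting a password on them, because a root login reachable from '%' stays a problem even with a password; the local root accounts get the SET PASSWORD statement. After running the SQL, phpMyAdmin's stored root credentials stop working, which is the point: switch it to cookie authentication and it will prompt for the new password.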

Re: 1.7.3 Secure for production sites?

Postby Caps » 01. December 2010 01:57

Was kind of worried. One example given of security is the default folder of the XAMPP install. I will enforce what are common sense security policies for LAMPP and it should be good.

Here is a post and response to a performance issue with Concrete5.

http://www.concrete5.org/community/foru ... -c5-4-1-1/

One of the post warns about XAMPP and security.
Last edited by Caps on 01. December 2010 08:06, edited 2 times in total.
Caps

Re: 1.7.3 Secure for production sites?

Postby JonB » 01. December 2010 04:02

I'm curious when you say you're running on XAMPP -- unless that's a typo, that is a Windows application that encapsulates the LAMP stack for development purposes -- it is absolutely not intended to be used for production, and if you are in fact using that on your server I would suspect that has something to do with the slow performance. Also note that there are many security issues with running XAMPP on a production server -- see http://serverfault.com/questions/289 ... -and-ass...

Unfortunately, the commenter was apparently unaware XAMPP runs on 4 platforms - 3 of which are Linux/Unix - Linux itself (there it's called LAMPP - remember referring to it as LAMPP???), Mac and Solaris (Sun). Yep - OSX is a shell - Macs run Unix!
http://osxfaq.com/Tutorials/LearningCenter/

The Linux variant is from the same source versions as Windows XAMPP, but works quite differently from an installation and location point of view as the OSes are soooo different. It still has all the same 'features', but in *nix variants.

Running XAMPP on a VPS is unusual, but it probably is/was an unmanaged VPS (works like a dedicated server - you put your stuff on it, and you are on your own...) That would fit the description.

And, no, I have no interest in correcting morons who don't ACTUALLY HAVE ANY FIRST HAND KNOWLEDGE (and that would be 80-90% of the time, LOL).

Don't worry - you're OK if you follow good lockdown procedures -

Remember that the 'Bravo' server you got that EC Guide info from is running XAMPP for Windows over on another desk there...

I used the same procedures I outlined there in the Guide (that's how I did the Guide stuff, trial and error on a real machine). Its a mere wisp of a machine running XP Home - but It hosts a couple of low traffic forums and 4 WordPress installations (all low traffic), + some of my development PHP and MySQL experiments, and my frequent XAMPP tests for this forum - no problemo.

Gee - I must be crazy, huh?? :mrgreen:

See ya, and have a happy holiday season
8)
JonB

Re: 1.7.3 Secure for production sites?

Postby Caps » 01. December 2010 08:11

Your comments are quite helpful. I was going to install a WAMP package then decided that XAMPP would be easier, then a few of my coders friends cautioned me on the security issues.

For some reason after securing down LAMPPs, Concrete5 now runs much faster. Does this make any sense?
Caps

Re: 1.7.3 Secure for production sites?

Postby JonB » 01. December 2010 16:34

Well - hahahaha - wouldn't it be cool if secure servers ran faster!!! :shock:

That could make my security work a LOT more profitable!!! :mrgreen:

OK - seriously - if you have an application/script running, what you are seeing is the cache effect, where the browser doesn't need to fetch every item. Remember your machine is BOTH the server and the client - so the server side actually 'serves' everything even if it is on your machine, and the browser's cache is empty to start, OK?

The speed-up period is brief and levels off as you get into the cache expiry period.

Good Luck
8)
JonB

Re: 1.7.3 Secure for production sites?

Postby Caps » 01. December 2010 18:59

My testing always deletes the cache first. So I am still wondering. Even if it were my hosting environment (VPS), I still tested it in the same time frame against other newly installed CMSs.
Caps