Topic: Apache on Windows - Safe Enough ?

bert4
Joined: 09 Apr 2007
Posts: 12
Location: Bali, Indonesia

Posted: Mon 09 Apr '07 20:21

Hi Apachers,

I have run Apache on my local PC for quite some time now just for development purposes. My "live" websites are all with Unix / Linux hosting providers.

I "have a dream" to run my own box somewhere, but I don't want to learn Unix or Linux, and I see that "things" here are hosted on XP.

What kind of safety measures would you need to apply to make it just as secure as with Unix / Linux?

I will not be hosting anything else but my own sites...

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

Posted: Tue 10 Apr '07 9:49

It can be as secure as on *nix systems.


  • Run Apache under a newly created user
  • Use NTFS as the file system and set permissions as you would on a *nix system
  • Use a firewall
  • Open only the ports that need to be open
  • Remove the server signature
  • ...
  • Watch your logs

bert4
Joined: 09 Apr 2007
Posts: 12
Location: Bali, Indonesia

Posted: Tue 10 Apr '07 10:31

I don't have time to watch the logs all the time ;)

Remove server signature, ok...

So they know that if the server signature is removed, it's probably a win system ;)

Ok, so I assign the Apache Service to a certain user, and set permissions on folders for this user.

So if a web app needs a 777, I give this user on that folder read/execute, write, modify, list

But I suppose I cannot use an FTP program (or php chmod) to set permissions like with *nix, right?

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

Posted: Tue 10 Apr '07 13:55

All files under Windows have "0777" by default, if you don't change r.
Under Windows you can attrib. But I don't think that it makes sense.
Set open_basedir in php.ini so no file can be opened outside the docroot / wwwroot.

If you only run Apache for yourself and don't host other pages, it is secure if you block incoming traffic that doesn't come to port 80.

The biggest security leak is script based. If you run PHP or Perl or SSI or whatever, there is the most insecurity.

For what do you want to use your home Apache? Only presenting your homepage? For testing or only a nice to have?

Also important is your upload speed (visitors download).

Also the server should be separated from the LAN. And you should not place your working files there.

bert4
Joined: 09 Apr 2007
Posts: 12
Location: Bali, Indonesia

Posted: Tue 10 Apr '07 14:09

Well....

the idea is to use it as a normal (production) server.

Just hire some space in a datacenter somewhere, and not run it from a cable connection at home or something.

And yes, (only) with PHP / MySQL

Jorge
Joined: 12 Mar 2006
Posts: 376
Location: Belgium

Posted: Wed 11 Apr '07 19:16

bert4 wrote:
I don't have time to watch the logs all the time ;)

Remove server signature, ok...

So they know that if the server signature is removed, it's probably a win system ;)


Or use mod_security(2) to fake a *nix signature :)

bert4
Joined: 09 Apr 2007
Posts: 12
Location: Bali, Indonesia

Posted: Wed 11 Apr '07 21:44

Ok,

So it's:

1. Run Apache with a "limited user", and only give write permissions where needed. (NTFS)

2. Firewall

3. Use mod_security (server sig etc)

4. Secure PHP as much as possible (open base dir and....)

Anything else?

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

Posted: Thu 12 Apr '07 9:22

In php.ini:
Code:

expose_php = Off ; do not reveal that PHP (and its version) is running on your server

display_errors = Off ; do not show error messages to visitors
log_errors = On ; write errors to the log file instead
error_log = C:/server2/logs/phperror.log ; replace with your path
allow_url_fopen = Off ; do not allow opening URLs outside your file system
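
The php.ini directives recommended in this thread (including open_basedir from the earlier post) can be checked automatically. The following Python audit is an added example, not code from any poster; the function names and the sample configuration are constructed for illustration.

```python
import re

# Values recommended in the thread above; helper names are illustrative.
EXPECTED_BOOL = {"expose_php": False, "display_errors": False,
                 "log_errors": True, "allow_url_fopen": False}
MUST_BE_SET = ("error_log", "open_basedir")
TRUE_WORDS = {"1", "on", "true", "yes"}

def parse_php_ini(text):
    """Return {directive: value}; a later assignment replaces an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue  # blank line, comment or section header
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        quoted = re.match(r'"([^"]*)"', value)
        # Keep quoted values whole; otherwise cut an inline ';' comment.
        value = quoted.group(1) if quoted else value.split(";", 1)[0].strip()
        settings[key.strip()] = value
    return settings

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_php_ini(text)
    findings = []
    for name, want in EXPECTED_BOOL.items():
        if name not in s:
            findings.append(f"{name}: not set explicitly")
        elif (s[name].lower() in TRUE_WORDS) != want:
            findings.append(f"{name}: is {s[name]}, expected {'On' if want else 'Off'}")
    for name in MUST_BE_SET:
        if not s.get(name):
            findings.append(f"{name}: empty or missing")
    return findings

# Constructed sample, not a real server's configuration.
SAMPLE = """\
[PHP]
expose_php = Off ; hide the PHP banner
display_errors = On
log_errors = On
error_log = "C:/server2/logs/phperror.log"
;open_basedir = "C:/server2/htdocs"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A commented-out directive counts as missing, which is why the sample's open_basedir line is reported.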

bert4
Joined: 09 Apr 2007
Posts: 12
Location: Bali, Indonesia

Posted: Thu 12 Apr '07 10:51

Ok James,

Have a shaken and not stirred from me next time you are in a bar ;)