bert4
Joined: 09 Apr 2007
Posts: 12
Location: Bali, Indonesia

Posted: Mon 09 Apr '07 20:21    Post subject: Apache on Windows - Safe Enough ?
Hi Apachers,
I have run Apache on my local PC for quite some time now, just for development purposes. My "live" websites are all with Unix / Linux hosting providers.

I "have a dream" to run my own box somewhere, but I don't want to learn Unix or Linux, and I see that "things" here are hosted on XP.

What kind of safety measures would you need to apply to make it just as secure as with Unix / Linux?

I will not be hosting anything else but my own sites...
James Blond (Moderator)
Joined: 19 Jan 2006
Posts: 7442
Location: EU, Germany, Next to Hamburg

Posted: Tue 10 Apr '07 9:49
It can be secured like on *nix systems.

Run Apache under a newly created user
Use NTFS as the file system and set permissions as you would on a *nix system
Use a firewall
Open only the ports that need to be open
Remove the server signature
...
Watch your logs
bert4
Joined: 09 Apr 2007
Posts: 12
Location: Bali, Indonesia

Posted: Tue 10 Apr '07 10:31
I don't have time to watch the logs all the time.
Remove server signature, ok...

So they know that if the server signature is removed, it's probably a Win system.

Ok, so I assign the Apache service to a certain user, and set permissions on folders for this user.

So if a web app needs a 777, I give this user read/execute, write, modify, list on that folder.

But I suppose I cannot use an FTP program (or php chmod) to set permissions like with *nix, right?
James Blond (Moderator)
Joined: 19 Jan 2006
Posts: 7442
Location: EU, Germany, Next to Hamburg

Posted: Tue 10 Apr '07 13:55
All files under Windows have "0777" by default, if you don't change it. Under Windows you can use attrib. But I don't think that it makes sense.
Set open_basedir in php.ini so no file can be opened outside the docroot / wwwroot.

If you only run Apache for yourself and don't host other pages, it is secure if you block incoming traffic that doesn't come to port 80.

The biggest security leak is script based. If you run PHP or Perl or SSI or whatever, that is where most of the insecurity is.

For what do you want to use your home Apache? Only presenting your homepage? For testing, or only a nice-to-have?

Also important is your upload speed (visitors download).

Also the server should be separated from the LAN. And you should not place your working files there.
bert4
Joined: 09 Apr 2007
Posts: 12
Location: Bali, Indonesia

Posted: Tue 10 Apr '07 14:09
Well....
the idea is to use it as a normal (production) server.

Just hire some space in a datacenter somewhere, and not run it from a cable connection at home or something.

And yes, (only) with PHP / MySQL.
Jorge
Joined: 12 Mar 2006
Posts: 376
Location: Belgium

Posted: Wed 11 Apr '07 19:16
bert4 wrote:
    I don't have time to watch the logs all the time.
    Remove server signature, ok...

    So they know that if the server signature is removed, it's probably a Win system.

Or use mod_security(2) to fake a *nix signature.
bert4
Joined: 09 Apr 2007
Posts: 12
Location: Bali, Indonesia

Posted: Wed 11 Apr '07 21:44
Ok,
So it's:

1. Run Apache with a "limited user", and only give write permissions where needed (NTFS).

2. Firewall.

3. Use mod_security (server sig etc.).

4. Secure PHP as much as possible (open_basedir and ...).

Anything else?
James Blond (Moderator)
Joined: 19 Jan 2006
Posts: 7442
Location: EU, Germany, Next to Hamburg

Posted: Thu 12 Apr '07 9:22
In php.ini:

Code:
expose_php = Off         ; do not show that PHP (and its version) is running on your server
display_errors = Off
log_errors = On
error_log = C:/server2/logs/phperror.log   ; replace with your path
allow_url_fopen = Off    ; do not allow opening URLs outside your file system
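As an added check that is not code from this thread or from any of its posters: a small Python audit that parses a php.ini and an httpd.conf and reports which of the settings recommended above (the php.ini directives in this post plus open_basedir from the earlier reply) are missing or weak, and also checks Apache's ServerTokens/ServerSignature, which are the directives behind "remove server signature" and are assumed here rather than named in the thread. The sample php.ini is constructed for the example; point the functions at the text of your real files instead.

```python
# php.ini values the thread recommends; the Apache directives are the ones behind
# "remove server signature" (ServerTokens / ServerSignature), assumed for this example.
PHP_EXPECTED = {"expose_php": "off", "display_errors": "off",
                "log_errors": "on", "allow_url_fopen": "off"}
PHP_REQUIRED = ("open_basedir", "error_log")   # must be set to something
APACHE_EXPECTED = {"servertokens": "prod", "serversignature": "off"}
# php.ini accepts several boolean spellings; normalise them to on/off.
BOOLS = {"1": "on", "true": "on", "yes": "on", "0": "off", "false": "off", "no": "off"}
# Constructed sample: a weak php.ini like the one a default install ships with.
SAMPLE_PHP_INI = "[PHP]\nexpose_php = On\ndisplay_errors = 1 ; numeric\n; log_errors = On\n"

def parse_php_ini(text):
    """Return {directive: value}; ';' starts a comment, [sections] are skipped."""
    out = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, val = line.partition("=")
        if key.strip():
            val = val.strip().strip('"').lower()
            out[key.strip().lower()] = BOOLS.get(val, val)
    return out

def parse_httpd_conf(text):
    """Return {directive: first argument}; '#' starts a comment, <tags> skipped."""
    out = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and not parts[0].startswith("<"):
            out[parts[0].lower()] = parts[1].lower()
    return out

def audit(settings, expected, required=()):
    """List wrong or missing directives; an empty list means hardened."""
    findings = []
    for key, want in expected.items():
        have = settings.get(key)
        if have is None:
            findings.append(f"{key} not set (default may be unsafe; want {want})")
        elif have != want:
            findings.append(f"{key} = {have} (want {want})")
    findings += [f"{key} not set" for key in required if not settings.get(key)]
    return findings

def audit_php_ini(text):
    return audit(parse_php_ini(text), PHP_EXPECTED, PHP_REQUIRED)
def audit_httpd_conf(text):
    return audit(parse_httpd_conf(text), APACHE_EXPECTED)
```

Running `audit_php_ini(SAMPLE_PHP_INI)` reports the exposed version banner, display_errors switched on, the commented-out log_errors, and the missing open_basedir and error_log; a hardened file returns an empty list.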
bert4
Joined: 09 Apr 2007
Posts: 12
Location: Bali, Indonesia

Posted: Thu 12 Apr '07 10:51
Ok James,
have a shaken, not stirred, from me next time you are in a bar.