bert4
Joined: 09 Apr 2007 Posts: 12 Location: Bali, Indonesia
|
Posted: Mon 09 Apr '07 20:21 Post subject: Apache on Windows - Safe Enough ? |
|
|
Hi Apachers,
I have run Apache on my local PC for quite some time now just for development purposes. My "live" websites are all with Unix / Linux hosting providers.
I "have a dream" to run my own box somewhere, but I don't want to learn Unix or Linux, and I see that "things" here are hosted on XP.
What kind of safety measures would you need to apply to make it just as secure as with Unix / Linux?
I will not be hosting anything else but my own sites... |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Tue 10 Apr '07 9:49 Post subject: |
|
|
It can be secured like on *nix systems.
- Run Apache as a newly created user
- Use NTFS as the file system and set permissions as you would on a *nix system
- Use a firewall
- Open only the ports that need to be open
- Remove the server signature
- ...
- Watch your logs
|
|
|
bert4
Joined: 09 Apr 2007 Posts: 12 Location: Bali, Indonesia
|
Posted: Tue 10 Apr '07 10:31 Post subject: |
|
|
I don't have time to watch the logs all the time
Remove server signature, ok...
So they know that if the server signature is removed, it's probably a win system
Ok, so I assign the Apache service to a certain user, and set permissions on folders for this user.
So if a web app needs a 777, I give this user on that folder read/execute, write, modify, list
But I suppose I cannot use an FTP program (or php chmod) to set permissions like with *nix, right? |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Tue 10 Apr '07 13:55 Post subject: |
|
|
All files under Windows have "0777" by default, if you don't change r.
Under Windows you can attrib. But I don't think that it makes sense.
Set open_basedir in php.ini so no file can be opened outside the docroot / wwwroot.
If you only run Apache for yourself and don't host other pages, it is secure if you block incoming traffic that doesn't come to port 80.
The biggest security leak is script based. If you run PHP or Perl or SSI or whatever, that is where the most insecurity is.
What do you want to use your home Apache for? Only presenting your homepage? For testing or only a nice to have?
Also important is your upload speed (visitors download).
Also the server should be separated from the LAN. And you should not place your working files there. |
|
|
bert4
Joined: 09 Apr 2007 Posts: 12 Location: Bali, Indonesia
|
Posted: Tue 10 Apr '07 14:09 Post subject: |
|
|
Well....
the idea is to use it as a normal (production) server.
Just hire some space in a datacenter somewhere, and not run it from a cable connection at home or something.
And yes, (only) with PHP / MySql |
|
|
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
|
Posted: Wed 11 Apr '07 19:16 Post subject: |
|
|
bert4 wrote: | I don't have time to watch the logs all the time
Remove server signature, ok...
So they know that if the server signature is removed, it's probably a win system
|
Or use mod_security(2) to fake a *nix signature |
|
|
bert4
Joined: 09 Apr 2007 Posts: 12 Location: Bali, Indonesia
|
Posted: Wed 11 Apr '07 21:44 Post subject: |
|
|
Ok,
So it's:
1. Run Apache with a "limited user", and only give write permissions where needed. (NTFS)
2. Firewall
3. Use mod_security (server sig etc)
4. Secure PHP as much as possible (open_basedir and....)
Anything else? |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Thu 12 Apr '07 9:22 Post subject: |
|
|
In php.ini:
Code: |
expose_php = Off ; do not show that PHP (and its version) is running on your server
display_errors = Off ; do not send error messages to the visitor
log_errors = On ; write errors to the log file instead
error_log = C:/server2/logs/phperror.log ; replace with your path
allow_url_fopen = Off ; do not allow opening URLs outside your file system
|
|
|
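An added example, not part of any post in this thread: a small Python check that reads a php.ini and reports where it deviates from the settings recommended above (the five directives from the preceding post plus open_basedir from the earlier reply). Both sample files and the open_basedir paths are constructed for illustration.

```python
import re

# directive -> True if the thread recommends it enabled, False if disabled
RECOMMENDED = {"expose_php": False, "display_errors": False,
               "log_errors": True, "allow_url_fopen": False}
OFF_VALUES = {"off", "0", "false", "no", "none", ""}
# name = "quoted" | 'quoted' | bare value ending at an unquoted ';' comment
LINE = re.compile(r'^\s*([\w.]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^;]*))')

def parse_ini(text):
    """Return {directive: value}; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # ';' comment lines and [section] headers do not match
            value = next((g for g in m.groups()[1:] if g is not None), "")
            settings[m.group(1).lower()] = value.strip()
    return settings

def audit(text):
    """Return {directive: problem} for every setting that deviates."""
    settings, findings = parse_ini(text), {}
    for name, want_on in RECOMMENDED.items():
        if name not in settings:
            findings[name] = "not set explicitly"
        elif (settings[name].lower() not in OFF_VALUES) != want_on:
            findings[name] = f"is {settings[name]!r}, want {'On' if want_on else 'Off'}"
    for name in ("open_basedir", "error_log"):  # must hold a non-empty path
        if not settings.get(name):
            findings[name] = "empty or missing"
    return findings

# Constructed samples. On Windows ';' separates open_basedir paths: quote it.
HARDENED = '''[PHP]
expose_php = Off ; hide PHP and its version
display_errors = Off
log_errors = On
error_log = C:/server2/logs/phperror.log ;replace with your path
allow_url_fopen = Off
open_basedir = "C:/server2/htdocs;C:/server2/tmp"
'''
# A directive that is only commented out, or left empty, counts as not set.
WEAK = '''[PHP]
;expose_php = Off
display_errors = On
allow_url_fopen = 1
open_basedir =
'''
if __name__ == "__main__":
    print({"hardened": audit(HARDENED), "weak": audit(WEAK)})
```
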
|
bert4
Joined: 09 Apr 2007 Posts: 12 Location: Bali, Indonesia
|
Posted: Thu 12 Apr '07 10:51 Post subject: |
|
|
Ok James,
Have a shaken and not stirred from me next time you are in a bar |
|
|