logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache 2.2.3, (php 5.1.6 and mysql), is localhost safe?
Author
chris



Joined: 18 Sep 2006
Posts: 10

PostPosted: Mon 18 Sep '06 21:14    Post subject: Apache 2.2.3, (php 5.1.6 and mysql), is localhost safe? Reply with quote

Hello everyone!

I've been using wamp on an offline computer for a while because I thought that having it installed on my online computer might cause a security problem. Because of this, I've been pretty limited in my applications.

I installed wamp on my online computer now, I deleted the annoymous user on mysql and asked to only allow connections from localhost, so I'm wondering does that make me safe from remote attacks on the mysql server?

I installed php and I'm pretty sure it doesn't run as a service and only acts through apache, so isn't that safe if apaches safe?

My biggest concern is apache because installing it was mostly unzipping a file and configuring some things for php, but it had nothing in installation guides about making sure only people from localhost can use it. My suspicion of it has grown a little more because looking in the configuration file it has a configuration called something like listen 80, I guess that means it's listening from port 80 not just from a request from localhost but also from a remote computer? One of the reasons I'm concerned about this, is that if people are able to connect to my computer and see my webpages remotely, those sites they see will mostly be undeveloped and untested and probably access my computers database, in which case they could have a sql injection attack to take control of my computer.

Any answer would be very very helpful to me, without security on this machine I'll have to go back to wamp on my offline computer.

Thanks for any replies.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Mon 18 Sep '06 21:26    Post subject: Reply with quote

Always good to be Security aware, to be localhost only:

Set in mysql.ini:
bind-address=127.0.0.1

Set in the Apache httpd.conf:
Listen 127.0.0.1:80
Back to top
chris



Joined: 18 Sep 2006
Posts: 10

PostPosted: Mon 18 Sep '06 23:40    Post subject: Reply with quote

Thanks for the reply steffen!

I edited the line in httpd.conf as you said so I'm much more comfortable now. One problem is I couldn't find mysql.ini in the mysql directory or in the windows directory (is it possible it's because this is a newer version?) but I think I remember that when I ran the configuration wizard for mysql I checked a box that said only allow connections from localhost, so I hope that did it, it probably did right?

Thanks again!
Back to top
CanUuRead



Joined: 18 Sep 2006
Posts: 38

PostPosted: Mon 18 Sep '06 23:43    Post subject: Reply with quote

The actual MySQL INI is named MY.INI
Back to top
chris



Joined: 18 Sep 2006
Posts: 10

PostPosted: Tue 19 Sep '06 2:11    Post subject: Reply with quote

I'm not sure where to place bind-address in the my.ini file, it looks like theres two sections.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Tue 19 Sep '06 9:41    Post subject: Reply with quote

set bind-address below [mysqld]
Back to top
chris



Joined: 18 Sep 2006
Posts: 10

PostPosted: Tue 19 Sep '06 11:30    Post subject: Reply with quote

Thanks for the reply, it all seems to be working great now.

Btw I think I should also mention that I found a good tutorial on the subject of configuring mysql securly http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html

Only thing is I didn't understand what the shared-memory thing did and why it would make it more secure, probably not a big deal.

Thank you all for the help.
Back to top


Reply to topic   Topic: Apache 2.2.3, (php 5.1.6 and mysql), is localhost safe? View previous topic :: View next topic
Post new topic   Forum Index -> Apache