Topic: Apache 2.2.3, (php 5.1.6 and mysql), is localhost safe?

chris
Joined: 18 Sep 2006 Posts: 10
Posted: Mon 18 Sep '06 21:14 Post subject: Apache 2.2.3, (php 5.1.6 and mysql), is localhost safe?
Hello everyone!
I've been using wamp on an offline computer for a while because I thought that having it installed on my online computer might cause a security problem. Because of this, I've been pretty limited in my applications.
I installed wamp on my online computer now, I deleted the anonymous user on mysql and asked to only allow connections from localhost, so I'm wondering does that make me safe from remote attacks on the mysql server?
I installed php and I'm pretty sure it doesn't run as a service and only acts through apache, so isn't that safe if apache's safe?
My biggest concern is apache because installing it was mostly unzipping a file and configuring some things for php, but it had nothing in installation guides about making sure only people from localhost can use it. My suspicion of it has grown a little more because looking in the configuration file it has a configuration called something like listen 80, I guess that means it's listening from port 80 not just from a request from localhost but also from a remote computer? One of the reasons I'm concerned about this, is that if people are able to connect to my computer and see my webpages remotely, those sites they see will mostly be undeveloped and untested and probably access my computer's database, in which case they could have a sql injection attack to take control of my computer.
Any answer would be very very helpful to me, without security on this machine I'll have to go back to wamp on my offline computer.
Thanks for any replies.

Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Mon 18 Sep '06 21:26
Always good to be Security aware, to be localhost only:
Set in mysql.ini:
bind-address=127.0.0.1
Set in the Apache httpd.conf:
Listen 127.0.0.1:80

chris
Joined: 18 Sep 2006 Posts: 10
Posted: Mon 18 Sep '06 23:40
Thanks for the reply steffen!
I edited the line in httpd.conf as you said so I'm much more comfortable now. One problem is I couldn't find mysql.ini in the mysql directory or in the windows directory (is it possible it's because this is a newer version?) but I think I remember that when I ran the configuration wizard for mysql I checked a box that said only allow connections from localhost, so I hope that did it, it probably did right?
Thanks again!

CanUuRead
Joined: 18 Sep 2006 Posts: 38
Posted: Mon 18 Sep '06 23:43
The actual MySQL INI is named MY.INI

chris
Joined: 18 Sep 2006 Posts: 10
Posted: Tue 19 Sep '06 2:11
I'm not sure where to place bind-address in the my.ini file, it looks like there's two sections.

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Tue 19 Sep '06 9:41
Set bind-address below [mysqld]

chris
Joined: 18 Sep 2006 Posts: 10
Posted: Tue 19 Sep '06 11:30
Thanks for the reply, it all seems to be working great now.
Btw I think I should also mention that I found a good tutorial on the subject of configuring mysql securely: http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html
Only thing is I didn't understand what the shared-memory thing did and why it would make it more secure, probably not a big deal.
Thank you all for the help.
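
The two settings from this thread as a static configuration check, added here as an example that is not part of the original posts: it flags Apache Listen directives that are not pinned to a loopback address and reports whether bind-address actually sits under [mysqld] in my.ini. The function names and sample configs are constructed for illustration; the check goes slightly beyond the thread by accepting the IPv6 loopback as well, and it does not follow Include files.

```python
"""Static check: are Apache and MySQL configured to listen on loopback only?"""
import configparser
import ipaddress
import re

# Constructed sample configs for illustration (not from the thread's machine).
HTTPD_EXPOSED = 'ServerRoot "C:/Apache2"\n# Listen 127.0.0.1:8080\nListen 80\n'
HTTPD_LOCAL = "Listen 127.0.0.1:80\nListen [::1]:80\n"
MY_INI_MISPLACED = "[client]\nport=3306\nbind-address=127.0.0.1\n[mysqld]\nport=3306\n"
MY_INI_LOCAL = "[client]\nport=3306\n[mysqld]\nport=3306\nbind-address=127.0.0.1\n"

def is_loopback(host):
    """True only for a literal loopback IP; anything else is treated as exposed."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False

def apache_exposed_listens(conf_text):
    """Return Listen arguments that are not pinned to a loopback address."""
    exposed = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*Listen\s+(\S+)", line, re.IGNORECASE)
        if not m:
            continue  # commented-out lines start with '#' and never match
        host, sep, _port = m.group(1).rpartition(":")
        if not sep or not is_loopback(host):  # bare port = every interface
            exposed.append(m.group(1))
    return exposed

def mysql_bind_address(ini_text):
    """Return bind-address from the [mysqld] section, or None if it is absent there."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("mysqld"):
        return None
    return cp["mysqld"].get("bind-address") or cp["mysqld"].get("bind_address")

def mysql_is_local_only(ini_text):
    """The server reads [mysqld]; the same key under [client] does not restrict it."""
    addr = mysql_bind_address(ini_text)
    return addr is not None and is_loopback(addr)

if __name__ == "__main__":
    print("httpd exposed:", apache_exposed_listens(HTTPD_EXPOSED))
    print("httpd local  :", apache_exposed_listens(HTTPD_LOCAL))
    print("my.ini misplaced local-only:", mysql_is_local_only(MY_INI_MISPLACED))
    print("my.ini correct local-only  :", mysql_is_local_only(MY_INI_LOCAL))
```

This only reads the files; after restarting both services, netstat -an should show the web and database ports bound to 127.0.0.1 rather than 0.0.0.0.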