Apache security question?

Re: Apache security question?

New to PHP wrote:
[color=blue]
>
> I have 3 computers with Ethernet connection to a local router
> box(SMC7008ABR) and on the wan side to Verizion DSL.
> I was able to install Apache and PHP on one of the PC with
> XP Home edition. How much risk from being attacked?
> I set up SMC7008ABR to allow only public port 80. The reason
> I am sking becuase Verizon is no longer give me a fix IP
> address anymore since I saw the LED lights of the DSL box
> and SMC keep flashing non-stop.
>
> Thanks.[/color]

Hi,

WHole books, sorry, whole libraries, have been filled with setupd/advises
about security.

You cannot expect we can answer your question within any reasonable time.

I have a few general remarks:
Since you only opened port 80 on your router/firewall, you should be
reasonably safe from other kinds of attacks.
I take it you route the requests to your XPHome/PHP/Apache machine, right?

So that is your primary point of concern for attacks. (Since everybody who
wants to pay you a visit will surely try port 80)

XPHome edition = M$ = often unsafe.

I have zero experience with Apache on M$ boxes, but I can tell you Apache is
a very solid piece of software (on GNU/Nix at least), so that is probably
ok.
Maybe somebody else can help you more on that matter.

And maybe you better visit a security oriented newsgroup.


PHP, however, is involved (probably) in a lot more on your system, like
opening database connections, opening/writing local filesystem, etc. etc.

So you have to be sure your PHP-code is solid enough to withstand standard
fun like SQL-injection, naughty characters, etc.

This is nothing special, all your PHP code should be robust enough to
survive such attacks.

As far as I can see, this is the route for a naughty visitor into your
machine:

Your external IP-num (Port 80)
--> Apache on your local machine (XP) will handle the request
--> some PHP script gets executed.

I expect the weakest point is the PHP script, if you write it yourself and
are new to PHP.

The fact that only open port80, and keep all others closed sounds good.
By the way, how can you host a game of Starcraft, with all those ports
closed? :P


So far. Sorry I cannot be more to the point, but your question is VERY broad
and spans too much to cover for me (if I could anyway)..

Regards,
Erwin Moller

Re: Apache security question?

"New to PHP" <dagger_yeekhai @yahoo.com> wrote in message
news:uhdk8efsk. fsf@yahoo.com.. .[color=blue]
>
> I have 3 computers with Ethernet connection to a local router
> box(SMC7008ABR) and on the wan side to Verizion DSL.
> I was able to install Apache and PHP on one of the PC with
> XP Home edition. How much risk from being attacked?
> I set up SMC7008ABR to allow only public port 80. The reason
> I am sking becuase Verizon is no longer give me a fix IP
> address anymore since I saw the LED lights of the DSL box
> and SMC keep flashing non-stop.
>
> Thanks.[/color]

At work we have a Windows 2000/Apache 2 set up and it has been trouble free
thus far. As Erwin said, Apache is a very solid software and it's unlikely
that it'll be exploited as an avenue of attack.

Be sure to change the login used by Apache to a more restricted account.
Apache installs itself to run as a privileged user. If an attacker finds a
hole in your PHP scripts, he could do very serious damage. It's also a good
idea to change the location of the log files from "C:\Program files\Apache
Group\Apache 2\log" to something else, so that there isn't a well known
place for potential attackers to deposit PHP code.

Re: Apache security question?

New to PHP wrote:
[color=blue]
> I have 3 computers with Ethernet connection to a local router
> box(SMC7008ABR) and on the wan side to Verizion DSL.
> I was able to install Apache and PHP on one of the PC with
> XP Home edition. How much risk from being attacked?
> I set up SMC7008ABR to allow only public port 80. The reason
> I am sking becuase Verizon is no longer give me a fix IP
> address anymore since I saw the LED lights of the DSL box
> and SMC keep flashing non-stop.
>
> Thanks.[/color]

One little hint that might help tie things down a little tigher for you
is to configure Apache to listen to a port >1024 instead of port 80,
then change your router to route WAN port 80 to the new LAN port. I
know on a Unix box (whatever about windoze) that this offers additional
security in what a user can do to your server if they could gain access
to it.... I don't know about windoze though.

Lastly - Have you got a firewall on your windoze box? And what about
your router? My Linksys router provides in and outbound logs... Examine
them - in theory you should not have much inbound traffic that CONNECTed
- Any inbound attempts should be few (since they are stopped at a
correctly configured router/firewall) and if somehow someone does get
it, hopefully windoze would have put up a fight and DROPed the attempts.

I hope that helps... I suggest having a word with someone in a WinXP
group, and/or comp.infosystem s.www.servers.win32...

Hope that helps...

randelld