Security

WampDeveloper is secured and ready for production deployment out-of-the-box.

There are just a couple of things to be aware of…

MySQL Accounts

While MySQL can only be accessed directly from the local system (it’s bound to 127.0.0.1), it can be accessed indirectly via any phpMyAdmin URL -

http://domain.name/phpmyadmin

The indirect access is currently secured this way:

File: C:\WampDeveloper\Tools\phpMyAdmin\config.inc.php

$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'deny % from all',
    'allow % from 127.0.0.1',

    'allow root from localhost',
    'allow root from 127.0.0.1',
    'allow root from 10.0.0.0/8',
    'allow root from 172.16.0.0/12',
    'allow root from 192.168.0.0/16',
    );

A) The user “root” has *no password set*, but this account is restricted and can *only* be accessed from the local system and the local network (as listed above). *If you do set the password for this account, do so for all root accounts (host: localhost, ::1, 127.0.0.1) and update file WampDeveloper.xml with the new password.

B) All other users are also either restricted to local access only, or denied access altogether (as above). *To open this up, you have to edit the above file and add the proper permission to the above rules (example: ‘allow user-name-here from 127.0.0.1’).

C) There is sometimes 1 MySQL account called “Any” which allows anyone who can reach MySQL to see (but not modify) the databases. You can safely delete this account if it exists.
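The rule order ‘deny,allow’ means phpMyAdmin allows access by default and only the ‘deny % from all’ line turns it into a default-deny setup, so a mistake in that list quietly opens phpMyAdmin up. The script below is an added example (not part of this page or of phpMyAdmin’s own code) that reimplements the documented rule semantics in Python so you can check which user/address combinations the rules above admit before editing them; it assumes ‘localhost’ matches any loopback address and ‘from’ hosts are an IP or a CIDR block.

```python
import ipaddress

# Constructed copy of the 'rules' array from the config.inc.php shown above.
RULES = [
    'deny % from all',
    'allow % from 127.0.0.1',
    'allow root from localhost',
    'allow root from 127.0.0.1',
    'allow root from 10.0.0.0/8',
    'allow root from 172.16.0.0/12',
    'allow root from 192.168.0.0/16',
]


def host_matches(pattern, client_ip):
    """Match one 'from <host>' pattern against the client's address."""
    if pattern == 'all':
        return True
    ip = ipaddress.ip_address(client_ip)
    if pattern == 'localhost':          # assumption: 127.0.0.1 and ::1 count as localhost
        return ip.is_loopback
    # A bare IP or a CIDR block; an IPv6 client never matches an IPv4 block.
    return ip in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule, user, client_ip):
    """Rule format: '<allow|deny> <user|%> from <host>'; '%' is the any-user wildcard."""
    _action, rule_user, _from, host = rule.split()
    if rule_user not in ('%', user):
        return False
    return host_matches(host, client_ip)


def is_allowed(user, client_ip, rules=RULES, order='deny,allow'):
    """Apply phpMyAdmin's AllowDeny evaluation for the given rule order.

    deny,allow : access is allowed unless a deny rule matches and no allow rule does.
    allow,deny : access is denied unless an allow rule matches and no deny rule does.
    """
    denied = any(rule_matches(r, user, client_ip) for r in rules if r.startswith('deny '))
    allowed = any(rule_matches(r, user, client_ip) for r in rules if r.startswith('allow '))
    if order == 'deny,allow':
        return allowed or not denied
    if order == 'allow,deny':
        return allowed and not denied
    raise ValueError('unsupported rule order: ' + order)


if __name__ == '__main__':
    for user, ip in [('root', '192.168.1.20'), ('root', '203.0.113.5'),
                     ('webapp', '127.0.0.1'), ('webapp', '192.168.1.20')]:
        print(user, ip, 'allowed' if is_allowed(user, ip) else 'denied')
```

Deleting the ‘deny % from all’ line and re-running shows every combination become ‘allowed’, which is exactly the failure this check is meant to catch.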

AWStats Website Analytics/Statistics

Website statistics can be accessed by anyone from the local network.

Current Settings…

File(s):
C:\WampDeveloper\Tools\awstats\wwwroot\cgi-bin\awstats.www.example.com.conf
(*substitute your domain name for www.example.com)

AllowAccessFromWebToFollowingIPAddresses="127.0.0.1 10.0.0.0-10.255.255.255 172.16.0.0-172.31.255.255 192.168.0.0-192.168.255.255"

Directory Index

Each publicly accessible directory that does not contain an index.html or index.php file will default to displaying an “Index” (an auto-generated file and directory listing) of that location. To remove “Indexes”…

Add the following line to each website’s top-level .htaccess file -

Options -Indexes

VirtualHost, htaccess, and Other Templates

The C:\WampDeveloper\Resources folder contains templates that are used for each new website’s VH (HTTP and SSL) and .htaccess files when a website is created/added. You can edit these templates to meet your specifications.

Securing PHP against 99% of the attacks

Disable most commonly exploited PHP functions

php.ini -

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

This will stop most of the exploits that would try to execute something on the system, without preventing normal scripts and webapps from working.

Restrict opening of files in scripts

Website VirtualHost(s) -

php_admin_value open_basedir "C:/WampDeveloper/Temp;C:/WampDeveloper/Websites/domain.name/webroot/"

This will restrict the locations that can be opened by PHP’s include(), require(), fopen() and other similar functions to the website’s specific DocumentRoot folder and the general Temporary directory.

By using php_admin_value you are also preventing open_basedir from being reset via .htaccess files and at runtime via ini_set().

http://www.php.net/manual/en/ini.core.php#ini.open-basedir

Note that using open_basedir comes at a cost: you will not be able to tune the php.ini realpath_cache_size value for performance gains.

(*using php_value/php_admin_value does not work under PHP-FCGI)
