Review: XAMPP--An Apache Server Stack
Security

Sean Michael Kerner
Wednesday, June 8, 2005 11:35:38 PM

The default LAMPP configuration is insecure and needs some tweaking, which is easily done. There is a simple command that will correct the most obvious insecurities. XAMPP's developers (ApacheFriends) evidently feel that XAMPP isn't for production environments, so that is part of the reason why they haven't implemented security by default.

Type

/opt/lampp/lampp security

The security script lets you protect your XAMPP installation with a password, restrict MySQL network access and set a root password for MySQL, change the default FTP password and add a password for phpMyAdmin. The security status of your XAMPP installation can easily be checked by clicking the Security tab (see Figure 2) on the XAMPP dashboard, which is the default server start page (until you change it).

Beyond what the security script provides, unless you've got a good reason to have FTP on the server, I'd recommend disabling it. Far too many users still send FTP passwords "in the clear" (unencrypted), and FTP hacking is an exceptionally easy attack vector.

To disable FTP type

/opt/lampp/lampp stopftp 

Also, one of the most common hacker "tricks" is to use a search engine to look for server components that have a known vulnerability. Let's say Apache version x has vulnerability y; that vulnerability has likely been widely published, so all a hacker needs to do is find Apache version x to execute the exploit. If you tell the world what you're running, you make it easier for them to exploit you. There is something to be said for security in anonymity.

XAMPP does not provide a script to modify Apache's httpd.conf for this change, so you'll have to edit the file yourself. The change is made to the ServerTokens directive in httpd.conf. XAMPP has it set to "Full" by default, which sends all the version information about Apache and the various compiled-in modules. Change the entry to "Prod", which offers the least detail and reveals only that Apache is running (not which version).

So instead of having your server report "Apache/2.0.53 (Unix) mod_ssl/2.0.53 OpenSSL/0.9.7d PHP/5.0.4 DAV/2 mod_perl/1.999.21 Perl/v5.8.6 Server at hostname/ Port", a veritable buffet for a hacker, you simply get "Apache Server at hostname/ Port", which makes target enumeration significantly more difficult.
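As an added example (not from the article or from ApacheFriends), the following POSIX shell functions audit the effective ServerTokens value in an httpd.conf and rewrite it to Prod, leaving commented-out lines untouched. It assumes awk and mktemp are available; the config fragment used in the demo is constructed here, not XAMPP's real file.

```shell
#!/bin/sh
# Audit and harden the ServerTokens directive in an Apache httpd.conf.
# Apache honours the last active ServerTokens line; when none is present the
# default is Full, the verbose setting discussed above.
# Caveat: Include'd files (e.g. XAMPP's extra/httpd-default.conf) are not followed.

# Print the effective ServerTokens value for the config file in $1.
effective_server_tokens() {
  awk 'tolower($1) == "servertokens" { v = $2 }
       END { if (v == "") v = "Full"; print v }' "$1"
}

# Rewrite every active ServerTokens line in $1 to "ServerTokens Prod";
# append one if the directive is absent. Comment lines (# prefix) are kept as-is.
set_server_tokens_prod() {
  tmp=$(mktemp) || return 1
  awk 'tolower($1) == "servertokens" { print "ServerTokens Prod"; found = 1; next }
       { print }
       END { if (!found) print "ServerTokens Prod" }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Return 0 if the file is hardened (Prod, any case), 1 otherwise.
server_tokens_is_prod() {
  case "$(effective_server_tokens "$1")" in
    [Pp][Rr][Oo][Dd]) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo on a constructed httpd.conf fragment (not XAMPP's real file).
demo() {
  conf=$(mktemp)
  printf '#ServerTokens Prod\nServerTokens Full\nServerSignature On\n' > "$conf"
  echo "before: $(effective_server_tokens "$conf")"   # Full
  set_server_tokens_prod "$conf"
  echo "after:  $(effective_server_tokens "$conf")"   # Prod
  rm -f "$conf"
}
demo
```

Run it against /opt/lampp/etc/httpd.conf (or wherever your install keeps it) and restart Apache afterwards so the new setting takes effect.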

Figure 2: XAMPP Security