
To start out, I know that XAMPP is not ideal for production. But I'm a beginner in using Apache and MySQL, and most importantly I'm very new to PHP. I came from a Node.js/Java/JavaScript background, so it is all very new to me.

On this particular testing app that I'm developing using XAMPP, I'm also using Windows (which is also very unusual to me; I usually use Ubuntu to create and manage my servers).

I've created this app from a pre-made PHP template, and therefore I replaced all my 'htdocs' files before I could run through XAMPP's security page procedures.

I'd like to go through the steps that I took to attempt to secure the env a little bit, and I'll kindly ask you to give me some more suggestions or tell me if I'm missing something.

  • I completely removed the webdav folder.
  • I changed MySQL root password.
  • I changed phpMyAdmin's default password for the Cookie Auth.
  • I set up an .htaccess file on folders I wanted protected. (Being new to Apache, this is kind of confusing to me. At first I wanted to secure the entire XAMPP folder, but then nobody could access my web app without being forced to log in with the .htpasswd creds, which is not what I wanted. I only wanted this to happen on folders that have downloadable sensitive user files, and so I moved the .htaccess file accordingly. Though I don't know if this is advisable at all, since I see many people saying that the first security measure to be taken is to actually set up an .htaccess file on the root of XAMPP's folder. Though I do have one, it is not auth protected. My concern comes from a lack of understanding of how Apache decides which folder is "accessible" or not. I'm used to creating a web server that is only accessible through routes I explicitly create and allow the user to consume. I'm not really sure how PHP and Apache work together to define these permissions.)
  • I am NOT using FileZilla (nor running it as far as I know).
  • I am NOT using Mercury (nor running it as far as I know).
  • I am NOT using Tomcat (nor running it as far as I know).

Now, to the more concerning part for me: phpMyAdmin. At first I had access to it through localhost, but I lost it once I set up my VirtualHost servers pointing to my domain and SSL. The way I "fixed" that was by creating another VirtualHost listening on port 80 pointing to localhost as well. Even though I tried to access phpMyAdmin remotely through the domain and IP and was unsuccessful, I'm still worried that it might be vulnerable somehow through the network. This is my VirtualHost setup in httpd-ssl.conf:

<VirtualHost *:80>
   ServerName localhost
   DocumentRoot "C:/xampp/apache/logs/error.log"
</VirtualHost>

##
## SSL Virtual Host Context
##
<VirtualHost *:80>
   ServerName http://example.com
   DocumentRoot "C:/xampp/apache/logs/error.log"
   Redirect / https://example.com/login
</VirtualHost>

<VirtualHost _default_:443>

#   General setup for the virtual host
DocumentRoot "C:/xampp/htdocs"
ServerName example
ServerAdmin [email protected]
ErrorLog "C:/xampp/apache/logs/error.log"
TransferLog "C:/xampp/apache/logs/access.log"

From the little I understand about what I'm doing, even though the MySQL daemon is accessible via the network, intruders would have to brute-force the password to get in. My sensitive downloadable files are protected through .htaccess credentials. I think that my phpMyAdmin is also protected, but about this one I'm really not sure. I'd appreciate any input.
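One way to pin down the access rules the question is asking about, as an added example from the editor and not the poster's own configuration: a single Apache 2.4 fragment that confines phpMyAdmin to the local machine on every VirtualHost, keeps the Basic-auth gate on the download directory but defines it in the server config instead of a per-folder .htaccess, and lets the plain-HTTP hosts do nothing except redirect. The paths, the `private-files` directory name, the `.htpasswd` location and the certificate file names are assumptions based on XAMPP's default Windows layout; adjust them to match the real install.

```apache
# Added example (not the poster's config). Paths assume the default XAMPP
# layout on Windows. Put these directives in httpd-xampp.conf / httpd.conf
# (or a file included from them), not in a .htaccess: a <Directory> section
# in the main server config applies to every VirtualHost that serves that
# path, so phpMyAdmin stays locked down no matter which host name is used.

# 1. phpMyAdmin: only answer to clients on this machine (127.0.0.1 / ::1).
#    XAMPP ships a block like this already; make sure it still says
#    "Require local" and has not been loosened to "Require all granted".
<Directory "C:/xampp/phpMyAdmin">
    AllowOverride AuthConfig
    Require local
</Directory>

# 2. Sensitive downloads: Basic auth, defined centrally. The .htpasswd file
#    lives outside htdocs so Apache can never serve it as a document.
#    (directory name and htpasswd path are assumptions)
<Directory "C:/xampp/htdocs/private-files">
    AuthType Basic
    AuthName "Restricted downloads"
    AuthUserFile "C:/xampp/apache/conf/private.htpasswd"
    Require valid-user
    Options -Indexes
</Directory>

# 3. Plain HTTP only redirects to HTTPS; it exposes no DocumentRoot at all.
#    ServerName is a bare host name, never a URL.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

# 4. The HTTPS host serves the app from htdocs. The <Directory> rule in (1)
#    still governs /phpmyadmin here, so it is not reachable over the network.
<VirtualHost _default_:443>
    ServerName example.com
    DocumentRoot "C:/xampp/htdocs"
    SSLEngine on
    SSLCertificateFile "C:/xampp/apache/conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "C:/xampp/apache/conf/ssl.key/server.key"
    ErrorLog "C:/xampp/apache/logs/error.log"
    TransferLog "C:/xampp/apache/logs/access.log"
</VirtualHost>
```

To check the phpMyAdmin rule, request `http://<server-ip>/phpmyadmin/` and `https://example.com/phpmyadmin/` from a different machine on the network and confirm both return 403, while `http://localhost/phpmyadmin/` on the server itself still works. The MySQL daemon is a separate concern that Apache config cannot fix: if nothing but PHP on the same box needs it, set `bind-address=127.0.0.1` under `[mysqld]` in `my.ini` and restart MySQL so port 3306 is no longer reachable from the network at all, rather than relying on the root password to hold up against brute force.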


