1

I know it's not really practical, but anyway recently I got interested in making my mac a server, possibly to host a blog, with WordPress. Right now I have a free DynDns account and a host which gets the IP updated through the DynDns Updater application I downloaded. I have an AirPort Extreme Base Station router, and it forwards port 80 to my mac's port 80. DHCP reserves 10.0.1.2 for my mac, so it will always get that local IP, and the port forwarding will always point to it. The firewall on my mac is turned on, although I'm not sure if that matters for this.

So anyway, with this setup, is that secure enough? Would there be a way that someone could hack into it? It would be impossible for someone to actually hack into the system (like all the files on my computer other than the actual webpage files read from the web server), right? I don't have remote login or SSH or anything like that turned on.

And about MySQL, I need that to use WordPress, and by default the root account has no password, and I've read that is insecure. But wouldn't you have to be on my machine to log into it anyway?

I'm just playing around with it now, and I just want to make sure I'm not putting the system in danger. Right now I'm not so much concerned about hacking into the web server, like deleting the web page files or something, but I'd like to hear whatever you have to say.

And don't recommend that I use some free hosting service, the only reason I'm doing this is to see if I can get it to work and to learn about it.

If you could just explain a bit and answer some of my questions, that would be great. Thanks.

1 Answer

0

You could run iptables on your mac, for extra security.

Keep your apache updated with all the security patches, and make sure you have all the permissions correct on all the directories you're serving. Assign wordpress a different mysql account, and grant the tightest restrictions you can on it (I don't remember what the wordpress installer does). Disable mysql remote login (should be disabled by default, but double check). Give that root account a password, something non-standard.

The reason you want to restrict the mysql user accounts is to better protect against sql injection attacks. If you're just running wordpress, it shouldn't be too much of an issue, but better safe than sorry (the wordpress community does a pretty good job of making sure the glaring security holes are filled).

  • How do I update apache? I'm using the apple packaged one, Apache/2.2.11 (Unix). And when you say "with all the security patches," those aren't things I have to separately download are they?
    – mk12
    Commented Oct 19, 2009 at 21:04
  • And in MySQL, should I remove the two default anonymous accounts? One I think has root privileges.
    – mk12
    Commented Oct 19, 2009 at 21:05
  • The easiest way for you to do that is to turn off the default apache, install macports, and use that apache. It will be more up to date than what comes packaged with os x.
    – mote
    Commented Oct 19, 2009 at 21:06
  • Yes, you should remove those accounts. Do a quick google for "securing fresh mysql install" - that will give you more than a few steps to do.
    – mote
    Commented Oct 19, 2009 at 21:06
  • Will it really matter that much if I keep my 2.2.11 instead of upgrading to 2.2.14?
    – mk12
    Commented Oct 19, 2009 at 21:24
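
The MySQL steps from the answer and comments above (root password, removing the anonymous accounts, a separate restricted WordPress account, no remote login), collected as an added example that is not part of the original thread. It assumes MySQL 5.7 or later syntax; the database name `wordpress`, the account name `wp_blog` and the `CHANGE_ME_*` passwords are placeholders.

```sql
-- Added example; run as root in the mysql client on the server itself.
-- Assumed names: database `wordpress`, account `wp_blog` (both hypothetical).
-- Replace the CHANGE_ME_* placeholders with long random passwords.

-- 1. Give every root row a password (the install described above has none).
SELECT user, host FROM mysql.user WHERE user = 'root';
ALTER USER 'root'@'localhost' IDENTIFIED BY 'CHANGE_ME_ROOT';
-- Repeat ALTER USER for each other root@<host> row the SELECT listed.

-- 2. List anonymous accounts (empty user name), then drop each row returned.
SELECT user, host FROM mysql.user WHERE user = '';
DROP USER ''@'localhost';
-- Repeat DROP USER ''@'<host>' for every other host the SELECT listed.

-- 3. List accounts that may connect from another machine.
--    Anything returned here should be dropped or recreated as @'localhost'.
SELECT user, host FROM mysql.user
WHERE host NOT IN ('localhost', '127.0.0.1', '::1');

-- 4. Dedicated WordPress account: local only, one database, data access only.
--    A SQL injection through the blog is then limited to this one database
--    and cannot read mysql.user or touch other schemas.
CREATE USER 'wp_blog'@'localhost' IDENTIFIED BY 'CHANGE_ME_WP';
GRANT SELECT, INSERT, UPDATE, DELETE ON wordpress.* TO 'wp_blog'@'localhost';
-- Installing or upgrading WordPress changes table structure. For that window:
--   GRANT CREATE, ALTER, INDEX, DROP ON wordpress.* TO 'wp_blog'@'localhost';
-- and REVOKE the same list from the account afterwards.

-- 5. Verify the result.
SHOW GRANTS FOR 'wp_blog'@'localhost';   -- only the privileges granted above
SHOW VARIABLES LIKE 'skip_networking';   -- ON  = no TCP listener at all
SHOW VARIABLES LIKE 'bind_address';      -- 127.0.0.1 = TCP from this host only
```

If neither of the last two checks shows a local-only setting, set `bind-address = 127.0.0.1` or `skip-networking` in the `[mysqld]` section of the server's configuration file and restart MySQL.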
