Wednesday, 3 April 2013

Some Apache security.

I recently discovered a blog post that I had written back in 2008 but it is still relevant today. So I have decided to release it now in 2013.

Apache Security

I have been receiving attacks from someone using zombie computers and banning IPs on Apache.
That didn't stop the attacker as he was able to use different IPS for the same attack. So I decided to fix the problem from the root problem.

I checked apache.log and I saw that the attacker was trying to erase some internal Windows files using a PHP file he uploaded by him self using some kind of vulnerability of the XAMPP default settings.

The biggest problem was that I didn't have a password set for phpMyAdmin software so it was like a big hole in the security.

Now I know what to do:
Go to myphpadmin folder and in config.ini
find the next line and set it to authenticate using http and not automatic!

$cfg['Servers'][$i]['auth_type'] = 'http';

Another good thing for security is to disable directory listings. So when a user tries to open a folder, Apache doesn't show the files on the folder...

on .htacess add the following line:

Options -Indexes

No comments: