Securing Apache/Mysql on a home lan

MrAlaska

I am hoping this is an easy fix. I have EasyPHP installed, which is a wrapper application for Apache, PHP, and MySql (for the benifit of anybody who may not be aware) on my main computer (running W98), then I do most of my coding while kicked back on my recliner pounding on my laptop which is hooked up to the PC via peer-peer wireless. It works fine for me. If I need to run an application or reboot something on the main PC I just send a browser over there and take over via TightVnc. No muss, no fuss, or so I thought.

Just for grins, I checked the Apache error log and was struck by an unusual IP address. Since the error log was HUGE (EasyPHP does have a couple minor bugs on my system) I slapped a script together to parse out the IP's that do not match my LAN, used it to view the access log, and was amazed to find DOZENS of hostile IP addresses, one IP family was rather persistent having made several hundred attempts over the last few days. The requests I recognized as commands used to exploit known vulnerabilities for various servers, but they all had the paths wrong.

I don't think my system was penetrated, all the requests resulted in 404 or 400 codes. I also do not think it was directed at me. If someone was after me they probably would have sent a browser to my IP, saw the default EasyPHP page, and could have figured out the right path at least. I think it was script kiddies out of control who probably would not have known what to do if the script they got from their friendly hacker in the chatroom (oh, yea, a few AOL ip's were in there too) ever found a vulnerability.

I do need to fix this, though. And just insuring my server is has no vulnerabilities is not enough. I am on a PHONE modem, I don't have the BANDWIDTH to return all those 404 pages, or even deny them! I want to isolate Apache (and MySql for that matter) from the internet when I am online. Right now I have the server turned off, which works pretty good for security but kind of sucks when I am coding and need to hop online and do a search.

I considered a partial solution of assigning alternative ports, but I still have some un-needed exposure that way (I also like just typing 'home' into my laptop browser to view my root and my HOSTS file does not seem to work if I try to assign ports). I tried disallowing Apache and MySql access to the internet via ZoneAlarm but that killed the LAN too as far as the web service. A rules based firewall might be an option but it seems a lot of trouble to go through for a phone modem and I just wanna write PHP all the time!

I am hoping there is a way I can configure Apache and MySql to only allow the LAN? I don't want Apache returning errors (except to me, cuz I'm the daddy), I want their respective ports closed to the outside world. Any help out there? Thanx!

bormuff98

How about using a .htaccess file in the root directory of your local web server which only allows access to the IP Addresses which make up your LAN. You can then deny access t oany other IP or bring up a password box to allow remote access via username/password.

I have a similar setup at work whereb ya part of our web server is only for my departments eyes and therefore only my staff can view it (without loggin in) but a prompt is brought up if I attempt access from elsewhere.

MrAlaska

.htaccess is something I had not even considered, thanx for the suggestion. I have not used .htaccess before, but it is something I have been meaning to learn a little about.

.htaccess would not protect MySql, though, would it? Is there a way to include the ports MySql is using in the protection? Not that my test database contains anything but junk, it is just the idea of unnecessarily leaving my ports hanging open that is unappealing.

EDIT: Actually, since I am not accessing MySql with anything other than PHP running on the local machine, I just might be able to close its ports to the 'net with ZA. Htaccess might be an ideal solution. Is there known vulnerability issues with htaccess or is it pretty tight in this type of scenario? Time to do a little investigating!

MrAlaska

Hot damn! I think that will do the trick. MySql runs just fine not allowed internet access, and Apache is now denying everybody who doesn't match my LAN family.

Not that I need it, but I hate leaving something half understood.I am still trying to sort out password protection. I have not yet found the encryption routine .htpasswd needs to store the password with. I did find a few sites that offered password encryption as service via form input that was supposed to be formatted to paste into .htpasswrd, but every site returned a different value l Of course, none of them worked.

Oh well, thanks to your suggestion my initial objective has been met satisfactorily, and I have FINALLY exposed myself to HTTP authentication. Now I am full of questions lol

bormuff98

from the htpasswd man page:

NAME
htpasswd - Create and update user authentication files

SYNOPSIS
htpasswd [ -c ] passwdfile username

DESCRIPTION
htpasswd is used to create and update the flat-files used to
store usernames and password for basic authentication of HTTP
users. Resources available from the httpd Apache web server
can be restricted to just the users listed in the files created by
htpasswd. This program can only be used when the usernames
are stored in a flat-file. To use a DBM database see dbmmanage.

This manual page only lists the command line arguments. For
details of the directives necessary to configure user
authentica-tion in httpd see the Apache manual, which is part of
the Apache distribution or can be found at http://www.apache.org/.

OPTIONS
-c Create the passwdfile. If passwdfile already exists, it is deleted first.

   passwdfile
          Name of the file to contain the user name and password. If -c is given, this file is created  if  it  does  not  already
          exist, or deleted and recreated if it does exist.

   username
          The  username  to create or update in passwdfile. If username does not exist is this file, an entry is added. If it does
          exist, the password is changed.[/COLOR]

HTH 🙂

MrAlaska

Damn, I seem to have this uncanny ability to miss the obvious. It never dawned on me to look for htpasswd documentation on the Apache website. DUH!

Thank you once again.

yelvington

There's another thing you should look at.

In your httpd.conf file, there is a BindAddress directive. It's probably commented out. Change it to

BindAddress 127.0.0.1

This will cause httpd to listen ONLY to the loopback address, not to the interface that you get from DHCP when you connect to the net.

MrAlaska

Cool beenz, yelvington, thank you for your input!

It actually did not answer on 127.0.0.1, possibly because I am accessing apache from another machine, but plugging in the LAN address of my main machine worked splendidly.

Sending the browser to my IP address now returns page unavailable. It appears that I am now truly invisible to the web 🙂