WIN2000 Apache php mysql installation and security manual

apache|mysql| Security This article is written to friends who want to set up a secure web platform on the Win2K platform.
The required program:

Apache
http://www.apache.org/dist/httpd/binaries/win32/
We choose Apache_1.3.28-win32-x86-no_src.msi, or Apache_2.0.47-win32-x86-no_ssl.msi.
All available, do not use the lower version of the program, they are flawed, very vulnerable to attacks on the Internet

Php
Http://cn2.php.net/get/php-4.3.3-Win32.zip/from/a/mirror
php-4.3.3

Mysql
Http://www.mysql.com/get/Downloa ... 5-win.zip/from/pick
mysql-4.0.15
Note: Below this version of MySQL, there are defects, do not use

Zendoptimizer-2[1].1.0a-windows-i386.exe
PHP Optimizer, support for encrypting PHP script

Mysql-front
A MySQL manager running on the MS Platform GUI, very handy

Phpmyadmin-2.5.0-php.zip
MySQL manager based on PHP script

Phpencode.exe
PHP encryption Compiler


install~
1. Install Apache
Because the installation is very simple, pass~!, just to be aware of, do not install to the system partition
Because of this, there are advantages in terms of backup, maintenance, and catastrophic recovery.
Assuming that the d:\\ is installed
2. Install PHP
Please refer to the install.txt in the PHP directory for the specific installation process.
Note that you do not use the CGI method
The following are reference materials
------------------------------------------------------------------
Title 17/2/2002
PHP for Windows arbitrary Files Execution (GIF, MP3)
Summary
Through PHP. EXE, a attacker can cause PHP to interpret any file as a php file,
Even if it extensions are not PHP. This would enable the remote attacker to
Execute arbitrary commands, leading to a system compromise.
Details
Vulnerable systems:
PHP version 4.1.1 under Windows
PHP version 4.0.4 under Windows
A attacker can upload innocent looking files (with MP3, txt or GIF extensions)
Through any uploading systems such as Webexplorer
has uploading capabilities), and then request PHP to execute it.
Example:
After uploading a file a \ "gif\" extension [in our example Huh.gif] that contains
PHP code such as:
#------------
?
Phpinfo ();
?>
#------------
An attacker can type the "following" to "cause" the PHP file to IS
Executed:
Http://www.example.com/php/php.exe/UPLOAD_DIRECTORY/huh.gif
Notice:php/php.exe is included in the URL.
Additional Information
The information has been provided by Compume and Rootextractor.
PS: Most versions have this problem. Include some of the latest versions, so please do not install with CGI! Remember ...
3. Install MySQL
Install to d:\\, also very simple, specific process pass.
It's just that the default settings for MySQL after installation are really worrying.
The following references my original article
-----------------------------------------------------------------------------------
2002/12/21
Write in front: Nothing can do, life is consumed, pain ~ ~ ~ Ah, so wrote, this article no original, organized and into!
The default installation of MySQL service unsafe factors include:
A. mysql Default authorization table
Two. lack of log capacity
Three. my.ini File leak password
Four. The service defaults to be bound on all network interfaces
Five. mysql directory permissions under the default installation path
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. mysql Default authorization table
Because MySQL is authentication based on MySQL, this database is also called authorization table. All the permission settings are here.
We'll just discuss one of the most important table user tables. It controls the acceptance or rejection of the connection.
Let's take a look.
Select Host,user,password,delete_priv from user;
+-----------+------+------------------+-------------+
| Host | user | password | Delete_priv |
+-----------+------+------------------+-------------+
| localhost | Root | 67457E226A1A15BD | Y |
| % | Root | | Y |
| localhost | | | Y |
| % | | | N |
+-----------+------+------------------+-------------+
Now that the new version is installed, a Quick Setup window will appear to set the password.
Above, is the contents of the user table (a little bit) to see what the problem is?
We know that MySQL is a very special way of verifying that it's based on two 2 information.
1. Connect from there
2. User Name
The first one is fine, of course the password must be safe.
The second article from any host, to user root, does not require a password can be connected, permissions for all permissions. (Note: The permissions here are global permissions)
Third from the local host, any user name (note: User is blank, does not mean that no user name), do not need a password, can connect, all the permissions
Fourth from any host, any user name, do not need a password, can connect, without any permissions.
It can be seen that 2\\3\\4 are not safe, how to attack here will not say, please refer to the data base.
If you MySQL only allows local connections, delete the% of host and nul in user (indicates null)
Delete from user where host= '% ';
Delete from host where user= ';
The last user table, it looks that way.
+-----------+------+------------------+-------------+
| Host | user | password | Delete_priv |
+-----------+------+------------------+-------------+
| localhost | Root | 67457E226A1A15BD | Y |
+-----------+------+------------------+-------------+
Finally, the authorization table needs to be refreshed to take effect immediately.
Flush privileges;
If your MySQL needs to be used remotely, you need to have the root account in the% section plus a secure password
Update user set Password=password (' Youpass ') where host= '% ';
Where Youpass, is the password
Mysql> select Host,user,password,delete_priv from user;
+-----------+------+------------------+-------------+
| Host | user | password | Delete_priv |
+-----------+------+------------------+-------------+
| localhost | Root | 67457E226A1A15BD | Y |
| % | Root | 77C590FA148BC9FB | Y |
+-----------+------+------------------+-------------+
Better yet, the connection to the remote host is specified as a specific
Modify% in host to allow connected hosts, such as:
192.168.0.% allows a specific subnet
Www.sandflee.net allows a specific host
The default name of the account number is also a concern. Could lead to a violent break.
Update user set user= ' localadmin ' where host= ' localhost ';
Update user set user= ' remoteadmin ' where host= '% ';
The last user table looks like this.
Mysql> select Host,user,password,delete_priv from user;
+-----------+-------------+------------------+-------------+
| Host | user | password | Delete_priv |
+-----------+-------------+------------------+-------------+
| localhost | Localadmin | 67457E226A1A15BD | Y |
| % | Remoteadmin | 77C590FA148BC9FB | Y |
+-----------+-------------+------------------+-------------+
For more detailed information, please refer to Yan Zi's "MySQL Chinese reference manual". Whatever it is, it's down.
Two. lack of log capacity
After the MySQL installation is complete, the My.ini settings file will be generated in the%systemroot% directory
The default content is as follows:
——————————————————————————————
Basedir=c:/mysql
#bind-address=192.168.0.1
Datadir=c:/mysql/data
#language =c:/mysql/share/your Language Directory
#slow Query log#=
#tmpdir #=
#port =3306
#set-variable=key_buffer=16m
[Winmysqladmin]
Server=c:/mysql/bin/mysqld-nt.exe
User=root
Password=root
———————————————————————————————
Pay attention to log#= this.
It has not been defined and has been written off.
Change to a suitable path, such as:
Log=c:/mysql/logs/mysql.log
Three. my.ini File leak password
We see My.ini Finally, there are these two sentences
User=root
Password=root
If, when you are finished installing, you use the Quick Setup feature provided by MySQL, your account number and password will be written to the My.ini file (newer version).
This is also the Winmysqladmin.exe tool that MySQL writes to the Startup group, the runtime needs to read. It provides the MySQL service
Some of the monitoring features. This allows Winmysqladmin.exe to obtain the status information of the MySQL service.
In fact, this is not a loophole, we look at My.ini default permissions, it can be read by user group users.
Which causes the password to be compromised.
Workaround:
Permissions to My.ini files from new settings.
Set up the account number and password from the new
Do not use the Quick setting
Four. The service defaults to be bound on all network interfaces
The service is bound to all network interfaces, for example, you only need a MySQL service running on the intranet, but your machine has
External network interface, MySQL will also be bound, resulting in some unnecessary trouble and threats.
The phrase in My.ini.
#bind-address=192.168.0.1
It was written off by default.
Should open it
If, just local use, change to
bind-address=127.0.0.1
In other cases, you should select a suitable network interface
Five. mysql directory permissions under the default installation path
MySQL default installation path for C:\\mysql, basically are rare to change, to change the words is also trouble, but also to change the My.ini.
But, there's a problem.
Usually the c:\\ permissions are the Everyone group-all permissions. This is the default, due to inheritance, resulting in MySQL under the data directory
Also the Everyone group-all permissions. Leads to arbitrary access, reading, deletion, and possible disclosure and destruction of data.
Change the MySQL directory to an appropriate, secure access right.
Over ...
-----------------------------------------------------------------------------------------
Here is a small grammatical error, please find out yourself:

setup~
3 Configuration Documents
httpd.conf---Apache
PHP.ini-----PHP
My.ini------MySQL
1.http.conf
Because the MS version of Apache is not like *nix under
User,group These two instructions, so you don't expect it to be like IIS, the server response to the Iusr_name account
*nix under the Nobody, so your Apache is operating with system privileges, and it's not very suitable for erecting personal homepage servers
httpd.conf a lot of parameters, basically do not need to modify the work
Here are the areas to be modified
Deletes all files in the Htdocs directory. Deletes all files under Cgi-bin, which are used for testing purposes and should not be retained.
Bindaddress *-Need to bind the address * only all addresses
DirectoryIndex index.html index.htm--The name of the default home page
Accessfilename. htaccess--control file name, suggest to turn off or change name, and the file name starting with \ ". \" is not allowed under Windows
Serversignature on--error message, recommended off. This will not show you the Apache version number.
-----------------------------------------------
alias/manual/\ "D:/apache/htdocs/manual/\"
<directory \ "D:/apache/htdocs/manual\" >
Options Indexes followsymlinks MultiViews
AllowOverride None Purge
Order Allow,deny
Allow from all
</Directory>
-----------------------------------------------
AddHandler cgi-script. PL--If you need to support CGI, you need to open it, or comment it out.

LoadModule Php4_module D:/php/sapi/php4apache.dll
Addmodule mod_php4.c
AddType application/x-httpd-php. PHP--Add support for PHP scripts
2.php.inf

Engine = on--Open PHP support, if PHP is not allowed to work engine = off
Safe_mode = off-Safe mode, it should be opened Safe_mode = On
Safe_mode_exec_dir =--Sets the directory where Safe mode can execute programs
Disable_functions = The function to be closed, with \, \, to separate the recommended shutdown Phpinfo,get_cfg_var
expose_php = on recommendation expose_php = off so that there will be no PHP version number in header
Display_errors =on recommend Display_errors =off, so that all error messages will be closed
Register_globals = off automatic global variable, generally open register_globals = on, but can cause a lot of
Security issues, especially some write-not-good PHP scripts, can potentially compromise your Web server
File_uploads = on whether to allow uploading files if you do not need to off
Allow_url_fopen = off whether function is turned on remotely, recommended shutdown

; Extension=php_gd.dll
; Extension=php_gettext.dll
; Extension=php_hyperwave.dll
; Extension=php_iconv.dll
Extension=php_ifx.dll open Some libraries that need support, such as using graphical functions to
Need copy Php/extensions/php_gd.dll to your system directory, then remove;
If you restart Apache, you can use the
3.my.ini
There it is, pass.
Security recommendations, the above 3 settings files, set their permissions to system all permissions, administrators all permissions

4. Enhance the security of virtual directory
Some important directives.
The specific case:
<directory \ "D:/apache/htdocs/tools\" >
Options Indexes
AllowOverride None
Order Allow,deny
Allow from all
</Directory>
Php_flag engine off; Turn off PHP explain execution function
Php_admin_value safe_mode 1; Safe Mode 1-open 0-off
Php_admin_value Open_basedir D:/apache/htdocs/tools; Limited in a developed directory
This limits the PHP script to only open files under D:/apache/htdocs/tools.
The following code is useless.
-----------------------------------------------------------
$FD = fopen ($filename, \ "R\");
$view = Fread ($FD, FileSize ($filename));
echo \ "<pre>\";
echo htmlspecialchars (\ "$view \";
echo \ "</pre>\";
Fclose ($FD);
-----------------------------------------------------------
Enable the Apache-http authentication feature
Clear
<directory \ "D:/apache/htdocs/home\" >
...
...
AllowOverride authconfig
</Directory>
In the

Parameter allowoverride authconfig
Note that here's the D:/apache/htdocs/home, which represents the Web root directory for the Apache service I installed, yours and mine are not necessarily the same
The default, as if there is no such allowoverride authconfig parameters.
AllowOverride the meaning of authconfig parameters.
It means that access control for all directories under the root directory is set by the. htaccess file in its directory.
Here, I would like to say a little more nonsense.
Why is. htaccess, this file name, not the other.
This is defined in the Accessfilename parameter. This is the default.
Accessfilename. htaccess
You have to do to clear the allowoverride authconfig parameters (add # or erase)
The reason for doing so
1. I feel trouble (each directory requires a. htaccess file, and the file name that starts with \ ". \" is not allowed under Windows system. ）
2. Not very safe (it may be seen.) ）
How do you verify the directory you want to specify?
A column child
<directory \ "D:/apache/htdocs/home\" >//definition to verify directory path
AuthType Basic//mode, Windows does not support MD5, so please use the basic method
AuthName TEST//Definition Display in dialog box field name
AuthUserFile d:/apache/user//Definition password file
ErrorDocument 401 \ "Error Password//define the content that will be displayed after the validation fails, of course it can be a file
Require Valid-user note, I here let it directly show the error Password, with \ "The beginning is, there is only one OH
</Directory>
Just add it to the back of the httpd.conf.
Then there's a htpasswd.exe file in the bin directory in the Apache installation directory.
Please run it under cmd
D:\\apache\\bin>htpasswd.exe
Usage:
htpasswd [-cmdps] passwordfile username
HTPASSWD-B[CMDPS] passwordfile username password

Htpasswd-n[mdps] Username
HTPASSWD-NB[MDPS] Username password
-C Create a new file. Create a new password file (you use it for the first time, because this parameter is used)
-N don\ ' t update file; Display results on stdout. Show to Screen
-M Force MD5 encryption of the password (default). Encrypt password (MD5 mode) default
-D Force CRYPT encryption of the password. Encrypt a password using the Crypt method
-P does not encrypt the password (plaintext). Password not encrypted
-S Force SHA encryption of the password. Using the SHA algorithm to encrypt
-B Use the password from the command line rather than prompting for it. Mutual Exchange Mode
On Windows, TPF and NetWare systems the \ '-m\ ' flag are used by default.
On all other systems, the \ '-p\ ' flag'll probably not work.
——————————————————————————————————————
Liezi:
D:\\apache\\bin>htpasswd.exe-c D:\\apache\\user Taotao
Automatically using MD5 format on Windows.
New Password: * * *
Re-type New Password: * * *
Adding password for user Taotao
The creation is complete.
One of the things to pay attention to
Passwordfile, should not be placed in the Web directory, because it will be downloaded, very stupid, although the password has been MD5
The-c parameter is used to create a new password file.
D:\\apache\\user path, to be with you in
AuthUserFile d:/apache/user settings are consistent.
and start your Apache service again.

Remember to back up your Httpd.conf,php.ini and My.ini

Install Zendoptimizer-2[1].1.0a-windows-i386.exe
It's simple, it's back to automatically modify your php.ini (C:\\winnt\\php.ini) file
Added the following:
[Zend]
Zend_optimizer.optimization_level=15
Zend_extension_ts=\ "C:\\Program Files\\zend\\lib\\zendoptimizer.dll\"

There are many benefits to installing the PHP optimizer
Speed up PHP, and most importantly, it can encrypt PHP scripts
So that you write the user in the PHP script, pass can be well protected.
In addition, you can also modify the header of Apache, with Utraedit32 open ApacheCore.dll
Find your corresponding Apache version number, change it to something else, like I changed it.
2000