WIN2000Apachephpmysql installation and security manual

Source: Internet
Author: User
Tags crypt http authentication
This article is intended for setting up a secure web platform on win2k. The required program: apachewww. apache. orgdisthttpdbinarieswin32 we choose apache_1.3.28-win32-x86-no_src.msi, or apache_2.0.47-win32-x86-no_ssl.msi can be, do not use the lower version of the program, they have defects, very Apache manual mysql installation

This article is intended for setting up a secure web platform on win2k.
Required program:

Apache
Http://www.apache.org/dist/httpd/binaries/win32/
We choose apache_1.3.28-win32-x86-no_src.msi or apache_2.0.47-win32-x86-no_ssl.msi
Yes. do not use lower-version programs. they are defective and are vulnerable to internet attacks.

Php
Http://cn2.php.net/get/php-4.3.3-Win32.zip/from/a/mirror
Php-4.3.3

Mysql
Http://www.mysql.com/get/Downloa... 5-win.zip/from/pick
Mysql-4.0.15
Note: mysql versions earlier than this version are defective. do not use

Zendoptimizer-2g012.16.1.0a-windows-i386.exe
Php optimizer that supports encryption of php scripts

MySQL-Front
A mysql manager running on the ms Platform gui, which is very easy to use

PhpMyAdmin-2.5.0-php.zip
Mysql manager based on php scripts

Phpencode.exe
Php encryption compiler


Install ~
1. install apache
Because the installation is simple, pass ~!, Please do not install it on the system partition.
In this way, backup, maintenance, and catastrophic recovery are advantageous.
Assume that d: \ is installed :\\
2. install php
For the specific installation process, see install.txt in the PHP directory.
Note that do not use cgi
References
------------------------------------------------------------------
Title 17/2/2002
PHP for Windows Arbitrary Files Execution (GIF, MP3)
Summary
Through PHP. EXE, an attacker can cause PHP to interpret any file as a PHP file,
Even if its extensions are not PHP. This wocould enable the remote attacker
Execute arbitrary commands, leading to a system compromise.
Details
Vulnerable systems:
PHP version 4.1.1 under Windows
PHP version 4.0.4 under Windows
An attacker can upload innocent looking files (with mp3, txt or gif extensions)
Through any uploading systems such as WebExplorer (or any other PHP program that
Has uploading capabilities), and then request PHP to execute it.
Example:
After uploading a file a \ "gif \" extension (in our example huh.gif) that contains
PHP code such:
#------------
Phpinfo ();
?>
#------------
An attacker can type the following address to get in to cause the PHP file to be
Executed:
Http://www.example.com/php/php.exe/UPLOAD_DIRECTORY/huh.gif
Notice: php/php.exe is already Ded in the URL.
Additional information
The information has been provided by CompuMe and RootExtractor.
Ps: This problem occurs in most versions, including the latest versions. therefore, do not install it using cgi! Remember...
3. install mysql
Install it to d :\\, which is also very simple. the specific process is pass.
It's just worrying about the default settings after mysql is installed.
Reference my original article below
Bytes -----------------------------------------------------------------------------------
2002/12/21
Preface: nothing to do, consumption of life, pain ~~~ Ah, so I wrote it. This article is no original, and it is organized!
The following elements are involved in the insecure mysql service installed by default:
I. default mysql authorization table
II. Lack of log capability
III. password leakage for my. INI files
4. services are bound to all network interfaces by default.
V. mysql directory permission in the default installation path
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~
I. default mysql authorization table
Because mysql authenticates identity based on the mysql database, it is also called an authorization table. All permission settings are here.
We will only discuss the most important user table. It controls accepting or rejecting connections.
Let's take a look.
Select host, user, password, Delete_priv from user;
+ ----------- + ------ + ------------------ + ------------- +
| Host | user | password | Delete_priv |
+ ----------- + ------ + ------------------ + ------------- +
| Localhost | root | 67457e226a1a15bd | Y |
| % | Root | Y |
| Localhost | Y |
| % | N |
+ ----------- + ------ + ------------------ + ------------- +
A quick setting window is displayed after the new version is installed to set the password.
The above is the content in the user table (omitted) to see if there is any problem?
We know that the mysql verification method is quite special. it is based on two pieces of information.
1. connect from there
2. user name
The password must be safe.
Article 2 The user root can be connected from any host without a password. The permission is all permissions. (Note: The permission here is global)
Article 3 from the local host, any user name (note: The user is blank, does not indicate that the user name is not required), password is not required, can be connected, all permissions
Article 4 any user name and password on any host can be connected without any permissions.
It can be seen that 2 \ 3 \ 4 is not safe, and how to attack it is not mentioned here, please refer to the data library.
If mysql only allows local connections, delete the % of the host and the nul (null) in the user)
Delete from user where host = '% ';
Delete from host where user = '';
The last user table looks like this.
+ ----------- + ------ + ------------------ + ------------- +
| Host | user | password | Delete_priv |
+ ----------- + ------ + ------------------ + ------------- +
| Localhost | root | 67457e226a1a15bd | Y |
+ ----------- + ------ + ------------------ + ------------- +
Finally, you need to refresh the authorization table to make it take effect immediately.
Flush privileges;
If your mysql needs to be remotely used, add a secure password to the root account in section %.
Update user set password = password ('upass ') where host =' % ';
Here, youpass is the password.
Mysql> select host, user, password, Delete_priv from user;
+ ----------- + ------ + ------------------ + ------------- +
| Host | user | password | Delete_priv |
+ ----------- + ------ + ------------------ + ------------- +
| Localhost | root | 67457e226a1a15bd | Y |
| % | Root | 77c590fa148bc9fb | Y |
+ ----------- + ------ + ------------------ + ------------- +
A better way is to specify the connection to the remote host as a specific
Change % in host to the host that can be connected, for example:
192.168.0.% allows a specific subnet
Www.sandflee.net allows a specific host
The default account name is also a concern. It may cause brute-force cracking.
Update user set user = 'localadmin' where host = 'localhost ';
Update user set user = 'remoteadmin' where host = '% ';
The last user table looks like this.
Mysql> select host, user, password, Delete_priv from user;
+ ----------- + ------------- + ------------------ + ------------- +
| Host | user | password | Delete_priv |
+ ----------- + ------------- + ------------------ + ------------- +
| Localhost | localadmin | 67457e226a1a15bd | Y |
| % | Remoteadmin | 77c590fa148bc9fb | Y |
+ ----------- + ------------- + ------------------ + ------------- +
For more detailed information, see the MySQL Chinese reference manual of Yan Zi. Everything else.
II. Lack of log capability
After mysql is installed, the setting file of my. ini will be generated in the directory % SystemRoot %.
The default content is as follows:
------------------------------
Basedir = C:/mysql
# Bind-address = 192.168.0.1
Datadir = C:/mysql/data
# Language = C:/mysql/share/your language directory
# Slow query log # =
# Tmpdir # =
# Port = 3306
# Set-variable = key_buffer = 16 M
[WinMySQLadmin]
Server = C:/mysql/bin/mysqld-nt.exe
User = root
Password = root
-------------------------------
Note log # = this
It is not defined and canceled.
Change to a suitable path, for example:
Log = c:/mysql/logs/mysql. log
III. password leakage for my. INI files
At the end of my. ini, we can see these two sentences:
User = root
Password = root
If you use the quick setting feature provided by mysql when the installation is complete, your account and password (in a newer version) will be written to the my. ini file.
This is also the winmysqladmin.exe tool written from mysqlto the startup group, which needs to be read during runtime. It provides mysql services
Some monitoring functions. In this example, winmysqladmin.exe can obtain the mysql service status information.
In fact, this is not a vulnerability. let's take a look at the default permissions of my. ini, which can be read by users in the user group.
Resulting in password leakage
Solution:
Set permissions for my. INI files.
Resetting accounts and passwords
Do not use quick settings
4. services are bound to all network interfaces by default.
The service is bound to all network interfaces. for example, you only need a mysql service running on the intranet, but your machine has
Mysql is bound to the external network interface, which brings unnecessary troubles and threats.
In my. ini
# Bind-address = 192.168.0.1
It is canceled by default.
Open it
If it is only used locally, change
Bind-address = 127.0.0.1
In other cases, select a suitable network interface.
V. mysql directory permission in the default installation path
The default installation path for mysql is c: \ mysql, which is basically rare. it is also troublesome to change, but also to change my. ini.
However, there is a problem.
Generally, c: \ has all permissions in the everyone Group. This is the default, and the data directory under mysql is caused by inheritance.
All permissions in the everyone Group. Data may be randomly accessed, read, or deleted, and data may be leaked or damaged.
Change the mysql directory to an appropriate and secure access permission.
Over...
Bytes -----------------------------------------------------------------------------------------
There is a small syntax error, please find it yourself :)

Setup ~
Three configuration documents
Httpd. conf --- apache
Php. ini ----- php
My. ini ------ mysql
1. http. conf
Because the ms version of apache does not support * nix
User and group commands, so don't expect them to reply to the iusr_name account like iis.
* Nobody is used in nix, so your apache runs with the system permission. it is not suitable for setting up personal homepage servers.
Httpd. conf has many parameters and can be used without modification.
The following are the locations to be modified:
Delete all files under the htdocs Directory. delete all files under cgi-bin. they are used for testing and should not be retained.
BindAddress * -- address to be bound * only all addresses
DirectoryIndex index.html index.htm -- default homepage name
AccessFileName. htaccess -- control file name. it is recommended that you disable or change the name, and the file name starting with \ ". \" is not allowed in windows.
ServerSignature on -- error message. it is recommended to off. this will not display your apache version.
-----------------------------------------------
Alias/manual/\ "D:/Apache/htdocs/manual /\"

Options Indexes FollowSymlinks MultiViews
AllowOverride None clear
Order allow, deny
Allow from all

-----------------------------------------------
AddHandler cgi-script. cgi. pl -- to support cgi, open it. otherwise, comment it out.

LoadModule php4_module d:/php/sapi/php4apache. dll
AddModule mod_php4.c
AddType application/x-httpd-php. php -- added support for php scripts
2. php. inf

Engine = On -- enable php support. if you do not want php to work, engine = Off.
Safe_mode = Off -- security mode, which should be enabled safe_mode = On
Safe_mode_exec_dir = -- sets the directory of programs that can be executed in security mode.
Disable_functions = the function to be closed. we recommend that you disable phpinfo and get_cfg_var using \ ", \".
Expose_php = On we recommend that you use expose_php = Off, so that no php version is available in the header.
Display_errors = On display_errors = Off, so that all error messages will be disabled.
Register_globals = Off automatic global variables. Generally, you must enable register_globals = On. However, many
Security issues, especially some poorly written php scripts, may compromise your web server
File_uploads = On: indicates whether to allow file upload. if you do not need to, off.
Allow_url_fopen = Off whether to enable the function remotely. we recommend that you disable

; Extension = php_gd.dll
; Extension = php_gettext.dll
; Extension = php_hyperwave.dll
; Extension = php_iconv.dll
; Extension = php_ifx.dll open some libraries that need to be supported, such as using graphical functions
Copy php/extensions/php_gd.dll to your system directory and remove it;
Restart apache to use
3. my. ini
Above, pass
Security suggestion: in the preceding three settings files, set their permissions to all system permissions and all administrators permissions.

4. enhanced security of virtual directories
Some important commands
Specific column:

Options Indexes
AllowOverride None
Order allow, deny
Allow from all

Php_flag engine off; disable the php interpreter execution function
Php_admin_value safe_mode 1; security mode 1-enable 0-disable
Php_admin_value open_basedir d:/Apache/htdocs/tools;
In this way, php scripts can only open files under d:/Apache/htdocs/tools.
The following code is useless.
-----------------------------------------------------------
$ Fd = fopen ($ filename, \ "r \");
$ View = fread ($ fd, filesize ($ filename ));
Echo \"
\"; 
echo htmlspecialchars(\"$view\";
echo \"
\";
Fclose ($ fd );
-----------------------------------------------------------
Enable apache-http authentication
Clear

...
...
Allowoverride authconfig

In

Parameter allowoverride authconfig
Note: Here, d:/Apache/htdocs/home indicates the web root directory of the apache service I installed. Your web root directory is not necessarily the same as mine.
The default value is "allowoverride authconfig.
Description of the allowoverride authconfig parameter.
It means that the access control of all directories under the root directory is set by the. htaccess file under its directory.
Here, I want to talk nonsense.
Why is it. htaccess? this file name is not another one.
This is defined in the AccessFileName parameter. By default, this is the case.
AccessFileName. htaccess
You need to clear the allowoverride authconfig parameter (add # or delete)
Reasons for doing so
1. I am in trouble (a. htaccess file must be placed in each directory and a file name starting with \ ". \" is not allowed in windows .)
2. it is not safe (it may be seen .)
How to verify the directory you want to specify?
One column
// Define the directory path to be verified
AuthType Basic // method. md5 is not supported in windows, so use basic.
AuthName TEST // define the domain name displayed in the dialog box
AuthUserFile d:/Apache/user // defines the password file
ErrorDocument 401 \ "Error Password // defines the content displayed after verification fails. of course, it can be a file.
Require valid-user Note: Here I want it to display the Error Password directly, start with \ ", there is only one

Directly add it to the end of httpd. conf.
There is an htpasswd.exe file in the binlog of the apacheinstallation directory.
Run it in cmd.
D: \ Apache \ bin> htpasswd.exe
Usage:
Htpasswd [-cmdps] passwordfile username
Htpasswd-B [cmdps] passwordfile username password

Htpasswd-n [mdps] username
Htpasswd-nb [mdps] username password
-C Create a new file. // Create a new password file (you use this parameter for the first time)
-N Don \'t update file; display results on stdout. // display to the screen
-M Force MD5 encryption of the password (default). // the default encryption password (md5 mode)
-D Force CRYPT encryption of the password. // use CRYPT to encrypt the password
-P Do not encrypt the password (plaintext). // unencrypted password
-S Force SHA encryption of the password. // use the sha algorithm for encryption
-B Use the password from the command line rather than prompting for it. // method of intercommunication
On Windows, TPF and NetWare systems the \ '-m \' flag is used by default.
On all other systems, the \ '-p \' flag will probably not work.
--------------------------------------
Column:
D: \ Apache \ bin> htpasswd.exe-c d: \ apache \ user taotao
Automatically using MD5 format on Windows.
New password :***
Re-type new password :***
Adding password for user taotao
The creation is complete.
Note that
Passwordfile should not be placed in the web Directory, because it will be downloaded and stupid, although the password has been md5
The-c parameter is used to create a new password file.
D: \ apache \ user path.
AuthUserFile d:/Apache/user settings are consistent.
Start your apache service again

Back up your httpd. conf, php. ini, and my. ini

Install zendoptimizer-21_12.16.1.0a-windows-i386.exe
It automatically modifies your php. ini (c: \ winnt \ php. ini) file.
Added the following content:
[Zend]
Zend_optimizer.optimization_level = 15
Zend_extension_ts = \ "C: \ Program Files \ Zend \ lib \ ZendOptimizer. dll \"

Installing the php Optimizer has many advantages.
It accelerates the running speed of php. The most important thing is that it can encrypt php scripts.
In this way, the user you wrote in the php script can be well protected by pass.
In addition, you can modify the apache header and use utraedit32 to open ApacheCore. dll.
Search for your apache version number and change it to another version. for example, I changed it
2000
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.