First of all, thank you so much for this community and this software. I love the concept of portable apps.
Now, for my question. I'd like to run the xampplite package (needing only apache, mysql, and php) from my local system with local access only. That is localhost alone with no external network access at all.
I've performed two modifications so far:
Apache: I added the line "Listen 127.0.0.1" to my httpd.conf which seems to have worked, as visiting 127.0.0.1 in my browser gives me the normal routine and such, but visiting my ip address with my browser returns an error page of unable to connect. Was this sufficient? I want to disable all network access, as in a port scan would turn up nothing.
MySQL: Same idea as above. I modified the my.cnf file to contain the line bind-address=127.0.0.1 in the [mysqld] section. Again is this adequate?
Do I need to perform a similar modification for PHP? Are there any other services in the xampplite package that I need to modify?
I'd like these services to run locally only. No local network access, no wide network access. Any port scans on my system should return no hits of these services.
Thank you so much.
Trent
If you browse to your IP address and get a web page back then anyone else can do the same thing. That means that it will show up on a port scan. That's not what you want though, right?
That's not what he said...
We are working on the same problem. I would not stop with doing the changes to just httpd.conf and my.cnf but would include the php.ini and, if you are using phpMyAdmin, modify it and the XAMPP configs as well. While the ports would be available locally, I suspect that they would still show as open to a port scan.
Have you thought of alternative porting?
______________________________________________________
Ridgewood Foundation Open Source Project
Site: ZedFiles Blog: My 19" Universe
PHP is a scripting language triggered through a webserver and doesn't listen on a port. Apache is locked down to the localhost so your work is done there.
phpMyAdmin uses PHP to supply a pretty interface to the MySQL server and doesn't listen on a port either. It's a webpage. Since Apache and MySQL are both locked down to localhost after your tweaks, your work is done there too.
Use the CurrPorts program to figure out if you have more processes running in the xampplite package that you need to lock down to localhost only (if you decide to run the FileZilla FTP server for example).
http://www.nirsoft.net/utils/cports.html
Also, for those above that said that processes that are "listening" on 127.0.0.1 will appear on scans...these processes will NOT appear on network scans. A process needs to be listening on the local address of 0.0.0.0 or an IP address of the machine itself (ex: 192.168.1.100) for a process to appear on a scan from NMAP (for example). Look at the output of 'netstat -na' in a command prompt.
Cancer Survivors -- Remember the fight, celebrate the victory!
Help control the rugrat population -- have yourself spayed or neutered!
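The 'netstat -na' check described in the post above, as an added example that is not part of the original thread: it parses Windows-style netstat output and reports every listener bound to something other than a loopback address. The sample output is constructed, and the names `exposed_listeners` and `split_endpoint` are hypothetical.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -na` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:80           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    192.168.1.100:21       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49712        127.0.0.1:3306         ESTABLISHED
  TCP    [::1]:8080             [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_endpoint(endpoint):
    """Split '127.0.0.1:80' or '[::1]:80' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any IPv6 zone id
    return ipaddress.ip_address(host), int(port)

def exposed_listeners(netstat_text):
    """Return sorted (proto, address, port) for sockets reachable from the network."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, local, _foreign, state = m.groups()
        # TCP: only LISTENING rows matter. UDP is stateless, so any bound socket counts.
        if proto == "TCP" and state != "LISTENING":
            continue
        try:
            addr, port = split_endpoint(local)
        except ValueError:
            continue  # unparseable address: skip rather than guess
        if not addr.is_loopback:  # 0.0.0.0, ::, and real interface addresses
            found.add((proto, str(addr), port))
    return sorted(found, key=lambda r: (r[2], r[0], r[1]))

if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE):
        print(f"{proto} {addr}:{port} is reachable from the network")
```

To check a real machine, save the output of 'netstat -na' to a file and pass its contents to `exposed_listeners`; an empty result means every listener is loopback-only.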
I stand corrected. I am so used to using alternative porting now that it has become habit.
If SSL isn't needed, 'Include conf/extra/httpd-ssl.conf' (around line 510) should be commented out in the httpd.conf. It will open port 443 as 0.0.0.0 unless \extra\httpd-ssl.conf is modified (around line 37) with 'listen 127.0.0.1:443'.
I thought modifying the main directive and not specifying a port changed both port 80 AND 443 at the same time. Guess not. Can you tell it's been a while since I've had to jack with my Apache server?
Also, I guess "alternative porting" (never heard of that term until now) is running a process on a port other than its normal port...like having an SSH server listen on port 22556 for example?
Thanks. That's the deal. A lot of the time someone may be running a XAMPP suite already on their computer with the standard 80/3306/443 ports. If you want to test other builds or if you have a removable drive and want to plug it in, there will be a conflict. By using ports, say, 6060/6080/6090 (if you need SSL) you can run concurrent sessions.
Actually a 'best practice' would be to use alternative porting on all portable-XAMPP builds so that you don't inadvertently mess with someone else's system.