You are here

xampplite - how to make it localhost only?

8 posts / 0 new
Last post
entonleyleh
Offline
Last seen: 17 years 5 months ago
Joined: 2007-05-10 09:17
xampplite - how to make it localhost only?

First of all, thank you so much for this community and this software. I love the concept of portable apps.

Now, for my question. I'd like to run the xampplite package (needing only apache, mysql, and php) from my local system with local access only. That is localhost alone with no external network access at all.

I've performed two modifications so far:

Apache: I added the line "Listen 127.0.0.1" to my httpd.conf which seems to have worked, as visiting 127.0.0.1 in my browser gives me the normal routine and such, but visiting my ip address with my browser returns an error page of unable to connect. Was this sufficient? I want to disable all network access, as in a port scan would turn up nothing.

MySQL: Same idea as above. I modified the my.cnf file to contain the line bind-address=127.0.0.1 in the [mysqld] section. Again is this adequate?

Do I need to perform a similar modification for PHP? Are there any other services in the xampplite package that I need to modify?

I'd like these services to run locally only. No local network access, no wide network access. Any port scans on my system should return no hits of these services.

Thank you so much.

Trent

sbabinea
Offline
Last seen: 17 years 4 months ago
Joined: 2007-05-01 08:55
Uhm

If you browse to your IP address and get a web page back then anyone else can do the same thing. That means that it will show up on a port scan. That's not want you want though, right?

rich.bradshaw
Offline
Last seen: 11 years 4 months ago
Joined: 2006-10-05 08:41
That's not what he said...

That's not what he said...

RPBirt
Offline
Last seen: 14 years 9 months ago
Joined: 2005-12-13 18:14
Locking down a local session

We are working on the same problem. I would not stop with doing the changes to just http.conf and my.cnf but would include the php.ini and if you are using phpMYAdmin modify it and the XAMPP configs as well. While the ports would be available locally, I suspect that they would still show as open to a port scan.

Have you thought of alternative porting?

______________________________________________________
Ridgewood Foundation Open Source Project
Site: ZedFiles Blog: My 19" Universe

BuddhaChu
BuddhaChu's picture
Offline
Last seen: 3 months 2 weeks ago
Joined: 2006-11-18 10:26
?

PHP is a scripting language triggered thru a webserver and doesn't listen on a port. Apache is locked down to the localhost so your work is done there.

phpMyAdmin uses PHP to supply a pretty interface to the MySQL server and doesn't listen on a port either. It's a webpage. Since Apache and MySQL are both locked down to localhost after your tweaks, you're work is done there too.

Use the CurrPorts program to figure out if you have more processes running in the xamplite package that you need to lock down to localhost only (if you decide to run the FileZilla FTP server for example).

http://www.nirsoft.net/utils/cports.html

Also, for those above that said that processes that are "listening" on 127.0.0.1 will appear on scans...these processes will NOT appear on network scans. A processes needs to be listening on the local address of 0.0.0.0 or an IP address of the machine itself (ex: 192.168.1.100) for a process to appear on a scan from NMAP (for example). Look at the output of 'netstat -na' in a command prompt.

Cancer Survivors -- Remember the fight, celebrate the victory!
Help control the rugrat population -- have yourself spayed or neutered!

RPBirt
Offline
Last seen: 14 years 9 months ago
Joined: 2005-12-13 18:14
You are right !

I stand corrected. I am so used to using alternative porting now that it has become habit.

If SSL isn't needed; 'Include conf/extra/httpd-ssl.conf' (around line 510) should be commented out in the httpd.conf. It will open port 443 as 0.0.0.0 unless \extra\httpd-ssl.conf is modified (around line 37) with 'listen 127.0.0.1:443'.

______________________________________________________
Ridgewood Foundation Open Source Project
Site: ZedFiles Blog: My 19" Universe

BuddhaChu
BuddhaChu's picture
Offline
Last seen: 3 months 2 weeks ago
Joined: 2006-11-18 10:26
Good catch

I though modifying the main directive and not specifying a port changed both port 80 AND 443 at the same time. Guess not. Can you tell it's been a while since I've had to jack with my Apache server? Wink

Also, I guess "alternative porting" (never heard of that term until now) is running a process on a port other than it's normal port...like having an SSH server listen on port 22556 for example?

Cancer Survivors -- Remember the fight, celebrate the victory!
Help control the rugrat population -- have yourself spayed or neutered!

RPBirt
Offline
Last seen: 14 years 9 months ago
Joined: 2005-12-13 18:14
Alternative Ports

Thanks. That's the deal. A lot of the time someone may be running a XAMPP suite already on their computer with the standard 80/3306/443 ports. If you want to test other builds or if you have a removable drive and want to plug it in, there will be a conflict. By using ports say, 6060/6080/6090 (if you need SSL) you can run concurrent sessions.

Actually a 'best practice' would be to use alternative porting on all portable-XAMPP builds so that you don't inadvertently mess with someone else's system Wink

______________________________________________________
Ridgewood Foundation Open Source Project
Site: ZedFiles Blog: My 19" Universe

Log in or register to post comments