Project: Home Web Server
Security check list

There are a number of reasons for downloading and using Uniform Server. Apart from its simple installation and portability, it boasts very high security, and that was the prime reason I decided to use it. When you run the servers, take a close look at apanel: you will see these three very important lines:

  1. * Change the username:password for the Admin Panel by editing '/htpasswd/home/admin/www/.htpasswd'
  2. * Change the username:password for the server (if private) by editing '/htpasswd/www/.htpasswd'
  3. * Change the root password for mysql by editing '/home/admin/www/mysql_password'

A test server

I have corrected the typos, but even so they still look intimidating. What do they mean and, more importantly, what do you need to do? I am going to cover this in more detail, but before I do it is worth mentioning that a clean installation has the servers locked down so tightly (by the .htaccess templates described below) that only the local host can access them, which makes it an ideal test server. You can run them while working online and be confident that no one else can reach your servers, provided you leave those templates as shipped. If all you need is a safe test server, that is it; there is nothing else to do.

Live dangerously

OK, so you want to live dangerously and put your servers online. The first thing to consider is a decent firewall. The second is the security of your servers. Although the Uniform Server design team has produced an excellent solution to this problem, the one element they cannot control is the end user, and that is you. They have implemented a safe structure and provided templates to ease your task. However, it is very easy to drop these defences, which is the reason for writing this.

Location

Before going live you do need to change these template files; a basic understanding of what they do will help you decide which parts to disable or enable. The following image shows where these files are located in the directory structure.

 

Overview

C) For security, passwords must be located outside the root folder and must not be accessible to external users. The folder htpasswd meets this requirement: it contains the passwords (in files named .htpasswd) and sits outside the root folder.

A) and B) The www folders at A) and B) each contain a file named .htaccess. This file protects its folder. Each .htaccess file obtains its password from the matching file in the htpasswd folder.

3) The MySQL password is located in the Admin Panel's www folder (A). For convenience, it is contained in a file named mysql_password. (It could instead have resided in the phpMyAdmin and phpMyBackupPro initialisation files; more on this later.) Note that, unlike the .htpasswd files, this file lives inside a web-served folder, so it is only as well protected as that folder's .htaccess.

Note: Why the empty folders in htpasswd C)? The structure of this folder mirrors the location of the folders that use a password: /htpasswd/www/.htpasswd serves www (B) and /htpasswd/home/admin/www/.htpasswd serves home/admin/www (A).


Detail

The following two www folders (A and B) each contain a file named .htaccess. This file protects the folder it resides in and all of its sub-folders. These are your templates; as shipped they allow only local access and define which files are executable. Now is a good time to look at them; there are subtle differences that I will explain.

Note 1: A line that starts with # is a comment; the directive that follows on that line is not executed.

Note 2: If you have wondered why your passwords do not work, you have not enabled password authentication in the corresponding .htaccess file. You need to uncomment the last four lines by removing the #.

Uniform Server3_3\Uniform Server\diskw\home\admin\www\.htaccess
# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

# To disallow execution of cgi scripts in this directory comment next two lines.

AddHandler cgi-script .bat .exe .pl .cgi
Options +ExecCGI

# To unlock Admin Panel, comment the next 4 lines.
# Defaults: Username - admin; Password - userver

#AuthName "Uniform Server - Admin Panel 1.0 Alpha"
#AuthType Basic
#AuthUserFile /htpasswd/home/admin/www/.htpasswd
#Require valid-user


Uniform Server3_3\Uniform Server\diskw\www\.htaccess

# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

# To allow execution of cgi scripts in this directory uncomment next two lines.

AddHandler cgi-script .pl .cgi
Options +ExecCGI

# To unlock your server, comment the next 4 lines.
# Defaults: Username = admin; Password = userver

#AuthName "Uniform Server - Secure Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user


Apache directives

Apache directives (instructions) are to a certain extent self-explanatory; however, let's dissect them to give you a better understanding of what they do.

Order Deny,Allow
Order tells Apache in which sequence to evaluate the Deny and Allow directives: Deny is evaluated first, then Allow, so an Allow overrides a Deny. This is also Apache's default when Order is omitted, so commenting out only this line changes nothing. (These are the Apache 2.0/2.2 mod_access directives; Apache 2.4 replaced them with Require ip.)

Deny from all
Deny refuses access from all IP addresses. On its own, no one can access this folder.

Allow from 127.0.0.1
Allow re-admits the listed addresses, here 127.0.0.1. That address is universally defined as the local host, so only requests from the machine itself get through.

AddHandler cgi-script .bat .exe .pl .cgi
Scripts are normally run only from the folder cgi-bin. AddHandler tells Apache to treat files with the listed extensions (.bat .exe .pl .cgi) as CGI scripts in this folder and its sub-folders as well. Note that .bat and .exe appear only in the Admin Panel template; the web root template lists just .pl and .cgi.

Options +ExecCGI
The handler above only names the extensions; ExecCGI is what actually permits CGI execution in the folder. Both lines are needed, and once both are active any file with one of those extensions that ends up under the folder will be executed by the server.

AuthName "Some Text"
Password authentication is normally used when online, but it also works on the local host (useful for testing before going live). The browser pops up a request for user name and password and shows the AuthName text in that prompt, so replace Some Text with something meaningful.

AuthType Basic
Basic is the HTTP authentication scheme: the browser sends the user name and password with every request, base64-encoded rather than encrypted, so anyone who can see the traffic can read them. It says nothing about how the password file is stored; the Uniform Server template .htpasswd files hold the passwords in plain text, which Apache accepts on Windows (Apache's htpasswd utility can write hashed entries instead).

AuthUserFile /htpasswd/www/.htpasswd
For security, a password file must not reside in the folder it protects. Place it in any folder outside the root folder and tell Apache where the authentication user file is by specifying its path and name.

Require valid-user
The three lines above only prepare Apache for authentication; nothing is enforced until you also state that you Require a valid-user (any user listed in the password file).
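
As an added check (example code written for this page, not part of Uniform Server), the following Python script applies the rules just described to a .htaccess fragment and reports who can connect, whether a password is enforced and which file extensions will run as CGI. The three sample fragments are constructed from the templates shown above and from the "final" files further down; the script models only the directives those templates use.

```python
"""Added example for this page (not Uniform Server's own code): read an
Apache 2.0/2.2-style .htaccess such as the templates above and report what
it actually exposes.  Only the directives the templates use are modelled
(Order, Deny, Allow, AddHandler, Options, AuthUserFile, Require); Deny lists
other than 'Deny from all' are not.
"""

EVERYONE = "all"

def active_directives(text):
    """Yield (name, argument) for each line Apache acts on; '#' lines and
    blanks are skipped, which is why commenting out 'Deny from all' opens a folder."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")

def effective_hosts(order, allows, deny_all):
    """mod_access evaluation: ['all'] means everybody, [] means nobody.
    Deny,Allow (Apache's default when Order is absent): Deny first, an Allow
    overrides it, unmatched requests pass.  Allow,Deny: Allow first, any
    Deny overrides, unmatched requests are refused."""
    if order.lower() == "allow,deny":
        return [] if deny_all else sorted(allows)
    return sorted(allows) if deny_all else [EVERYONE]

def summarise(text):
    """Who can connect, whether a password is required, which extensions run as CGI."""
    order, allows, deny_all = "Deny,Allow", set(), False
    cgi_ext, exec_cgi, auth_file, require = [], False, None, None
    for name, arg in active_directives(text):
        key, words = name.lower(), arg.split()
        if key in ("allow", "deny") and words and words[0].lower() == "from":
            words = words[1:]                      # drop the 'from' keyword
        if key == "order":
            order = arg.replace(" ", "")
        elif key == "deny":
            deny_all = deny_all or "all" in [w.lower() for w in words]
        elif key == "allow":
            allows.update(words)
        elif key == "addhandler" and words and words[0] == "cgi-script":
            cgi_ext.extend(words[1:])
        elif key == "options":
            for opt in words:                      # '+ExecCGI', 'ExecCGI' or '-ExecCGI'
                if opt.lower() == "-execcgi":
                    exec_cgi = False
                elif opt.lstrip("+").lower() == "execcgi":
                    exec_cgi = True
        elif key == "authuserfile":
            auth_file = arg
        elif key == "require":
            require = arg
    return {"hosts": effective_hosts(order, allows, deny_all),
            "password": bool(require and auth_file),   # both needed before Apache enforces anything
            "cgi": cgi_ext if exec_cgi else []}       # AddHandler alone executes nothing

def findings(summary):
    """Plain-English warnings a reviewer would raise about a summary."""
    notes = []
    if summary["hosts"] == [EVERYONE] and not summary["password"]:
        notes.append("reachable from anywhere with no password")
    elif summary["hosts"] == [EVERYONE]:
        notes.append("reachable from anywhere; Basic auth sends the password "
                     "base64-encoded, not encrypted, with every request")
    elif not summary["hosts"]:
        notes.append("nobody can connect: Deny from all wins under Order Allow,Deny")
    risky = sorted(set(summary["cgi"]) & {".bat", ".exe"})
    if risky:
        notes.append("Apache will execute any %s file under this folder" % "/".join(risky))
    return notes

# Constructed from the Admin Panel template above: localhost only, CGI on
# for .bat/.exe/.pl/.cgi, password lines still commented out.
ADMIN_TEMPLATE = """\
# admin panel template as shipped
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
AddHandler cgi-script .bat .exe .pl .cgi
Options +ExecCGI
#AuthName "Uniform Server - Admin Panel 1.0 Alpha"
#AuthType Basic
#AuthUserFile /htpasswd/home/admin/www/.htpasswd
#Require valid-user
"""
# The page's 'final' admin file: localhost lines commented, auth lines live.
ADMIN_ONLINE = (ADMIN_TEMPLATE.replace("\nOrder", "\n#Order").replace("\nDeny", "\n#Deny")
                .replace("\nAllow", "\n#Allow").replace("\n#Auth", "\nAuth")
                .replace("\n#Require", "\nRequire"))
# Web root with everything commented except the CGI lines (Note 2 further down).
WEBROOT_CGI = "#Deny from all\n#Allow from 127.0.0.1\nAddHandler cgi-script .pl .cgi\nOptions +ExecCGI\n"

if __name__ == "__main__":
    for label, text in (("admin as shipped", ADMIN_TEMPLATE), ("admin online", ADMIN_ONLINE),
                        ("web root, CGI only", WEBROOT_CGI)):
        print(label, summarise(text), findings(summarise(text)))
```

Paste the contents of your own .htaccess in place of a sample and run it before you put the folder online: hosts ['all'] together with password False is a site open to everyone, and a cgi list containing .bat or .exe means the server will run any such file it finds under that folder.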



The descriptions above give you a feel for what is going on. Armed with this information, let's implement the three lines that started all this off:

1) Change the username:password for the Admin Panel

Change the two files as shown. Choose a suitable name and password (I am using mike and fred123 as examples).

Uniform Server3_3\Uniform Server\diskw\htpasswd\home\admin\www\.htpasswd ...1)

# root:root
#name:password

mike:fred123

Uncomment the last four lines and you are ready to test.

Uniform Server3_3\Uniform Server\diskw\home\admin\www\.htaccess ...A)
# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

# To disallow execution of cgi scripts in this directory comment next two lines.

AddHandler cgi-script .bat .exe .pl .cgi
Options +ExecCGI

# To unlock Admin Panel, comment the next 4 lines.
# Defaults: Username - admin; Password - userver

AuthName "Uniform Server - Admin Panel 1.0 Alpha"
AuthType Basic
AuthUserFile /htpasswd/home/admin/www/.htpasswd
Require valid-user

Start your servers and you will be prompted for a name and password to access apanel. You cannot reach apanel online yet because access is still restricted to the local host. To control your servers online you need to comment out the three local-access lines. This allows anyone to reach apanel if they know the correct user name and password, so that password is now the only thing between the Internet and a folder configured to execute .bat and .exe files: choose it accordingly. The final .htaccess file looks like this:

Uniform Server3_3\Uniform Server\diskw\home\admin\www\.htaccess ...A)
# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.

#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

# To disallow execution of cgi scripts in this directory comment next two lines.

AddHandler cgi-script .bat .exe .pl .cgi
Options +ExecCGI

# To unlock Admin Panel, comment the next 4 lines.
# Defaults: Username - admin; Password - userver

AuthName "Uniform Server - Admin Panel 1.0 Alpha"
AuthType Basic
AuthUserFile /htpasswd/home/admin/www/.htpasswd
Require valid-user


2) Change the username:password for the server

Although strictly true, this is misleading; I would prefer to say: change the username:password for your web space (your root folder).

If you need your web space to be private and accessible only to friends who know the name and password, the procedure is similar to the above. You can use the same name and password as for the Admin Panel, but it is more secure to use at least a different password; otherwise anyone you give the web-space password to also has the Admin Panel.

Uniform Server3_3\Uniform Server\diskw\htpasswd\www\.htpasswd ...2)

# root:root
#name:password

john:smith123
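
Both step 1 and step 2 leave the password sitting in the .htpasswd file as plain text. As an added example (written for this page, not code from Uniform Server), the following Python shows the hashed {SHA} form that Apache's htpasswd utility writes with htpasswd -s, how Apache validates a candidate password against either form, and a small audit that flags plain-text and still-default entries. It assumes a standard Apache build, which accepts {SHA} entries on every platform and plain text on Windows; the sample file is constructed from the entries shown above.

```python
"""Added example for this page (not Uniform Server's own code).

The .htpasswd files above store 'name:password' in plain text, which Apache
accepts on Windows only.  This shows the {SHA} form Apache's htpasswd utility
produces with 'htpasswd -s' (base64 of the raw SHA-1 digest, accepted on
every platform), how Apache checks a candidate password against either form,
and a quick audit of a file for entries you would not want on a live server.
"""
import base64
import hashlib
import hmac

# Shipped defaults named on this page; they must not survive into a live file.
DEFAULT_PAIRS = {("admin", "userver"), ("root", "root")}


def sha_entry(user, password):
    """Return 'user:{SHA}<base64(sha1(password))>' as htpasswd -s would write it."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode("ascii"))


def check_password(stored, candidate):
    """Mirror Apache's validation for the two forms used here.

    {SHA} entries are compared by digest; anything else is treated as plain
    text, which is what Apache does on Windows (on Unix it would call crypt()
    instead, so a plain-text entry would simply never match there).
    """
    cand = candidate.encode("utf-8")
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(expected, hashlib.sha1(cand).digest())
    return hmac.compare_digest(stored.encode("utf-8"), cand)


def parse_htpasswd(text):
    """Map user -> stored password field; '#' lines and blanks are skipped, as Apache skips them."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def authenticate(text, user, candidate):
    """True if 'user' exists in the file and 'candidate' matches its entry."""
    users = parse_htpasswd(text)
    return user in users and check_password(users[user], candidate)


def audit(text):
    """List problems a reviewer would flag before the file goes online."""
    problems = []
    for user, stored in parse_htpasswd(text).items():
        if not stored.startswith("{SHA}"):
            problems.append("%s: password stored in plain text" % user)
            if (user, stored) in DEFAULT_PAIRS:
                problems.append("%s: still the shipped default password" % user)
    return problems


# Constructed sample: the page's 'mike' entry left in plain text, 'john'
# converted to {SHA}, plus the shipped admin default left in by mistake.
SAMPLE = "\n".join([
    "# root:root",
    "#name:password",
    "mike:fred123",
    sha_entry("john", "smith123"),
    "admin:userver",
])

if __name__ == "__main__":
    print(sha_entry("john", "smith123"))
    print(authenticate(SAMPLE, "john", "smith123"), authenticate(SAMPLE, "john", "wrong"))
    for problem in audit(SAMPLE):
        print(problem)
```

Replace the plain entries in both .htpasswd files with the output of sha_entry (or of htpasswd -s) and the stored password is no longer readable by anyone who opens the file; the password still travels base64-encoded on every request under AuthType Basic, so this protects the file, not the wire.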


Uniform Server3_3\Uniform Server\diskw\www\.htaccess ... B)

# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.

#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

# To allow execution of cgi scripts in this directory uncomment next two lines.

AddHandler cgi-script .pl .cgi
Options +ExecCGI

# To unlock your server, comment the next 4 lines.
# Defaults: Username = admin; Password = userver

AuthName "Uniform Server - Secure Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user


Note 1: If you want your web site viewable by everyone on the Internet and you do not run any CGI scripts, just delete the .htaccess file.

Note 2: If you do want to run CGI scripts from your web space, comment out all lines except AddHandler cgi-script .pl .cgi and Options +ExecCGI. Everyone can then access your site and run your scripts; bear in mind that Apache will execute any .pl or .cgi file that ends up anywhere under that folder, not only the ones you put there.

3) Change the root password for MySQL

If you never run MySQL, then its online security is not an issue and you can ignore this section. However, if you do, or plan to, securing the root user takes only a few seconds, and unauthorised access as root means you can kiss goodbye to your database and quite possibly your server.

Changing the MySQL root password is a two-part process. You must first change the root user's password in the MySQL database and then update the corresponding password file; otherwise the apanel tools that read that file (phpMyAdmin, phpMyBackupPro) will no longer be able to connect.

How to change your database root password:

  1. From apanel click on Run MySQL (this starts the server).
  2. From apanel click on phpMyAdmin.
  3. In phpMyAdmin click on Privileges (third link from the bottom).
  4. To the right of user root click on Edit Privileges.
  5. Scroll down to the Change Password section.
  6. Click the radio button to the left of Password.
  7. In the password box enter your new password.
  8. Below this, re-type your new password.
  9. Click on Go. That completes the first step.

How to change the MySQL file root password:

Using Windows Explorer, navigate to the file named mysql_password (see the top image, location 3) MySQL).

Full path shown below:

??/Uniform Server/diskw/home/admin/www/mysql_password

OR from drive W:

W:/home/admin/www/mysql_password

Edit this file in a text editor: delete the old password and enter your new one.

Why place the password in a file?

It makes the password easier to locate and saves you trawling through the configuration file. If you prefer, delete the password file and replace the implode statement with your password. Note that file() keeps line endings, so the file must contain nothing but the password: a trailing newline or space becomes part of the password phpMyAdmin sends and the login fails.

     Uniform Server\diskw\home\admin\www\phpMyAdmin/config.inc.php

     $cfg['Servers'][$i]['password'] = implode ('', file ('../mysql_password'));

Final note: make sure your passwords are different from one another, random and long (nine characters or more). That is just advice; it is your server, so you can do what you like.

4) Disable mod_dav

If you do not know what mod_dav is, the chances are you do not need it. It provides WebDAV, which lets clients create, change and delete files on the server over HTTP, so I highly recommend that you disable it. Open the file httpd.conf located at:

UniServer3_3\Uniform Server\diskw\usr\local\apache2\conf\httpd.conf

Search for the line LoadModule dav_module modules/mod_dav.so and disable it by adding a comment symbol # so that the line looks like this:

#LoadModule dav_module modules/mod_dav.so

For the change to take effect, save the file and restart the server.

Where to next

All that remains is to put your servers online; see Putting Servers On-line.

• UniCenter Site Content Copyright © 2006-2007  Mike Gleaves  All Rights Reserved 30-3-2007 •

Copyright 2002-2007 The Uniform Server Development Team All rights reserved.