Securing Your XAMPP

XAMPP, Part 3

In dealing with security, there are some essential concepts that we all need to wrestle with.  On the one side, we want to share our stuff, or at least certain parts of it.  On the other side, we need to keep safe and private the things we don’t want others to know about, steal or damage and destroy.

Perhaps you want to just open your WAMP up to the rest of the machines in your local network.  But if we’re going to open it up to a larger audience, we had best know how to set up the fences and close the open doors.  This article will describe the basic ways we have of securing XAMPP for Windows.

A few words of caution before you do that: Be prudent, and don’t disrupt other people’s operations. If it’s your own network (not your employer’s), you’re free to do whatever you want. However, opening the gate to the Internet requires some serious study of the consequences. There are LOTS of malicious people who would love to put key loggers or Trojans on all the systems connected to your LAN.  DON’T make it easy for them.

In order to make this a bit more useful, I started all the XAMPP programs, including Mercury Mail and FileZilla Server, and then opened http://localhost/xampp to get the XAMPP Status Screen.

If you’ll recall, on the left of the screen there is a “security” link.  Click that and you should get a screen like this one.

As you can see, according to this chart, we’ve got a few holes to plug.  We’ll tackle the first three now.

The first one says that all the XAMPP pages are available to anyone on the network.  To check this out, you can go to another machine and see if you can access the machine running XAMPP.  Remember, that machine has its own localhost, so you need to access XAMPP by name or numeric IP address.  Mine is “vbox”, so I used http://vbox.  Here’s what I got:

If you created the Table of Contents page that I described in the last article, you  should see essentially the same thing.  So it’s true that machines on our LAN can access the server.  If you have a home router, it will prevent intrusion from the Internet.

Before we go further, I urge you to create a chart (paper or electronic) to record the various subsystems, accounts and passwords you’ll be setting up.  I made up a spreadsheet to keep track of all the settings we will be making for our WAMPS.  I just filled in the password I’m going to use for MySQL’s root user.

You can download it here.

Now, back on the XAMPP machine we have to do a bit of fixing.  A bit further down the security page is a link:
http://localhost/security/xamppsecurity.php
This is the quick way to set up some of the required passwords.  Here’s that page:

The MySQL password is quite important.  It’s the master key to the database server and also to phpMyAdmin, the web-based database admin program you’ll be using a lot.

The account name is root, and it is not readily changeable.  We just want to set up a good password for it.  If you’ll never open this to the outside world, a simple password of 4 or 5 characters will do, but for more security, use a high-security password (numbers, mixed case) of 10-12 characters.

A note about the pma password.  On XAMPP, phpMyAdmin is installed with a database called pma, and has a separate user with that name, too.  By default, the user doesn’t have a password, since it should be private to your system and not just a copy from the distribution.  It’s up to you to create a new password (but you’ll never need to use it; all the access is through root).  That’s why the default on this page is to create a random password for user pma.

Since we’re in a test environment, and I want to show more of the features of the package, I have also checked the box to create the text file with the password:
(File: C:\xampp\security\mysqlrootpasswd.txt)

When we click the “password changing” button, we should get the following message near the top of the page.

The root password was successfully changed. Please restart MYSQL to enable these changes!

Before we do that, let’s take a look at the lower part of the page, which sets up directory protection using .htaccess files.  This is the method implemented by Apache to allow content creators to set security on specific directories.

Here we have the capability to set both the user name and password for the XAMPP directory access.  When you click the button (“Secure the XAMPP Directory”), you should see the following message:
SUCCESS: The XAMPP directory is protected now! All personal data was saved in the following file:
C:\xampp\security\xampp.users
C:\xampp\htdocs\xampp\.htaccess
C:\xampp\security\xamppdirpasswd.txt
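To make the mechanism behind those three files concrete, here is an added example (not XAMPP’s own code, and not what xamppsecurity.php writes verbatim) that builds the same kind of protection by hand: an AuthUserFile line in Apache’s {SHA} htpasswd format, the .htaccess directives that point at it, and the password check mod_authn_file performs.  The realm name “xampp user” and the {SHA} hashing are assumptions; the two paths are the ones shown on the security page.

```python
import base64
import hashlib
import hmac
from pathlib import Path

# Paths as reported by the XAMPP security page (Windows layout).
USERS_FILE = r"C:\xampp\security\xampp.users"
PROTECTED_DIR = r"C:\xampp\htdocs\xampp"


def htpasswd_sha_entry(user: str, password: str) -> str:
    """One AuthUserFile line in the {SHA} format (what `htpasswd -s` writes).
    Apache's mod_authn_file accepts this format on every platform, Windows included."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def htaccess_text(users_file: str = USERS_FILE) -> str:
    """The .htaccess directives that put HTTP Basic auth in front of a directory.
    Apache on Windows accepts forward slashes, which avoids escaping problems."""
    posix_path = users_file.replace("\\", "/")
    return "\n".join([
        "AuthType Basic",
        'AuthName "xampp user"',          # realm shown in the browser prompt (assumed)
        f'AuthUserFile "{posix_path}"',
        "Require valid-user",            # any user listed in the file may enter
        "",
    ])


def check_credentials(users_text: str, user: str, password: str) -> bool:
    """What Apache does on each request: look the user up, hash the supplied
    password the same way and compare.  Only {SHA} entries are handled here."""
    for line in users_text.splitlines():
        if ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user or not stored.startswith("{SHA}"):
            continue
        expected = htpasswd_sha_entry(user, password).split(":", 1)[1]
        return hmac.compare_digest(stored, expected)  # constant-time compare
    return False


def write_protection(protected_dir: str, users_file: str, user: str, password: str) -> None:
    """Write the users file and the .htaccess, i.e. what the button does for you."""
    Path(users_file).write_text(htpasswd_sha_entry(user, password) + "\n", encoding="ascii")
    Path(protected_dir, ".htaccess").write_text(htaccess_text(users_file), encoding="ascii")
```

Keep in mind that Basic auth sends the password base64-encoded, not encrypted, so this protection is only as private as the network between browser and server.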

Now restart MySQL: click the Stop button for MySQL in the XAMPP Control Panel, wait for it to change to Start, click it again, and then test the changes by redisplaying the security screen.  If you did the steps right, you should first see the Authentication screen:

Put in your XAMPP directory user name and password, and the security screen should show the top three entries in green as “SECURE”.

We haven’t changed the passwords for Mercury Mail or FileZilla.  I’ll cover that in later articles about those subsystems.

A final password note:  BE SURE to save the spreadsheet file in a safe location, or if you decided to rely on paper and pencil, find a good safe place to store it.  The reason I use the spreadsheet is that I can copy and paste the relevant account name and password when they’re requested.

Let’s recap where we are and what’s left to investigate.

We have the Apache server and MySQL installed with PHP and Perl included.  phpMyAdmin is functional, and I’ll have a separate article about using some of its features.  You have a way (the spreadsheet) to save the essential account information for your WAMPs; you’ll be referring to this when you set up applications under the WAMPs.

That’s all for XAMPP on Windows just now. We’ll come back to it later and look at some of the other features, as well as set up some Web applications.