Setting Up XAMPP; and Info on Various Security Issues

XAMPP is "an easy to install Apache distribution containing MySQL, PHP and Perl" for Windows. (You can even install Python, though it took me hours to figure out how).

Apache is a type of web server software. PHP (which I used to write ABDesktop), Perl, and Python are three popular programming languages. MySQL is a popular type of database software, and that's what ABDesktop mainly uses to store data. I used JavaScript, an almost ubiquitous client-side programming language built into most modern web browsers, for a few convenient user-interface frills. (Perl and Python weren't used in Astroblahhh Desktop).

You can get XAMPP for a variety of different platforms, like Windows, MacOS, Linux, and Solaris (whatever that is) at this link:

http://www.apachefriends.org/en/xampp.html

Since I only have a Windows XP computer readily available to me, these instructions are for Windows, so, if you're using another platform, you'll have to adapt the instructions somehow.

These instructions were originally written for XAMPP 1.6.3a. I later upgraded to XAMPP 1.7.1, and updated the instructions a little (maybe incompletely).


I recommend installing or unzipping XAMPP's files directly to the location C:\xampp on Windows.

You can start Apache and MySQL by opening the file xampp-control.exe in the directory C:\xampp\ and clicking the Start buttons next to "Apache" and "MySql".


However, be warned that you probably should implement various extra security measures, because if someone has your IP address and there are no other safeguards, then, while Apache is running, people on the internet could literally browse some of the files on your hard drive. Hopefully only files in the C:\xampp\ folder (the primary place files can be accessed from is the C:\xampp\htdocs folder), but who knows? (Not me - I'm not some kind of internet security expert.)

One of the easier measures is to change some of Apache's configuration settings. Go to the C:\xampp\apache\conf folder. Make a duplicate of the httpd.conf file, so that if you mess anything up you can go back to the original settings. Then, open httpd.conf with a text editor.

Go to the section that says:

    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all

You'll want to delete those last two lines, and replace them with:

    Order deny,allow
    Deny from all
    Allow from 127.0.0.1

127.0.0.1 is the "localhost" address, so that means anyone with an IP address different from that (such as anyone on the internet) should not be able to get files. I assume this probably works, but I would never trust it 100%, because you never know how a computer might be messing things up behind the scenes, either through inadvertent glitches or by malicious design.


Something else to be wary of is that various other .conf files, and any files named .htaccess in various directories in the xampp directory, can change the above rules for at least parts of your server and maybe more than just parts of it (I'm not sure). So, there are also a number of other files you should change too. We'll get to that below.

Before we leave httpd.conf, however, we should make a couple other changes. Go to the line that says:

LoadModule dav_module modules/mod_dav.so

Put a pound sign at the beginning of the line, like so:

#LoadModule dav_module modules/mod_dav.so

This makes it so the WebDAV module is turned off. (I don't use it for anything, but, in case you wanted to know, WebDAV is a module for "Web-based Distributed Authoring and Versioning", which apparently allows "creating, moving, copying, and deleting resources and collections on a remote web server". I have no idea how to use it.)

Then, go to the line that says Listen 80. Change it to Listen 127.0.0.1:80. I'm not sure exactly what that does, but I think it might make it so that not just any IP address can be used to attempt to get things from your web server.


Next, go to the C:\xampp\apache\conf\extra folder. Make backup copies of the files httpd-dav.conf and httpd-xampp.conf. Then, open httpd-dav.conf with a text editor.

Go to the section that says:

    Dav On
    Order allow,deny
    Allow from all

Change it to:

    Dav Off
    Order deny,allow
    Deny from all


Then, open httpd-xampp.conf with a text editor. In this file, there are (or used to be in an old version of XAMPP) numerous blocks of text that say:

        AllowOverride AuthConfig
        Order allow,deny
        Allow from all

If you're using an old version of XAMPP, you'll find a couple of those blocks of text under <Directory "/xampp/security/htdocs"> and <Directory "/xampp/phpMyAdmin">. In a newer version, you might find this instead:

        Order deny,allow
        Deny from all
        Allow from 127.0.0.1

Whichever you find, change them to:

        AllowOverride AuthConfig
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1

Actually, you might not even need the "AllowOverride AuthConfig" line. I don't really know what that's for.

You also might find a couple more of those blocks of text under <Directory "/xampp/webalizer"> and <Directory "/xampp/contrib">. Change them to:

        AllowOverride AuthConfig
        Order deny,allow
        Deny from all

(Possibly, taking out "AllowOverride AuthConfig" would be fine).
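To see what the Order/Deny/Allow edits above (in httpd.conf, httpd-dav.conf and httpd-xampp.conf) actually let through, here is an added example that is not from the original page or from XAMPP: it models the Apache 2.2-era Order/Allow/Deny evaluation these XAMPP versions use and tries each block against a local and a remote client address. The three config blocks are constructed from the text above, and 203.0.113.5 is a made-up documentation-range address standing in for "someone on the internet".

```python
import re

# Constructed access-control blocks: Apache's original default, the localhost-only
# block the page recommends, and the "Deny from all" block for httpd-dav.conf.
ORIGINAL = "Order allow,deny\nAllow from all\n"
LOCALHOST_ONLY = "Order deny,allow\nDeny from all\nAllow from 127.0.0.1\n"
EVERYONE_DENIED = "Dav Off\nOrder deny,allow\nDeny from all\n"

def _matches(ip, spec):
    """Does an Allow/Deny 'from' spec cover this client IPv4 address?
    Handles 'all', an exact address and a partial (dotted prefix) address."""
    spec = spec.lower()
    if spec == "all" or ip == spec:
        return True
    return ip.startswith(spec if spec.endswith(".") else spec + ".")

def parse_rules(block):
    """Return (order, allow_specs, deny_specs) for one config block."""
    order, allow, deny = "deny,allow", [], []      # Apache 2.2 default Order
    for line in block.splitlines():
        line = line.strip()
        m = re.match(r"(?i)(order|allow|deny)\s+(?:from\s+)?(\S.*)$", line)
        if not m:
            continue       # comments, Dav, AllowOverride etc. do not affect access
        key, values = m.group(1).lower(), m.group(2).split()
        if key == "order":
            order = values[0].lower()
        elif key == "allow":
            allow.extend(values)
        else:
            deny.extend(values)
    return order, allow, deny

def is_allowed(block, client_ip):
    """Apache 2.2 mod_authz_host decision for a client address."""
    order, allow, deny = parse_rules(block)
    allowed = any(_matches(client_ip, s) for s in allow)
    denied = any(_matches(client_ip, s) for s in deny)
    if order == "allow,deny":
        return allowed and not denied   # default deny; must match Allow, not Deny
    return allowed or not denied        # deny,allow: default allow; Allow overrides Deny

if __name__ == "__main__":
    for name, block in [("ORIGINAL", ORIGINAL), ("LOCALHOST_ONLY", LOCALHOST_ONLY),
                        ("EVERYONE_DENIED", EVERYONE_DENIED)]:
        for ip in ("127.0.0.1", "203.0.113.5"):   # 203.0.113.0/24 is documentation space
            print(f"{name:16} {ip:12} -> {'allowed' if is_allowed(block, ip) else 'denied'}")
```

Note that the httpd-dav.conf block denies everyone, localhost included, which is what you want for a module you have turned off.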


Now, go to C:\xampp\mysql\bin. Make a backup copy of the file titled "My" (or "my.ini"). Then, open the "My" or "my.ini" file with a text editor. Find the text server-id = 1, and above it, add this line:

bind-address = 127.0.0.1

It might be a good idea to increase the amount of memory MySQL can use. I'm not really sure what settings are best to change, though. I guess maybe the ones in the first half of the file.


Next, go to C:\xampp\php. Make a backup copy of the file "php.ini". Then, open "php.ini" with a text editor. Find this line:

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

Change the last line to:

magic_quotes_gpc = Off

Sorry if anyone out there actually uses the incredibly annoying magic quotes feature for anything, but, my programs are all incompatible with magic quotes, and I'm not sure how I'd make them compatible.


While we're here in C:\xampp\php\php.ini, you might also want to increase the amount of memory and time PHP can use while executing scripts, especially if you're going to use the Astroblahhh File Organizer, which can require a lot of memory and time to do stuff when it reads in the contents of large directories and creates thumbnails for images (especially BMPs). The older and slower your computer is, the more time it might need for a really large directory and lots of images.

Go to the line that says:

; Resource Limits ;

Below that, change the max_execution_time and max_input_time to larger numbers of seconds, and change memory_limit to a higher number of megabytes.

If that doesn't work, there are some settings in lib-abdesk.php in ABDesktop which you can change - the variables $setphpdefaults, $phpmem, and $phpmaxexec.

I recommend only importing folders which have around 2000 files, even though larger folders are possible. Also, not creating thumbnails during the import is a good way to save memory and time. (They can be created later).


Next, go to C:/xampp/phpMyAdmin/. Make a backup of the file "config.inc.php". Then, open "config.inc.php" with a text editor. Go to the line that says something like:

$cfg['blowfish_secret'] = ''; /* YOU SHOULD CHANGE THIS FOR A MORE SECURE COOKIE AUTH! */

Put any random text you want between the single quotes after the equal sign. I'm not sure if you can change 'blowfish_secret', since phpMyAdmin gave me an error.

To (hopefully) increase the amount of time you'll remain logged in to phpMyAdmin, go to the lines that begin with:

$cfg['LoginCookieValidity']
$cfg['LoginCookieStore']

Change them to something like:

$cfg['LoginCookieValidity'] = 5184000; // validity of cookie login (in seconds)
$cfg['LoginCookieStore'] = 5184000; // how long login cookie should be stored (in seconds)

If the above lines don't exist already, just copy and paste them in somewhere. They should hopefully make PhpMyAdmin stay logged in much longer.


Next, you should probably have a firewall. You might have to fiddle around with your firewall software to be able to use Apache at the same time you have your firewall software on.

I have Norton Internet Security 2003 and Windows XP, so these next instructions (or suggestions) won't apply to everyone. If you have Norton Internet Security, then, the first time you start Apache and MySQL, a Norton Internet Security alert should come up asking you whether to permit or block them, or if you want to manually configure access.

I picked manually configure, then blocked connections to and from any other computer, both TCP and UDP connections on all ports, and, since I'm a bit paranoid, I have it create an event log entry and show me both a Security Monitor and Security Alert message when that firewall rule is triggered. These alerts display every time I start up Apache and MySQL. And, it used to be that if I didn't do this next step, those alerts came up intolerably often, every time I did anything with Apache, like browse a web page on my computer's server.

If you have that problem, to fix it, open up Norton Internet Security, then click Personal Firewall, and click the Configure button. Then, go to the Home Networking tab. Click Add, select "Individually", then put in the localhost IP address - 127.0.0.1.

Hopefully this won't be a horrible, security-endangering move. If you're really worried, you can delete 127.0.0.1 from your Trusted Zone when you're done using XAMPP - or, you can physically disconnect your computer from the internet when you use XAMPP.

Oddly, for some reason I no longer have to have 127.0.0.1 in the trusted zone at all to avoid all those alerts. I don't know what I changed exactly that made that happen, but, yay. :-)


If you really can't figure out how to configure your firewall, or just don't trust it, a presumably safe alternative is to physically disconnect your computer from the internet and turn off your firewall software while you're running XAMPP. Remember to turn your firewall software back on before you reconnect your computer to the internet.

If you're using Norton Internet Security 2003 and somehow messed up the firewall rules when you first configured them, you can edit the rules you added by opening Norton Internet Security, clicking Personal Firewall, clicking the Configure button, and going to the Program Control tab. Apache will be listed in the programs list as either "apache.exe" if you're using an old version of XAMPP, or "httpd.exe" in later versions of XAMPP. MySQL will be listed as "mysqld.exe". Highlight whichever one you want to edit and press Modify, and adjust it as you wish.


One odd side effect of having Apache on while I was browsing the rest of the internet was that sometimes little web browser alert things used to pop up asking me about certificates and stuff related to "localhost". Also, if I deleted 127.0.0.1 from my Norton Internet Security Trusted Zone and still had Apache running, visiting some internet sites triggered multiple Norton Internet Security alerts.

I believe this might have been related to the fact that I use a Hosts file to block Google AdSense, Google Analytics and other nuisances (such as websites that distract me) - since what a Hosts file does is redirect attempts to connect to nuisance sites to some other IP address, and frequently the IP address of choice is 127.0.0.1 - the localhost address. (Here's a blog post I wrote on how to edit your Hosts file: Avoiding Distractions on the Web - How to Block Websites Using Your Hosts File)

So, I think that when you have Apache running - because Apache reacts whenever anything on your computer goes to http://localhost/ or http://127.0.0.1/ - Apache takes notice when the Hosts file redirects things to 127.0.0.1. That possibly triggers various Norton Internet Security alerts (if 127.0.0.1 isn't in your Trusted Zone) which don't normally show up when Apache is turned off, and somehow also causes those web browser alerts about certificates and localhost, etc.


(By the way, though this has nothing to do with installing the Astroblahhh Desktop, I just thought I should point out somewhere that, despite the fact that I keep putting in these links to Wikipedia articles, you should never completely trust Wikipedia, since Wikipedia can be edited by literally anyone at any time.

And, while we're on the topic of security, I'd like to also point out the excellent free (but not open source) software Spybot: Search & Destroy. Among many other things, it creates (or edits) a Hosts file for you, though you can also edit it manually.

On my Windows XP computer, the Hosts file is located at C:\WINDOWS\system32\drivers\etc . If you want to edit your Hosts file, I recommend making a backup copy of it before you edit it).


And, another security-related idea - a router might be helpful. A router is a physical device which you might use to share your internet connection (like probably a high-speed cable connection) amongst multiple computers in your house. As I understand it, in my currently feeble, poor, and inadequate way, any connections that try to come in from the internet have to go through the router, and somehow this can help with your security.

However, if you have a router, you should change its default login details and put a password on it, because otherwise anyone who visits your IP address and puts in your router's default login details will be able to get into your router and reconfigure its settings.

Consult your router's manual for more details. (And in case you can't find your router's manual, you often can find the manuals of routers on the web on the manufacturer's website).


Once you start running XAMPP, you might as well go to http://localhost/xampp and click the Security link, and follow the instructions to plug the various security holes that are left open by default.


Then, log in to the software phpMyAdmin, which is a handy MySQL database manager program included with XAMPP. At first, your user name will probably be "root" and your password might be the same as your XAMPP password, which, if I recall correctly, you set when you go here: http://localhost/security/index.php . For better security, though, you'd probably be better off changing the "root" account to something with a name that isn't as easily guessed as "root", and which also has a different password.

You can do that on the Privileges page. And, while you're there, you should also change all of the user accounts to be accessible only by "localhost". With each user, click the icon at the end of the line which has the text "Edit Privileges" when you hover your cursor over it for a few seconds. Scroll down to the section which says "Change Login Information / Copy User", then, next to "Host", select "Local" from the dropdown menu. Then, click "Go". After that, if you see any duplicate users on the main Privileges page, delete the ones which don't use the host "localhost".


By the way, I would like to caution people against just running any random PHP, Perl, or Python script they find without understanding it. Even I didn't realize this at first, when I first installed XAMPP, but:

To my surprise, these scripts, run by Apache/XAMPP, are capable of accessing, reading, writing, overwriting, and deleting information not only in the htdocs folder, but anywhere on your hard drive.

That is actually what makes a lot of the features of my programs possible. But, it also means scripts are potentially very dangerous. So, don't go naively running every random script or scrap of source code you find on the internet, OK?


Another thing more people should be aware of is the fact that JavaScript, as well as Java and ActiveX controls, can sometimes be exploited to do various bad things. Here's a forum thread with more information on that topic.

To avoid such problems, I like to either a) use the Opera web browser with my toolbar customized to have three checkboxes in it: "Enable plug-ins", "Enable Java" and "Enable JavaScript", which I normally leave unchecked, or b) use Firefox either with the NoScript plug-in, or with JavaScript, Java, ActiveX, Flash, etc. turned off completely.


Last modified: Dec. 5, 2009
This page uploaded to web: Sept. 9, 2009