CypherGhost
     
 

WAMP Security Tips

I know a bunch of people who are using WAMP, an Apache, MySQL, PHP pre-compiled package for Windows. It’s a very good product as it is kind of challenging to install all of these services together on Windows, but it does leave several things in the default configuration and is therefore not very secure. Here are a few notes on the basic things you need to change in order to make it safer. Note that this is not all-encompassing and will not make an airtight system – this is Windows after all. However, it will at least follow 1985 standards of security. First, find the folder for phpmyadmin. This is a nice web based database tool. In the directory for it, find the config.inc.php file. Open that up with a Unix enabled text editor. If you see little squares on the screen and all the lines run together, your text editor isn’t compatible. Notepad has issues sometimes. If you totally can’t figure it out, download Arachnophilia. Use the edit-find function to locate
$cfg['blowfish_secret'] = '';
In the quote marks, add some random jibberish. Longer is better. 32 characters or so works nicely. Then find:
$cfg['Servers'][$i]['auth_type'] 
and change the value from “config” to “cookie”. Under that, the value for
$cfg['Servers'][$i]['user']
should be empty. Save this file.

What you have done is to set it up to require a username and password when you login. The next problem, however, is that the root password for MySQL is empty. Since that is the default, that is the first thing an attacker would guess. So, let’s change it.

Go to http://localhost/ . Click on the link for phpmyadmin. At the login prompt, enter “root” for the username. Leave the password box empty and login. Now find the user management area and change the password for the root user. When you commit the change, you will get kicked out and land back at the login prompt. Test the new username and password.

Finally, keep in mind that if you don’t want people to see this server, it needs to be behind a firewall. Either way, we recommend blocking general access to port 3306 for MySQL – unless you planned to give lots of people direct access to that service.

There are still dozens of ways to break into your box, but these simple changes will at least keep the beginners out. Good luck.

Comments are closed.

                  

 
     
Copyright © 2012 CypherGhost.com -1354585444