Secure Wamp Server: How to do it effectively








Wamp stands for "Windows, Apache, MySQL, and PHP".  It is a variation of LAMP for Windows systems and is often installed as a software bundle (Apache, MySQL, and PHP). It is often used for web development and internal testing, but may also be used to serve live websites.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform Wamp Server related tasks.

In this context, we shall look into how to secure a wamp server.


Different methods to secure a WAMP server

To secure a WAMP server, apply the tips given below. Keep in mind that the WAMP server must be restarted after each configuration change.


1. Hide server signature

In order to prevent bad guys from mining the server signature, hide it.

To do that, open the httpd-default.conf file and change the parameters as given below:

ServerSignature Off
ServerTokens Prod

Here, we are setting ServerTokens to Prod so that Apache will set the response headers as simply:

Server: Apache

2. Directories/files outside the document root must not be served

Ensure that the directories/files outside the document root (website) are not served. For that, open the httpd.conf file and verify the content of the directory tag is as below:

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>

or

<Directory />
AllowOverride none
Require all denied
</Directory>
<Directory C:/apache2/htdocs>
Order Allow,Deny
Allow from all
</Directory>

The above code assumes the document root for your WAMP server is C:/apache2/htdocs/. If your document root is different, change the path in the second Directory block to match.


3. To mitigate DoS attacks, reduce the timeout

To reduce exposure to Denial of Service (DoS) attacks, change the TimeOut directive within the httpd-default.conf file from the default of 300 to 60. Open the httpd-default.conf file and search for the line below:

TimeOut 300

and change it to:

TimeOut 60

Now, restart the Apache services.


4. Set MySQL password

By default, the MySQL instance bundled with WAMP Server comes with no password.

Here are the steps to set the password:

i. First, left-click the WAMP icon in the system tray.

ii. Now select MySQL, then open the MySQL console.

iii. After the console window opens and asks for a password, hit enter.

iv. Now from the command line, enter SET PASSWORD FOR root@localhost=PASSWORD('password'); (password is the new password to be set).

v. Finally, hit enter.

vi. If the password change succeeds, you will see Query OK. Close the MySQL console window and open it again.

vii. Now when you are prompted for a password, enter the new password and you should land at the MySQL prompt.


5. Change folder permissions in your website

The folders must have Read and Execute permissions; only some folders must have Write permissions.

In order to check what user runs Apache, open Windows Task Manager, and click the Details tab. In the User name column, you can see the user. Usually, it will be the SYSTEM user.


6. Set phpMyAdmin password

In order to set the password, edit the phpMyAdmin config file.

Open the file C:\wamp\apps\phpmyadmin3.2.0.1\config.inc.php.

Replace these four lines:

$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

with these lines given below:

$cfg['Servers'][$i]['auth_type'] = 'http';
$cfg['Servers'][$i]['user'] = '';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['LogoutURL'] = 'http://localhost/';

Here we've changed 'auth_type' from 'config' to 'http', which is more secure because the credentials are no longer stored in the config file. Also, we changed 'AllowNoPassword' from true to false. The result will be a login dialog box when you go to phpMyAdmin.

Finally, we added a line to set 'LogoutURL' so that you land on a new page, i.e. an exit page, after clicking on 'Exit'.


7. MySQL configuration in C:\wamp\bin\mysql\mysql5.1.36\my.ini

Add a bind-address to limit which network interface MySQL listens on. You can also change the port it listens on.


[mysqld]
# the port can be changed to any other port
port=3306
bind-address=127.0.0.1

Finally, this way we have secured the Wamp Server.
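
As an added example (not part of the original article), the Python script below checks the text of httpd-default.conf, my.ini and config.inc.php against the values set in steps 1, 3, 6 and 7. The function names and sample file contents are constructed for illustration, and treating a missing directive as a finding is an assumption of this example.

```python
import re

# Values recommended in the article above; a missing directive counts as a finding.
APACHE_WANT = {"serversignature": "off", "servertokens": "prod"}
MAX_TIMEOUT = 60

def apache_directives(text):
    """Parse 'Name value' lines; names are case-insensitive, last one wins."""
    found = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1].strip()
    return found

def last_match(pattern, text):
    """Last uncommented match of a line-anchored pattern, or None."""
    hits = re.findall(pattern, text, re.M)
    return hits[-1].strip().strip("'\"") if hits else None

def audit(httpd_default, my_ini, pma_config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    d = apache_directives(httpd_default)
    for name, want in APACHE_WANT.items():
        if d.get(name, "").lower() != want:
            findings.append(f"apache: {name} should be {want}")
    if not d.get("timeout", "").isdigit() or int(d["timeout"]) > MAX_TIMEOUT:
        findings.append(f"apache: timeout should be <= {MAX_TIMEOUT}")
    if last_match(r"^\s*bind[-_]address\s*=\s*([^\s#;]+)", my_ini) != "127.0.0.1":
        findings.append("mysql: bind-address should be 127.0.0.1")
    pma = lambda key: last_match(
        r"^\s*\$cfg\['Servers'\]\[\$i\]\['%s'\]\s*=\s*([^;]*);" % key, pma_config)
    if pma("auth_type") != "http":
        findings.append("phpmyadmin: auth_type should be http")
    if (pma("AllowNoPassword") or "true").lower() != "false":
        findings.append("phpmyadmin: AllowNoPassword should be false")
    return findings

# Constructed sample inputs (not taken from a real server).
WEAK = ("ServerSignature On\nServerTokens Full\nTimeOut 300\n",
        "[mysqld]\nport=3306\n#bind-address=127.0.0.1\n",
        "$cfg['Servers'][$i]['auth_type'] = 'config';\n$cfg['Servers'][$i]['AllowNoPassword'] = true;\n")
HARDENED = ("# hardened\nServerSignature Off\nServerTokens Prod\nTimeOut 60\n",
            "[mysqld]\nport=3306\nbind-address=127.0.0.1\n",
            "$cfg['Servers'][$i]['auth_type'] = 'http';\n$cfg['Servers'][$i]['AllowNoPassword'] = false;\n")

if __name__ == "__main__":
    print("weak:", audit(*WEAK), "\nhardened:", audit(*HARDENED) or "OK")
```

To run it against a real installation, read the three files from disk and pass their contents to audit().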





Conclusion

This article guides you through the different methods to secure a WAMP Server. Basically, WAMP provides support for MySQL and PHP. It can be used in production on the condition that you install a secure WAMP distro, and it can then run on the Internet and not just on an intranet.

