0

I'm developing on my laptop, which is constantly connected to the Internet while I'm working. I installed Apache2 with Ubuntu default settings, MySQL and PHP. How safe is it for me to develop when I'm connected to the Internet? Couldn't somebody get access to my system somehow?

Frank Vilea

1 Answer

2

The short answer is: Probably yes, someone could access your server.

Apache and MySQL can both be configured to listen only on localhost, which would make it impossible for someone out on the internet to connect to either; if you have not already configured them to do this (Apache is configured by default to listen on all available IPs, including your public IP; MySQL depends on the particular distribution, but usually defaults to just localhost), I very strongly suggest you do so (it's the Listen directive in Apache, and the bind (IIRC) directive for MySQL).

Additionally, you should run a firewall that (at the least) only accepts incoming connections you want to accept -- which, by default, should usually be none whatsoever. Just let localhost access your local Apache and MySQL ports, and no one else, and then even if your configuration changes on those servers the firewall will still be protecting you.

With these two steps done, you can safely run these servers while developing locally. For an extra layer, put a physical firewall/NAT between your machine and the big bad internet, and that would be one more thing that would have to allow incoming connections before your development environment can be compromised.

Kromey
  • +1 regardless of development, he should really be behind a firewall whenever he's connected to the Internet. – gravyface May 24 '11 at 01:34
  • Thanks for your advice and also that of gravyface. I'm not even behind a firewall because I thought Linux/Ubuntu is the safest system there is so I don't have to worry about anything. It's only now while I start to learn about server security that I realize this is simply not true. – Frank Vilea May 25 '11 at 13:16
  • @Frank Linux is quite secure, but it can only be as secure as it is allowed to be. If you open up exploitable applications to the world, with no security on them, *any* OS can be broken. There simply is not a "100% safe" OS out there, likely there never will be, but we can certainly make life difficult on the bad guys with simple things like firewalls and good common sense. – Kromey May 25 '11 at 16:30
  • I forgot to ask: Which firewall should I go for? Do you write iptables yourself? Thanks again. – Frank Vilea May 25 '11 at 22:41
  • @Frank I use Shorewall myself (`sudo apt-get install shorewall shorewall-doc`), which is a configuration layer that sits on top of iptables, and does an excellent job of taking care of the low-level stuff you would forget (or might not even think of in the first place). That's just my personal recommendation, though, others will have their own preferences. – Kromey May 25 '11 at 22:49
  • Thanks Kromey, I will give it a try. As a complete beginner I was a bit intimidated by all the functionality that iptables offers you. What do you think of ufw? – Frank Vilea May 25 '11 at 22:59
  • @Frank Never used ufw myself, but I hear good things about it. I think it also relies on iptables under the hood, but could very well be more friendly to newcomers (not sure, though). – Kromey May 25 '11 at 23:30
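
To check whether the localhost-only binding recommended in the answer is actually in effect, the following added example (not part of the original thread) filters `ss -H -ltn` output and reports every TCP listener that is not bound to a loopback address. The function names and the sample socket table are constructed for illustration; `ss` is assumed to come from iproute2.

```shell
#!/bin/sh
# Added example: list TCP listeners reachable from outside the machine.
# Live use:  ss -H -ltn | exposed_listeners

# Reads `ss -H -ltn` lines on stdin; prints "address port" for each
# listener whose local address is not loopback (127.0.0.0/8 or ::1).
exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        la = $4                                  # local address:port column
        if (match(la, /:[0-9]+$/) == 0) next     # no numeric port, skip
        port = substr(la, RSTART + 1)
        addr = substr(la, 1, RSTART - 1)
        sub(/^\[/, "", addr)                     # strip IPv6 brackets
        sub(/\]$/, "", addr)
        sub(/%.*$/, "", addr)                    # strip interface suffix (%lo)
        if (addr ~ /^127\./ || addr == "::1") next
        print addr, port
    }'
}

# Constructed sample: MySQL on loopback, a web server on all addresses.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      151        127.0.0.1:3306      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      511                *:80              *:*
LISTEN 0      128            [::1]:631          [::]:*
LISTEN 0      511             [::]:443          [::]:*
EOF
}

# Demo run on the constructed sample; only the wildcard binds are reported.
sample_ss_output | exposed_listeners
```

An empty result means nothing is listening on a non-loopback address; any line printed is a service that only the firewall stands in front of.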