NuSphere Corporation
Last updated: Thu, 25 Feb 2010

Security Q&A

1. Is my freshly installed NuSphere web site secure?

The quick answer would be "no". The intent of the NuSphere web site is to enable easy access for development. There are two sections of your new web site: the public web site and the administration web site. You might consider leaving your public web site open to everyone; however, you should secure your administration web site before making any of your sites public.

2. What do I need to do to secure my administration web site?

As there are many choices and decisions to be made, you might consider reviewing the following:
  • Review the port that the Administration site is running on. The default port for your site is port 9000, so you may consider using a non-standard port. You can change the port number in the Listen directive in your httpd.conf file.
  • Use the NuSphere Apache Access Manager to set up Authentication for your Administration web site.
  • Set up additional security within your Apache httpd.conf file to deny access to the Administration web site. Please review the Apache documentation to find out more about how to use "Allow from all" and/or the Order, Allow, and Deny directives. (http://httpd.apache.org/docs/mod/directives)
  • See http://httpd.apache.org/docs/misc/security_tips.html for more security information.
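A small checker for the items in the list above, added here as an illustration and not part of NuSphere's documentation or tooling: it flags a Listen directive still on port 9000 and any Directory or Location block that admits every host or enforces no login. Both sample configurations are constructed; INSTALL_DIR, port 9473 and the htpasswd path are placeholders, and the AuthType/AuthUserFile/Require lines are an assumption standing in for whatever the Access Manager writes.

```python
import re

# Constructed samples: INSTALL_DIR, port 9473 and the htpasswd path are placeholders.
WEAK = """\
Listen 9000
<Directory "/INSTALL_DIR/Apache/nsdocs">
    Order allow,deny
    Allow from all
</Directory>
"""

HARDENED = """\
Listen 9473
<Directory "/INSTALL_DIR/Apache/nsdocs">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    AuthType Basic
    AuthName "Administration"
    AuthUserFile "/INSTALL_DIR/Apache/conf/admin.htpasswd"
    Require valid-user
</Directory>
"""

OPEN = re.compile(r"<(Directory|Location)\s+(.+?)>$", re.I)
DEFAULT_PORT = re.compile(r"Listen\s+(\S+:)?9000$", re.I)
# "Require all granted" is the Apache 2.4 spelling of "Allow from all".
ANY_HOST = re.compile(r"(Allow\s+from\s+all|Require\s+all\s+granted)$", re.I)

def audit(conf):
    """Return (line_number, message) findings for one httpd.conf text."""
    findings, scope, opened_at, has_login = [], None, 0, False
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if OPEN.match(line):
            scope, opened_at, has_login = OPEN.match(line).group(2).strip('"'), n, False
        elif re.match(r"</(Directory|Location)>$", line, re.I):
            if scope and not has_login:
                findings.append((opened_at, f"{scope}: no login requirement in this block"))
            scope = None
        elif DEFAULT_PORT.match(line):
            findings.append((n, "Listen uses the default administration port 9000"))
        elif scope and ANY_HOST.match(line):
            findings.append((n, f"{scope}: every host is allowed"))
        elif scope and re.match(r"Require\s+\S", line, re.I):
            has_login = True
    return findings
```

Calling `audit(WEAK)` reports the default port, the open `Allow from all` and the missing login requirement; `audit(HARDENED)` returns an empty list.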

3. Is the MySQL database secure by default?

Immediately following your installation of the MySQL database, you should be aware of two potential security issues. By default you will have access to the MySQL database via the ROOT user or via the anonymous user. Following the installation, the root user will have no password, which creates a possible security risk. This will only be an issue for local users or users who have access to the server where your MySQL database is located. Remote users cannot connect to the database with the default installation.

4. How do I secure my database?

As an administrator, you should assign all users (especially the ROOT user) a password immediately following your installation. In order to secure your installation properly, you should remove the anonymous user and assign passwords to any database user accounts that you intend to maintain.
In order to assign a password to the ROOT user you can do the following:
  • For the MySQL database V3.23 and higher:
    • $> mysqladmin -u root password "your password"
  • For any version, you can do it with the MySQL database command program:
    • $> mysql -u root mysql
    • mysql> GRANT ALL ON *.* TO "root" IDENTIFIED BY "your password" WITH GRANT OPTION;
    To limit access to localhost only, use a statement like the one below, with the user name and the host name quoted separately:
    • mysql> GRANT ALL ON *.* TO "root"@"localhost" IDENTIFIED BY "your password" WITH GRANT OPTION;
    After you have set the password you will need to FLUSH the privileges to the server to reload the grant tables.
For more information on creating users and administering passwords for the MySQL database, please refer to your MySQL database documentation.

5. After changing the MySQL database ROOT password, will that have an impact on any of the other applications within the NuSphere Distribution?

By changing the ROOT password for the MySQL database, you will impact a number of applications within the NuSphere Distribution. Specifically, you will have to review the configuration information for phpMyAdmin, NuSphere Sample Applications (MRB and the Shopping Cart), Professional Applications (IRM), and you will need to update the configuration for the Public Web Portal (phpWebSite). Your changes may also impact the NuSphere Apache Access Manager; this depends on whether or not the Access Manager was configured before you updated your MySQL database passwords.

6. After changing the MySQL database ROOT password, how do I ensure that I will be able to use phpMyAdmin, the NuSphere Sample Applications (MRB and the Shopping Cart), Professional Applications (IRM) and phpWebSite?

You will need to update the following applications with the new ROOT password or enter a valid username and password. The file names and locations that you will need to update are listed next to the application name below:
  • phpMyAdmin - You can find the config.inc.php configuration file in [NuSphere installation directory]/Apache/nsdocs/phpMyAdmin.
  • MRB - You can find the config.inc configuration file in [NuSphere installation directory]/Apache/nsdocs/apps/mrbs.
  • Shopping Cart - You can find the index.php3 configuration file in [NuSphere installation directory]/Apache/nsdocs/apps/shopcart.
  • IRM - If you need to update the username and password for IRM you can edit the config.inc.php3 file located in [NuSphere installation directory]/Apache/proapps/irm-1.0.3 directory.
  • phpWebSite - You can add the new user and password when you are installing the phpWebSite portal. There is a specific section on setting up user name and password authentication for your database. If you need to update the username and password for phpWebSite after the initial configuration, you can edit the config.php file for phpWebSite located in [NuSphere installation directory]/Apache/htdocs/phpWebSite-0.7.7.

7. If I changed the MySQL database ROOT password, what do I have to consider in order to use the NuSphere Apache Access Manager?

This would depend on whether or not you have configured the Access Manager before or after you made your MySQL database password updates. If you made your changes prior to using the Access Manager, all you need to do is update the DB Admin username and password when you are initially configuring the tool. If you have already configured the Access Manager, you can edit the Data Source to include the appropriate username and password.

8. How do I restrict access to or set up authorization for phpMyAdmin or my other administration web sites?

In order to set up authentication for phpMyAdmin or other administration/public web sites, you can use the Access Manager for Apache. The Access Manager for Apache is a custom NuSphere application that helps administer user access and authorization for Apache Web servers. To find more details on the Access Manager for Apache, please reference the NuSphere "Advantage Guide" online documentation.

