?
Solved

Security Question

Posted on 2006-04-24
2
Medium Priority
?
214 Views
Last Modified: 2010-03-04
Hey Experts,

I have a question about security here.
Here is a little background:

I have a dedicated server with 1 dedicated IP address.
I run one website from that server
I use PHPMYADMIN.

Ok.
www.xxx.com (main domain)
www.yyy.com (alias domain)
www.zzz.com (alias domain)

^ they are my domains (examples)


I have turned on VIRTUAL HOSTS in apache, and have these settings:

<VirtualHost *:80>
DocumentRoot /home/xxx/public_html
ServerName localhost
# Other directives here
</VirtualHost>

<VirtualHost *:80>
DocumentRoot /home/phpmyadmin/public_html
ServerName phpmyadmin
# Other directives here
</VirtualHost>


Now in the servers HOSTS file I have added:

127.0.0.1 phpmyadmin


Which means if at home, I point my HOSTS file to my server IP.
If I open:
http://phpmyadmin/
It loads my server, and it loads the phpmyadmin/public_html
(which is PHPMYADMIN of course)

All of the real domains and alias domains work great, they point to xxxx/public_html








THE QUESTION
-----------------
How secure is this? (I have got different values, I don't use "phpmyadmin" etc...)
Can someone query my Apache and get a list of all my hosts/virtual hosts?
As far as I know, unless they know what the "ServerName" is - they WONT be able to load it, apache will assume Localhost.
I dont know if this is a common method for doing things...
I kind of just stumbled across it when configuring Apache and liked it, so I stuck with it.

Thanks!
0
Comment
Question by:neester
2 Comments
 
LVL 15

Accepted Solution

by:
m1tk4 earned 2000 total points
ID: 16531513
This is what's called "security by obscurity". No, there is no way to query and get all your hosts and virtual hosts. However, consider how much time would it take for someone who knows you and possibly your servers and who finds this question of yours while googling you up to put 2 and 2 together? :))

There is however is a much better way to secure your virtualhost - with passwords;) http://httpd.apache.org/docs/2.0/mod/mod_auth.html.

0
 
LVL 11

Author Comment

by:neester
ID: 16531658
Yeah I have already passworded it with htpasswd etc...

But yeah - thanks!
I was really just wondering if apache ever gave information about the virtual hosts etc.
:)

Thnx!
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
It is possible to boost certain documents at query time in Solr. Query time boosting can be a powerful resource for finding the most relevant and "best" content. Of course the more information you index, the more fields you will be able to use for y…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Screencast - Getting to Know the Pipeline
Suggested Courses
Course of the Month14 days, 21 hours left to enroll

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question