Security Question

Hey Experts,

I have a question about security here.
Here is a little background:

I have a dedicated server with 1 dedicated IP address.
I run one website from that server
I use PHPMYADMIN.

Ok.
www.xxx.com (main domain)
www.yyy.com (alias domain)
www.zzz.com (alias domain)

^ they are my domains (examples)


I have turned on VIRTUAL HOSTS in apache, and have these settings:

<VirtualHost *:80>
DocumentRoot /home/xxx/public_html
ServerName localhost
# Other directives here
</VirtualHost>

<VirtualHost *:80>
DocumentRoot /home/phpmyadmin/public_html
ServerName phpmyadmin
# Other directives here
</VirtualHost>


Now in the servers HOSTS file I have added:

127.0.0.1 phpmyadmin


Which means if at home, I point my HOSTS file to my server IP.
If I open:
http://phpmyadmin/
It loads my server, and it loads the phpmyadmin/public_html
(which is PHPMYADMIN of course)

All of the real domains and alias domains work great, they point to xxxx/public_html








THE QUESTION
-----------------
How secure is this? (I have got different values, I don't use "phpmyadmin" etc...)
Can someone query my Apache and get a list of all my hosts/virtual hosts?
As far as I know, unless they know what the "ServerName" is - they WONT be able to load it, apache will assume Localhost.
I dont know if this is a common method for doing things...
I kind of just stumbled across it when configuring Apache and liked it, so I stuck with it.

Thanks!
LVL 11
neesterAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

m1tk4Commented:
This is what's called "security by obscurity". No, there is no way to query and get all your hosts and virtual hosts. However, consider how much time would it take for someone who knows you and possibly your servers and who finds this question of yours while googling you up to put 2 and 2 together? :))

There is however is a much better way to secure your virtualhost - with passwords;) http://httpd.apache.org/docs/2.0/mod/mod_auth.html.

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
neesterAuthor Commented:
Yeah I have already passworded it with htpasswd etc...

But yeah - thanks!
I was really just wondering if apache ever gave information about the virtual hosts etc.
:)

Thnx!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.