Localhost Security Issues?
Am I putting my client at risk?
I'm running Mac OS 10.3.9, using the "turn on personal websharing" feature. This gives me an Apache server running a localhost. I set up my client's computer the same way. As I update and add pages, I take the entire website and email it to her as a zip file. Then, when I'm at her office, I download and install the new pages on her computer, which is set up the same as mine (except she's running OS 10.5). This way we both have a perfect mirror of the actual site (it's all relative links).
I'm concerned, now, that there may be some security risks for both of us. Besides turning on the firewall, what else might I need to be concerned with? This is the first live site I've done, and there's a lot I don't know yet.
Am I putting her laptop, and her website, at risk by running localhost and leaving it on so she can check it when I'm not there?
How are the computers connected to the internet?
Most routers have a built-in NAT firewall, and allow port forwarding.
Whatever you do, there is always some element of risk.
Thanks for answering! I might not have described things clearly. The actual website files reside on a server that I do not administer. But I have Apache turned on in 2 laptops. This is just to use as a 'localhost' environment. So I'm wondering if, since they are 'serving' pages, though only locally to the browser on each respective computer (these 2 laptops are not in connection with each other in any way through the internet), can the laptops be compromised in any way that web developers using a 'localhost' environment usually take into account?
Both my computer and hers are connected to the Web through high-speed broadband, and hers also through various open wifi 'hotspots' that she frequents.
I am ignorant about routers. Neither of us has one to my knowledge. It sounds like your answer was addressing a server and router. So I hope I have clarified my question anyway.
There is no DNS pointing a domain to either of our computers. But each is accessible via its IP address. If I call a friend on the phone and tell them to type in the IP address for my computer, they will be served a webpage.
So am I exposing my client to casual mischief by leaving her with a laptop that has an Apache server turned on?
OK, first of all I am not an expert on security.
I do occasionally run various servers on OSX and have never had a problem, but the computers I use go through the NAT firewall on my router, as well as the built-in software firewall.
My understanding is that any computer that is web-accessible by IP address is vulnerable to some degree, and that if someone with enough expertise is determined to hack in then they will probably manage it - even if you are the Pentagon.
In your case it is probably enough to defend against casual chancers, automated or otherwise, and having a hardware firewall between your computer and the web would seem advisable if running a webserver for any length of time.
Hopefully a real security expert will comment soon.
They will probably freak us both out.
What I would do is get the WAN IP of both computers and try and access each system from the other. If you are able to see the website then port 80 is open on the router. I recommend closing this just to try and tighten things up a bit. If you get a 404 error then the port is closed and http traffic is not being allowed past the router.
I have been using servers on PC as "localhost" for ages and have never had any issues. Occasionally, if I have a client on messenger, I will open port 80 and send them a link to view the site using my computer as a server.
Localhost development machines are very handy tools, and as long as your router is doing its job, and the server is configured correctly, the risk should be very small. The advantages will surely outweigh the risk.
Thanks Mac - That's a good tip. You used the word "messenger". If that means MSN Messenger, my client's on it all the time. If closing port 80 cuts that off I'll have to leave it open. It doesn't sound like there's a lot to worry about in this situation. I'm going to keep researching it. The client is gone for a week so I won't have any results till then and won't have anything of interest to post.
My question should have read, are these 2 computers at risk by running an Apache server without an administrator! That's the real issue. My eyes just can't handle any more documentation on my 'to do list' :)
I think what Mack was talking about was opening port 80 on the router firewall to allow someone he is chatting to on an IM client to click a link and access the webserver on his computer.
|I am ignorant about routers. Neither of us has one to my knowledge.|
When I am running a webserver just for my own testing, my router firewall is blocking port 80 to outsiders. If I want to make the webserver available to the public I open port 80, and that is when security becomes an issue.
One rough and ready method of keeping the nasties out is using a different (obscure) port number.
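An added example, not part of any post in this thread: whether Apache answers only the browser on the same laptop or anyone who can reach the machine's IP address is decided by its `Listen` directives, and a different port number changes the port, not which interfaces answer. The Python sketch below audits a constructed config (the sample text and the function names are assumptions made for illustration) and reports which ports are bound beyond loopback.

```python
import ipaddress
import re

# Constructed sample config; not taken from either laptop in the thread.
SAMPLE_CONF = """\
# stock-style setting: answer on every interface
Listen 80
  listen 127.0.0.1:8080
Listen [::1]:8081
Listen 192.168.1.20:8888 http
Listen [::]:443 https
#Listen 8000
"""

# Listen [IP-address:]port [protocol]; IPv6 addresses are written in brackets.
LISTEN_RE = re.compile(
    r"^\s*Listen\s+(?:(\[[^\]]+\]|[^\s:]+):)?(\d+)(?:\s+\S+)?\s*$",
    re.IGNORECASE,
)

def classify(host):
    """Say who can reach a socket bound to `host` (None means no address given)."""
    if host is None or host == "*":
        return "all-interfaces"
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "unrecognised"
    if addr.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:             # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "specific-address"

def audit_listen(conf_text):
    """Return (line number, port, scope) for every active Listen directive."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = LISTEN_RE.match(line)
        if m:
            findings.append((lineno, int(m.group(2)), classify(m.group(1))))
    return findings

def exposed_ports(conf_text):
    """Ports that answer on something other than loopback."""
    return sorted(p for _, p, scope in audit_listen(conf_text) if scope != "loopback-only")

if __name__ == "__main__":
    for lineno, port, scope in audit_listen(SAMPLE_CONF):
        print(f"line {lineno}: port {port} -> {scope}")
```

For a development-only setup, a config whose `exposed_ports` result is empty (every `Listen` bound to 127.0.0.1 or ::1) serves pages to the local browser and to nothing else on the network.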