Changing XAMPP default error404

1. Edit the following file as root:

sudo pico /opt/lampp/etc/extra/httpd-multilang-errordoc.conf

At the end of the file, change the lines as shown, i.e. put # at the beginning of the original 403 and 404 lines and add two new lines:

ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
#ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
#ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
ErrorDocument 403 /error403.html
ErrorDocument 404 /error404.html
ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var

Save and exit (Ctrl+O, Ctrl+X).

2. Prepare custom error pages named error403.html and error404.html. Keep these files in the root of your web server (i.e. /opt/lampp/htdocs).

3. Restart XAMPP with the command below:

sudo /opt/lampp/lampp restart

4. XAMPP's newer security setting denies access to the xampp and phpmyadmin directories from any address other than the permitted IPs, and serves the error 403 page when it does. To change which page is served, edit the following file:

sudo pico /opt/lampp/etc/extra/httpd-xampp.conf

and change the line below:

ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var

to

ErrorDocument 403 /error404.html

This is not a mistake. I deliberately recommend sending unauthorized visitors who request the xampp and phpmyadmin directories to the "page not found" (404) page. It is slightly more secure, because the attacker may conclude that there is no xampp or phpmyadmin directory on the server at all, whereas a 403 confirms that the directory exists. (That is also the reason for using error404.html rather than a .php file; if you use Joomla you also have to enable SEO-friendly URLs, otherwise the address bar makes it too obvious.)

Installing XAMPP in Linux

What is XAMPP?

XAMPP is an easy-to-install Apache distribution containing MySQL, PHP and Perl. LAMPP (XAMPP for Linux) is very easy to install and use – just download, extract and start.

Download XAMPP

http://sourceforge.net/projects/xampp/files/XAMPP Linux/

Installing XAMPP in Linux

Download the latest XAMPP version from the following link:
http://sourceforge.net/projects/xampp/files/XAMPP Linux

The latest XAMPP version at the time of writing is 1.7.7 (Sept 21).

$wget http://cdnetworks-kr-1.dl.sourceforge.net/project/xampp/BETAS/xampp-linux-1.7...

You should now have xampp-linux-1.7.7.tar.gz in your download location.

Go to a Linux shell and log in as root; the following commands are run as the root user:

$ su -p

Extract the downloaded archive to /opt:

#tar xvfz xampp-linux-1.7.7.tar.gz -C /opt

XAMPP is now installed below the /opt/lampp directory.

Start XAMPP Server

To start XAMPP simply call this command:

#/opt/lampp/lampp start

Starting XAMPP for 1.7.3a…
XAMPP: Starting Apache with SSL (and PHP5)…
XAMPP: Starting MySQL…
XAMPP: Starting ProFTPD…
XAMPP for Linux started.

Test Your XAMPP Installation

OK, that was easy, but how can you check that everything really works? Just type the following URL into your favourite web browser:

http://localhost

XAMPP Security Configuration

As mentioned before, XAMPP is not meant for production use but only for developers in a development environment. XAMPP is configured to be as open as possible, allowing the developer to do anything they want. For development environments this is great, but in a production environment it could be fatal.

Here is a list of the security weaknesses in XAMPP:

The MySQL administrator (root) has no password.
The MySQL daemon is accessible via the network.
ProFTPD uses the password “lampp” for user “nobody”.
phpMyAdmin is accessible via the network.
Examples are accessible via the network.
MySQL and Apache run under the same user (nobody).

To fix most of these security weaknesses simply call the following command:

#/opt/lampp/lampp security

It starts a small security check and makes your XAMPP installation more secure.

Start And Stop Server Services

start
Starts XAMPP.

stop
Stops XAMPP.

restart
Stops and starts XAMPP.

startapache
Starts only Apache.

startssl
Starts the Apache SSL support. This command activates SSL support permanently, i.e. if you restart XAMPP in the future SSL will stay activated.

startmysql
Starts only the MySQL database.

startftp
Starts the ProFTPD server. Via FTP you can upload files for your web server (user “nobody”, password “lampp”). This command activates ProFTPD permanently, i.e. if you restart XAMPP in the future FTP will stay activated.

stopapache
Stops Apache.

stopssl
Stops the Apache SSL support. This command deactivates SSL support permanently, i.e. if you restart XAMPP in the future SSL will stay deactivated.

stopmysql
Stops the MySQL database.

stopftp
Stops the ProFTPD server. This command deactivates ProFTPD permanently, i.e. if you restart XAMPP in the future FTP will stay deactivated.

security
Starts a small security check program.

For example: To start Apache with SSL support simply type in the following command (as root):

#/opt/lampp/lampp startssl

You can also access your Apache server via SSL under https://localhost.

Important Configuration Files And Directories

/opt/lampp/bin/ – The home of the XAMPP commands; for example, /opt/lampp/bin/mysql starts the MySQL monitor.
/opt/lampp/htdocs/ – The Apache DocumentRoot directory.
/opt/lampp/etc/httpd.conf – The Apache configuration file.
/opt/lampp/etc/my.cnf – The MySQL configuration file.
/opt/lampp/etc/php.ini – The PHP configuration file.
/opt/lampp/etc/proftpd.conf – The ProFTPD configuration file. (since 0.9.5)
/opt/lampp/phpmyadmin/config.inc.php – The phpMyAdmin configuration file.

Stopping XAMPP

To stop XAMPP simply call this command:

#/opt/lampp/lampp stop

You should now see:

Stopping XAMPP 1.7.3a…
XAMPP: Stopping Apache…
XAMPP: Stopping MySQL…
XAMPP: Stopping ProFTPD…
XAMPP stopped.

And XAMPP for Linux is stopped.

Starting LAMPP automatically on startup

To start LAMPP automatically at boot, add the following line to your /etc/rc.local file (the # shown before other commands on this page is the root prompt; do not put it in rc.local, or the line becomes a comment):

/opt/lampp/lampp start

where /opt/lampp is the location where the XAMPP files are kept. Substitute the path to your XAMPP installation if it differs.

Uninstall XAMPP From your Machine

To uninstall XAMPP just type in this command:

#rm -rf /opt/lampp

Protect your Joomla administrator directory!!

I have only just started learning to use Joomla!.. a bit late. But it is not too late if there is a will to learn.

Once you have finished building a website with Joomla! and uploaded it to the public, you have to pay attention to its security as well. Joomla! is very popular and an easy target for hackers. One look at the URL in the browser and they can tell it uses Joomla. Then they type anything at all into that URL,

bam!!...

out comes error 404... along with a little information about the server. That is enough for hackers to narrow the scope of their target. You have to make a customised error 404 page. (I haven't done it yet, huhu... that's why I can't write about it yet)

One more thing: they will always try to access the administrator page, www.contohsite.com/administrator/, and brute-force from there. So protecting this directory at least adds a little to their work. We can't simply rename the administrator folder, because many components and plug-ins refer to the /administrator folder.

The method...

haa... the method is to create a new directory, for example pentadbir, and access administrator through this directory.

1. Create a new folder in the root directory, for example pentadbir.

2. In the pentadbir folder, create an index.php file with the following incantation:

<?php
$admin_cookie_code = "1234567890";
setcookie("JoomlaAdminSession", $admin_cookie_code, 0, "/");
header("Location: ../administrator/index.php");
exit; // nothing else should be sent after the redirect
?>

3. Add a .htaccess file in the original administrator directory with the following lines:

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/administrator
RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=1234567890
RewriteRule .* - [L,F]

4. Add the following lines at the start of index.php in the administrator folder (right after its opening <?php tag):

if (!isset($_COOKIE['JoomlaAdminSession']) || $_COOKIE['JoomlaAdminSession'] != "1234567890")
{
    ?><script>location='../index.php';</script><?php
    exit; // stop here so the administrator page body is never sent
}

Now, every time we want to access administrator we have to go through pentadbir first, for example www.contohsite.com/pentadbir/, after which we are redirected to the real directory. Direct access to www.contohsite.com/administrator/ is sent back to the home page. If you skip step 4, an error 404 appears instead.

note: don't forget to change the cookie code 1234567890 and the name pentadbir to your own choice, because this example is now public... it can't be used any more.
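The gate above works, but a practitioner would tighten it: the secret is typed in two PHP files, the comparison leaks timing, the cookie has no HttpOnly/Secure flags, and the <script> redirect still delivers the admin page to anything that ignores JavaScript. The following is an added example, not code from the original post or from Joomla, that puts the whole gate in one included file. The file name gate.php, the function names, the constant names and the PHP 7.3+ requirement (for the setcookie options array) are my assumptions; GATE_SECRET is a placeholder you replace with your own random value, and the site is assumed to live at the web root so that /administrator/ is the admin path.

```php
<?php
// gate.php  (added example, not from the original post or from Joomla)
//
// Usage, with assumed file names. Keep this file outside the web root if you
// can (for example next to configuration.php), then:
//   pentadbir/index.php     : <?php require '/path/to/gate.php'; gate_enter();
//   administrator/index.php : <?php require '/path/to/gate.php'; gate_enforce();
//                             (prepended before Joomla's own code)
// The .htaccess rule from step 3 stays in place as a second layer and must
// carry the same cookie name and secret value as below.

const GATE_COOKIE = 'JoomlaAdminSession';
// Generate your own value once, for example:
//   php -r 'echo bin2hex(random_bytes(16)), PHP_EOL;'
// The string below is a placeholder, not a usable secret.
const GATE_SECRET = 'REPLACE-WITH-YOUR-OWN-RANDOM-HEX';
const GATE_TTL    = 3600;          // seconds the entry cookie stays valid
const GATE_HOME   = '/index.php';  // where rejected requests are sent

/** True when the request carries a cookie equal to GATE_SECRET. */
function gate_cookie_is_valid(array $cookies): bool
{
    $value = $cookies[GATE_COOKIE] ?? null;
    if (!is_string($value)) {
        return false;
    }
    // hash_equals compares in constant time, so response timing does not
    // reveal how many leading characters of a guess were correct.
    return hash_equals(GATE_SECRET, $value);
}

/** Called from the hidden entry directory: set the cookie, then go to the admin. */
function gate_enter(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie(GATE_COOKIE, GATE_SECRET, [
        'expires'  => time() + GATE_TTL,
        'path'     => '/administrator/',  // sent only with admin requests
        'secure'   => $https,             // HTTPS-only when the site has HTTPS
        'httponly' => true,               // not readable from page JavaScript
        'samesite' => 'Strict',
    ]);
    header('Location: /administrator/index.php', true, 302);
    exit;
}

/** Prepended to administrator/index.php: stop unless the cookie is right. */
function gate_enforce(): void
{
    if (gate_cookie_is_valid($_COOKIE)) {
        return;  // let Joomla's own login page load
    }
    // Server-side redirect and exit: a <script> redirect would still ship the
    // whole administrator page body to a client that ignores the script.
    header('Location: ' . GATE_HOME, true, 302);
    exit;
}
```

The cookie path /administrator/ still satisfies the RewriteCond in step 3, because that rule only inspects requests under /administrator and the browser sends the cookie with exactly those. Treat the gate as an extra obstacle in front of Joomla's login, not as a replacement for strong administrator passwords and an updated Joomla; it only hides the login form from scanners that have not learned the entry directory name, so pick that name as carefully as the secret.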

so what are you waiting for, give it a try...