#1
Hello,
I need some advice about my WAMP security configuration. I recently decided to host a personal webserver on my own PC for testing purposes. But security issues are a real preoccupation for me. Here is my configuration:

* Platform:
- Windows XP Pro SP2 US version

* Security-related software installed:
- XP-AntiSpy; SafeXP;
- Sygate Personal Firewall (Windows Firewall is disabled)
- Protowall (IP Banning);
- SpywareGuard, SpyBot, Spywareblaster, Ad-Aware SE Personal

* AMP configuration

A) APACHE
Distributions:
Apache: Apache_1.3.31-Mod_SSL_2.8.19
OpenSSL: Openssl-0.9.7d-Win32

1. I use HTTPS (without an authentic certificate) for sporadic connections. Is it enough? Or should I buy a certificate to validate the whole system? Is SSL the most reliable solution?
2. Site access is IP/login restricted (.htaccess)
3. All the server's information is safely obfuscated (HTTP headers, 404 error, etc.).

B) PHP
As PHP security relies on good coding practices it is not useful to mention it here (even the php.ini is personalized when dealing with heavy applications (ex: Typo3..))

C) MySQL
The "Anonymous" account is deleted and the "root" account is password protected. Can I do something more? Did I miss something?

* VNC over SSH
I recently discovered ultr@VNC.. it's a terrific program.. Easy to install and very efficient. But do you know an (open source) natively SSH2-secured VNC solution? I tried to improve the security here too with SSH encryption (using OpenSSH (setupssh381-20040709.exe) and Putty (port forwarding)). The configuration was a bit of a headache at first but it was necessary I think. Is OpenSSH a reliable solution? Maybe you know another way to safely encrypt a VNC session?

Last question... I would like to watch the Internet traffic in real time. Can you recommend an easy-to-use (for a newbie) packet analyzer?

Well.. I know there are a lot of questions here.. so, a BIG thanks in advance for your answers and opinions.

From Spain,
Michaël.
#2
The biggest thing to ensure is that you have all unneeded ports completely blocked from the outside. The best way to do that is to invest in a cheap router (you can get one for around $50 US) and have that be your firewall. Deny everything except for the couple of ports you need to open for your experimentation. BTW, make absolutely sure that your router can only be configured from INSIDE your network! The ones I have seen come with that by default, but it is worth the couple of minutes to be sure. Also, change the default password!
My research on VNC is that they decided not to bother implementing encryption and suggest tunneling, so I think you are set. OpenSSL is just about as good as you are going to get, so other than subscribing to their mailing list I wouldn't lose any sleep about it. The cert is only important if you want other people to view your site without having a popup warning them about a self-signed cert; if you are not in business, don't bother. As for programming, my sig has a little secure programming writeup, you may find it useful. You seem to have a reasonable grasp of security (about a light year ahead of the average), so you should do fine.
__________________
Left DevShed May 28, 2005. Reason: Unresponsive administrators.
Free code: http://sol-biotech.com/code/
Secure Programming: http://sol-biotech.com/code/SecProgFAQ.html
Performance Programming: http://sol-biotech.com/code/PerformanceProgramming.html
It is not that old programmers are any smarter or code better, it is just that they have made the same stupid mistake so many times that it is second nature to fix it. --Me, I just made it up
The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable man. --George Bernard Shaw
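A host-side check to go with the "deny everything except the ports you need" advice above, as an added example that is not part of the original post: this Python parses Windows `netstat -an` output and flags TCP listeners reachable beyond loopback that are not on an allowlist. The allowlist (22 for SSH, 443 for HTTPS, with VNC and MySQL expected on loopback behind the SSH tunnel) and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumed policy (not from the thread): only SSH and HTTPS may listen on
# non-loopback addresses; VNC and MySQL are reached through the SSH tunnel.
EXPOSED_OK = {22, 443}
NAMES = {22: "ssh", 80: "http", 443: "https", 3306: "mysql", 5900: "vnc"}

# Constructed sample of Windows `netstat -an` output.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:443       203.0.113.7:51123      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def listeners(netstat_text):
    """Yield (address, port) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        yield host.strip("[]"), int(port)  # brackets appear on IPv6 entries

def audit(netstat_text, exposed_ok=EXPOSED_OK):
    """Return sorted (port, address, name) findings for listeners bound
    beyond loopback whose port is not in the allowlist."""
    findings = set()
    for host, port in listeners(netstat_text):
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False  # unparseable address: treat as exposed
        if not loopback and port not in exposed_ok:
            findings.add((port, host, NAMES.get(port, "unknown")))
    return sorted(findings)

if __name__ == "__main__":
    for port, host, name in audit(SAMPLE):
        print(f"review: {name} listening on {host}:{port}")
```

This only shows what the host itself is listening on; what is reachable from the Internet still depends on the router rules.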
#3
Hi,
You just gave me very wise advice. Indeed I wasn't sure about buying a cert or not just for development purposes. Thanks for clarifying this point! Especially, you made pretty clear to me the advantage (and necessity) of using a router. I didn't even think about it. I already started searching for one.. I'm pretty interested in Netgear products. Maybe you could (from experience) recommend one in particular (without restricting the choice to the brand I mentioned)?

Thank you for answering me so quickly.
Mike
#4
I use a Linksys router I got from an electronics store. It has 5 ports, more than enough for my home network. The admin functions are accessed via web page, so I can configure it from anywhere inside my network. I suspect that just about any router will work, including used ones, though the older they are the fewer bells and whistles they will have. Keep in mind that whatever router you get is the entry point for your network, thus where the hackers will be hitting, so be sure to keep it patched. It is also probably worth your while to do a little research on whatever router you are interested in to see its history of vulnerabilities. You can often turn on logging for various routers, though after a couple of days of looking at the endless hits by script kiddies it can get pretty boring (I turned it off and haven't looked since).