Someone confirm these settings please

Security->Application Monitor-> Apache
Parent App->Services.exe

Order is : Application,Remote,Port,Protocol,Permission

Apache [Any] [Any] TCP/UDP In/Out Allow
Apache [Any] In[80,443] TCP/UDP In Allow

<<<<++++ IMPORTANT QUESTIONS ++++>>>>>

  1. In the previous version of CPF I don't remember the parent for Apache being Services.exe. It sounds correct, but is it?

  2. What rules should I be setting for Services.exe?

  3. Do I have the above rules in the correct order ?

  4. Mysql-nt has no rules, and shows Services.exe as the parent, can anyone help with rules and confirm Services.exe as parent please.

  5. php.exe shows the parent as Apache.exe (finally something looks correct), could someone confirm and also help with the rules please.

Smile, I ain't even started on the network settings :slight_smile:

Thanks in advance
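An added example (not part of the original post, and not Comodo code): a small audit of the two Application Monitor rules quoted above. It assumes the whitespace-separated layout application, remote, port, protocol, direction, permission as the rules appear in the post, and it looks only at allow rules, so the result does not depend on how CPF orders them.

```python
import re
from typing import FrozenSet, List, NamedTuple, Optional, Tuple

# The two rules exactly as quoted in the post.
POSTED_RULES = [
    "Apache [Any] [Any] TCP/UDP In/Out Allow",
    "Apache [Any] In[80,443] TCP/UDP In Allow",
]

class Rule(NamedTuple):
    app: str
    remote: str
    ports: Optional[FrozenSet[int]]  # None = any port
    protos: FrozenSet[str]
    dirs: FrozenSet[str]
    action: str

def parse_rule(line: str) -> Rule:
    # Assumed layout: app, remote, port, protocol, direction, permission.
    app, remote, port, proto, direction, action = line.split()
    m = re.search(r"\[([\d,]+)\]", port)
    ports = frozenset(int(p) for p in m.group(1).split(",")) if m else None
    return Rule(app, remote, ports, frozenset(proto.upper().split("/")),
                frozenset(direction.lower().split("/")), action.lower())

def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every connection matched by `narrow` is also matched by `broad`."""
    ports_ok = broad.ports is None or (
        narrow.ports is not None and narrow.ports <= broad.ports)
    return (broad.app == narrow.app
            and broad.remote in ("[Any]", narrow.remote)
            and ports_ok
            and narrow.protos <= broad.protos
            and narrow.dirs <= broad.dirs)

def redundant_allows(lines: List[str]) -> List[Tuple[int, int]]:
    """(narrow, broad) index pairs: allow rule `narrow` adds no restriction
    because allow rule `broad` already permits strictly more."""
    rules = [parse_rule(l) for l in lines]
    return [(i, j) for i, n in enumerate(rules) for j, b in enumerate(rules)
            if i != j and n.action == b.action == "allow"
            and covers(b, n) and not covers(n, b)]

def inbound_ports(lines: List[str], app: str) -> Optional[FrozenSet[int]]:
    """Union of inbound ports the allow rules open for `app`; None = any port."""
    opened: FrozenSet[int] = frozenset()
    for r in map(parse_rule, lines):
        if r.app == app and r.action == "allow" and "in" in r.dirs:
            if r.ports is None:
                return None
            opened |= r.ports
    return opened
```

For the posted pair, `redundant_allows` reports the 80/443 rule as covered by the any/any rule, and `inbound_ports` reports any port open until the any/any rule is removed.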

First, could you explain why the default settings are not sufficient?

Because I run a webserver and host 2 sites. Admittedly not high traffic sites, they are just for myself and my friends. But, I have an obligation to secure it to the maximum. Apart from that I want to learn. Having my webserver set up with just any-any (both in and out) is hardly secure. I want very limited access available.

I was also told on this forum that I had an obligation to secure my database and webserver.

From my limited understanding Apache serves up the webpage. Php queries the database (mysql) and provides Apache with the information it needs to build the page. If that is correct then there shouldn’t be a need for mysql or php to have access to the net directly, if at all.

As things are now Apache is the parent of php, that sounds about right. But, why would mysql-nt have services.exe as the parent? It kinda sounds right, but I would have thought Apache would be the parent.

Let's add to that that this is the gateway for my home network. Since uninstalling Outpost and installing CPF I have had endless problems with trojans, viruses, etc. I’m not blaming CPF, it's my own fault for not running a tight enough ship. I believe someone may have found a way onto my computer, I wish to tighten it up and clean it out so I can sleep at night. Although the sites I run are only for friends, they are still important to me, and I don't need uninvited guests on my computer.

If there was NO need to adjust the rules to suit each individual's circumstances then why would they make it available?

Your question has left me a bit confused.

I may well be misunderstanding something here. You may be trying to get a valid point across that I am missing. If so, please tell me. As I have stated, I want to learn.

And thank you so far for answering my posts, much appreciated that you would take the time.
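An added example (not part of the original post): one way to check the point made above, that only Apache needs to be reachable while MySQL does not. It parses Windows `netstat -ano` style output and reports TCP listeners that are bound to a non-loopback address on a port outside the intended public set. The sample output, PIDs and addresses are constructed for illustration; 3306 is MySQL's default port.

```python
import ipaddress
from typing import Iterable, Iterator, List, Tuple

# Constructed sample in the layout of `netstat -ano` on Windows.
# In this sample PID 1432 stands for Apache and PID 1780 for mysqld-nt.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1780
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       880
  TCP    192.168.1.2:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:80         203.0.113.9:51544      ESTABLISHED     1432
  TCP    [::]:80                [::]:0                 LISTENING       1432
"""

def listeners(text: str) -> Iterator[Tuple[str, int, int]]:
    """Yield (local_address, port, pid) for every TCP socket in LISTENING state."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            host, _, port = fields[1].rpartition(":")
            yield host.strip("[]"), int(port), int(fields[4])

def unexpected_listeners(text: str,
                         public_ports: Iterable[int] = (80, 443)
                         ) -> List[Tuple[str, int, int]]:
    """Listeners reachable from other hosts on ports not meant to be public."""
    allowed = set(public_ports)
    found = []
    for host, port, pid in listeners(text):
        if ipaddress.ip_address(host).is_loopback:
            continue  # 127.0.0.1 / ::1 is only reachable from the machine itself
        if port not in allowed:
            found.append((host, port, pid))
    return found

if __name__ == "__main__":
    for host, port, pid in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"review: PID {pid} listening on {host}:{port}")
```

A listener that shows up here is a candidate either for binding to 127.0.0.1 in the service's own configuration or for a firewall rule that blocks inbound traffic to it.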

Needed to know more information about your set up. Since you’re running a web server you might want to consider putting a Linux box (old computer) as a firewall. As for your questions. One way to determine how the CPF is determining a parent is to look at the logs as you are testing your set up, which I’m sure you already know about but worth mentioning again. Since you used a previous version of CPF to good order you will need to look back at your previous set up. Services.exe should be verified that it is from Microsoft to feel comfortable that CPF is choosing it as a parent correctly. The process is used for starting, running, interacting, and stopping services. The reason why I recommend studying using a simple Linux box as a firewall is because it is simple, reliable, and avoids such things as possible memory leaks between mysql and services.exe. CPF is a fine firewall but I wouldn’t recommend it beyond simple desktop protection. That last bit of advice will let you know how knowledgeable our community is at the present time concerning using CPF as a firewall to protect a web server. It is sure to be rebuked by someone. If not, then you know you are lost on this forum to help set up your system with CPF.

Hmm… I’m not exactly sure what you're trying to accomplish here, but I’m gonna assume basic internet web-access towards your Apache server. Make one rule that says:
ALLOW TCP IN FROM IP [ANY] TO IP [INSERT IP ADDRESS OF APACHE HERE] WHERE SOURCE PORT IS [ANY] AND DESTINATION PORT IS IN [80]
(This text is made capitalized to match CPF output. I’m not shouting :))
Remove the TCP 443 access. You do not want this type of access from the internet. Leave the rest as is, meaning the deny statement at the end. This should pretty much cover internet access and leave your apache secured.

For more advanced configurations, feel free to ask :slight_smile:

Culpeper, I’m planning on running a *nix box for a firewall and then another *nix box as my web server. Problem is, I’m 51yrs old now and have only been on a computer for about 5yrs. In between learning how to set up a home network, PHP, setting up Apache, and database management I haven't had time to learn much on the Linux side of things. I would love nothing more than to not have to ever use an MS box ever again. I was just today checking if CPF ran on both Linux and MS. Thanks for your advice.

Triplejolt, the settings I posted were what I was recommended here for the older version. Isn't 443 for SSH access or something? I can't remember why, but I was told to leave it open as far as I know.

Thanks for the replies guys.

There are many very good Linux forums and guides to download if you need to. If you are going to use Linux as a firewall use:

http://www.smoothwall.org/

OR:

http://ipcop.org/

These are actual operating systems but only act as a standalone firewall and do nothing else but act as a firewall. This makes configuration easier because you don’t have to deal with anything else but the firewall component.

cheers, rotty

443 is HTTPS. This too is safe to use. My apologies. I kinda misread the number there and thought you said 445 (which is a completely different port altogether :))
Port 22 is SSH. And unless you need it for remote management, I wouldn’t recommend it for Internet access from a security point of view. Actually, I try to restrict the access from the Internet as much as possible. If I need to remotely configure/manage something, I use VPN.

CPF for Linux… That I don’t know. I hope so though :slight_smile: