Can others access my files if I downloaded PHP / MySQL?

Question

I have university Internet. It has IP, let's say 220.81.184.12. I have project named let's say MyProject (it's folder). When I try to type 220.81.184.12/MyProject it launches my site. That means, that everybody in university can access my folder and site? I use Ubuntu and have installed PHP and MySQL. And also I can access phpmyadmin through IP like 220.81.184.12/phpmyadmin.

So, what's happening?

EDIT: And what does it mean? If other person installed PHP in his PC, what would happen?

Answer 1

Quite a lot to cover here, so let's dive in...

As mentioned by Marc B, if you set a web server on an un-firewalled public IP, everyone on the internet can access it. This is not to say that you are in this situation - you say you are on a university network, and you will most likely find that they implement some form of local network that has a NAT layer and/or firewall between your PC and the internet. However, you may still find that everyone on the university network (or at least your segment - see subnetting and VLANs) is able to access your web server.

---

What can you do to prevent this?

This is by no means an exhaustive list, but here are some of the more commonly used approaches to controlling web server security.

Set your web server to listen only on localhost (Mark B has already covered this but to clarify):

The main Apache configuration file, httpd.conf, uses a directive called Listen to determine which listening sockets to create and bind to when it starts up. The default is usually Listen 80, which means that the server will listen on TCP port 80, on every IP address registered on the machine. These IP addresses will be 127.0.0.1, the loopback address, and any IP addresses associated with any network interfaces you have installed, such as the above example of 220.81.184.12.

You can modify this directive to be more restrictive. For example, if you wanted to only accept connections from your local machine, you could change it to Listen 127.0.0.1 80. By doing this, you will be able to access your web server from your local machine at http://127.0.0.1/, http://localhost/, and http://220.81.184.12/ - yes, you can still use any address associated with the machine, because of the way loopback works - but no other machine anywhere in the world will be able to directly access it using any address.

Configure a firewall to block connections from other machines:

Almost all firewalls block every incoming request by default, and you have to explicitly allow open ports and/or applications to accept incoming connections. If you don't want other machines to be able to access your server, don't open the port allowing the application. Many firewalls will allow you to be more selective about these rules, by allowing incoming requests from certain IP addresses but not others.

If you want to stop other people from accessing network resources hosted by you computer, a firewall is usually a good place to start. You should find that your Ubuntu installation comes with iptables included.

Restrict the remote clients that can access directories in your Apache configuration file:
Please Note: This information describes the use of Apache directives that are now deprecated. Refer to footnote #1

As you probably already know, in order to get Apache to serve a directory, you have to create a <Directory> section for it in httpd.conf. Within the the default configuration file, you will find a section pre-configured to serve DocumentRoot, which will contain some lines that look like this:

Order allow,deny
Allow from all

This allows all requests from every client. As you can see, there are two directives there - Order and Allow (which has a complementary directive, Deny). Understanding what these directives do and how they work is essential if you are going to administer an Apache server. They are explained in great detail in the manual pages linked, so I won't go into it here - lets just have an example:

Order deny,allow
Deny from all
Allow from 127.0.0.1

Changing the default to this results in every request being denied, unless it originated from 127.0.0.1 - your local machine. Now lets say you want to allow your friend, who's IP address is 172.32.64.218, to access the page as well - we add an Allow directive for his IP address onto the end of the above configuration:

Allow from 172.32.64.218

After you set this up, your friend tells you that he owns all the IP addresses between 172.32.64.216 and 172.32.64.223, and wants to be able to use any of them to access your server. Instead of creating 8 seperate Allow directives, we can define it in one: using CIDR shorthand, we can express this subnet as 172.32.64.216/29, and we can use this in an Allow directive:

Allow from 172.32.64.216/29

The <Directory> sections define rules for a directory and all of it's sub-directories, so if you apply a rule to /myDir, the same rules will also apply to /myDir/subDir and /myDir/subDir/subSubDir. But, you can override these rules lower down the tree - so you can create a <Directory> section for /myDir/subDir/subSubDir with different rules. You can also use .htaccess files to define the rules, as long as you enable them with an AllowOveride directive.

As you can see, this method of controlling who is allowed to access your site is both relatively simple to configure, and can provide powerful and flexible rule control.

---

To answer your question If other person installed PHP in his PC, what would happen? - nothing. PHP is a server-side scripting language and cannot directly affect anything on any other computer, especially in terms of controlling access to a remote machine.

---

Footnote #1 06/2012

Just a brief note to mention that the Order, Allow and Deny directives have been deprecated in Apache 2.4. This type of access control has now been merged with the standard authentication process and is now provided using Require ip, Require host and Require local directives as supported by mod_authz_host.

Support for Order, Allow and Deny is still provided through mod_access_compat for backwards compatibility, but new configurations for the 2.4 branch and beyond should use the appropriate Require structures and old configurations should be converted to use the new mechanisms as soon as they are migrated. The old control mechanisms will be removed in a future version of Apache.

A document providing an introduction to the usage of the new directives is available here.