Setting up a web trap…

In order to better understand web threats, what better way than to create your own web server?

Web admin stuff is not my forte, so I decided to follow my friend JP’s advice and go the easy way with XAMPP.

XAMPP will install pretty much all the stuff you need to start your own web server. It configures Apache, MySql and a bunch of other components used by most servers.

The other advantage that this has for me is the fact that XAMPP is not recommended for ‘real life’ uses. It is mainly geared towards testing and development. One of the reasons is because by doing a lot of the ‘default’ set up for you, it is not making your server very secure right off the bat.

It happens that this what I want anyway.

I still have a lot to learn about Intrusion Detection Systems (IDS) and we’ve had a lot of malware lately causing us grief in our network, such as Conficker.

The idea here is to set up a vulnerable web server (Windows Server 2003) with very lax security settings (default passwords, open connections to DB etc.)

However, this site will not be available to the WWW. It is going to stay in our ‘very infected’ LAN, where I hope it will get owned soon.

Please do that’s what it’s for.

Jerome