
[123/365] Mastering phpMyAdmin 3.1 (Photo credit: Ben Dodson)

phpMyAdmin is very popular software (to give some numbers: nearly 10000 downloads daily on SourceForge.net, or 126645 reports in Debian's popcon) and as such it is an attractive target for various scripted attacks. If you run a phpMyAdmin installation anywhere, you should really make sure it is secured well enough that these script kiddies don't get through.

1. First we will set up an Apache login and password that must be entered before the phpMyAdmin page is loaded:
htpasswd -c /etc/apache2/.htpasswd admin

password:

repeat password:
2. Edit /etc/apache2/conf.d/phpmyadmin.conf:

Change the default phpMyAdmin URL to something unique, to avoid hits from script kiddies and scanners that probe the well-known /phpmyadmin path.

We will put this change as well as the info for apache authentication in the following file:

sudo nano /etc/apache2/conf.d/phpmyadmin.conf

Change the Alias line to something unique. From this:

Alias /phpmyadmin /usr/share/phpmyadmin

…to this, for a random example:

Alias /securepanel /usr/share/phpmyadmin

In that same file (/etc/apache2/conf.d/phpmyadmin.conf), continue editing and put your authentication info into the Directory section, as follows:

<Directory /usr/share/phpmyadmin>
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All

        AuthUserFile /etc/apache2/.htpasswd
        AuthName Hello
        AuthType Basic
        Require user admin
...

Also add the following to the file; it redirects any plain HTTP request to HTTPS (mod_rewrite must be enabled, e.g. with a2enmod rewrite on Debian):

        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Last but not least, restrict access to a certain IP address, in our case the localhost. Note that Order takes a single argument, so there must be no space after the comma:

        # Deny all hosts unless an explicit Allow directive is included.
        Order Allow,Deny
        Allow from 127.0.0.1

The final edits to the file should look something like this:

# phpMyAdmin default Apache configuration

Alias /securepanel /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All

        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

        # Deny all hosts unless an explicit Allow directive is included.
        Order Allow,Deny
        Allow from 127.0.0.1

        AuthUserFile /etc/apache2/.htpasswd
        AuthName Hello
        AuthType Basic
        Require user admin
</Directory>
3. Save that file, and now restart Apache:
/etc/init.d/apache2 restart
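As an added example (not part of the original post), the following Python script checks a phpmyadmin.conf fragment for the four controls set up in the steps above: a renamed Alias, HTTP Basic authentication, the HTTP-to-HTTPS redirect, and the source-IP allowlist. It also catches two mistakes that are easy to make in this file and that stop Apache from starting at all: a space inside Order Allow,Deny and a mangled Directory tag. The two sample configurations are constructed from the post's snippets. The checker assumes the Apache 2.2 access-control directives the post uses; on Apache 2.4 those need mod_access_compat, and the native equivalent is Require ip 127.0.0.1, which the checker accepts as well.

```python
"""Lint a phpMyAdmin Apache conf fragment for the hardening controls described
in the post: renamed Alias, HTTP Basic auth, HTTP->HTTPS redirect, source-IP
allowlist. Added example; the sample configs are constructed from the post."""
import re

DOCROOT = "/usr/share/phpmyadmin"

# Constructed sample: a stock fragment with no hardening applied.
DEFAULT_CONF = """\
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
</Directory>
"""

# Constructed sample: the post's final configuration (Apache 2.2 syntax).
HARDENED_CONF = """\
Alias /securepanel /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
        # Deny all hosts unless an explicit Allow directive is included.
        Order Allow,Deny
        Allow from 127.0.0.1
        AuthUserFile /etc/apache2/.htpasswd
        AuthName Hello
        AuthType Basic
        Require user admin
</Directory>
"""


def parse_conf(conf):
    """Tiny parser for what these fragments use: comment lines, top-level Alias
    lines and one level of <Directory> sections. Returns (aliases, blocks, errors),
    where blocks maps a directory path to its [(directive, args), ...] list."""
    aliases, blocks, errors, current = {}, {}, [], None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Directory\s+(\S+)\s*>$", line, re.I)
        if m:
            if current is not None:
                errors.append(f"line {lineno}: nested <Directory> not supported")
            current = m.group(1)
            blocks.setdefault(current, [])
            continue
        if line.lower() == "</directory>":
            if current is None:
                errors.append(f"line {lineno}: </Directory> without an open tag")
            current = None
            continue
        if line.startswith("<"):
            # Catches e.g. "< Directory /path >", which Apache rejects.
            errors.append(f"line {lineno}: malformed section tag {line!r}")
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if current is None:
            if name == "alias":
                url, _, target = args.partition(" ")
                aliases[url] = target.strip()
        else:
            blocks[current].append((name, args))
    if current is not None:
        errors.append(f"<Directory {current}> is never closed")
    return aliases, blocks, errors


def audit(conf, docroot=DOCROOT):
    """Return a dict with one boolean per control plus a list of syntax errors."""
    aliases, blocks, errors = parse_conf(conf)
    section = blocks.get(docroot, [])

    def args_of(directive):
        return [a for n, a in section if n == directive]

    urls = [u for u, t in aliases.items() if t == docroot]
    alias_renamed = bool(urls) and "/phpmyadmin" not in urls

    basic_auth = (
        any(a.lower() == "basic" for a in args_of("authtype"))
        and bool(args_of("authuserfile")) and bool(args_of("authname"))
        and any(a.lower().startswith(("user ", "valid-user")) for a in args_of("require"))
    )

    https_redirect = (
        any(a.lower() == "on" for a in args_of("rewriteengine"))
        and any("%{HTTPS}" in a and a.split()[-1].lower() == "off" for a in args_of("rewritecond"))
        and any("https://" in a for a in args_of("rewriterule"))
    )

    # Apache 2.2 access control: Order takes exactly one token ("Allow,Deny");
    # "Allow, Deny" with a space is a syntax error and Apache refuses to start.
    order_ok = False
    for a in args_of("order"):
        if len(a.split()) != 1:
            errors.append(f"Order takes one argument, got {a!r} (remove the space after the comma)")
        elif a.lower() == "allow,deny":
            order_ok = True
    allow_from = any(a.lower().startswith("from ") for a in args_of("allow"))
    require_ip = any(a.lower().startswith("ip ") for a in args_of("require"))  # Apache 2.4 form
    ip_restricted = require_ip or (order_ok and allow_from)

    return {"alias_renamed": alias_renamed, "basic_auth": basic_auth,
            "https_redirect": https_redirect, "ip_restricted": ip_restricted,
            "errors": errors}


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

Run with python3 and it prints the findings for both samples. A real check would read /etc/apache2/conf.d/phpmyadmin.conf instead of the embedded sample and should still be followed by apache2ctl configtest before the restart, since this parser only understands the handful of directives used in the post.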

PS: A good replacement for phpMyAdmin that offers almost all of its features and more security for the end user is Adminer.

For more details, see the following link (a comparison between phpMyAdmin and Adminer):

http://www.adminer.org/en/phpmyadmin/