How to secure phpMyAdmin
phpMyAdmin is free and open-source web application that provides simple GUI for MySQL written in php. phpMyAdmin is widely used to manage MySQL database. Thus this become biggest threat that attacker may get access through MySQL injection or bruteforce attack. This becomes important to give extra security layers for phpMyAdmin.
In this article, we will use few security steps that will prevent attackers to get access phpMyAdmin. If you have have not installed phpMyAdmin, you can install it from this article.
Change phpMyAdmin login URL
When you install phpMyAdmin, the default URL to access phpMyAdmin is http://<your-server-ip>/phpmyadmin. The first step we need is to change Alias for phpMyAdmin. For that open phpMyAdmin configuration file /etc/phpmyadmin/apache.conf in Terminal using nano command.
sudo nano /etc/phpmyadmin/apache.confIn this file find the line for Alias
Alias /phpmyadmin /usr/share/phpmyadminChange /phpmyadmin to something like below that unknown user can't access phpMyAdmin login.
Alias /pma-login /usr/share/phpmyadminSave and exit the file. Restart the apache server using command.
sudo service apache2 restartNow your phpMyAdmin login URL is also changed to the alias you have set. E.g. http://<your-server-ip>/pma-login
Only allow your specific IP address
This is great security measure to allow only whitelisted IP address only. This will restrict unknown users to access phpMyAdmin.
Open the same above config file /etc/phpmyadmin/apache.conf. In the file find the directive <Directory /usr/share/phpmyadmin> and add these lines inside it with your local IPs.
<Directory /usr/share/phpmyadmin>
Options SymLinksIfOwnerMatch
DirectoryIndex index.php
Order Deny,Allow
Deny from All
Allow from 127.0.1.1
...And restart the Apache server.
sudo service apache2 restartNow every IPs except whitelisted IP will get forbidden message.
Add extra apache security layer
Adding extra apache login layer will provide phpMyAdmin strong security. It will also stop attack on phpMyAdmin login. Here is how you can add extra security with apache2.
In the phpMyAdmin apache configuration file, /etc/phpmyadmin/apache.conf edit and add AllowOverride All in the same directive.
<Directory /usr/share/phpmyadmin>
Options SymLinksIfOwnerMatch
DirectoryIndex index.php
AllowOverride All
...This will allow you to change configurations from the .htaccess file.
Now create /usr/share/phpmyadmin/.htaccess file and input below authentication configuration.
AuthType Basic
AuthName "Stay Away"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-userAfter creating the file, you will need to create user and password to authenticate. To create that run the below htpasswd command with your username.
sudo htpasswd -c /etc/phpmyadmin/.htpasswd <username>It will ask to enter and then confirm password. After password confirm, again restart the apache server.
sudo service apache2 restartNow whenever you try to login phpMyAdmin url, the popup form will ask to enter user and password.
Other measures:
Obviously important point is to set phpMyAdmin password minimum 8 character long with special character and password should be unpredictable. This will secure to prevent dictionary attack.
In addition, you can also configure phpMyAdmin to limit user can access the system. You can set and modify from phpMyAdmin configuration file located at /etc/phpmyadmin/config.inc.php
Here are few option you can add or change:
$cfg['AllowUserDropDatabase'] = false; // restrict user to drop database
$cfg['LoginCookieValidity'] = 14400; // auto logout timeThere are always chance to get hacked the server. But the above steps will make phpMyAdmin enough secure to restrict most of the attack. If you also knows the way to keep phpMyAdmin secure, please do write in below comment. Also like our Facebook page and follow us on Twitter.
Copyright 2023 HackTheStuff
