Securing phpMyAdmin

2011/03/14

phpMyAdmin is a great tool, but it is also a favourite target for attackers: it lives at a well-known URL, accepts database credentials, and is probed constantly by automated scanners. Take these initial steps to secure your phpMyAdmin install on Ubuntu Linux.

1. First we will set up an Apache login and password that must be entered before the phpMyAdmin page even loads.

This command creates an Apache-authenticated user (the example uses the username admin, though you should choose something less guessable). Two things to know about htpasswd: -c creates the file and will overwrite an existing /etc/apache2/.htpasswd, so leave it off when adding further users; and some versions default to the crypt() format on Linux, which silently uses only the first eight characters of the password, so pass -m to store a salted MD5 hash instead.

sudo htpasswd -c /etc/apache2/.htpasswd admin

password:

repeat password:

2. Edit /etc/apache2/conf.d/phpmyadmin.conf (on Ubuntu this is a symlink to /etc/phpmyadmin/apache.conf; on newer releases with Apache 2.4 the file lives under /etc/apache2/conf-available instead).

Change the default phpmyadmin URL to something unique. This is not a security control on its own, since anyone who learns the path can still reach the login page, but it removes the constant background noise of script kiddies and scanners hitting /phpmyadmin.

We will put both this change and the Apache authentication directives in the following file:

sudo nano /etc/apache2/conf.d/phpmyadmin.conf

Change the Alias line to something hard to guess. From this:

Alias /phpmyadmin /usr/share/phpmyadmin

…to this for a random example:

Alias /rubberaliens_52b /usr/share/phpmyadmin

Also in that same file (/etc/apache2/conf.d/phpmyadmin.conf), add the authentication directives inside the Directory section as follows. The username after require must match the one you created with htpasswd. While you are in here, consider dropping Indexes from the Options line: nothing in phpMyAdmin needs directory listings.

<Directory /usr/share/phpmyadmin>
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All

        AuthUserFile /etc/apache2/.htpasswd
        AuthName Hello
        AuthType Basic
        require user admin
...

Also add the following, which redirects any plain-HTTP request to https (the substitution starts with https://, so mod_rewrite treats it as an external redirect; the flags make it an explicit permanent redirect and stop rule processing):

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

One caveat: inside a Directory block, mod_rewrite runs in Apache's fixup phase, which comes after authentication. A visitor who types the http:// URL is therefore challenged for the Apache password first, sends it in the clear, and only then gets redirected. If you want the redirect to protect the credentials as well as the session, add SSLRequireSSL to the Directory block (mod_ssl rejects non-TLS requests during the access check, before the password prompt) or put the redirect in the port-80 virtual host instead. Either way you need mod_rewrite enabled (a2enmod rewrite) and an HTTPS virtual host to land on; without mod_rewrite, Apache refuses to start on the RewriteEngine line.

The final edits for the file should look somewhat like this:

# phpMyAdmin default Apache configuration

Alias /rubberaliens_52b /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All

        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

        AuthUserFile /etc/apache2/.htpasswd
        AuthName Hello
        AuthType Basic
        require user admin

[snip]

3. Save the file, then restart Apache. If the restart fails with an error about RewriteEngine, mod_rewrite is not enabled yet: run sudo a2enmod rewrite and restart again.

sudo /etc/init.d/apache2 restart

Now visit the unique alias you chose. You will be redirected to https and prompted for the Apache login before the phpMyAdmin page itself loads:

http://mydomain.com/rubberaliens_52b

Sweet!
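To check that a phpMyAdmin config fragment and its .htpasswd actually carry the protections from steps 1 to 3, here is a small audit script. It is an added example, not code from the original post: it runs its checks over three constructed config samples (the package default, the post's final config, and a version with SSLRequireSSL) and a constructed .htpasswd whose hash strings are format placeholders rather than real hashes. The finding codes, the KNOWN_ALIASES list and the hardened sample are my own choices, not anything the post or the phpMyAdmin package ships.

```python
"""Audit an Apache fragment and an .htpasswd file for the phpMyAdmin hardening steps
above. Added example, not code from the original post; every path and hash string is constructed."""
import re

# Constructed sample: the Ubuntu package default before any hardening.
DEFAULT_CONF = """\
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
        Options Indexes FollowSymLinks
        AllowOverride All
</Directory>
"""

# Constructed sample: the post's final config (HTTPS forced by a per-directory rewrite).
POST_CONF = """\
Alias /rubberaliens_52b /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
        Options Indexes FollowSymLinks
        AllowOverride All
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
        AuthUserFile /etc/apache2/.htpasswd
        AuthType Basic
        require user admin
</Directory>
"""

# Constructed sample: SSLRequireSSL rejects plain HTTP in the access-check phase, before mod_auth_basic runs.
HARDENED_CONF = """\
Alias /rubberaliens_52b /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        AllowOverride None
        SSLRequireSSL
        AuthUserFile /etc/apache2/.htpasswd
        AuthType Basic
        Require user admin
</Directory>
"""

# Constructed .htpasswd: placeholder strings in the right formats, not real hashes.
HTPASSWD = """\
admin:$apr1$Zx9k2QpL$0123456789abcdefghijkl
legacy:abJnggxhB/yWI
bob:secretpass
"""

KNOWN_ALIASES = {"phpmyadmin", "pma", "myadmin", "mysqladmin"}

def _directive(text, name):
    """Argument string of the first `name` directive (case-insensitive), or None if absent."""
    m = re.search(r"^\s*" + name + r"\b[ \t]*(.*)$", text, re.M | re.I)
    return m.group(1).strip() if m else None

def audit_conf(text):
    """Return [(code, message), ...] for hardening gaps; an empty list means all checks passed."""
    findings = []
    for alias in re.findall(r"^\s*Alias\s+(\S+)", text, re.M | re.I):
        if alias.strip("/").lower() in KNOWN_ALIASES:
            findings.append(("DEFAULT_ALIAS", f"{alias} is a path that scanners probe by default"))
    if any(tok.lstrip("+") == "Indexes" for tok in (_directive(text, "Options") or "").split()):
        findings.append(("INDEXES", "Options Indexes enables directory listings; phpMyAdmin does not need them"))
    if (_directive(text, "AllowOverride") or "").lower() == "all":
        findings.append(("OVERRIDE", "AllowOverride All lets an .htaccess in the tree change these settings"))
    if not all(_directive(text, d) for d in ("AuthType", "AuthUserFile", "Require")):
        findings.append(("NO_AUTH", "no AuthType/AuthUserFile/Require: phpMyAdmin's own login is the only barrier"))
    elif _directive(text, "SSLRequireSSL") is None:
        if re.search(r"RewriteCond\s+%\{HTTPS\}\s+off", text, re.I):
            # Per-directory mod_rewrite runs in the fixup phase, after authentication.
            findings.append(("AUTH_BEFORE_REDIRECT", "a plain-HTTP visitor is challenged for the Basic-auth "
                             "password before the redirect fires; add SSLRequireSSL or redirect in the :80 vhost"))
        else:
            findings.append(("PLAINTEXT_AUTH", "nothing forces HTTPS: Basic-auth credentials can travel in the clear"))
    return findings

def audit_htpasswd(text):
    """Flag .htpasswd entries whose hash format is weak or unrecognised."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        if digest.startswith(("$apr1$", "$2y$", "$2a$")):
            continue  # salted MD5 (htpasswd -m) or bcrypt (htpasswd -B): acceptable
        if digest.startswith("{SHA}"):
            findings.append(("UNSALTED_SHA1", f"{user}: {{SHA}} is unsalted SHA-1; regenerate with htpasswd -m"))
        elif re.fullmatch(r"[./0-9A-Za-z]{13}", digest):
            findings.append(("CRYPT", f"{user}: crypt(3) hash uses only the first 8 password characters; regenerate with htpasswd -m"))
        else:
            findings.append(("PLAINTEXT", f"{user}: plaintext or unknown hash format"))
    return findings

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("post", POST_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]", [code for code, _ in audit_conf(conf)] or "OK")
    print(audit_htpasswd(HTPASSWD))
```

Run it as-is and it reports what each sample is missing; to check a live install, pass the contents of your own phpmyadmin.conf to audit_conf and your .htpasswd to audit_htpasswd. Note what it says about the post's own final config: the rewrite-based redirect is flagged because it only takes effect after the Basic-auth challenge has already gone out over plain HTTP, which is exactly what SSLRequireSSL in the hardened sample prevents.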

One thought on “Securing phpMyAdmin”

  1. Mark

    Also, consider using the /etc/apache2/conf.d/phpmyadmin.conf file for restricting traffic via allow,deny arguments for IP addresses. Specifically, if you visit your database management from a known set of external or LAN/WAN IPs, you can add them to the phpmyadmin.conf, engaging restrictive access. This article shows the specific arguments.
