Securing phpMyAdmin


credit to: 


phpMyAdmin is a great tool, but it is also a large target for attackers. Take these initial steps to secure your phpMyAdmin install on Ubuntu Linux.

1. First we will set up an Apache login and password that must be entered before the phpMyAdmin page will load.

This command creates an Apache-authenticated user (the example here creates the username admin, though you should probably choose a less guessable username).

sudo htpasswd -c /etc/apache2/.htpasswd admin

password:

repeat password:

2. Edit /etc/apache2/conf.d/phpmyadmin.conf.

Change the default phpMyAdmin URL to something unique to avoid hits from script kiddies and scanners.


We will put this change, as well as the Apache authentication settings, in the following file:

sudo nano /etc/apache2/conf.d/phpmyadmin.conf

Change the alias line to something very unique. From this:

Alias /phpmyadmin /usr/share/phpmyadmin

…to this (a random example):

Alias /rubberaliens_52b /usr/share/phpmyadmin

Also in that same file (/etc/apache2/conf.d/phpmyadmin.conf), continue editing and add your authentication settings to the Directory section as follows:
<Directory /usr/share/phpmyadmin>
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All

        AuthUserFile /etc/apache2/.htpasswd
        AuthName Hello
        AuthType Basic
        require user admin
...

Also add the following to the file, which will require HTTPS:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


The final edits to the file should look somewhat like this:

# phpMyAdmin default Apache configuration

Alias /rubberaliens_52b /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All

        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

        AuthUserFile /etc/apache2/.htpasswd
        AuthName Hello
        AuthType Basic
        require user admin

[snip]

3. Save that file, and now restart Apache.

sudo /etc/init.d/apache2 restart

Now visit the unique alias you specified. Once there, you will be prompted for a login and password before even getting to the phpMyAdmin page, and you will also be redirected to https:

http://mydomain.com/rubberaliens_52b

Sweet!
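As an added example (not part of the original post), here is a POSIX shell script that checks the finished phpmyadmin.conf for the three changes made above (a non-default Alias, the Basic auth directives, and the HTTPS rewrite) and, when also given the deployed URL, probes it with curl. The conf path and the URL are arguments you supply; the sample configs used for testing are constructed from the snippets on this page. One caveat the live probe is there to catch: Apache evaluates RewriteRules placed inside a <Directory> block during its fixup phase, which runs after the authentication phase, so with the rewrite inside the Directory block a plain-HTTP visitor can be challenged for the password (and send it in clear text) before being redirected to https. The probe therefore treats a 401 on the http:// URL as a failure; putting the same three Rewrite lines in the port-80 VirtualHost instead (server context, processed before authentication) makes the redirect happen first.

```shell
#!/bin/sh
# check_pma_hardening.sh (constructed example; not code from the original post)
#
# Static checks read an Apache phpMyAdmin conf (e.g.
# /etc/apache2/conf.d/phpmyadmin.conf) and confirm the three changes made
# above.  The live probe (only when a URL is given) uses curl to confirm that
# plain HTTP is redirected before any credential challenge and that HTTPS
# without credentials is refused with 401.
#
# Usage: sh check_pma_hardening.sh /etc/apache2/conf.d/phpmyadmin.conf [https://host/alias]

# Print the URL path that is aliased to the phpMyAdmin document root.
pma_alias() {
    awk '$1 == "Alias" && $3 == "/usr/share/phpmyadmin" { print $2; exit }' "$1"
}

# Succeed only if the alias exists and is not the well-known default.
alias_is_custom() {
    alias_path=$(pma_alias "$1")
    [ -n "$alias_path" ] && [ "$alias_path" != "/phpmyadmin" ]
}

# Succeed only if AuthType Basic, AuthUserFile and a "Require user" line are
# all present.  awk splits on any whitespace (tabs or spaces), and Apache
# directive names are compared case-insensitively, as Apache itself does.
auth_configured() {
    awk '
        tolower($1) == "authtype" && tolower($2) == "basic"            { t = 1 }
        tolower($1) == "authuserfile" && $2 != ""                      { f = 1 }
        tolower($1) == "require" && tolower($2) == "user" && $3 != ""  { r = 1 }
        END { exit !(t && f && r) }' "$1"
}

# Succeed only if the RewriteEngine/RewriteCond/RewriteRule trio that forces
# HTTPS is present.
https_redirect_configured() {
    awk '
        tolower($1) == "rewriteengine" && tolower($2) == "on"                    { e = 1 }
        tolower($1) == "rewritecond" && $2 == "%{HTTPS}" && tolower($3) == "off" { c = 1 }
        tolower($1) == "rewriterule" && $3 ~ /^https:\/\//                       { u = 1 }
        END { exit !(e && c && u) }' "$1"
}

# Run all static checks, printing one line per result.  The exit status is
# the number of failed checks, so 0 means everything expected is present.
check_config() {
    failures=0
    for check in alias_is_custom auth_configured https_redirect_configured; do
        if "$check" "$1"; then
            echo "PASS: $check"
        else
            echo "FAIL: $check"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Live probe against the deployed site.  Plain HTTP must answer with a
# redirect, never a 401 challenge (which would make the browser send the
# password in clear text); HTTPS without credentials must answer 401.
probe_live() {
    https_url=$1
    http_url=$(printf '%s' "$https_url" | sed 's#^https://#http://#')

    code=$(curl -s -o /dev/null -w '%{http_code}' "$http_url")
    case $code in
        301|302|307|308) echo "PASS: $http_url redirects ($code)" ;;
        *) echo "FAIL: $http_url answered $code; expected a redirect before any auth challenge"
           return 1 ;;
    esac

    code=$(curl -s -o /dev/null -w '%{http_code}' "$https_url")
    if [ "$code" = "401" ]; then
        echo "PASS: $https_url requires credentials (401)"
    else
        echo "FAIL: $https_url answered $code without credentials; expected 401"
        return 1
    fi
}

# Only run when invoked with a conf path, so the functions can also be sourced.
if [ -n "$1" ]; then
    check_config "$1" || exit 1
    if [ -n "$2" ]; then
        probe_live "$2" || exit 1
    fi
fi
```

Run it as `sh check_pma_hardening.sh /etc/apache2/conf.d/phpmyadmin.conf https://mydomain.com/rubberaliens_52b` after the Apache restart; the static checks alone need no network, and the probe uses only the status codes, so it never sends credentials.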

Posted in LAMP
One comment on “Securing phpMyAdmin”
  1. Reblogged this on NetSecAd and commented:
    Nice

ABOUT AUTHOR
Rodel Sales is a freelance I.T. professional. He started blogging in May 2013 to share his technical skills with other I.T. professionals and to collect imperative guides from the internet world.