How to Secure PHPmyadmin

How to secure phpMyAdmin

The biggest threat is that an attacker could leverage a vulnerability such as; directory traversal, or using SQL Injection to call load_file() to read the plain text username/password in the configuration file and then Login using phpmyadmin or over tcp port 3306. As a pentester I have used this attack pattern to compromise a system.

Here is a great way to lock down phpmyadmin:

  • PhpMyAdmin lacks strong bruteforce protection, so you must use a long randomly generated password.
  • DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpmyadmin can be configured to use "Cookie Auth" to limit what user can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have grant or file_priv.
  • Remove file_priv permissions from every account. file_priv is one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor.
  • Whitelist IP address who have access to the phpmyadmin interface. Here is an example .htaccess reulset:
Order deny,allow
Deny from all
allow from 199.166.210.1

  • Do not have a predictable file location like: http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.

  • Firewall off tcp port 3306 so that it cannot be accessed by an attacker.

  • Use HTTPS, otherwise data and passwords can be leaked to an
    attacker. If you don't want to fork out the $30 for a cert, then
    use a self-signed. You'll accept it once, and even if it was
    changed due to a MITM you'll be notified.

how to secure phpmyadmin access through .htaccess

I am assuming that you have installed mysql.

  1. Install phpmyadmin:

    sudo apt-get install phpmyadmin

  2. Copy:

    sudo cp /etc/phpmyadmin/apache.conf /etc/apache2/conf-enabled/phpmyadmin.conf

  3. Edit:

    sudo nano /etc/apache2/conf-enabled/phpmyadmin.conf

    enter following line just after "DirectoryIndex index.php":

    AllowOverride All

  4. Edit .htaccess

    sudo nano /usr/share/phpmyadmin/.htaccess

    Enter following content:

    AuthType Basic
    Authname "Restricted files"
    AuthUserFile /etc/phpmyadmin/.htpasswd
    Require valid-user

  5. sudo apt-get install apache2-utils

  6. sudo htpasswd -c /etc/phpmyadmin/.htpasswd username

  7. Enter new password

  8. Restart apache

    sudo service apache2 restart

How to restrict access to phpmyadmin?

I'd make that server listen on 127.0.0.1 and then use port forwarding with SSH...

Make sure, the server serving phpMyAdmin only serves to 127.0.0.1, and then run

$ ssh -L4545:localhost:80 yourserver.com

and then point your browser to http://127.0.0.1:4545/phpmyadmin, you should be able to access phpmyadmin as long as your SSH session is active. You can even make a shell script to automate this.

This works with PuTTY as well.

phpmyadmin security

1) You can do it at the Webserver level.

Use allow/deny rules for apache. If you don't have direct access to your apache configuration file, you may use a .htaccess file.

<Directory /docroot>
    Order Deny,Allow
    Deny from all
    Allow from 10.1.2.3
</Directory>

2) You can do it at the application level using the phpmyadmin config file.

The configuration parameter is: $cfg['Servers'][$i]['AllowDeny']['rules']

Examples of rules are:

'all' -> 0.0.0.0/0
'localhost' -> 127.0.0.1/8
'localnetA' -> SERVER_ADDRESS/8
'localnetB' -> SERVER_ADDRESS/16
'localnetC' -> SERVER_ADDRESS/24

You can see this on the official phpMyAdmin configuration documentation.

http://www.phpmyadmin.net/documentation/#servers_allowdeny_order

Does phpMyAdmin pose security risk on production

Any extra software you add to a system adds complexity. Complexity is the enemy of security.

PHP webapps are notorious for sloppy coding and certainly phpMyAdmin has had more than its share of security holes in the past. You can certainly mitigate the damage by eg. putting behind HTTPS with a client certificate, but that's not going to prevent cross-site-request-forgery attacks.

For a production machine, I'd really prefer to stick to the console.

How can I disallow users from accessing the phpMyAdmin login page?

the .htaccess redirect is the best way but, you can always go to index.php in the phpMyAdmin folder and insert either

exit();

or

header('Location: http://www.mydomain.com');

as the first line of index.php. This will just exit or redirect to the main page of your site whenever anyone tries to access that page.

Whats unsafe about leaving phpmyadmin with a default user/pass

It's always safe to put a password even if your MySQL does not allow access from other host than localhost.

Your phpMyAdmin it's accessed by browser and not by IP.

Even if you host your page on your computer, it is still better to put a password. I get my computer and servers scanned for *phpMyAdmin*, *PMA* every single day.

So yes, it's unsafe.


Related Topics

How to Find a Reason When Mkdir Fails from PHP

How to Use an Object Method as a Callback Function

How to Protect My Source Code When Deployed

Parse Error: Syntax Error, Unexpected '' (T_Encapsed_And_Whitespace)

Supplied Key Param Cannot Be Coerced into a Private Key with Google APIs

Override Default PHP Function

Mysql_Fetch_Array Returns Duplicate Data

Display MySQL Results by Date

Sqlstate[Hy000] [2002] PHP_Network_Getaddresses: Getaddrinfo Failed: Nodename Nor Servname Provided, or Not Known

How to Generate an .Xlsx Using PHP

Pdo Lastinsertid() Always Return 0

How to Get User's Screen Resolution with PHP

PHP Dynamic Name for Object Property

Tcpdf Error :Unable to Get the Size of the Image

Simplexml Get Element Content Based on Attribute Value

Commenting Interpreted Code and Performance

How to Keep Whitespace Formatting Using PHP/Html

How to Stop Gd2 from Washing Away the Colors Upon Resizing Images


Leave a reply



Submit