Home / server / Questions / 78787
Accepted
Boris Guéry
Asked: 2009-10-28 09:52:59 +0800 CST

How to secure phpmyadmin?

  • 772

I checked out my apache logs, and, whooooaaa, there are a lot of bots trying to exploit phpmyadmin. The first thing i did was to change the directory name to something more obscure.

But, are there any other tips to secure phpmyadmin?

(The database itself is only available from the local network)

apache-2.2

8 Answers

  1. Best Answer

    We do a combination of things:

    • Protect phpMyAdmin via .htaccess or Apache configuration which requests a HTTP username/password login.
    • Protect phpMyAdmin via .htaccess or Apache configuration to only allow access from certain trusted IP addresses
    • Put phpMyAdmin in it's own VirtualHost and run it on a non-standard port
    • Only allow HTTPS connections to phpMyAdmin, and not regular HTTP
    • Only allow connections to it from the LAN (use a VPN to get through your firewall, and only allow connections if you're on that LAN/VPN)
    • Don't name the directory it's in something obvious like /phpMyAdmin/

    You could also use SSH port forwarding to utilize SSH keys. See https://stackoverflow.com/a/3687969/193494

    • 13

  2. Add a .htaccess which only allows local IP access to the phpmyadmin folder.

    • 6

  3. Make phpmyadmin available on a vhost that is only accessible from localhost and require users to use ssh and port forwarding to get access to it.

    • 6

  4. Use .htaccess

    We just toss up an .htaccess file with username/password protection and (depending on the circumstances) IP address.

    This allows US to get to the resource quickly and easily from trusted computers but keeps the hackers out.

    One other note... don't use the SAME username/password for your .htaccess as you do for PHPMyAdmin... that would be silly. :-)

    Hope this helps.

    • 2

  5. I agree with htaccess (/w password) and https.

    You might also consider adding a second IP to that server, and creating an IP based Apache virtualhost for phpmyadmin. This could just be a local network IP, so it would be protected by the firewall ( and you might not even have a nat rule for it).

    The more layers (ie htaccess + https + Virtualhost), the better I think. Ideally, the bots should not be able to reach it in the first place.

    You can of course always put phpmyadmin on a different box too.

    • 2

  6. In addition to the answers provided, we also use the open source OSSEC to monitor our web logs and alert/block these scans.

    It is very simple to install and by default it will find your web logs and start monitoring them.

    Link: http://www.ossec.net

    • 1

  7. Move phpmyadmin into a directory whose name is obscured the way one would expect a password to be ie: combination of mixed case letters as well as numbers (PhP01mY2011AdMin , for example) and similarly "securely" password protecting the directory with .htpasswd should pretty much do the trick.

    Then again, if the security of your mysql databases are vital to your business, one has to ask "whatcha doing making an admin tool like phpmyadmin accessible to the internet in the first place?" But hey, everybody has their reasons for living.

    • 1
    • HTTPS
    • Make it reachable only via VPN/SSH tunnel

    phpmyadmin is too much of a beast to secure. You'd need mod_security and a week of time debugging the alerts just to disable half of the rules to ensure the functionality of phpmyadmin. Conclusion: Don't make it publicly accessible.

    • 0