Securing PHPmyadmin


scottrill2
17th July 2010, 06:38
Hello,

I was curious about a few things. I have read that phpmyadmin can be vulnerable to the www. I wanted to do 2 things.

1. Change the "phpmyadmin" folder to another name like "mysqlmanagement".

2. Create a .htaccess file with the following in it: "Allow from 127.0.0.1" so that only the local machine can access phpmyadmin.


Now renaming the folder was easy enough even for me :) I just have to manually type in the url which is fine. But I still thought I would ask if there is a simple way to change where the tools phpmyadmin links/points to?

My second question is about the htaccess file, I have tried putting the file in "/home/admispconfig/ispconfig/web/mysqlmanagement" and to no avail, is there a certain code I need to put in there since it is on the main server and not a virtual site/client/reseller account?

Finally, is there a better way to secure it than what I'm trying to do?

Thanks in advance for your time,

Scott

Hans
17th July 2010, 12:17
The best is to protect your phpMyAdmin configuration by installing an SSL-certificate, because then all the data from and to your phpMyAdmin will be encrypted.

If you don't plan to install an SSL-certificate, maybe this guide (http://www.howtoforge.com/protect-phpmyadmin-on-an-ispconfig-3-server-debian) can help you.

scottrill2
18th July 2010, 14:18
Hello Hans and thanks for the reply.

I do have an SSL certificate for the server already. The link you posted was about ISPConfig 3 and I checked my ISPConfig 2 files and phpmyadmin isn't in the folder the tutorial lists. I am a complete newb and cannot extrapolate the info from that tutorial and apply it to my own set up.


It could be that I am being too anal lol. Perhaps it is because I am new to Linux and reading every scrap of info I can trying to teach myself.


I had read several blogs and forums mentioning how phpmyadmin was vulnerable since hackers knew the folder would be http://mysite.com/phpmyadmin

I figured I would try to go for the trifecta of secureness by:

a. Renaming my phpmyadmin folder to something insanely vague
b. Putting a htaccess file in there only allowing either my static IP or the local machine IP.
c. SSL Certificate

As I said, I am probably overreacting lol, lack of knowledge can do that :)

Thanks again for the input Hans, I truly appreciate it.

Scott

falko
18th July 2010, 18:57
> But I still thought I would ask if there is a simple way to change where the tools phpmyadmin links/points to?

You can change it under /home/admispconfig/ispconfig/web/tools/tools/phpmyadmin/nav.inc.php.

> My second question is about the htaccess file, I have tried putting the file in "/home/admispconfig/ispconfig/web/mysqlmanagement" and to no avail, is there a certain code I need to put in there since it is on the main server and not a virtual site/client/reseller account?

I guess you need to put the line
AllowOverride All
into the
<VirtualHost _default_:81>

# General setup for the virtual host
DocumentRoot "/home/admispconfig/ispconfig/web"
ServerName xxx.xxx.com
ServerAdmin root@xxx.xxx.com
ErrorLog /root/ispconfig/httpd/logs/error_log
TransferLog /root/ispconfig/httpd/logs/access_log
</VirtualHost>
stanza at the end of /root/ispconfig/httpd/conf/httpd.conf. Restart ISPConfig afterwards.

scottrill2
19th July 2010, 02:13
Falko, the nav.inc worked a treat, sir. Perfect indeed. Now on the second part, when I edited that file and tried restarting ISPConfig it gave me this:

syntax error on line 1231 of /root/ispconfig/httpd/conf/httpd.conf: AllowOverride not allowed here



Is there anything I might have screwed up on earlier that would block this?


Thanks as always,

Scott

falko
19th July 2010, 13:25
Try
<Directory /home/admispconfig/ispconfig/web>
AllowOverride All
</Directory>
instead.

scottrill2
22nd July 2010, 19:40
Spot on perfect as always. Thank you sir.


Scott
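
The configuration discussed in this thread, written out as an added example (not posted by any participant): the <Directory> block scoped to the renamed folder, and an .htaccess that actually restricts access. It assumes the Order/Allow/Deny syntax of Apache 2.2 and earlier; the second Allow address is a constructed placeholder for the administrator's static IP.

```apache
# --- /root/ispconfig/httpd/conf/httpd.conf (outside the <VirtualHost> stanza) ---
# AllowOverride is valid only in <Directory> context, which is why it was
# rejected inside <VirtualHost>. "Limit" is the narrowest class that lets a
# .htaccess file use Order/Allow/Deny; "All" also works but permits every
# other overridable directive as well.
<Directory "/home/admispconfig/ispconfig/web/mysqlmanagement">
    AllowOverride Limit
</Directory>

# --- /home/admispconfig/ispconfig/web/mysqlmanagement/.htaccess ---
# Weak: with no Order/Deny lines the default is "Order Deny,Allow", and
# requests matching neither list are allowed, so this restricts nothing:
#   Allow from 127.0.0.1
#
# Corrected: deny everyone, then allow only the listed addresses.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
# Constructed placeholder for the administrator's static IP (assumption):
Allow from 203.0.113.10
```

The httpd.conf change needs an ISPConfig restart to take effect; the .htaccess is read on each request. On Apache 2.4 without mod_access_compat the equivalent rule is `Require ip 127.0.0.1 203.0.113.10`, which needs `AllowOverride AuthConfig` instead of `Limit`.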