Protect phpMyAdmin On An ISPConfig 3 Server (Debian)

Want to support HowtoForge? Become a subscriber!
 
Submitted by Hans (Contact Author) (Forums) on Fri, 2010-05-21 14:30. :: Debian | ISPConfig | Control Panels

Protect phpMyAdmin On An ISPConfig 3 Server (Debian)

ISPConfig logo

With this small howto I explain how to protect your phpmyadmin installation on your Debian server with ISPConfig3 against hack attempts as much as possible. I assume that you already have an ISPConfig3 server running on Debian, which has been set up according to this howto and that phpmyadmin has been installed from the Debian repository into the directory /usr/share/phpmyadmin. With this default setup you can access phpMyAdmin via: http://www.anywebsiteonyourserver.tld/phpmyadmin, which we're going to change for security reasons.

We will protect our phpmyadmin installation by:

- .htpasswd file
- an alias for /phpmyadmin

I do not issue any guarantee that this will work for you!

Here we go:

Login into your ISPConfig3 server as root and execute:

cd /usr/share/phpmyadmin

Type

htpasswd -c .htpasswd username

to create the .htpasswd file and add "username" to list of authorized users. The program will initially prompt you for a password and then ask you to verify it.

Now edit the file /etc/apache2/conf.d/phpmyadmin.conf and modify:

# phpMyAdmin default Apache configuration
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options Indexes FollowSymLinks DirectoryIndex index.php # Authorize for setup

into:

# phpMyAdmin default Apache configuration
Alias /myalias /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options Indexes FollowSymLinks DirectoryIndex index.php #Make use of .htpasswd
AuthType Basic AuthName "Enter account information" AuthUserFile /usr/share/phpmyadmin/.htpasswd Require valid-user # Authorize for setup

Reload Apache2 by executing the command:

/etc/init.d/apache2 reload

Now log into ISPConfig3, and click on "SYSTEM" > "Interface Config".

In the PHPMyAdmin URL field On the "Sites" tab, add your alias for /phpmyadmin, which is in this example: /myalias

Finaly Click on "Save" and you're done.

To verify what we've done, within your webbrowser visit your phpMyAdmin installation at: http://www.anywebsiteonyourserver.tld/myalias or within ISPConfig3 itself, just click on the phpmyadmin icon after the database name.


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Sun, 2012-01-22 14:29.
Submitted by Geno (not registered) on Tue, 2011-12-20 02:39.

This works for Ubuntu 11.10 and should work for most other Linux flavors as well.

 Highly recommended tweak.

 Thank you for making this.

Submitted by Bruno F (not registered) on Sat, 2010-05-29 20:10.

Reading a bit more documentation on apache you would find that you can use auth mysql directly

http://www.howtoforge.com/mod_auth_mysql_apache2_debian

so you have only one database of user and login ... 

So most secure way is anyway to have a https serveur used to hide login & password.

Try to be imaginative with the alias technique, as bot try a lots of alias like myadmin, db, etc....

 

 

 

Submitted by Moritz (registered user) on Fri, 2010-05-21 15:46.
Quick and slick, gut gemacht Hans!
Submitted by onastvar (registered user) on Mon, 2010-05-24 17:32.

Do you have or know instructions for protectecting phpMyAdmin ISPConfig 3 Server with CentOS 5.4.

 Thanks