Is it necessary to install phpMyAdmin? Does this help security?

Discussion in 'Installation/Configuration' started by Milly, Jan 27, 2020.

  1. Milly

    Milly Member

    Hello, I am testing with a small server with only two domains with 3 email accounts each.

    I followed the tutorial of The Perfect Server - Debian 10 Apache

    I try to be strong in security and I don't have much knowledge, so I was wondering if it is necessary to install phpMyAdmin and if doing so gives a little more security or if it is necessary for the correct operation according to the tutorial The Perfect Server - Debian 10 Apache


    Thank you

    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 10 (buster)
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.1.15p2


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 7.3.11-1~deb10u1

    ##### PORT CHECK #####

    [WARN] Port 22 (SSH server) seems NOT to be listening

    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 773)
    [INFO] I found the following mail server(s):
    Postfix (PID 1055)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 487)
    [INFO] I found the following imap server(s):
    Dovecot (PID 487)
    [INFO] I found the following ftp server(s):
    PureFTP (PID 839)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    [anywhere]:25 (1055/master)
    [localhost]:953 (450/named)
    [anywhere]:22080 (530/sshd)
    [anywhere]:993 (487/dovecot)
    [anywhere]:995 (487/dovecot)
    [localhost]:10023 (816/postgrey)
    [localhost]:10024 (1060/amavisd-new)
    [localhost]:10025 (1055/master)
    [localhost]:10026 (1060/amavisd-new)
    [localhost]:10027 (1055/master)
    [anywhere]:587 (1055/master)
    [localhost]:11211 (476/memcached)
    [anywhere]:110 (487/dovecot)
    [anywhere]:143 (487/dovecot)
    [anywhere]:465 (1055/master)
    [anywhere]:21 (839/pure-ftpd)
    ***.***.***.***:53 (450/named)
    ***.***.***.***:53 (450/named)
    [localhost]:53 (450/named)
    *:*:*:*::*:25 (1055/master)
    *:*:*:*::*:953 (450/named)
    *:*:*:*::*:443 (773/apache2)
    *:*:*:*::*:22080 (530/sshd)
    *:*:*:*::*:993 (487/dovecot)
    *:*:*:*::*:995 (487/dovecot)
    *:*:*:*::*:10024 (1060/amavisd-new)
    *:*:*:*::*:10026 (1060/amavisd-new)
    *:*:*:*::*:3306 (623/mysqld)
    *:*:*:*::*:587 (1055/master)
    [localhost]10 (487/dovecot)
    [localhost]43 (487/dovecot)
    *:*:*:*::*:8080 (773/apache2)
    *:*:*:*::*:80 (773/apache2)
    *:*:*:*::*:465 (1055/master)
    *:*:*:*::*:8081 (773/apache2)
    *:*:*:*::*:21 (839/pure-ftpd)
    *:*:*:*::*:53 (450/named)




    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    f2b-postfix-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25,465,587,143,993,110,995

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain f2b-postfix-sasl (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0
     
  2. recin

    recin Member

    Phpmyadmin only provides a web interface that make easier to work with mysql databases. With no phpmyadmin you could work with mysql from command line, which is less friendly.
    In regards of security, phpmyadmin does not help security in anyway. Indeed, it could be a potential risk, like any other web open to internet, as it could be the target of attacks, but this shouldn't be a problem if you set it up properly.
     
    Milly, ahrasis and Th0m like this.
  3. Milly

    Milly Member

    Thanks, I will skip the installation of phpmyadmin and roundcube that are not necessary for this server test.
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I would advice you to install PHPMyAdmin when you are going to install for real, since it's a easy and fast tool to check and change database values - there are cases where you can for example change a setting for all users only through the database and not in the panel, and PMA is a really good tool to do such things.
     
    Milly likes this.
  5. Milly

    Milly Member

    Thanks, I will follow your advice

    - Could you guide me on how to properly ensure PMA?

    Add AllowOverride All to phpmyadmin.conf

    nano /etc/apache2/conf-available/phpmyadmin.conf

    # phpMyAdmin default Apache configuration

    Alias / phpmyadmin / usr / share / phpmyadmin

    <Directory / usr / share / phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
    AllowOverride All

    Add to .htaccess:

    nano /usr/share/phpmyadmin/.htaccess

    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /etc/phpmyadmin/.htpasswd
    Require valid-user
    deny from all
    allow from 192.34.45.23

    Create new username and password

    htpasswd -c /etc/phpmyadmin/.htpasswd new user

    - I would also like to know how I add PMA to fail2ban correctly?
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Just follow the Perfect Server guide, it's in there.
    You can use Internet Search Engines to find a tutorial of how to use a F2B filter for PMA (this sentence makes me think of @Taleman )
     
    Milly likes this.
  7. Milly

    Milly Member

    I'm sorry, you're right, I'll find out how to do it correctly.

    But I have followed the Perfect Server guide and receive visits from attempts to enter PMA, so I wanted to try asking for some security suggestions.

    Greetings and thanks for answering.
     
    Last edited: Jan 28, 2020
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    You will get such visits for all software and services on your server, that's normal for any system that's connected to the internet. Use a long and secure password for your mysql users to avoid issues.
     
    Milly and Th0m like this.
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can either restrict the access to PMA by IP or add it to Fail2Ban. To add it to Fail2Ban, any online tutorial is sufficient. To restrict access by IP, edit /etc/apache2/conf-available/phpmyadmin.conf and add:
    Code:
     Order Deny,Allow
     Deny from all
     Allow from YOUR_IP
     Allow from YOUR_SECOND_IP
     
    Milly likes this.
  10. Milly

    Milly Member

    oh ok now I understand it thank you very much
     
  11. Milly

    Milly Member

    Perfect thank you, so I will do it
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Obviously if you only allow your own IP, your customers can't use PMA, which may be fine (your call). If you do allow public access, you can limit potential abuse by not allowing administrative accounts (root, ispconfig, debian-sys-maint) to use mysql, eg. on one such debian server I have this in /etc/phpmyadmin/config.inc.php:
    Code:
    ...
    /* Configure according to dbconfig-common if enabled */
    if (!empty($dbname)) {
        ...
        /* Uncomment the following to enable logging in to passwordless accounts,
         * after taking note of the associated security risks. */
        // $cfg['Servers'][$i]['AllowNoPassword'] = TRUE;
    
        // Disallow login from root and ispconfig users
        $cfg['Servers'][$i]['AllowRoot'] = FALSE;
        $cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
        $cfg['Servers'][$i]['AllowDeny']['rules'] = array(
            'deny ispconfig from all',
            'deny debian-sys-maint from all',
        );
    
        /* Advance to next server for rest of config */
        $i++;
    }
    
    ...
    
    You can just change the line disallowing root access temporarily if/when you need to use PMA yourself, then change it back when you're done. Or even get creative and set that based on the client's IP address (so it is set TRUE for your IP, FALSE for everyone else).

    On the pro's and con's of your setup, not allowing public access at all (restrict by ip if you need it) is of course more secure, as vulnerabilities in the php code can't be abused then. But using all of the above recommendations, plus other measures you might take (eg. mod_security could be used) and keeping your phpmyadmin install up to date might well be a good tradeoff.

    (FWIW, we have IP restrictions for accessing phpmyadmin on our control panel node, where I do occasionally use it as root to examine/fix ISPConfig. For customers we have phpmyadmin installed on their web server, without IP restriction but no root logins, fail2ban, etc.)
     

Share This Page