phpMyAdmin is listening on 80 AND 8080 - How to fix this?

Discussion in 'General' started by Spawnsworth, Jun 12, 2019.

  1. Spawnsworth

    Spawnsworth Member

    Hi all,

    So we have a server that we thought phpMyAdmin was secure and happily working on port 8080 which was locked down on the firewall. Only after running a vulnerability scan did we realize it was open to the world this whole time. How can I stop it listening on port 443 completely and just have it on 8080?

    Thanks!
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Why not lock also port 443 on the firewall? But if you want to use PHPMyAdmin from your intranet, there must be some port open to the intranet. 443 is used for httpS connections.
     
  3. Spawnsworth

    Spawnsworth Member

    Thanks. The server hosts a number of websites so we need 80 and 443 open to the public but 8080 is restricted by IP.

    CORRECT PMA URL:
    http://myserver.hostname:8080/phpmyadmin/

    INCORRECT, INSECURE URL:
    https://myserver.hostname/phpmyadmin/

    In fact, if I replace 'myserver.hostname' with any of the server's websites as hostnames then /phpmyadmin they can all gain access. They can also see the Apache manual at 'http://myserver.hostname/manual'. This is not ideally secure so is this just my build? It's ISP Config 3.1dev version.

    Thanks!
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  5. Spawnsworth

    Spawnsworth Member

    Thanks for confirming. We absolutely do not want /phpymadmin to work on port 80 as we want phpmyadmin locked down to trusted IP's managed by a firewall ACL.

    How can I stop /phpymadmin working on port 80 and have it liste on another port like 8080 or 8081 instead?

    Thanks
     
  6. Jesse Norell

    Jesse Norell Well-Known Member

    The /phpmyadmin Alias is added via global config, eg. via /etc/apache2/conf-enabled/phpmyadmin.conf in debian. Your options are either 1) to redirect that location on both ports 80 and 443 to the correct one on port 8080, where it will be blocked by your acl, or 2) disable the global /phpmyadmin alias and add it directly to the vhost config on 8080.

    If you like the redirect (#1), I do a similar thing to redirect any /phpmyadmin request to the server's hostname, which you could modify a bit for your needs (change hostname to match your server, change both RewriteCond to include your port number, add the port number to the RewriteRule, and change 11.22.33.44 to your server's ip address):
    Code:
    # cat /etc/apache2/conf-available/phpmyadmin_redirect.conf
    # This makes the '/phpmyadmin' url work on each domain
    # by redirecting to the local server's hostname rather than
    # directly running phpmyadmin to not require phpmyadmin paths
    # in each site's open_basedir.
    
    <LocationMatch "(?i)^/phpmyadmin(/?|/.+)$">
        RewriteEngine on
        RewriteCond "%{HTTP_HOST}"  "!^ispconfig-hostname\.domain\.tld"  [NC]
        RewriteCond "%{HTTP_HOST}"  "!^11\.22\.33\.44"  [NC]
        RewriteRule (.*)  https://ispconfig-hostname.domain.tld%{REQUEST_URI}  [R=301,NE,END]
    </LocationMatch>
    
    Make sure to 'a2enconf phpmyadmin_redirect' after that. And as a secondary measure you could add ip restrictions on phpmyadmin files right in your apache config, so even without the redirect, the requests would still get blocked.

    If you want to disable /phpmyadmin (solution #2), on debian you would run
    Code:
    a2disconf phpmyadmin
    then restart apache. You would then need to create a conf-custom file for your ispconfig vhost on port 8080 which includes the contents of your phpmyadmin config (/etc/phpmyadmin/apache.conf on debian), and be aware with future ispconfig upgrades that you'll need to monitor for changes to apache_ispconfig.vhost.master in the installation files and carry those changes into your local version.


    Most installations have phpmyadmin available for clients to use, though of course your installation may not (obviously does not?) need that. But if you want a more secure setup all around, with all the work required to switch to it (actually not that much with migration toolkit), switch to using a multiserver install, and keep the ispconfig control panel on a separate server than your client websites. You can then allow phpmyadmin for clients on their own webserver (with fail2ban catching brute force attempts), and restrict phpmyadmin access on the control panel to just your ip's.

    In all of the above, I would configure phpmyadmin to reject logins by root, ispconfig and debian-sys-maint users. There are times when you might need a root mysql login, and for those I temporarily edit phpmyadmin config to allow it, and (try to remember to) change it back after I'm done. Eg. this is on a client webserver, edit /etc/phpmyadmin/config.inc.php and add this block into the existing if() section:
    Code:
    /* Configure according to dbconfig-common if enabled */
    if (!empty($dbname)) {
    
        ... existing config ...
    
        // Disallow login from root, ispconfig and debian-sys-maint users
        $cfg['Servers'][$i]['AllowRoot'] = FALSE;
        $cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
        $cfg['Servers'][$i]['AllowDeny']['rules'] = array(
            'deny ispconfig from all',
            'deny debian-sys-maint from all',
        );
    
        /* Advance to next server for rest of config */
        $i++;
    }
    
     
    Last edited: Jun 12, 2019
  7. Spawnsworth

    Spawnsworth Member

    Thanks for the very helpful post Jesse I will look in to this and decide which method is best. Thank you!!!
     

Share This Page