Securing PHPmyadmin

Discussion in 'Installation/Configuration' started by scottrill2, Jul 17, 2010.

  1. scottrill2

    scottrill2 Member

    Hello,

    I was curious about a few things. I have read that phpmyadmin can be vulnerable to the www. I wanted to do 2 things.

    1. Change the "phpmyadmin" folder to another name like "mysqlmanagement".

    2. Create a .htaccess file with the following in it: "Allow from 127.0.0.1" so that only the local machine can access phpmyadmin.


    Now renaming the folder was easy enough even for me :) I just have to manually type in the url which is fine. But I still thought I would ask if there is a simple way to change where the tools phpmyadmin links/points to?

    My second question is about the htaccess file. I have tried putting the file in "/home/admispconfig/ispconfig/web/mysqlmanagement", to no avail. Is there a certain code I need to put in there since it is on the main server and not a virtual site/client/reseller account?

    Finally, is there a better way to secure it than what I'm trying to do?

    Thanks in advance for your time,

    Scott
     
  2. Hans

    Hans Moderator ISPConfig Developer

    The best is to protect your phpMyAdmin configuration by installing an SSL certificate, because then all the data from and to your phpMyAdmin will be encrypted.

    If you don't plan to install an SSL certificate, maybe this guide can help you.
     
  3. scottrill2

    scottrill2 Member

    Hello Hans and thanks for the reply.

    I do have an SSL certificate for the server already. The link you posted was about ISPConfig 3 and I checked my ISPConfig 2 files and phpmyadmin isn't in the folder the tutorial lists. I am a complete newb and cannot extrapolate the info from that tutorial and apply it to my own setup.


    It could be that I am being too anal lol. Perhaps it is because I am new to Linux and reading every scrap of info I can trying to teach myself.


    I had read several blogs and forums mentioning how phpmyadmin was vulnerable since hackers knew the folder would be http://mysite.com/phpmyadmin

    I figured I would try to go for the trifecta of secureness by:

    a. Renaming my phpmyadmin folder to something insanely vague
    b. Putting a htaccess file in there only allowing either my static IP or the local machine IP.
    c. SSL Certificate

    As I said, I am probably overreacting lol lack of knowledge can do that :)

    Thanks again for the input Hans, I truly appreciate it.

    Scott
     
  4. falko

    falko Super Moderator ISPConfig Developer

    You can change it under /home/admispconfig/ispconfig/web/tools/tools/phpmyadmin/nav.inc.php.

    I guess you need to put the line
    Code:
    AllowOverride All
    into the
    Code:
    <VirtualHost _default_:81>
    
    #  General setup for the virtual host
    DocumentRoot "/home/admispconfig/ispconfig/web"
    ServerName xxx.xxx.com
    ServerAdmin [email protected]
    ErrorLog /root/ispconfig/httpd/logs/error_log
    TransferLog /root/ispconfig/httpd/logs/access_log
    </VirtualHost>
    stanza at the end of /root/ispconfig/httpd/conf/httpd.conf. Restart ISPConfig afterwards.
     
    Last edited: Jul 19, 2010
  5. scottrill2

    scottrill2 Member

    Thanks!

    Falko, the nav.inc worked a treat, sir. Perfect indeed. Now on the second part, when I edited that file and tried restarting ISPConfig it gave me this:




    syntax error on line 1231 of /root/ispconfig/httpd/conf/httpd.conf: AllowOverride not allowed here



    Is there anything I might have screwed up on earlier that would block this?


    Thanks as always,

    Scott
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Try
    Code:
    <Directory /home/admispconfig/ispconfig/web>
      AllowOverride All
    </Directory>
    instead.
     
  7. scottrill2

    scottrill2 Member

    Spot on perfect as always. Thank you sir.


    Scott
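
An added example, not posted by anyone in the thread: the access rule from the first post combined with the `<Directory>` fix from the last answer. It assumes the renamed folder `mysqlmanagement` from the thread, scopes the override to that folder rather than the whole web root, and uses Apache 2.2-style `Order`/`Deny`/`Allow` directives; `203.0.113.10` is a constructed placeholder for a static admin IP.

```apache
# --- in /root/ispconfig/httpd/conf/httpd.conf ---
# AllowOverride is only valid inside <Directory>, which is why placing it
# directly in <VirtualHost> fails with "AllowOverride not allowed here".
# "Limit" is the narrowest override class that still permits
# Order/Deny/Allow in .htaccess; "All" also works but permits far more.
<Directory /home/admispconfig/ispconfig/web/mysqlmanagement>
  AllowOverride Limit
</Directory>

# --- in /home/admispconfig/ispconfig/web/mysqlmanagement/.htaccess ---
# "Allow from" on its own restricts nothing: with the default
# "Order Deny,Allow", a request that matches no rule is permitted.
# Deny everyone first, then list the exceptions.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
# Constructed placeholder for a static admin address; replace with your own.
Allow from 203.0.113.10
```

After restarting ISPConfig, a request from any address not listed should get `403 Forbidden`. On Apache 2.4 the equivalent rule is `Require ip 127.0.0.1 203.0.113.10`, which needs `AllowOverride AuthConfig` instead of `Limit`.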
     
