Protect phpMyAdmin On An ISPConfig 3 Server (Debian)
With this small howto I explain how to protect your phpmyadmin installation on your Debian server with ISPConfig3 against hack attempts as much as possible. I assume that you already have an ISPConfig3 server running on Debian, which has been set up according to this howto and that phpmyadmin has been installed from the Debian repository into the directory /usr/share/phpmyadmin. With this default setup you can access phpMyAdmin via: http://www.anywebsiteonyourserver.tld/phpmyadmin, which we're going to change for security reasons.
We will protect our phpmyadmin installation by:
- .htpasswd file
- an alias for /phpmyadmin
I do not issue any guarantee that this will work for you!
Here we go:
Login into your ISPConfig3 server as root and execute:
htpasswd -c .htpasswd username
to create the .htpasswd file and add "username" to list of authorized users. The program will initially prompt you for a password and then ask you to verify it.
Now edit the file /etc/apache2/conf.d/phpmyadmin.conf and modify:
# phpMyAdmin default Apache configuration Alias /phpmyadmin /usr/share/phpmyadmin <Directory /usr/share/phpmyadmin>
Options Indexes FollowSymLinks DirectoryIndex index.php # Authorize for setup
# phpMyAdmin default Apache configuration Alias /myalias /usr/share/phpmyadmin <Directory /usr/share/phpmyadmin>
Options Indexes FollowSymLinks DirectoryIndex index.php #Make use of .htpasswd
AuthType Basic AuthName "Enter account information" AuthUserFile /usr/share/phpmyadmin/.htpasswd Require valid-user # Authorize for setup
Reload Apache2 by executing the command:
Now log into ISPConfig3, and click on "SYSTEM" > "Interface Config".
In the PHPMyAdmin URL field On the "Sites" tab, add your alias for /phpmyadmin, which is in this example: /myalias
Finaly Click on "Save" and you're done.
To verify what we've done, within your webbrowser visit your phpMyAdmin installation at: http://www.anywebsiteonyourserver.tld/myalias or within ISPConfig3 itself, just click on the phpmyadmin icon after the database name.