itnetsec

Securing phpMyAdmin

Dec 3rd, 2011
These instructions were performed on an Ubuntu 11.10 machine via SSH.
So, I was messing around with phpMyAdmin and noticed the directory /usr/share/phpmyadmin/setup. I browse to http://mydomainname.com/phpmyadmin/setup
and it immediately asks for credentials to log in. phpMyAdmin has already been set up, so why leave the setup directory on the server when it's not needed?

I then delete the setup folder from /usr/share/phpmyadmin/setup
sudo rm -rf /usr/share/phpmyadmin/setup

Keep in mind that the phpmyadmin package owns that directory, so a package upgrade can put it back. Re-check after apt-get upgrade, or leave the directory in place and rely on the Basic auth that the stock config already puts in front of it.

Now, by default you can access the web interface of phpMyAdmin simply by browsing to http://mydomainname.com/phpmyadmin
I want this directory on my server to have an extra layer of protection. I know that you have to log in to the phpMyAdmin interface first, but I'm a security-conscious guy. Why not add more security when you can? With an Apache-level login in front of phpMyAdmin, an unauthenticated visitor never reaches phpMyAdmin's own PHP code at all, so a pre-auth bug in phpMyAdmin cannot be hit from the outside.

We will take a look at the phpMyAdmin default Apache configuration file.
I browse to the directory /etc/phpmyadmin and take a look at the file apache.conf
Here is the output of apache.conf:
# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php

    <IfModule mod_php5.c>
        AddType application/x-httpd-php .php

        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag register_globals Off
        php_admin_flag allow_url_fopen Off
        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
    </IfModule>

</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authn_file.c>
        AuthType Basic
        AuthName "phpMyAdmin Setup"
        AuthUserFile /etc/phpmyadmin/htpasswd.setup
    </IfModule>
    Require valid-user
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
    Order Deny,Allow
    Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Order Deny,Allow
    Deny from All
</Directory>

Ok, so what I'm going to accomplish here is apply the same mod_authn_file Basic-auth directives that the setup section already uses to the whole /usr/share/phpmyadmin directory (this is like adding a .htaccess file into /usr/share/phpmyadmin, but done in the main config so it doesn't depend on AllowOverride). Note that <IfModule mod_authn_file.c> doesn't load the module; it only applies the directives inside it when the module is present. Require valid-user sits outside that wrapper on purpose: if the module were ever missing, Apache would refuse the request with an error instead of serving the directory with no authentication at all.

Here is my edited /etc/phpmyadmin/apache.conf file:
Note: If you notice I have added lines starting below "DirectoryIndex index.php"
In the line "AuthUserFile /data/user-access/.htpasswd" this is where my default .htpasswd file is for my .htaccess files. Keep that file outside the web root (as it is here) and readable only by root and the Apache user. If you want to see how this works and is set up, check out the article here: http://pastebin.com/8NuX7PBB
I also commented out all the lines under the "Authorize for setup" section (no need for it now that the directory is gone).
For an extra step you can change the line:
Alias /phpmyadmin /usr/share/phpmyadmin
To
Alias /whateveryoudecide /usr/share/phpmyadmin

Now when you access this it would look like:
http://domainname.com/whateveryoudecide
Instead of
http://domainname.com/phpmyadmin

Hackers always look for the defaults, and trust me, with as many vulnerabilities as phpMyAdmin has had over the years, they know what to look for. Renaming the alias is obscurity rather than access control: it cuts the noise from scanners that only try /phpmyadmin, but the Basic auth above is what actually keeps them out. Also remember that Basic auth sends the password base64-encoded, not encrypted, so put this behind HTTPS or the "extra layer" is readable by anyone on the path.

# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
    <IfModule mod_authn_file.c>
        AuthType Basic
        AuthName "Restricted Access!"
        AuthUserFile /data/user-access/.htpasswd
    </IfModule>
    Require valid-user

    <IfModule mod_php5.c>
        AddType application/x-httpd-php .php

        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag register_globals Off
        php_admin_flag allow_url_fopen Off
        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
    </IfModule>

</Directory>

# Authorize for setup
#<Directory /usr/share/phpmyadmin/setup>
#    <IfModule mod_authn_file.c>
#        AuthType Basic
#        AuthName "phpMyAdmin Setup"
#        AuthUserFile /etc/phpmyadmin/htpasswd.setup
#    </IfModule>
#    Require valid-user
#</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
    Order Deny,Allow
    Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Order Deny,Allow
    Deny from All
</Directory>

After you have made the changes above, save the file. It's worth running apache2ctl configtest first, so a typo in the config doesn't take the whole site down with the restart. Then restart Apache:
sudo /etc/init.d/apache2 restart

Now if you browse to http://mydomainname.com/phpmyadmin Apache will prompt you for a username and password...just an extra layer of security ;) If you renamed the alias, use the new path instead; the old /phpmyadmin should now come back as a 404.
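To make the edit repeatable and to check that it actually took, here is an added example (my own script, not part of the original paste) that applies the two apache.conf changes above to a copy of the stock file, lints the result, and can probe the live server with no credentials. The sample config embedded in it is a constructed, abridged copy of the apache.conf shown above; the /data/user-access/.htpasswd path, the whateveryoudecide alias and the PMA_URL variable are assumptions taken from this write-up.

```shell
#!/bin/sh
# Added example, not from the original paste. Applies the two apache.conf
# edits described above to a COPY of the file, checks the result, and can
# probe a live server. Paths, the alias name and PMA_URL are assumptions.
set -eu

# Insert the Basic-auth directives right after "DirectoryIndex index.php"
# inside <Directory /usr/share/phpmyadmin>, and comment out the whole
# "Authorize for setup" block. Args: source conf, output conf, .htpasswd path.
harden_pma_conf() {
    awk -v htpasswd="$3" '
        # comment out the setup block line by line up to its </Directory>
        /^[ \t]*<Directory \/usr\/share\/phpmyadmin\/setup>[ \t]*$/ { in_setup = 1 }
        in_setup { print "#" $0; if ($0 ~ /^[ \t]*<\/Directory>/) in_setup = 0; next }
        # track the main phpMyAdmin block so the auth lines land there only
        /^[ \t]*<Directory \/usr\/share\/phpmyadmin>[ \t]*$/ { in_main = 1 }
        in_main && /^[ \t]*<\/Directory>/ { in_main = 0 }
        { print }
        in_main && /^[ \t]*DirectoryIndex index\.php/ && !done {
            match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH)   # keep indentation
            print ind "<IfModule mod_authn_file.c>"
            print ind "AuthType Basic"
            print ind "AuthName \"Restricted Access!\""
            print ind "AuthUserFile " htpasswd
            print ind "</IfModule>"
            print ind "Require valid-user"   # outside IfModule on purpose: fails closed
            done = 1
        }
    ' "$1" > "$2"
}

# Change "Alias /phpmyadmin" to "Alias /<name>" in place. Args: conf, name.
rename_pma_alias() {
    case $2 in *[!A-Za-z0-9_-]*|'') echo "bad alias name: $2" >&2; return 1;; esac
    sed "s|^\([[:space:]]*\)Alias /phpmyadmin |\1Alias /$2 |" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Lint: main block needs AuthType Basic + Require valid-user, the setup
# block must be gone or commented out, libraries must still be denied.
check_pma_conf() {
    awk '
        /^[ \t]*<Directory \/usr\/share\/phpmyadmin>[ \t]*$/ { in_main = 1 }
        in_main && /^[ \t]*AuthType Basic/     { auth = 1 }
        in_main && /^[ \t]*Require valid-user/ { req = 1 }
        in_main && /^[ \t]*<\/Directory>/      { in_main = 0 }
        /^[ \t]*<Directory \/usr\/share\/phpmyadmin\/setup>[ \t]*$/ { setup = 1 }
        /^[ \t]*<Directory \/usr\/share\/phpmyadmin\/libraries>[ \t]*$/ { in_lib = 1 }
        in_lib && /^[ \t]*Deny from [Aa]ll/ { lib = 1 }
        in_lib && /^[ \t]*<\/Directory>/    { in_lib = 0 }
        END { if (auth && req && !setup && lib) exit 0; exit 1 }
    ' "$1"
}

# Probe a running server with no credentials: the alias must answer 401,
# and neither setup/ nor libraries/ may answer 200. Args: base URL, alias.
probe_pma() {
    for p in "" setup/ libraries/; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$1/$2/$p")
        echo "$1/$2/$p -> $code"
        case "$p:$code" in
            ':401') ;;                                    # entry point: auth required
            'setup/:200'|'libraries/:200') return 1 ;;    # should never be reachable
            ':'*) return 1 ;;                             # entry point not protected
        esac
    done
}

# Constructed sample: an abridged copy of the stock apache.conf shown above
# (the php_* lines are left out; they play no part in the edit).
ORIG_CONF='Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
    <IfModule mod_php5.c>
        AddType application/x-httpd-php .php
    </IfModule>
</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authn_file.c>
        AuthType Basic
        AuthName "phpMyAdmin Setup"
        AuthUserFile /etc/phpmyadmin/htpasswd.setup
    </IfModule>
    Require valid-user
</Directory>

# Disallow web access to directories that do not need it
<Directory /usr/share/phpmyadmin/libraries>
    Order Deny,Allow
    Deny from All
</Directory>'

work=$(mktemp -d)
printf '%s\n' "$ORIG_CONF" > "$work/apache.conf"
harden_pma_conf "$work/apache.conf" "$work/apache.conf.new" /data/user-access/.htpasswd
rename_pma_alias "$work/apache.conf.new" whateveryoudecide
check_pma_conf "$work/apache.conf.new" || { echo "hardening check FAILED" >&2; exit 1; }
echo "hardened config written to $work/apache.conf.new"
# On the real box: sudo cp "$work/apache.conf.new" /etc/phpmyadmin/apache.conf,
# then sudo apache2ctl configtest && sudo /etc/init.d/apache2 restart.
# With PMA_URL set (e.g. PMA_URL=https://mydomainname.com) also probe the server:
if [ -n "${PMA_URL:-}" ]; then probe_pma "$PMA_URL" whateveryoudecide; fi
```

The lint deliberately looks for Require valid-user inside the main <Directory> block only, so a stock file (where that directive exists solely in the setup block) fails the check and the hardened one passes. Create the user file it points at with htpasswd -c /data/user-access/.htpasswd <user> before restarting, otherwise every request gets an error rather than a login prompt.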