- These instructions were performed on an Ubuntu 11.10 machine via SSH.
- So, I was messing around with phpMyAdmin and noticed the directory /usr/share/phpmyadmin/setup. I browse to http://mydomainname.com/phpmyadmin/setup
- and it immediately asks for credentials to log in. First, phpMyAdmin has already been set up...why leave the setup directory on the server when it's not needed?
- I then delete the setup folder from /usr/share/phpmyadmin/setup
- sudo rm -rf /usr/share/phpmyadmin/setup
- Now, by default you can access the web interface of phpMyAdmin simply by browsing to http://mydomainname.com/phpmyadmin
- I want this directory on my server to have an extra layer of protection. I know that you have to log in to the phpMyAdmin interface first, but I'm a security-conscious guy. Why not add more security when you can?
- We will take a look at the phpMyAdmin default Apache configuration file.
- I browse to the directory /etc/phpmyadmin and take a look at the file apache.conf
- Here is the output of apache.conf:
# phpMyAdmin default Apache configuration
Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php

    <IfModule mod_php5.c>
        AddType application/x-httpd-php .php
        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag register_globals Off
        php_admin_flag allow_url_fopen Off
        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
    </IfModule>
</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authn_file.c>
        AuthType Basic
        AuthName "phpMyAdmin Setup"
        AuthUserFile /etc/phpmyadmin/htpasswd.setup
    </IfModule>
    Require valid-user
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
    Order Deny,Allow
    Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Order Deny,Allow
    Deny from All
</Directory>
- Ok, so what I'm going to accomplish here is use the module "mod_authn_file.c" to require a login on the whole /usr/share/phpmyadmin directory (this is like adding a .htaccess file into the /usr/share/phpmyadmin directory).
- Here is my edited /etc/phpmyadmin/apache.conf file:
- Note: the lines I added start directly below "DirectoryIndex index.php".
- The line "AuthUserFile /data/user-access/.htpasswd" points to the default .htpasswd file I already use for my .htaccess files. If you want to see how that works and is set up, check out the article here: http://pastebin.com/8NuX7PBB
- I also commented out all the lines under the "Authorize for setup" section (no need for it, since the setup directory is gone).
- For an extra security step you can change the line:
- Alias /phpmyadmin /usr/share/phpmyadmin
- To
- Alias /whateveryoudecide /usr/share/phpmyadmin
- Now when you access this it would look like:
- http://domainname.com/whateveryoudecide
- Instead of
- http://domainname.com/phpmyadmin
- Hackers always look for the defaults, and trust me, given how many vulnerabilities phpMyAdmin has had over the years, they know what to look for.
# phpMyAdmin default Apache configuration
Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php

    <IfModule mod_authn_file.c>
        AuthType Basic
        AuthName "Restricted Access!"
        AuthUserFile /data/user-access/.htpasswd
    </IfModule>
    Require valid-user

    <IfModule mod_php5.c>
        AddType application/x-httpd-php .php
        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag register_globals Off
        php_admin_flag allow_url_fopen Off
        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
    </IfModule>
</Directory>

# Authorize for setup
#<Directory /usr/share/phpmyadmin/setup>
#    <IfModule mod_authn_file.c>
#        AuthType Basic
#        AuthName "phpMyAdmin Setup"
#        AuthUserFile /etc/phpmyadmin/htpasswd.setup
#    </IfModule>
#    Require valid-user
#</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
    Order Deny,Allow
    Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Order Deny,Allow
    Deny from All
</Directory>
- After you have made the changes above, save the file. Then restart Apache:
- sudo /etc/init.d/apache2 restart
- Now if you browse to http://mydomainname.com/phpmyadmin Apache will prompt you for a username and password...just an extra layer of security ;)
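- The checks I would run after making the edits above, as an added example that is not part of the original paste: a small POSIX shell audit of apache.conf that confirms the main phpMyAdmin directory requires a login, that the Alias no longer advertises the default /phpmyadmin path, that the commented-out setup block is really inactive, and that the .htpasswd file named in AuthUserFile is not world-readable. The two sample configs it runs against are constructed, abbreviated copies of the stock and hardened configs shown above; the function names and the temp-file paths are my own choices. It only reads the file as text, so it cannot tell whether mod_authn_file is actually loaded in Apache.

```shell
#!/bin/sh
# Added example (not from the original paste): audit a phpMyAdmin apache.conf
# for the hardening steps described above. Uses only grep and awk, so it runs
# on any host; the sample configs at the bottom are constructed.

# Print the body of the active <Directory PATH> block in a config file.
# Comment lines are skipped, so a block the author commented out is ignored.
directory_block() {
    awk -v dir="$2" '
        /^[ \t]*#/ { next }
        $1 == "<Directory" && $2 == (dir ">") { inblk = 1; next }
        inblk && $1 == "</Directory>"         { inblk = 0 }
        inblk                                  { print }
    ' "$1"
}

# 0 when the main phpMyAdmin directory block carries "Require valid-user".
requires_auth() {
    directory_block "$1" /usr/share/phpmyadmin |
        grep -Eq '^[[:space:]]*Require[[:space:]]+valid-user'
}

# 0 when the Alias still exposes the well-known /phpmyadmin path.
uses_default_alias() {
    grep -Eq '^[[:space:]]*Alias[[:space:]]+/phpmyadmin[[:space:]]' "$1"
}

# 0 when an uncommented <Directory .../setup> block is still present,
# i.e. the setup script would still be served.
setup_block_active() {
    grep -Eq '^[[:space:]]*<Directory[[:space:]]+/usr/share/phpmyadmin/setup>' "$1"
}

# 0 when the AuthUserFile named in the main block exists on this host and is
# readable by "other" (every local user could read the hashes). A file that
# is not present on this host is not reported.
htpasswd_world_readable() {
    f=$(directory_block "$1" /usr/share/phpmyadmin |
        awk '$1 == "AuthUserFile" { print $2; exit }')
    [ -n "$f" ] && [ -f "$f" ] && [ -n "$(find "$f" -perm -004 2>/dev/null)" ]
}

# Run every check; the exit status is the number of findings (0 = hardened).
audit_pma_conf() {
    n=0
    requires_auth "$1" ||
        { echo "FAIL: no 'Require valid-user' on /usr/share/phpmyadmin"; n=$((n + 1)); }
    uses_default_alias "$1" &&
        { echo "WARN: Alias still uses the default /phpmyadmin path"; n=$((n + 1)); }
    setup_block_active "$1" &&
        { echo "WARN: <Directory .../setup> block is still active"; n=$((n + 1)); }
    htpasswd_world_readable "$1" &&
        { echo "FAIL: AuthUserFile is world-readable"; n=$((n + 1)); }
    return "$n"
}

# Constructed, abbreviated copy of the stock config from the paste.
write_stock_conf() {
    cat > "$1" <<'EOF'
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
</Directory>
# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    AuthType Basic
    AuthName "phpMyAdmin Setup"
    AuthUserFile /etc/phpmyadmin/htpasswd.setup
    Require valid-user
</Directory>
EOF
}

# Constructed, abbreviated copy of the hardened config from the paste.
write_hardened_conf() {
    cat > "$1" <<'EOF'
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
    <IfModule mod_authn_file.c>
        AuthType Basic
        AuthName "Restricted Access!"
        AuthUserFile /data/user-access/.htpasswd
    </IfModule>
    Require valid-user
</Directory>
#<Directory /usr/share/phpmyadmin/setup>
#    Require valid-user
#</Directory>
EOF
}

# Demo run against both sample configs (temp files under $TMPDIR or /tmp).
tmp=${TMPDIR:-/tmp}/pma_audit.$$
write_stock_conf    "$tmp.stock"
write_hardened_conf "$tmp.hardened"
for c in "$tmp.stock" "$tmp.hardened"; do
    echo "== $c"
    audit_pma_conf "$c" || echo "   $? finding(s)"
done
rm -f "$tmp.stock" "$tmp.hardened"
```

- Against the real file, run `audit_pma_conf /etc/phpmyadmin/apache.conf`. The stock config produces three findings and the hardened config from the paste still produces one (the default Alias), which is exactly the optional rename step above. Because the script cannot see which modules Apache has loaded, still run `apache2ctl configtest` after editing and request the URL once: if mod_authn_file is not loaded, the `<IfModule>` block is skipped while `Require valid-user` stays in effect, and Apache answers with a 500 error instead of a password prompt.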