Hi,

I have noticed that there are strange requests to my website trying to find phpmyadmin, like

/phpmyadmin/
/pma/

etc.

Now I have installed PMA on Ubuntu via apt and would like to access it via a web address different from /phpmyadmin/. What can I do to change it?

Thanks


Update

For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file /etc/apache2/conf.d/phpmyadmin.conf which is a link to /etc/phpmyadmin/apache.conf. The file contains

Alias /phpmyadmin /usr/share/phpmyadmin

where the first /phpmyadmin should be changed to something different if one wants to avoid the unnecessary activity, e.g.:

Alias /secret /usr/share/phpmyadmin
A: 

The simplest approach would be to edit the configuration of the webserver (most likely an Apache2 installation) and give phpmyadmin a different name.

A second approach would be to limit the IP addresses from where phpmyadmin may be accessed (e.g. only local lan or localhost).

lexu
+1  A: 

Most likely, somewhere on your webserver will be an Alias directive like this:

Alias /phpmyadmin "c:/wamp/apps/phpmyadmin3.1.3.1/"

In my wampserver / localhost setup, it was in c:/wamp/alias/phpmyadmin.conf.

Just change the alias directive and you should be good to go.

MatW
+3  A: 

The biggest threat is that someone could use an exploit to read the plain text username/password in your PHP application configuration file and then log in using phpmyadmin or over tcp port 3306.

There are a few things you can do to stop this:

1) DO NOT ALLOW REMOTE ROOT LOGINS.
Instead you should use "Cookie Auth" to limit what user can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have "grant" or "file_priv". file_priv is really nasty because it can be used to read files or upload backdoors.

2) Put in an IP address restriction in your .htaccess for the phpmyadmin folder:

allow from 199.166.210.1

3) Do not have a predictable file location like: http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.

4) Firewall off tcp port 3306.

5) Use HTTPS, otherwise data and passwords can be leaked to an attacker. If you don't want to fork out the $30 for a cert, then use a self-signed. You'll accept it once, and even if it was changed due to a MITM you'll be notified.

Rook
I don't mean to be critical, but funny how you don't address the 'biggest threat' until the last step. The biggest threat for most people is being brute forced, which your other steps address. Using a decent password is also a good idea.
therealsix
@therealsix you're right, but I assumed that was obvious. Brute force for mysql is less common than mssql because you have xp_cmdshell() which calls cmd.exe. In mysql wormable code execution isn't straightforward.
Rook
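
An added example, not part of the original question or answers: a small Python audit that reads Apache configuration text and flags the two weaknesses discussed above, a phpMyAdmin `Alias` under a commonly probed URL and a phpMyAdmin directory with no effective IP restriction. The function names, the `PREDICTABLE` set and both sample configurations are constructed for illustration; the Apache 2.4 `Require` branch goes beyond the Apache 2.2 setup the page describes.

```python
import re

# URL prefixes the page names as probed by scanners (constructed set; extend as needed).
PREDICTABLE = {"/phpmyadmin", "/pma"}
ALIAS_RE = re.compile(r'^[ \t]*Alias[ \t]+(\S+)[ \t]+"?([^"\s]+)"?', re.I | re.M)
DIR_RE = re.compile(r'<Directory[ \t]+"?([^">]+?)"?[ \t]*>(.*?)</Directory>', re.I | re.S)

def _has(pattern, body):
    """True if some line of body consists of exactly this directive."""
    return re.search(r'^[ \t]*' + pattern + r'[ \t]*$', body, re.I | re.M) is not None

def ip_restricted(body):
    """True if a <Directory> body limits clients by address."""
    # Apache 2.2: a bare "Allow from <ip>" restricts nothing, because the default
    # order (Deny,Allow) admits every client that matches no Deny directive.
    deny_first = _has(r'Order[ \t]+deny,allow', body) and _has(r'Deny[ \t]+from[ \t]+all', body)
    if deny_first or _has(r'Order[ \t]+allow,deny', body):
        return not _has(r'Allow[ \t]+from[ \t]+all', body)
    # Apache 2.4: "Require ip ..." or "Require local", not undone by "all granted".
    return (_has(r'Require[ \t]+(ip[ \t]+.+|local)', body)
            and not _has(r'Require[ \t]+all[ \t]+granted', body))

def audit(conf):
    """Return sorted (finding, value) pairs for phpMyAdmin aliases in conf text."""
    conf = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    dirs = {path.rstrip("/"): body for path, body in DIR_RE.findall(conf)}
    findings = set()
    for url, target in ALIAS_RE.findall(conf):
        if "phpmyadmin" not in target.lower():
            continue
        if url.rstrip("/").lower() in PREDICTABLE:
            findings.add(("predictable-alias", url))
        body = dirs.get(target.rstrip("/"))
        if body is None or not ip_restricted(body):
            findings.add(("no-ip-restriction", target))
    return sorted(findings)

# Constructed sample configurations (Apache 2.2 syntax, as on Ubuntu 9.10).
WEAK = """\
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Allow from 199.166.210.1
</Directory>
"""
HARDENED = """\
Alias /secret /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Order deny,allow
    Deny from all
    Allow from 199.166.210.1
</Directory>
"""
```

`audit(WEAK)` reports both findings and `audit(HARDENED)` reports none; on a real host, pass it the contents of the phpMyAdmin Apache configuration file.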