tags:

views:

253

answers:

4
+2  Q: 

How to restrict access to phpmyadmin ?

Possible Duplicate:
How to secure phpMyAdmin

I use phpmyadmin to preview the database of my website. However, everyone can access the login page of my phpmyadmin by simply typing example.com/phpmyadmin

I am not an expert in network security but I assume this isn't very secure.

How can I restrict the access to the login page(maybe creating some alias like example.com/a4ebb72d ). I heard about allowing access only for specified IPs, but it won't help because I have dynamically assigned IP.

I'd be thankful for your tips.

+1  A: 

I suppose you could install phpMyAdmin in a directory behind a firewall so that only users with inside access could get to it.

Adam  2010-09-10 20:09:11
+2  A: 

I'd make that server listen on 127.0.0.1 and then use port forwarding with SSH...

Make sure, the server serving phpMyAdmin only serves to 127.0.0.1, and then run

$ ssh -L4545:localhost:80 yourserver.com

and then point your browser to http://127.0.0.1/phpmyadmin, you should be able to access phpmyadmin as longs as your SSH session is active.

This works with PuTTY as well.

polemon  2010-09-10 20:09:31
Thanks that looks nice, I'll try it. But wouldn't that tunneling cause slow page loading?
Andrzej Nosal  2010-09-11 18:49:39
I had great results using this kind of tunneling. In fact, I use that for all kind of proxy work.
polemon  2010-09-11 19:24:18
+2  A: 

Exposing any part of phpMyAdmin is a potential risk. You could use Apache's Allow/Deny directives:

Order Allow,Deny
Deny from All
Allow from 12.34.56.78

Replace 12.34.56.78 with your IP address, and put this in a .htaccess file in your phpMyAdmin folder.

Lekensteyn  2010-09-10 20:12:15
This would be a great answer if the OP hadn't specifically said that IP restriction wasn't of use to him.
Josh Leitzel  2010-09-10 20:19:15
+1  A: 

As you said, you can change the name of the directory to be something that is not easily guessable.

You can also place the directory (or a parent directory, if you can't do it in the phpmyadmin directory directly) under password protection using .htaccess. Regardless of this perceived enhanced security, it's probably not going to be much more secure. After all, phpMyAdmin requires a login and a password just as much as .htaccess would, so if you use weak passwords or password practices, you're still just as vulnerable, so obviously make sure that both user/password combinations are both unique and strong.

The best thing you can do is ensure that all your phpMyAdmin users/passwords are secure and that you only entrust them to people you trust. Keep in mind that phpMyAdmin allows for the dropping of tables and entire databases, so keep regular backups and continually ensure the integrity of the data on your server, because in reality hiding the directory name or placing it behind another login barrier is only worthwhile if your password practices are as secure as possible to begin with.

Josh Leitzel  2010-09-10 20:16:33
Thanks for nice answer.
Andrzej Nosal  2010-09-11 18:46:27

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases