phpMyAdmin Post Configuration
phpMyAdmin is a PHP-based web admin panel for MySQL. It has been my go-to GUI for MySQL for more than 10 years. Over the years I've run PHP on Windows, Mac and various flavors of Linux; currently Ubuntu. phpMyAdmin has worked flawlessly the entire time. What I've come away with are a few tips and best practices. While the implementation will focus on Ubuntu Linux running the Apache web server, the rationale should hold true across all platforms. For this article we will assume phpMyAdmin is being installed for the domain example.com.
Goals
- example.com/phpmyadmin should resolve to phpMyAdmin.
- Defend against direct attacks on phpMyAdmin.
- Only allow phpMyAdmin to be accessed over SSL.
Resolving phpMyAdmin
I like apt-get as a package manager. While you can install phpMyAdmin using apt-get, you probably won't be able to access it afterwards. This can be resolved by simply telling Apache where to look.
sudo vim /etc/apache2/apache2.conf
Add the following lines to the end of the file.
# Include phpmyadmin's configuration
Include /etc/phpmyadmin/apache.conf
Restart Apache.
sudo service apache2 restart
Open a browser and enter http://example.com/phpmyadmin. If it resolves to a phpMyAdmin login page, the setup was successful.
A Little Security
Defending Against Blind Attacks
If you've ever checked your 404 logs you've probably noticed a lot of references to phpMyAdmin. These are what I like to call blind attacks: the result of a hacker throwing known malformed query strings at your web site, hoping to exploit common implementation flaws. There are two techniques that will provide some protection against blind attacks: authentication and access control.
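To see the blind attacks described above in your own logs, the following added example (not part of the original article) counts requests for phpMyAdmin-style paths per client IP in an Apache combined-format access log. The function names, the list of path variants and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: per-client count of requests for phpMyAdmin-style paths in an
# Apache combined-format access log. Names and path variants are illustrative.

# Constructed sample lines (documentation IP ranges), not real traffic.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Mar/2024:04:11:02 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 492 "-" "-"
203.0.113.7 - - [12/Mar/2024:04:11:03 +0000] "GET /pma/index.php HTTP/1.1" 404 492 "-" "-"
203.0.113.7 - - [12/Mar/2024:04:11:03 +0000] "GET /phpmyadmin2/ HTTP/1.1" 404 492 "-" "-"
198.51.100.20 - - [12/Mar/2024:09:30:41 +0000] "GET /PMA/ HTTP/1.1" 404 492 "-" "-"
192.0.2.15 - bob [12/Mar/2024:10:02:17 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
192.0.2.15 - - [12/Mar/2024:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 492 "-" "Mozilla/5.0"
EOF
}

# pma_probes [LOGFILE|-] [STATUS_REGEX]
# Prints "<count> <client-ip>", busiest client first. Reads stdin when no file
# is given; STATUS_REGEX defaults to 404.
pma_probes() {
    awk -F'"' -v want="${2:-404}" '
    {
        split($1, pre, " ");  ip = pre[1]        # text before the request line
        n = split($2, req, " ")                  # METHOD PATH PROTOCOL
        split($3, post, " "); status = post[1]   # status code follows the request
        if (n < 2 || status !~ ("^(" want ")$")) next
        path = tolower(req[2])                   # scanners vary the case
        # Top-level directory named like phpMyAdmin, optional version suffix.
        if (path ~ "^/(phpmyadmin|pma|myadmin|mysqladmin)[0-9._-]*([/?]|$)")
            hits[ip]++
    }
    END { for (ip in hits) print hits[ip], ip }
    ' "${1:--}" | sort -k1,1nr -k2,2
}

# Demo on the sample; on Ubuntu the real log is usually /var/log/apache2/access.log.
sample_log | pma_probes
```

Once the authentication and access control steps below are in place, probes against the real /phpmyadmin path are logged as 401 or 403 rather than 404, so pass '401|403' as the second argument to see them.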
Authentication
For authentication, use Apache's htpasswd utility to create a flat password file; a .htaccess file is then used to enforce the usage of the password. We will start by telling Apache to allow .htaccess for the phpMyAdmin directory.
## Open the phpMyAdmin's Apache configuration file.
sudo vim /etc/phpmyadmin/apache.conf
## Find the Directory directive.
<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
## And add the following line:
AllowOverride All
## The result should be as follows:
<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    AllowOverride All
## Restart Apache.
sudo service apache2 restart
Navigate to the directory defined in the aforementioned Directory directive and create the .htpasswd and .htaccess files.
## Htpasswd, assuming Bob is the user.
sudo htpasswd -c .htpasswd bob
Follow the prompts to create Bob’s password. Then tell Apache to enforce authentication.
sudo vim .htaccess
## Add the following lines
AuthUserFile /usr/share/phpmyadmin/.htpasswd
AuthName "Authentication Required"
AuthType Basic
require valid-user
Open a browser and enter http://example.com/phpmyadmin. Instead of resolving to phpMyAdmin's login page, you'll be prompted to enter a username and password. Once entered, you will continue on to the phpMyAdmin login screen.
Access Control
Access control allows us to whitelist and/or blacklist specific IP addresses or ranges of IP addresses. We will use the Order allow,deny directive, which will allow only whitelisted IPs to have access to the phpMyAdmin directory. We will start by opening the .htaccess file we created in the last example.
cd /usr/share/phpmyadmin
sudo vim .htaccess
## Add the following line to the bottom of the .htaccess file
Order allow,deny
## At this point we are free to allow IP addresses. To allow all traffic from the local server/machine, simply add the line
Allow from 127
## Allow a single IP
Allow from 10.10.110.122
## Allow all traffic from a subnet
Allow from 10.10.110
To test, exclude the IP of your local machine and, in your browser, navigate to http://example.com/phpmyadmin. If Apache returns a forbidden error, traffic is being blocked as expected. Then enter your local IP as an Allow from value; if you are now granted access, everything is working as expected.
Force SSL
We never want to send our credentials in plain text, especially not our database credentials. To ensure this does not happen, we will force the use of SSL when attempting to access phpMyAdmin. We will use mod_rewrite to force an SSL connection. This assumes you've already installed an SSL certificate on your server. We will continue to use the previously created .htaccess file.
## Open the .htaccess file
cd /usr/share/phpmyadmin
sudo vim .htaccess
## Add the following lines to the .htaccess file.
# Turns on mod rewrite.
RewriteEngine On
# If the connection is not secure,
RewriteCond %{SERVER_PORT} 80
# And we are attempting to access phpMyAdmin.
RewriteCond %{REQUEST_URI} phpmyadmin
# Rewrite the URL to a secure port
RewriteRule ^(.*)$ https://example.com/phpmyadmin/$1 [R,L]
To test, open a browser and navigate to http://example.com/phpmyadmin. If you are instead sent to https://example.com/phpmyadmin, everything is working.