[GUIDE] Secure PhpMyAdmin

erldcrtz
Posts: 73
Joined: Tue Jun 10, 2014 6:16 am

[GUIDE] Secure PhpMyAdmin

Postby erldcrtz » Tue Jun 10, 2014 9:42 am

I have compiled some tips to add an extra layer of protection to your phpMyAdmin. Vesta Control Panel is really good, but it seems like it's lacking in the security department, so I want to help as much as possible.

Add htaccess login (extra login)
more info: https://degreesofzero.com/article/how-to-secure-phpmyadmin.html

Change the default /phpmyadmin alias to something like /phpmyadmin-vcn0vgu02j0239f
more info: https://forum.vestacp.com/viewtopic.php?f=10&t=5264 (thanks john)
check your config locations here: http://vestacp.com/docs/#config-log-location-rhel-centos



Alternative (most recommended)


Enable SSL on phpmyadmin and access it only from the name server
1. create a web domain using your name server (server1.myserver.com) with SSL support and nginx
2. edit /etc/httpd/conf.d/phpMyAdmin.conf (CentOS 6), delete the following (see below) and save


Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
   Order Deny,Allow
   Deny from All
   Allow from All
</Directory>

<Directory /usr/share/phpMyAdmin/scripts/>
   Order Deny,Allow
   Deny from All
   Allow from All
</Directory>


3. edit /home/admin/conf/web/shttpd.conf from step 1 (see above), paste the following (see below) before the line </VirtualHost> and save


Alias /phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
</Directory>

<Directory /usr/share/phpMyAdmin/scripts/>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
</Directory>


4. restart apache server
5. you may now access your phpmyadmin over SSL, only from the domain name you created.


https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE



Force SSL Connection on phpmyadmin
1. go to folder /usr/share/phpMyAdmin (centos 6)
2. create the file config.inc.php, put the following code in it and save


<?php $cfg['ForceSSL'] = true; ?>



Add name-server referral access only (you can only access phpmyadmin by clicking the link in the control panel); this also uses .htaccess
1. open /usr/share/phpMyAdmin (CentOS 6)
2. create a .htaccess file and paste the following code (replacing server1.yourdomain.com with your own domain info)


RewriteEngine On
# Escape the dots and anchor the pattern; otherwise any Referer that merely contains
# "yourdomain" + any character + "com" (e.g. yourdomain.com.evil.example) passes the check.
RewriteCond %{HTTP_REFERER} !^https?://(server1\.)?yourdomain\.com(:[0-9]+)?(/|$)
RewriteRule .* - [F]


3. update the phpmyadmin link from vesta control panel viewtopic.php?f=10&t=5264

Now that you have that in place, you won't be able to access phpmyadmin directly in your web browser. You need to click the phpmyadmin link in the Vesta control panel.
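As an added example (not code from the original post or from VestaCP), the script below runs the Referer check from the guide against constructed Referer values and places a hardened pattern beside the one as posted, so you can see which values each lets through. The host name server1.yourdomain.com is the guide's placeholder; port 8083 is the Vesta panel's default and is assumed for the sample values. It also shows one way to produce the random part of the alias line.

```sh
#!/bin/sh
# Added example; not code from the original post or from VestaCP.
# Exercises the .htaccess Referer pattern against constructed Referer values
# and shows a hardened pattern next to it. server1.yourdomain.com is the
# guide's placeholder; the :8083 panel port in the samples is an assumption.

# Pattern as posted: "." is unescaped (matches any character) and nothing is
# anchored, so any Referer that merely contains "yourdomain" + any char + "com"
# passes, e.g. https://yourdomain.com.evil.example/
WEAK_PATTERN='(server1.)?yourdomain.com'

# Hardened: scheme, optional "server1." label, escaped dots, optional port
# (the panel answers on :8083), then "/" or end of string.
STRICT_PATTERN='^https?://(server1\.)?yourdomain\.com(:[0-9]+)?(/|$)'

# referer_allowed MODE REFERER
# Returns 0 when Apache would serve the request, 1 when "RewriteRule .* - [F]"
# would fire. RewriteCond does an unanchored search and "!" negates it, so the
# request is forbidden exactly when the pattern does NOT match the header.
referer_allowed() {
    mode=$1
    ref=$2
    case $mode in
        weak)   pat=$WEAK_PATTERN ;;
        strict) pat=$STRICT_PATTERN ;;
        *)      echo "usage: referer_allowed weak|strict REFERER" >&2; return 2 ;;
    esac
    printf '%s' "$ref" | grep -Eq -- "$pat"
}

# gen_alias_token
# 16 random bytes as 32 hex characters, for the GENERATE-RANDOM-PASS-CODE-HERE
# part of the Alias line.
gen_alias_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Constructed sample Referer values, not captured traffic.
for ref in \
    'https://server1.yourdomain.com:8083/list/db/' \
    'https://yourdomain.com.evil.example/' \
    'https://evil.example/?next=yourdomain.com' \
    'https://yourdomainXcom/' \
    ''
do
    for mode in weak strict; do
        if referer_allowed "$mode" "$ref"; then verdict=allowed; else verdict=403; fi
        printf '%-6s %-48s %s\n' "$mode" "'$ref'" "$verdict"
    done
done

printf 'Alias /phpmyadmins-%s /usr/share/phpMyAdmin\n' "$(gen_alias_token)"
```

Run it with sh. Two caveats worth keeping in mind: the Referer header is set by the client, so anyone who already knows the URL can send a matching one (curl -H 'Referer: https://server1.yourdomain.com:8083/'), which makes this rule a speed bump on top of the SSL-only alias and the extra login rather than a replacement for them; and if Apache answers 500 instead of 403 after you add the .htaccess, the rewrite directives are not permitted in that directory (mod_rewrite not loaded, or AllowOverride not set as in the Directory block above), not a problem with the pattern itself.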

imperio
VestaCP Team
Posts: 5371
Joined: Sat Dec 01, 2012 12:37 pm

Re: [GUIDE] Secure PhpMyAdmin

Postby imperio » Tue Jun 24, 2014 3:53 pm

Hi, erldcrtz
Thank you. I hope it helps our users.

krok
Posts: 61
Joined: Wed Oct 01, 2014 10:58 am

Re: [GUIDE] Secure PhpMyAdmin

Postby krok » Thu Oct 16, 2014 7:46 pm

How can I set it up with Debian?

alex809
Posts: 6
Joined: Sun Feb 08, 2015 11:06 pm

Re: [GUIDE] Secure PhpMyAdmin

Postby alex809 » Mon Feb 09, 2015 11:32 am

This is a very good guide, which I plan to use. However, can someone explain this part:

3. update the phpmyadmin link from vesta control panel viewtopic.php?f=10&t=5264


I am a little confused about how to do this part, as he did not explain it or what to do with that topic.

I get that you're supposed to update the link to phpmyadmin in the theme using those instructions. However, this guide changes phpmyadmin to work from a subdomain and then links to a separate thread that just changes the alias, and he doesn't provide any further code to actually update it, which makes it kind of hard to finish the guide.

I am quite confused as to what to do exactly and what to change in the theme for the rest of the guide to actually work properly. If someone could explain this and provide some more information on how to update it to reflect the rest of this guide and load phpmyadmin correctly only from a referral from the VestaCP panel, I would be very grateful :)

Thanks

erldcrtz
Posts: 73
Joined: Tue Jun 10, 2014 6:16 am

Re: [GUIDE] Secure PhpMyAdmin

Postby erldcrtz » Tue Mar 03, 2015 4:53 pm

alex809 wrote:This is a very good guide, which I plan to use. However, can someone explain this part:

3. update the phpmyadmin link from vesta control panel viewtopic.php?f=10&t=5264


I am a little confused about how to do this part, as he did not explain it or what to do with that topic.

I get that you're supposed to update the link to phpmyadmin in the theme using those instructions. However, this guide changes phpmyadmin to work from a subdomain and then links to a separate thread that just changes the alias, and he doesn't provide any further code to actually update it, which makes it kind of hard to finish the guide.

I am quite confused as to what to do exactly and what to change in the theme for the rest of the guide to actually work properly. If someone could explain this and provide some more information on how to update it to reflect the rest of this guide and load phpmyadmin correctly only from a referral from the VestaCP panel, I would be very grateful :)

Thanks



Sorry for the late reply.

Read under "THEME/UI EDIT Link" viewtopic.php?f=10&t=5264

In other words, edit these files and update the phpmyadmin links to the new one you created:

/usr/local/vesta/web/templates/admin/list_db.html
if ($data[$key]['TYPE'] == 'mysql') $db_admin_link = "http://".$http_host."/phpmyadmin/";


/usr/local/vesta/web/templates/user/list_db.html
if ($data[$key]['TYPE'] == 'mysql') $db_admin_link = "http://".$http_host."/phpmyadmin/";
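Added example, not code from the original thread or from VestaCP: a small shell helper that makes the template edit described in the reply above, refusing to touch a file that does not contain the expected link expression and keeping a .bak copy. The target URL used here is the guide's placeholder and is an assumption; substitute the alias you actually configured.

```sh
#!/bin/sh
# Added example; not code from the original thread or from VestaCP.
# Rewrites the phpMyAdmin link expression in a Vesta list_db.html template.
# The new URL is the guide's placeholder and is an assumption.

# The exact expression Vesta's templates use, as quoted in the reply above.
OLD_LINK='"http://".$http_host."/phpmyadmin/"'

# patch_pma_link FILE NEW_URL
# Replaces the dynamic http link with a fixed URL. Keeps FILE.bak, refuses to
# touch a file that does not contain the expected expression, and avoids
# "sed -i" so it behaves the same with GNU and BSD sed.
patch_pma_link() {
    file=$1
    new_url=$2
    grep -Fq -- "$OLD_LINK" "$file" || {
        echo "patch_pma_link: expected link expression not found in $file" >&2
        return 1
    }
    # "." and "$" are special in a sed pattern, so escape them; "#" is used as
    # the s/// delimiter so the "/" characters in the URL need no escaping.
    old_re=$(printf '%s' "$OLD_LINK" | sed 's/[.$]/\\&/g')
    cp -- "$file" "$file.bak" &&
    sed "s#$old_re#\"$new_url\"#" "$file.bak" > "$file"
}

# Constructed sample file holding the line as it appears in the template.
demo=$(mktemp)
cat > "$demo" <<'EOF'
if ($data[$key]['TYPE'] == 'mysql') $db_admin_link = "http://".$http_host."/phpmyadmin/";
EOF

patch_pma_link "$demo" 'https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE/'
cat "$demo"
rm -f "$demo" "$demo.bak"

# On a real server (template paths from the reply above):
#   for f in /usr/local/vesta/web/templates/admin/list_db.html \
#            /usr/local/vesta/web/templates/user/list_db.html; do
#       patch_pma_link "$f" 'https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE/'
#   done
```

Because the replacement is a literal string match on the expression quoted above, the helper does nothing (and says so) on a template that has already been edited or that a Vesta update has changed, which is safer than a blind sed over the whole file. Re-check the two templates after upgrading Vesta, since an update can restore the original link.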

drsdre
Posts: 9
Joined: Fri May 08, 2015 8:49 am

Re: [GUIDE] Secure PhpMyAdmin

Postby drsdre » Fri May 08, 2015 8:57 am

Unfortunately, adding the alias and directory in step 3 did not work for me. But alternatively (although a bit less secure) you can also add a symlink to phpmyadmin from the secure directory.

In /home/admin/web/<domain-name>/public_shtml (provided you selected public_shtml as the directory in the SSL setup of the domain) execute:


ln -s /usr/share/phpmyadmin/ phpmyadmin-YOUR-SECRET-CODE


Open phpMyAdmin with:


https://<domain-name>/phpmyadmin-YOUR-SECRET-CODE


Andre

pandabb
Posts: 192
Joined: Sat Aug 08, 2015 3:03 am

Re: [GUIDE] Secure PhpMyAdmin

Postby pandabb » Sat Aug 08, 2015 8:01 am

Hello, newbie here. Can you please help me with this one?

RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com


If my domain is pandabb.com, what do I put here? What's server1?

e.g. my hostname is cute.pandabb.com

skurudo
VestaCP Team
Posts: 7676
Joined: Fri Dec 26, 2014 2:23 pm
Location: Moscow

Re: [GUIDE] Secure PhpMyAdmin

Postby skurudo » Tue Aug 11, 2015 9:12 am

pandabb wrote:
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com

If my domain is pandabb.com, what do I put here? What's server1?


Something like this:
RewriteCond %{HTTP_REFERER} !^(www.)?pandabb.com

lemonadv
Posts: 6
Joined: Thu Feb 25, 2016 10:18 pm

Re: [GUIDE] Secure PhpMyAdmin

Postby lemonadv » Tue Mar 01, 2016 9:45 pm

Could someone help me with this:

Add name-server referral access only (you can only access phpmyadmin by clicking the link in the control panel); this also uses .htaccess
1. open /usr/share/phpMyAdmin (CentOS 6)
2. create a .htaccess file and paste the following code (replacing server1.yourdomain.com with your own domain info)

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com
RewriteRule .* - [F]


3. update the phpmyadmin link from vesta control panel viewtopic.php?f=10&t=5264

Now that you have that in place, you won't be able to access phpmyadmin directly in your web browser. You need to click the phpmyadmin link in the Vesta control panel.


I follow the steps, but when I try to access phpmyadmin from my VestaCP the message appears: Internal Server Error
My VestaCP is located at panel.mydomain.com, so I changed the .htaccess to:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(panel)?mydomain.com
RewriteRule .* - [F]

But I can't access phpmyadmin, neither from VestaCP nor from mydomain.com/phpmyadmin.

What I'm doing wrong?

tjebbeke
Collaborator
Posts: 735
Joined: Mon May 11, 2015 8:43 am

Re: [GUIDE] Secure PhpMyAdmin

Postby tjebbeke » Wed Mar 02, 2016 7:53 am

lemonadv wrote:Could you someone help me with this:

Add name-server referral access only (you can only access phpmyadmin by clicking the link in the control panel); this also uses .htaccess
1. open /usr/share/phpMyAdmin (CentOS 6)
2. create a .htaccess file and paste the following code (replacing server1.yourdomain.com with your own domain info)

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com
RewriteRule .* - [F]


3. update the phpmyadmin link from vesta control panel viewtopic.php?f=10&t=5264

Now that you have that in place, you won't be able to access phpmyadmin directly in your web browser. You need to click the phpmyadmin link in the Vesta control panel.


I follow the steps, but when I try to access phpmyadmin from my VestaCP the message appears: Internal Server Error
My VestaCP is located at panel.mydomain.com, so I changed the .htaccess to:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(panel)?mydomain.com
RewriteRule .* - [F]

But I can't access phpmyadmin, neither from VestaCP nor from mydomain.com/phpmyadmin.

What I'm doing wrong?


If I take a quick look at your htaccess, I see that you are missing a '.' after panel.
Example:


RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com

Your code:


RewriteCond %{HTTP_REFERER} !(panel)?mydomain.com

