Vesta Control Panel - Forum

[GUIDE] Secure PhpMyAdmin

Questions regarding the Web Server
Apache + Nginx, Nginx + PHP5-FPM
lemonadv
Posts: 6
Joined: Thu Feb 25, 2016 10:18 pm

Re: [GUIDE] Secure PhpMyAdmin
Post by lemonadv » Thu Mar 03, 2016 9:17 pm

I fixed this:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(panel.)?next2support.com
RewriteRule .* - [F]

But again, if I try to log in from the VestaCP link, the message appears again:

Internal Server Error

What am I doing wrong? I want to access phpMyAdmin only from the VestaCP link, not from http://next2support.com/phpmyadmin/, for example.

www.rinku31
Posts: 21
Joined: Thu Jun 04, 2015 9:22 am

Re: [GUIDE] Secure PhpMyAdmin
Post by www.rinku31 » Fri Mar 04, 2016 7:33 am

I think it is simpler (Ubuntu 14.04):

Check this file: /etc/phpmyadmin/config-db.php

It is:

Code:

<?php
##
## database access settings in php format
## automatically generated from /etc/dbconfig-common/phpmyadmin.conf
## by /usr/sbin/dbconfig-generate-include
## Thu, 01 Mar 2016 08:48:52 -0500
##
## by default this file is managed via ucf, so you shouldn't have to
## worry about manual changes being silently discarded.  *however*,
## you'll probably also want to edit the configuration file mentioned
## above too.
##
$dbuser='phpmyadmin';
$dbpass='some pass will here';
$basepath='';
$dbname='phpmyadmin';
$dbserver='';
$dbport='';
$dbtype='mysql';
What we have to do is log in to phpMyAdmin as root and create a database called phpmyadmin. Then add a new user phpmyadmin with the same password ("some pass will here") and add this user to the phpmyadmin database. Finally, we have to import the example/create_tables.sql tables.

Log out and log in again. Errors gone!

lemonadv
Posts: 6
Joined: Thu Feb 25, 2016 10:18 pm

Re: [GUIDE] Secure PhpMyAdmin
Post by lemonadv » Fri Mar 04, 2016 9:38 pm

I already did that! But this problem appears only when I put this in my .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(panel.)?next2support.com
RewriteRule .* - [F]

Otherwise everything works fine! But I want to connect to phpMyAdmin only from the VestaCP link.

pandabb
Posts: 192
Joined: Sat Aug 08, 2015 3:03 am

Re: [GUIDE] Secure PhpMyAdmin
Post by pandabb » Sat Dec 10, 2016 11:16 pm

Add nameserver referral access only (you can only access phpmyadmin by clicking it from the control panel) also uses htaccess

Does anyone know how to do this if using nginx + php-fpm?

I saw one but don't know where to put my URL in the code below. Can someone please add it, e.g. if my server name is https://pong.pandabb.com?

Code:

location ~/([a-zA-Z0-9\.\-]*)/* {
    set $match "$1::$http_referer";
    if ($match !~* ^(.+)::http[s]*://[www]*[.]*\1.*$ ) {
        return 403;
    }
}
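The .htaccess and nginx snippets in this thread all do one thing: compare the Referer header against the panel's host name. The same gate can be written inside phpMyAdmin itself, which makes it independent of whether Apache or nginx + php-fpm is in front, so it covers the case asked about above as well as the Apache case earlier in the thread. The block below is an added example (my own code, not from erldcrtz's guide, not pandabb's nginx snippet, and not part of phpMyAdmin); the hosts in PANEL_HOSTS are placeholders. It goes a little beyond the thread's regexes: the Referer is parsed with parse_url() and the host is compared whole, so only the listed hosts pass, not any longer name that merely contains them. Include the host phpMyAdmin itself is served from, because after login its own pages refer to each other.

```php
<?php
// Added example: a referer gate placed at the very top of phpMyAdmin's index.php.
// Not part of phpMyAdmin, the guide, or pandabb's nginx snippet.
// Assumptions: PANEL_HOSTS (placeholders) names the control panel host and the
// host phpMyAdmin itself is served from, since its own pages refer to each other
// after login.

const PANEL_HOSTS = ['panel.example.com', 'example.com'];

/**
 * True when the Referer names one of the allowed hosts. The host is compared
 * whole and case-insensitively rather than by substring, and only http/https
 * referers are accepted. A missing or unparsable Referer is rejected.
 */
function referer_allowed(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return false;                       // browsers may omit Referer: fail closed
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowedHosts as $allowed) {
        if ($host === strtolower($allowed)) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI !== 'cli') {
    // Web request: refuse anything that did not come from the panel.
    if (!referer_allowed($_SERVER['HTTP_REFERER'] ?? null, PANEL_HOSTS)) {
        http_response_code(403);
        exit('Forbidden');
    }
} else {
    // Command-line run: constructed referers with the expected verdict.
    $samples = [
        'https://panel.example.com/list/db/'       => true,
        'http://example.com/phpmyadmin/'           => true,
        'https://PANEL.example.com/'               => true,  // host compare is case-insensitive
        'https://panel.example.com.other.example/' => false, // longer name containing the panel name
        'ftp://panel.example.com/'                 => false, // wrong scheme
        'not a url'                                => false,
        ''                                         => false, // no Referer at all
    ];
    foreach ($samples as $referer => $expected) {
        $verdict = referer_allowed($referer, PANEL_HOSTS);
        printf("%-42s %s\n", $referer === '' ? '(no referer)' : $referer,
               $verdict === $expected ? 'ok' : 'MISMATCH');
    }
}
```

Run it from the command line (php gate.php) to see the constructed referers checked; included at the top of index.php it returns 403 instead. Referer is sent by the browser and can be suppressed by privacy settings or a referrer policy, in which case this gate also locks out the panel's own users, so treat it as a way to keep the login page off casual URLs, alongside TLS and strong per-database passwords, not as the only control.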

syedsaqib206
Posts: 1
Joined: Fri Apr 07, 2017 1:02 pm

Re: [GUIDE] Secure PhpMyAdmin
Post by syedsaqib206 » Fri Apr 07, 2017 1:41 pm

All these precautions are good, but I have applied an extra security layer which is best to stop brute-forcing.

Example:
Create a PHP function that gets the user's IP, e.g.:
// Take the address from request headers first, then from the TCP connection.
// HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are headers written by whoever sent the
// request (a proxy, or the client itself); REMOTE_ADDR is the address of the TCP peer.
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}

If you can't find the IP, return false because it is not a valid user.
If the IP is found, then use the geoplugin.net API to get the user's location via curl, e.g.:

$ch2 = curl_init();
curl_setopt($ch2, CURLOPT_URL, "http://www.geoplugin.net/json.gp?ip=".$ip);
curl_setopt($ch2, CURLOPT_HEADER, 0);
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, TRUE);
$ip_data_in = curl_exec($ch2); // string
curl_close($ch2);

This piece of code will return JSON data for the user's IP, e.g.:

{
"geoplugin_request":"104.196.xx.xxx",
"geoplugin_status":200,
"geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.",
"geoplugin_city":"Mountain View",
"geoplugin_region":"CA",
"geoplugin_areaCode":"650",
"geoplugin_dmaCode":"807",
"geoplugin_countryCode":"US",
"geoplugin_countryName":"United States",
"geoplugin_continentCode":"NA",
"geoplugin_latitude":"37.4192",
"geoplugin_longitude":"-122.0574",
"geoplugin_regionCode":"CA",
"geoplugin_regionName":"California",
"geoplugin_currencyCode":"USD",
"geoplugin_currencySymbol":"&#36;",
"geoplugin_currencySymbol_UTF8":"$",
"geoplugin_currencyConverter":1
}

Now you can decode the JSON string into a PHP array and get the IP location, e.g. city, region, country:

$ip_data = json_decode($ip_data_in, true);   // decode the JSON string into an array
if (isset($ip_data) && !empty($ip_data['geoplugin_countryName'])) {
    $user_ip = trim($ip_data['geoplugin_request']);
    $city    = trim($ip_data['geoplugin_city']);
    $region  = trim($ip_data['geoplugin_region']);
    $country = trim($ip_data['geoplugin_countryName']);

    return $userData = array('userIP' => $user_ip, 'userCity' => $city, 'userRegion' => $region, 'userCountry' => $country);
} else {
    return false;   // no usable location data for this address
}
So now the actual logic starts here. Normally a server owner uses a home or office internet connection, never changes ISP frequently, and also does not use proxy IPs to log in to the server, so the server administrator uses the same location all the time. In my case my ISP mostly uses three locations in my country and assigns them to my IP. My country never changes, but the city changes when I reboot my router.
So the point is, the above code will return the country and city as well. You can apply these checks to restrict unwanted login attempts, as follows:

Call this function at the very first line of phpMyAdmin's index.php, within the <?php tag:

$user_trace    = ip_visitor_country();
$allowed_cntry = array('United States');
$allowed_city  = array('New York', 'Los Angeles', 'Chicago');
if (!in_array($user_trace['userCity'], $allowed_city) || !in_array($user_trace['userCountry'], $allowed_cntry)) {
    echo "Access Denied";
    die();
}

Now phpMyAdmin will only be accessible from the United States, within the three locations 'New York', 'Los Angeles', 'Chicago'. Otherwise it will stop further execution of the code.
As you all know very well, brute-force scripts change the IP on every attempt.
So the above code will not give them a single chance to reach the user and password fields...

If you like this method, you can use it and get tension-free from brute forcing :)

Thanks
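In the code above the address is read from HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR before REMOTE_ADDR. Those two are request headers: they are written by whatever sent the request, so unless a reverse proxy you operate is the one adding them they say nothing reliable about where the connection came from, and a check built on them only restricts clients that send nothing in them. REMOTE_ADDR is the address of the TCP peer and is not chosen by the client. The block below is an added example (my own code, not syedsaqib206's and not phpMyAdmin's) that resolves the client address from REMOTE_ADDR, honours X-Forwarded-For only when the peer is a proxy listed in TRUSTED_PROXIES (a placeholder), and then applies the same country/city allow-list as the post. The geoplugin.net call is replaced by geo_lookup(), a stand-in that returns constructed responses so the script runs offline; in production that function would perform the HTTPS request, and as written the gate denies access whenever the lookup fails.

```php
<?php
// Added example, not code from the forum post or from phpMyAdmin.
// Assumptions: TRUSTED_PROXIES lists reverse proxies you operate (placeholder
// address); geo_lookup() stands in for the geoplugin.net call and returns the
// decoded response array, or null when the lookup fails.

const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * Resolve the client address. REMOTE_ADDR is the peer of the TCP connection.
 * X-Forwarded-For is honoured only when that peer is a trusted proxy, and then
 * only its last hop is used, which is the value appended by that proxy.
 */
function resolve_client_ip(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);            // hop appended by our own proxy
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
        return null;                        // malformed forwarded header: fail closed
    }
    return $remote;                         // direct client: any forwarded header is ignored
}

/**
 * The allow-list from the post. A failed lookup or a missing field denies
 * access (fail closed) instead of letting the request through.
 */
function location_allowed(?array $geo, array $allowedCountries, array $allowedCities): bool
{
    if ($geo === null || empty($geo['geoplugin_countryName']) || empty($geo['geoplugin_city'])) {
        return false;
    }
    return in_array(trim($geo['geoplugin_countryName']), $allowedCountries, true)
        && in_array(trim($geo['geoplugin_city']), $allowedCities, true);
}

/** Stand-in for the geoplugin.net request: constructed responses keyed by address. */
function geo_lookup(string $ip): ?array
{
    $constructed = [
        '198.51.100.7' => '{"geoplugin_request":"198.51.100.7","geoplugin_status":200,'
            . '"geoplugin_city":"Chicago","geoplugin_region":"IL","geoplugin_countryName":"United States"}',
        '203.0.113.9'  => '{"geoplugin_request":"203.0.113.9","geoplugin_status":200,'
            . '"geoplugin_city":"Mountain View","geoplugin_region":"CA","geoplugin_countryName":"United States"}',
    ];
    if (!isset($constructed[$ip])) {
        return null;                        // unknown address: simulates a failed lookup
    }
    $data = json_decode($constructed[$ip], true);
    return is_array($data) ? $data : null;
}

$allowedCountries = ['United States'];
$allowedCities    = ['New York', 'Los Angeles', 'Chicago'];

// Constructed requests: a direct client, a client behind the trusted proxy, a
// direct client that sends a forwarded header of its own, and a failed lookup.
$requests = [
    'direct, allowed city'             => ['REMOTE_ADDR' => '198.51.100.7'],
    'via trusted proxy, allowed city'  => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'direct, city not allowed'         => ['REMOTE_ADDR' => '203.0.113.9'],
    'direct, forwarded header ignored' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'lookup fails'                     => ['REMOTE_ADDR' => '192.0.2.1'],
];
foreach ($requests as $label => $server) {
    $ip = resolve_client_ip($server, TRUSTED_PROXIES);
    $ok = $ip !== null && location_allowed(geo_lookup($ip), $allowedCountries, $allowedCities);
    printf("%-34s client=%-14s %s\n", $label, $ip ?? 'none', $ok ? 'allowed' : 'denied');
}
```

The first two constructed requests are allowed and the other three are denied: the fourth shows that a forwarded header from a client that is not a trusted proxy changes nothing, and the fifth that an unanswered lookup denies rather than admits. The post's own check would have accepted the forwarded value in the fourth case, because it reads the header before REMOTE_ADDR.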

soldx
Posts: 7
Joined: Tue Apr 11, 2017 9:55 am

Re: [GUIDE] Secure PhpMyAdmin
Post by soldx » Mon May 15, 2017 8:28 pm

erldcrtz wrote: Add nameserver referral access only (you can only access phpmyadmin by clicking it from the control panel) also uses htaccess
1. open /usr/share/phpMyAdmin (centos 6)
2. create .htaccess file and paste the following code below (replacing the proper domain info server1.yourdomain.com)

Code:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com
RewriteRule .* - [F]
Hi, if anyone has problems with the referer thing getting a 403 error, just change http to https.

Cheers

BardiaKh
Posts: 1
Joined: Thu Aug 24, 2017 12:23 pm

Re: [GUIDE] Secure PhpMyAdmin
Post by BardiaKh » Thu Aug 24, 2017 12:27 pm

erldcrtz wrote: Alternative (most recommended)

Enable SSL on phpmyadmin and access only from name server
1. create a web domain using your name server (server1.myserver.com) with SSL support and nginx
2. edit /etc/httpd/conf.d/phpMyAdmin.conf (centos 6) and delete the following (see below) and save

Code:

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
   Order Deny,Allow
   Deny from All
   Allow from All
</Directory>

<Directory /usr/share/phpMyAdmin/scripts/>
   Order Deny,Allow
   Deny from All
   Allow from All
</Directory>
3. edit /home/admin/conf/web/shttpd.conf from step 1 (see above) and paste the following (see below) before the line </VirtualHost> and save

Code:

Alias /phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
</Directory>

<Directory /usr/share/phpMyAdmin/scripts/>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
</Directory>
4. restart the apache server
5. you may now access your phpmyadmin with SSL only from the domain name you made.

Code:

https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE

Hi,
After doing these steps I receive a 403 error when I go to the page

Code:

https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE

Can someone help me make this right?

Thanks,

andresgl
Posts: 5
Joined: Mon Nov 16, 2015 12:54 am

Re: [GUIDE] Secure PhpMyAdmin
Post by andresgl » Thu Nov 09, 2017 9:12 am

I think this post should be updated because none of those 'tutorials' work.

baijianpeng
Posts: 301
Joined: Tue Dec 22, 2015 2:06 pm

Re: [GUIDE] Secure PhpMyAdmin
Post by baijianpeng » Sat Dec 16, 2017 11:31 pm

erldcrtz wrote: Force SSL Connection on phpmyadmin
1. go to folder /usr/share/phpMyAdmin (centos 6)
2. create the file config.inc.php, put the following code in it and save

Code:

<?php $cfg['ForceSSL'] = true; ?>
I tried to apply this trick. I am running VestaCP v0.98-17 on Ubuntu 16.04.3. The directory path is:

/usr/share/phpmyadmin

Well, I created a new file named config.inc.php and put the above code into it.

Next, I tried to visit phpMyAdmin over HTTP; it was NOT switched to HTTPS automatically.

Why?

baijianpeng
Posts: 301
Joined: Tue Dec 22, 2015 2:06 pm

Re: [GUIDE] Secure PhpMyAdmin
Post by baijianpeng » Sat Dec 16, 2017 11:44 pm

OK, finally I found the solution:

Ubuntu uses a different configuration file for phpMyAdmin, so I had to modify this file:

/etc/phpmyadmin/config.inc.php

and insert the following code at the end of this file (just insert a new line):

Code:

$cfg['ForceSSL'] = true;

Then restart the MySQL service by:

Code:

# systemctl restart mysql

Now if you visit phpMyAdmin via HTTP, it will be redirected to HTTPS automatically. :-)