[GUIDE] Secure PhpMyAdmin

Posted: Tue Jun 10, 2014 9:42 am
by erldcrtz
I have compiled some tips to add an extra layer of protection to your phpmyadmin. Vesta Control Panel is really good, but it seems like it's lacking in the security department, so I want to help as much as possible.

Add htaccess login (extra login)
more info: https://degreesofzero.com/article/how-t ... admin.html

Change the default /phpmyadmin alias to something like /phpmyadmin-vcn0vgu02j0239f
more info: viewtopic.php?f=10&t=5264 (thanks john)
check your config locations here: http://vestacp.com/docs/#config-log-loc ... hel-centos

Alternative (most recommended)

Enable SSL on phpmyadmin and access only from name server
1. create web domain using your name server (server1.myserver.com) with SSL support and nginx
2. edit /etc/httpd/conf.d/phpMyAdmin.conf (centos 6) and delete the following (see below) and save

Code:

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
   Order Deny,Allow
   Deny from All
   Allow from All
</Directory>

<Directory /usr/share/phpMyAdmin/scripts/>
   Order Deny,Allow
   Deny from All
   Allow from All
</Directory>
3. edit /home/admin/conf/web/shttpd.conf from step 1 (see above), paste the following (see below) before the line </VirtualHost> and save

Code:

Alias /phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
</Directory>

<Directory /usr/share/phpMyAdmin/scripts/>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
</Directory>
4. restart apache server
5. you may now access your phpmyadmin with SSL from only the domain name you made.

Code:

https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE
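Steps 2 to 5 above amount to "pick a path nobody can guess, bind it to the phpMyAdmin directory under SSL only, and splice that into the SSL vhost". The script below is an added example, not code from this thread or from VestaCP: it draws the random part of the alias from the OS CSPRNG, renders the step-3 stanza with that token in place of GENERATE-RANDOM-PASS-CODE-HERE, and inserts it in front of `</VirtualHost>` in the vhost file. The paths and the `/phpmyadmins-` prefix are the ones the thread uses (CentOS 6 layout); the function names and the refuse-to-run-twice check are my own.

```python
import re
import secrets
import sys

# Paths and prefix as given in the thread (CentOS 6 layout); adjust for other distros.
PMA_DIR = "/usr/share/phpMyAdmin"
ALIAS_PREFIX = "/phpmyadmins-"
VHOST_CONF = "/home/admin/conf/web/shttpd.conf"   # the SSL vhost file from step 3


def make_alias_token(nbytes: int = 16) -> str:
    """Random hex token from the OS CSPRNG. 16 bytes = 128 bits, so the alias
    cannot be found by enumerating paths through the web server."""
    return secrets.token_hex(nbytes)


def render_phpmyadmin_stanza(token: str) -> str:
    """The step-3 Alias/Directory block with the token in place of
    GENERATE-RANDOM-PASS-CODE-HERE. Directive lines are copied from the thread."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token must be URL-safe (letters, digits, '-' or '_')")
    directory_block = (
        "        AllowOverride All\n"
        "        SSLRequireSSL\n"
        "        Options +Includes -Indexes +ExecCGI\n"
    )
    return (
        f"Alias {ALIAS_PREFIX}{token} {PMA_DIR}\n\n"
        f"<Directory {PMA_DIR}/>\n{directory_block}</Directory>\n\n"
        f"<Directory {PMA_DIR}/scripts/>\n{directory_block}</Directory>\n"
    )


def insert_before_vhost_close(conf_text: str, stanza: str) -> str:
    """Splice `stanza` in front of the last </VirtualHost>, as step 3 says.
    Refuses to run twice on the same file (an Alias for PMA_DIR already present)
    and refuses a file with no </VirtualHost>, so a wrong path is caught early."""
    if re.search(rf"^\s*Alias\s+\S+\s+{re.escape(PMA_DIR)}\s*$", conf_text, re.M):
        raise ValueError("vhost already contains an Alias for phpMyAdmin")
    idx = conf_text.rfind("</VirtualHost>")
    if idx == -1:
        raise ValueError("no </VirtualHost> found; is this the right vhost file?")
    return conf_text[:idx] + stanza + conf_text[idx:]


def secure_url(server_name: str, token: str) -> str:
    """The URL from step 5 for this token."""
    return f"https://{server_name}{ALIAS_PREFIX}{token}/"


if __name__ == "__main__":
    # Usage: python3 pma_alias.py [vhost.conf]   (no argument: only print the stanza)
    token = make_alias_token()
    stanza = render_phpmyadmin_stanza(token)
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path) as fh:
            patched = insert_before_vhost_close(fh.read(), stanza)
        with open(path, "w") as fh:
            fh.write(patched)
        print(f"patched {path}; restart httpd, then open {secure_url('server1.myserver.com', token)}")
    else:
        print(stanza)
        print("# URL:", secure_url("server1.myserver.com", token))
```

Run it without arguments first to see the stanza, then with the vhost path to apply it; the token is printed only once, so record the URL. The `+Includes +ExecCGI` options are kept because the thread has them, but phpMyAdmin needs neither, and leaving them off keeps the directory's surface smaller.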

Force SSL Connection on phpmyadmin
1. go to folder /usr/share/phpMyAdmin (centos 6)
2. create the file config.inc.php, put the following code in it and save

Code:

<?php $cfg['ForceSSL'] = true; ?>

Add nameserver referral access only (you can only access phpmyadmin by clicking it from the control panel) also uses htaccess
1. open /usr/share/phpMyAdmin (centos 6)
2. create .htaccess file and paste the following code below (replacing the proper domain info server1.yourdomain.com)

Code:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com
RewriteRule .* - [F]
3. update the phpmyadmin link from vesta control panel viewtopic.php?f=10&t=5264

now that you have that in place, you won't be able to access phpmyadmin directly in your web browser. you need to click the phpmyadmin link from vesta control panel

Re: [GUIDE] Secure PhpMyAdmin

Posted: Tue Jun 24, 2014 3:53 pm
by imperio
Hi, erldcrtz
Thank you. I hope it helps our users

Re: [GUIDE] Secure PhpMyAdmin

Posted: Thu Oct 16, 2014 7:46 pm
by krok
How can I set it up with Debian?

Re: [GUIDE] Secure PhpMyAdmin

Posted: Mon Feb 09, 2015 11:32 am
by alex809
This is a very good guide,
which I plan to use if, however, someone can explain this part:
3. update the phpmyadmin link from vesta control panel viewtopic.php?f=10&t=5264
I am a little confused as to how to do this part, as he did not explain that part and what to do with that topic.

I get that you're supposed to update the link to phpmyadmin in the theme using those instructions; however, the thing is this guide changes phpmyadmin to work from a subdomain and then he links it to a separate thread that just changes the alias, and he doesn't provide any further code to actually update the code, and therefore makes it kind of hard to finish the guide.

I am quite confused as to what to do exactly and what to change in the theme for the rest of the guide to actually work properly. If someone could explain this and provide some more information on how to update it to reflect the rest of this guide and load phpmyadmin correctly only from referral of the VestaCP panel, then I would be very grateful :)

Thanks

Re: [GUIDE] Secure PhpMyAdmin

Posted: Tue Mar 03, 2015 4:53 pm
by erldcrtz
alex809 wrote:This is a very good guide,
which I plan to use if, however, someone can explain this part:
3. update the phpmyadmin link from vesta control panel viewtopic.php?f=10&t=5264
I am a little confused as to how to do this part, as he did not explain that part and what to do with that topic.

I get that you're supposed to update the link to phpmyadmin in the theme using those instructions; however, the thing is this guide changes phpmyadmin to work from a subdomain and then he links it to a separate thread that just changes the alias, and he doesn't provide any further code to actually update the code, and therefore makes it kind of hard to finish the guide.

I am quite confused as to what to do exactly and what to change in the theme for the rest of the guide to actually work properly. If someone could explain this and provide some more information on how to update it to reflect the rest of this guide and load phpmyadmin correctly only from referral of the VestaCP panel, then I would be very grateful :)

Thanks

sorry for the late reply

read under "THEME/UI EDIT Link" viewtopic.php?f=10&t=5264

in other words edit these files and update the links of phpmyadmin to the new one you created

/usr/local/vesta/web/templates/admin/list_db.html
if ($data[$key]['TYPE'] == 'mysql') $db_admin_link = "http://".$http_host."/phpmyadmin/";


/usr/local/vesta/web/templates/user/list_db.html
if ($data[$key]['TYPE'] == 'mysql') $db_admin_link = "http://".$http_host."/phpmyadmin/";

Re: [GUIDE] Secure PhpMyAdmin

Posted: Fri May 08, 2015 8:57 am
by drsdre
Unfortunately, adding the alias and directory in step 3 did not work for me. But alternatively (although a bit less secure) you can also add a symlink to phpmyadmin from the secure directory.

In /home/admin/web/<domain-name>/public_shtml (provided you selected public_shtml as the directory in SSL setup of domain) execute:

Code:

ln -s /usr/share/phpmyadmin/ phpmyadmin-YOUR-SECRET-CODE

Open phpMyAdmin with:

Code:

https://<domain-name>/phpmyadmin-YOUR-SECRET-CODE

Andre

Re: [GUIDE] Secure PhpMyAdmin

Posted: Sat Aug 08, 2015 8:01 am
by pandabb
Hello, newbie here, can you please help me with this one?
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com

If my domain is pandabb.com, how do I put it here? What's server1?

ex. my hostname is cute.pandabb.com

Re: [GUIDE] Secure PhpMyAdmin

Posted: Tue Aug 11, 2015 9:12 am
by skurudo
pandabb wrote:
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com
If my domain is pandabb.com how do i put here ? whats server1?
Something like this:
RewriteCond %{HTTP_REFERER} !^(www.)?pandabb.com

Re: [GUIDE] Secure PhpMyAdmin

Posted: Tue Mar 01, 2016 9:45 pm
by lemonadv
Could someone help me with this:
Add nameserver referral access only (you can only access phpmyadmin by clicking it from the control panel) also uses htaccess
1. open /usr/share/phpMyAdmin (centos 6)
2. create .htaccess file and paste the following code below (replacing the proper domain info server1.yourdomain.com)

Code:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com
RewriteRule .* - [F]

3. update the phpmyadmin link from vesta control panel viewtopic.php?f=10&t=5264

now that you have that in place, you won't be able to access phpmyadmin directly in your web browser. you need to click the phpmyadmin link from vesta control panel
I did the steps, but when I try to access phpmyadmin from my VestaCP the message appears: Internal Server Error
My VestaCP is located at panel.mydomain.com, so I changed the .htaccess to:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(panel)?mydomain.com
RewriteRule .* - [F]

But I can't access phpmyadmin, neither from VestaCP nor from mydomain.com/phpmyadmin

What am I doing wrong?

Re: [GUIDE] Secure PhpMyAdmin

Posted: Wed Mar 02, 2016 7:53 am
by tjebbeke
lemonadv wrote:Could someone help me with this:
Add nameserver referral access only (you can only access phpmyadmin by clicking it from the control panel) also uses htaccess
1. open /usr/share/phpMyAdmin (centos 6)
2. create .htaccess file and paste the following code below (replacing the proper domain info server1.yourdomain.com)

Code:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com
RewriteRule .* - [F]

3. update the phpmyadmin link from vesta control panel viewtopic.php?f=10&t=5264

now that you have that in place, you won't be able to access phpmyadmin directly in your web browser. you need to click the phpmyadmin link from vesta control panel
I did the steps, but when I try to access phpmyadmin from my VestaCP the message appears: Internal Server Error
My VestaCP is located at panel.mydomain.com, so I changed the .htaccess to:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(panel)?mydomain.com
RewriteRule .* - [F]

But I can't access phpmyadmin, neither from VestaCP nor from mydomain.com/phpmyadmin

What am I doing wrong?
If I take a quick look at your htaccess, I see that you are missing a '.' after panel.
Example:

Code:

RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com
Your code:

Code:

RewriteCond %{HTTP_REFERER} !(panel)?mydomain.com
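
The referer rule from the guide, and the patterns lemonadv and tjebbeke exchange above, can be checked offline before touching the server. The script below is an added example, not code from this thread: it models how mod_rewrite evaluates `RewriteCond %{HTTP_REFERER} <CondPattern>` followed by `RewriteRule .* - [F]` (a PCRE pattern matched with search semantics, so it is unanchored unless written with `^`, a leading `!` negating it, and an empty string when the browser sends no Referer) and runs lemonadv's pattern, tjebbeke's corrected form and two variants added here against constructed Referer values. The function names, the sample referers and the port number in them are my own.

```python
import re
from typing import Dict, Optional

# Added example: simulate the .htaccess referer gate from the guide
#   RewriteEngine On
#   RewriteCond %{HTTP_REFERER} <CondPattern>
#   RewriteRule .* - [F]
# for several CondPatterns against constructed Referer header values.


def rewrite_cond_matches(cond_pattern: str, test_string: str) -> bool:
    """Evaluate a RewriteCond CondPattern of the regex form, optionally prefixed
    with '!' for negation. mod_rewrite uses PCRE with search semantics: the
    pattern may match anywhere in the string unless anchored with ^ or $.
    re.search behaves the same for the patterns used here."""
    negate = cond_pattern.startswith("!")
    regex = cond_pattern[1:] if negate else cond_pattern
    matched = re.search(regex, test_string) is not None
    return (not matched) if negate else matched


def referer_gate(cond_pattern: str, referer: Optional[str]) -> int:
    """HTTP status the rule set yields for one request. With no Referer header,
    %{HTTP_REFERER} expands to "", the negated condition holds, the RewriteRule
    fires with [F] and Apache answers 403. Otherwise the request proceeds (200)."""
    return 403 if rewrite_cond_matches(cond_pattern, referer or "") else 200


# CondPatterns: the two posted in the thread, plus two added here for comparison.
PATTERNS = {
    "lemonadv (no dot)":       r"!(panel)?mydomain.com",
    "tjebbeke (dot restored)": r"!(panel.)?mydomain.com",
    "^ without scheme":        r"!^(panel.)?mydomain.com",
    "anchored + escaped":      r"!^https://panel\.mydomain\.com(:\d+)?/",
}

# Constructed Referer values, not captured traffic. The control-panel one carries
# a port, as a panel served on a non-default port would send.
REFERERS = {
    "direct (no Referer)": None,
    "control panel":       "https://panel.mydomain.com:8083/list/db/",
    "bare domain":         "https://mydomain.com/",
    "lookalike host":      "https://mydomain.com.example.net/",
}


def run_matrix() -> Dict[str, Dict[str, int]]:
    """Status code for every pattern/referer pair."""
    return {name: {label: referer_gate(pat, ref) for label, ref in REFERERS.items()}
            for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for name, row in run_matrix().items():
        print(f"{name:24s} " + "  ".join(f"{label}={code}" for label, code in row.items()))
```

What the matrix shows: the two posted patterns behave the same on every input, because in an unanchored search `(panel)?` and `(panel.)?` can both match nothing and the rule then only asks whether `mydomain.com` appears anywhere in the Referer; that is also why both accept the lookalike host. A pattern that starts with `^` but not with the scheme never matches a URL and locks everyone out, panel included; anchoring has to spell out `https://`, escape the dots and allow for a port. In all variants the empty Referer of a direct browser visit yields 403, which is the effect the guide is after. Two practical points for anyone applying it: a 500 instead of a 403, as in lemonadv's report, means Apache read the .htaccess and rejected a directive in it (the error_log will name it, typically mod_rewrite not being loaded), not that the pattern is wrong; and the Referer header is set by the client, so this rule is a convenience barrier on top of SSL, the random alias and htaccess authentication, not a substitute for them.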