[GUIDE] Secure PhpMyAdmin
Re: [GUIDE] Secure PhpMyAdmin
I tried the following to allow only direct link from vesta control panel:
Code: Select all
RewriteEngine On
RewriteCond %{HTTP_REFERER} !(www.)?mydomain.com
RewriteRule .* - [F]
But I get a 500 error page. I did some research to understand the conditions here but can't get my head around them.
I did change the default /phpmyadmin to something secure to no avail.
I'm using ubuntu 16.04 and created the .htaccess in /usr/share/phpmyadmin/
Re: [GUIDE] Secure PhpMyAdmin
for brute force protection
try this instead :
https://www.mysterydata.com/secure-phpm ... cp-centos/
Re: [GUIDE] Secure PhpMyAdmin
Hello, can anyone tell me if I can apply this in nginx + php-fpm?
Thank you.
Re: [GUIDE] Secure PhpMyAdmin
restart apache2:
Code: Select all
apachectl restart
MySQL root password can be found in:
Code: Select all
/root/.my.cnf
/usr/local/vesta/conf/mysql.conf
Re: [GUIDE] Secure PhpMyAdmin
Hello!
I made .htaccess in folder /usr/share/phpMyAdmin
Code: Select all
RewriteEngine On
RewriteCond %{HTTP_REFERER} !()?site.ru
RewriteRule .* - [F]
From Vesta I can go to site.ru/phpmyadmin/ - it's ok,
but when I try to log in to the base, I have:
Forbidden
You don't have permission to access /phpmyadmin/index.php on this server.
I think it is because HTTP_REFERER isn't transmitted to the index.php script.
Does anybody know how to fix it?
Re: [GUIDE] Secure PhpMyAdmin
CentOS - Downgraded php7.4.5 to 7.3
End up with 403 Forbidden Error.
you saved my day!
erldcrtz wrote: ↑ Tue Jun 10, 2014 9:42 am
I have compiled some tips to add extra layer of protection to your phpmyadmin. Vesta Control Panel is really good but it seems like it's lacking in the security department so I want to help as much as possible.
Add htaccess login (extra login)
more info: https://degreesofzero.com/article/how-t ... admin.html
Change the default /phpmyadmin alias to something like /phpmyadmin-vcn0vgu02j0239f
more info: viewtopic.php?f=10&t=5264 (thanks john)
check your config locations here: http://vestacp.com/docs/#config-log-loc ... hel-centos
Alternative (most recommended)
Enable SSL on phpmyadmin and access only from name server
1. create web domain using your name server (server1.myserver.com) with SSL support and nginx
2. edit /etc/httpd/conf.d/phpMyAdmin.conf (centos 6) and delete the following (see below) and save
Code: Select all
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
    Order Deny,Allow
    Deny from All
    Allow from All
</Directory>
<Directory /usr/share/phpMyAdmin/scripts/>
    Order Deny,Allow
    Deny from All
    Allow from All
</Directory>
3. edit /home/admin/conf/web/shttpd.conf from step 1 (see above) and paste the following (see below) before this line </VirtualHost> and save
Code: Select all
Alias /phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
    AllowOverride All
    SSLRequireSSL
    Options +Includes -Indexes +ExecCGI
</Directory>
<Directory /usr/share/phpMyAdmin/scripts/>
    AllowOverride All
    SSLRequireSSL
    Options +Includes -Indexes +ExecCGI
</Directory>
4. restart apache server
5. you may now access your phpmyadmin with SSL from only the domain name you made.
Code: Select all
https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE
Force SSL Connection on phpmyadmin
1. go to folder /usr/share/phpMyAdmin (centos 6)
2. create file config.inc.php and put the following code below and save
Code: Select all
<?php $cfg['ForceSSL'] = true; ?>
Add nameserver referral access only (you can only access phpmyadmin by clicking it from the control panel) also uses htaccess
1. open /usr/share/phpMyAdmin (centos 6)
2. create .htaccess file and paste the following code below (replacing the proper domain info server1.yourdomain.com)
Code: Select all
RewriteEngine On
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com
RewriteRule .* - [F]
3. update the phpmyadmin link from vesta control panel viewtopic.php?f=10&t=5264
Now that you have that in place, you won't be able to access phpmyadmin directly in your web browser. You need to click the phpmyadmin link from vesta control panel.
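The measures from the quoted guide (non-default alias, SSL only, extra login) combined into one server-side fragment, as an added example that is not part of any post in this thread. It assumes Apache 2.4 with mod_ssl and mod_auth_basic; the alias suffix, the password file path and the client address are placeholders.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_ssl and
# mod_auth_basic, placed inside the SSL <VirtualHost> for server1.myserver.com.
# Placeholders: the alias suffix, the password file path, the client address.

# Non-default alias; the stock /phpmyadmin and /phpMyAdmin aliases are removed.
Alias /phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
    # The rules live in the vhost, so no .htaccess is read from this tree.
    AllowOverride None
    Options -Indexes

    # Refuse plain-HTTP requests (the same directive the guide uses).
    SSLRequireSSL

    # Extra login in front of phpMyAdmin's own login form.
    # Create the file with: htpasswd -c /etc/httpd/.htpasswd-pma <user>
    AuthType Basic
    AuthName "phpMyAdmin"
    AuthUserFile /etc/httpd/.htpasswd-pma

    # Both conditions must hold. The address rule stands in for the Referer
    # check: Referer is a header the client sends, the source address is not.
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.10
    </RequireAll>
</Directory>
```

Running `apachectl configtest` before the restart reports syntax errors and missing modules before they can take the site down.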
Re: [GUIDE] Secure PhpMyAdmin
Thank you for this manual.
I would also suggest to add some Javascript challenge to the phpmyadmin login page.
Bots and bruteforce attackers know how to use SSL and sometimes could guess the modified path / alias.