[GUIDE] Secure PhpMyAdmin
Re: [GUIDE] Secure PhpMyAdmin
I fixed this:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !(panel.)?next2support.com
RewriteRule .* - [F]
But again, if I try to login from the VestaCP link, the message appears again:
Internal Server Error
What am I doing wrong? I want to access phpMyAdmin only from the VestaCP link, not from http://next2support.com/phpmyadmin/ for example.
Re: [GUIDE] Secure PhpMyAdmin
I think it is more simple: (ubuntu 14.04)
Check this file >> /etc/phpmyadmin/config-db.php
It is:
Code:
<?php
##
## database access settings in php format
## automatically generated from /etc/dbconfig-common/phpmyadmin.conf
## by /usr/sbin/dbconfig-generate-include
## Thu, 01 Mar 2016 08:48:52 -0500
##
## by default this file is managed via ucf, so you shouldn't have to
## worry about manual changes being silently discarded. *however*,
## you'll probably also want to edit the configuration file mentioned
## above too.
##
$dbuser='phpmyadmin';
$dbpass='some pass will here';
$basepath='';
$dbname='phpmyadmin';
$dbserver='';
$dbport='';
$dbtype='mysql';
What we have to do is: login inside phpmyadmin using root and create a database phpmyadmin. Then add a new user phpmyadmin with the same password ("some pass will here") and add this user to the phpmyadmin database. Finally we have to import the example/create_tables.sql tables.
Logout and login again. Errors gone!
Re: [GUIDE] Secure PhpMyAdmin
I already did that! But this problem appears only when I put this in my .htaccess file:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !(panel.)?next2support.com
RewriteRule .* - [F]
If not, everything works fine! But I want to connect to phpMyAdmin only from the VestaCP link.
Re: [GUIDE] Secure PhpMyAdmin
Add nameserver referral access only (you can only access phpmyadmin by clicking it from the control panel) also uses htaccess
Does anyone know how to do this if using nginx-phpfpm?
I saw one but don't know where to put my URL in the code below. Can someone please add it, e.g. if my server name is https://pong.pandabb.com
Code:
location ~/([a-zA-Z0-9\.\-]*)/* {
set $match "$1::$http_referer";
if ($match !~* ^(.+)::http[s]*://[www]*[.]*\1.*$ ) {
return 403;
}
}
Re: [GUIDE] Secure PhpMyAdmin
All these precautions are good, but I have applied an extra security layer which is the best way to stop brute-forcing.
Example:
Create a PHP function that gets the user's IP, e.g.:
function ip_visitor_country() {
    // Resolve the visitor's IP: proxy headers first, then the socket peer
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    if (empty($ip)) {
        return false; // no usable IP: not a valid user
    }
If you can't find the IP, return false because it is not a valid user.
If the IP is found, then use the geoplugin.net API to get the user's location via curl, e.g.:
    // Look the IP up with geoplugin.net and keep the raw JSON response
    $ch2 = curl_init();
    curl_setopt($ch2, CURLOPT_URL, "http://www.geoplugin.net/json.gp?ip=" . $ip);
    curl_setopt($ch2, CURLOPT_HEADER, 0);
    curl_setopt($ch2, CURLOPT_RETURNTRANSFER, TRUE);
    $ip_data_in = curl_exec($ch2); // string (or false on failure)
    curl_close($ch2);
This piece of code will return JSON data for the user's IP, e.g.:
{
"geoplugin_request":"104.196.xx.xxx",
"geoplugin_status":200,
"geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.",
"geoplugin_city":"Mountain View",
"geoplugin_region":"CA",
"geoplugin_areaCode":"650",
"geoplugin_dmaCode":"807",
"geoplugin_countryCode":"US",
"geoplugin_countryName":"United States",
"geoplugin_continentCode":"NA",
"geoplugin_latitude":"37.4192",
"geoplugin_longitude":"-122.0574",
"geoplugin_regionCode":"CA",
"geoplugin_regionName":"California",
"geoplugin_currencyCode":"USD",
"geoplugin_currencySymbol":"$",
"geoplugin_currencySymbol_UTF8":"$",
"geoplugin_currencyConverter":1
}
Now you can decode the JSON string into a PHP array and get the IP location, e.g. city, region, country:
    // Decode into an associative array; a failed lookup decodes to null
    $ip_data = json_decode($ip_data_in, true);
    if (is_array($ip_data) && !empty($ip_data['geoplugin_countryName'])) {
        $user_ip = trim($ip_data['geoplugin_request']);
        $city    = trim($ip_data['geoplugin_city']);
        $region  = trim($ip_data['geoplugin_region']);
        $country = trim($ip_data['geoplugin_countryName']);
        return array('userIP' => $user_ip, 'userCity' => $city, 'userRegion' => $region, 'userCountry' => $country);
    } else {
        return false;
    }
} // end of ip_visitor_country()
So now the actual logic starts here. Normally a server owner uses their home or office internet connection, never changes their ISP frequently and also does not use proxy IPs to login to their server, so all the time the server administrator uses the same location. In my case my ISP mostly uses three locations of my country and assigns them to my IP.... my country never changes but cities change when I reboot my router.
So the point is the above code will return country and city as well... you can apply these checks to restrict unwanted login attempts as follows:
Call this function at the very first line of index.php of phpMyAdmin within the <?php tag:
$user_trace    = ip_visitor_country();
$allowed_cntry = array('United States');
$allowed_city  = array('New York', 'Los Angeles', 'Chicago');
// A false return (no IP or failed lookup) has no keys, so it is denied as well
if (!in_array($user_trace['userCity'], $allowed_city) || !in_array($user_trace['userCountry'], $allowed_cntry)) {
    echo "Access Denied";
    die();
}
Now phpMyAdmin will only be accessible from the United States within the three locations 'New York', 'Los Angeles', 'Chicago'; otherwise it will stop further execution of the code.
As you all know very well, brute-force scripts change the IP on every attempt.
So the above code will not give them a single chance to reach the user and password fields...
If you like this method... you can use it and be tension-free from brute forcing :)
Thanks
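The post above reads the visitor's address from HTTP_CLIENT_IP and X-Forwarded-For before REMOTE_ADDR; those two are request headers any client can set, so the geolocation check is only as strong as the address it is fed, and a failed lookup should deny rather than allow. The following is an added example, not code from the post or from phpMyAdmin, showing the same idea with a trustworthy address source and a fail-closed allowlist; the proxy address 10.0.0.5 and all request values are constructed for the demo.

```php
<?php
// Added example, not code from the forum post: derive the client IP without
// trusting client-supplied headers, then apply a country allowlist that fails
// closed when the geolocation lookup is missing or unsuccessful.
declare(strict_types=1);

// Honour X-Forwarded-For only when the TCP peer is one of our own proxies.
// Assumption: 10.0.0.5 is a constructed reverse-proxy address for this demo.
const TRUSTED_PROXIES = ['10.0.0.5'];

function client_ip(array $server): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer; // direct connection: the TCP peer is the client
    }
    // Behind a trusted proxy the proxy appends the address it saw as the last
    // entry of X-Forwarded-For; the leading entries are whatever the client sent.
    $parts = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $candidate = end($parts);
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : null;
}

// $geo is the decoded geoplugin response array, or null if the lookup failed.
function geo_allowed(?array $geo, array $allowedCountries): bool
{
    if ($geo === null || ($geo['geoplugin_status'] ?? 0) !== 200) {
        return false; // unknown location denies rather than allows
    }
    return in_array($geo['geoplugin_countryName'] ?? '', $allowedCountries, true);
}

// Constructed requests: one with a forged HTTP_CLIENT_IP, one via the proxy.
$forged  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_CLIENT_IP' => '198.51.100.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9'];

// Self-checks: the forged header is ignored, only the proxy-appended
// X-Forwarded-For entry is used, and a failed lookup never grants access.
assert(client_ip($forged) === '203.0.113.9');
assert(client_ip($proxied) === '203.0.113.9');
$lookup = ['geoplugin_status' => 200, 'geoplugin_countryName' => 'United States'];
assert(geo_allowed($lookup, ['United States']) === true);
assert(geo_allowed(null, ['United States']) === false);
```

Run it with `php -d zend.assertions=1 file.php` so the self-checks are evaluated; a silent exit means every assertion held.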
Re: [GUIDE] Secure PhpMyAdmin
erldcrtz wrote: Add nameserver referral access only (you can only access phpmyadmin by clicking it from the control panel) also uses htaccess
1. open /usr/share/phpMyAdmin (centos 6)
2. create .htaccess file and paste the following code below (replacing the proper domain info server1.yourdomain.com)
Code:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com
RewriteRule .* - [F]
Hi, if anyone has problems with the referer thing getting a 403 ERR, just change http for https.
Cheers
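Two things worth checking about the RewriteCond quoted above and in the earlier replies, as an added example that is not code from the thread or from VestaCP: the condition forbids any request whose Referer fails the pattern, so a direct visit (which carries no Referer) gets the 403 the guide intends, and because the pattern is unanchored with unescaped dots it also accepts any Referer that merely contains the string. The Referer header is supplied by the client, so this rule is a fence around the panel link rather than authentication; the panel path and the look-alike host name below are constructed.

```php
<?php
// Added example, not from the forum thread: evaluate the guide's .htaccess
// Referer condition with PCRE, the regex engine mod_rewrite uses, so the
// match results below are the ones Apache would produce for the same inputs.
declare(strict_types=1);

// Pattern as posted: unanchored and with unescaped dots, so it matches
// anywhere in the Referer value (the domain is the one used in the guide).
const PATTERN_POSTED = '/(server1.)?yourdomain.com/';
// Tightened pattern: anchored to scheme and host, dots escaped. Uses # as the
// PCRE delimiter because the pattern itself contains slashes.
const PATTERN_STRICT = '#^https?://(server1\.)?yourdomain\.com(/|$)#';

// Mirrors "RewriteCond %{HTTP_REFERER} !<pattern>" followed by
// "RewriteRule .* - [F]": the request is forbidden when the Referer
// does NOT match. A missing Referer header is the empty string.
function referer_forbidden(string $referer, string $pattern): bool
{
    return preg_match($pattern, $referer) !== 1;
}

// Constructed Referer values: the panel link, a direct visit (no Referer),
// and a look-alike host name that merely contains the expected string.
$fromPanel = 'https://server1.yourdomain.com/list/db/';
$direct    = '';
$lookAlike = 'https://yourdomain.com.look-alike.example/';

// Both patterns admit the panel link and reject a direct visit, which is the
// behaviour the guide is after.
assert(referer_forbidden($fromPanel, PATTERN_POSTED) === false);
assert(referer_forbidden($fromPanel, PATTERN_STRICT) === false);
assert(referer_forbidden($direct, PATTERN_POSTED) === true);
assert(referer_forbidden($direct, PATTERN_STRICT) === true);
// Only the anchored pattern rejects the look-alike host.
assert(referer_forbidden($lookAlike, PATTERN_POSTED) === false);
assert(referer_forbidden($lookAlike, PATTERN_STRICT) === true);
```

Run it with `php -d zend.assertions=1 file.php`; the anchored pattern is what you would put after the `!` in the RewriteCond to get the stricter behaviour.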
Re: [GUIDE] Secure PhpMyAdmin
erldcrtz wrote: Alternative (most recommended)
Enable SSL on phpmyadmin and access only from name server
1. create web domain using your name server (server1.myserver.com) with SSL support and nginx
2. edit /etc/httpd/conf.d/phpMyAdmin.conf (centos 6) and delete the following (see below) and save
Code:
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
   Order Deny,Allow
   Deny from All
   Allow from All
</Directory>
<Directory /usr/share/phpMyAdmin/scripts/>
   Order Deny,Allow
   Deny from All
   Allow from All
</Directory>
3. edit /home/admin/conf/web/shttpd.conf from step 1 (see above) and paste the following (see below) before this line </VirtualHost> and save
Code:
Alias /phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
   AllowOverride All
   SSLRequireSSL
   Options +Includes -Indexes +ExecCGI
</Directory>
<Directory /usr/share/phpMyAdmin/scripts/>
   AllowOverride All
   SSLRequireSSL
   Options +Includes -Indexes +ExecCGI
</Directory>
4. restart apache server
5. you may now access your phpmyadmin with SSL from only the domain name you made.
Code:
https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE
Hi,
After doing these steps I receive a 403 error when I go to the page
Code:
https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE
Thanks,
Re: [GUIDE] Secure PhpMyAdmin
I think this post should be updated because none of those 'tutorials' work.
Re: [GUIDE] Secure PhpMyAdmin
erldcrtz wrote: Force SSL Connection on phpmyadmin
1. go to folder /usr/share/phpMyAdmin (centos 6)
2. create file config.inc.php and put the following code below and save
Code:
<?php $cfg['ForceSSL'] = true; ?>
I tried to apply this trick. I am running VestaCP v0.98-17 on Ubuntu 16.04.3. The directory path is:
/usr/share/phpmyadmin
Well, I created a new file named config.inc.php and put the above code into it.
Next, I tried to visit phpMyAdmin over the HTTP protocol; it was NOT switched to HTTPS automatically.
Why?
Re: [GUIDE] Secure PhpMyAdmin
Ok, finally I found the solution :
Ubuntu uses a different configuration file for phpmyadmin, so I have to modify this file:
/etc/phpmyadmin/config.inc.php
and insert the following code at the end of this file (just insert a new line):
Code:
$cfg['ForceSSL'] = true;
Then, restart the MySQL service by:
Code:
# systemctl restart mysql
Now if you visit phpmyadmin via the HTTP protocol, it will be redirected to HTTPS automatically. :-)