
Re: [GUIDE] Secure PhpMyAdmin

Posted: Mon Feb 19, 2018 8:03 pm
by gospelsinger
I tried the following to allow only direct links from the Vesta control panel:

Code:

RewriteEngine On
# Forbid any request whose Referer header does not contain mydomain.com
RewriteCond %{HTTP_REFERER} !(www.)?mydomain.com
RewriteRule .* - [F]
But I get a 500 error page. I did some research to understand the conditions here but can't get my head around them.

I did change the default /phpmyadmin to something secure to no avail.

I'm using Ubuntu 16.04 and created the .htaccess in /usr/share/phpmyadmin/

Re: [GUIDE] Secure PhpMyAdmin

Posted: Sun Apr 08, 2018 6:56 pm
by sandy
For brute-force protection, try this instead:
https://www.mysterydata.com/secure-phpm ... cp-centos/

Re: [GUIDE] Secure PhpMyAdmin

Posted: Thu May 10, 2018 1:09 pm
by microonline
Hello, can anyone tell me whether I can apply this to nginx + php-fpm?

Thank you.

Re: [GUIDE] Secure PhpMyAdmin

Posted: Mon Aug 13, 2018 10:19 am
by canoodle
restart apache2:

Code:

apachectl restart
The MySQL root password can be found in:

Code:

/root/.my.cnf
/usr/local/vesta/conf/mysql.conf

Re: [GUIDE] Secure PhpMyAdmin

Posted: Sun Mar 08, 2020 12:46 pm
by mihacb
Hello!
I made a .htaccess in the folder /usr/share/phpMyAdmin

Code:

RewriteEngine On
# Forbid any request whose Referer header does not contain site.ru
# (the empty "()?" group from the original was removed; it matched nothing)
RewriteCond %{HTTP_REFERER} !site.ru
RewriteRule .* - [F]
From Vesta I can go to site.ru/phpmyadmin/ - it's OK,
but when I try to log in to the database, I get:
Forbidden
You don't have permission to access /phpmyadmin/index.php on this server.
I think it is because the HTTP_REFERER isn't transmitted to the index.php script.

Does anybody know, how to fix it?

Re: [GUIDE] Secure PhpMyAdmin

Posted: Fri May 01, 2020 1:30 am
by anuradhan
CentOS - downgraded PHP 7.4.5 to 7.3.
Ended up with a 403 Forbidden error.

You saved my day!
erldcrtz wrote:
Tue Jun 10, 2014 9:42 am
I have compiled some tips to add an extra layer of protection to your phpMyAdmin. Vesta Control Panel is really good, but it seems like it's lacking in the security department, so I want to help as much as possible.

Add htaccess login (extra login)
more info: https://degreesofzero.com/article/how-t ... admin.html

Change the default /phpmyadmin alias to something like /phpmyadmin-vcn0vgu02j0239f
more info: viewtopic.php?f=10&t=5264 (thanks john)
check your config locations here: http://vestacp.com/docs/#config-log-loc ... hel-centos

Alternative (most recommended)

Enable SSL on phpmyadmin and access only from name server
1. create a web domain using your name server (server1.myserver.com) with SSL support and nginx
2. edit /etc/httpd/conf.d/phpMyAdmin.conf (CentOS 6), delete the following (see below) and save

Code:

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
   Order Deny,Allow
   Deny from All
   Allow from All
</Directory>

<Directory /usr/share/phpMyAdmin/scripts/>
   Order Deny,Allow
   Deny from All
   Allow from All
</Directory>
3. edit /home/admin/conf/web/shttpd.conf from step 1 (see above), paste the following (see below) before the line </VirtualHost> and save

Code:

Alias /phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
</Directory>

<Directory /usr/share/phpMyAdmin/scripts/>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
</Directory>
4. restart the Apache server
5. you may now access your phpMyAdmin with SSL, and only from the domain name you made:

Code:

https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE

Force SSL connection on phpMyAdmin
1. go to the folder /usr/share/phpMyAdmin (CentOS 6)
2. create the file config.inc.php, put the following code in it and save

Code:

<?php $cfg['ForceSSL'] = true; ?>

Add name-server referral-only access (you can only reach phpMyAdmin by clicking it from the control panel); this also uses .htaccess
1. open /usr/share/phpMyAdmin (CentOS 6)
2. create a .htaccess file and paste the following code into it (replacing server1.yourdomain.com with your own domain info)

Code:

RewriteEngine On
# Forbid any request whose Referer header does not contain yourdomain.com
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com
RewriteRule .* - [F]
3. update the phpmyadmin link from vesta control panel viewtopic.php?f=10&t=5264

Now that you have that in place, you won't be able to access phpMyAdmin directly in your web browser; you need to click the phpMyAdmin link from the Vesta control panel.
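The three Referer rules in this thread (gospelsinger's, mihacb's and the one in the quoted guide) all have the same shape, so here is a small Python model of what Apache does with `RewriteCond %{HTTP_REFERER} !<pattern>` followed by `RewriteRule .* - [F]`. This is an added example written for this page, not code from the guide or from VestaCP: `THREAD_PATTERN` is the pattern as it appears in the guide, while `HARDENED_PATTERN` and the sample Referer values are assumptions made for the demonstration. It shows two things the posts run into. First, an absent Referer header expands to an empty string, which never matches, so any request the browser sends without a Referer (for example a navigation from an HTTPS page to an HTTP URL, or under a strict Referrer-Policy) gets exactly the 403 on index.php that mihacb describes. Second, Apache matches the pattern unanchored and the dots are unescaped, so the guide's pattern accepts more Referer values than intended; the hardened variant tightens it. Either way the Referer is supplied by the client, so this rule hides the login page from casual browsing but is not an authentication control.

```python
import re

# The CondPattern as it appears in the guide quoted above (unescaped dots,
# no anchor); gospelsinger's and mihacb's rules differ only in the host name.
THREAD_PATTERN = r"(server1.)?yourdomain.com"
# Hardened variant written for this example (assumption, not from the guide):
# dots escaped and the host anchored to the start of the URL, so only a page
# served from that site can satisfy the condition.
HARDENED_PATTERN = r"^https://(server1\.)?yourdomain\.com(/|$)"


def request_served(referer, cond_pattern):
    """Model of the pair
           RewriteCond %{HTTP_REFERER} !<cond_pattern>
           RewriteRule .* - [F]
    Apache tests CondPattern against the expanded string with unanchored,
    case-sensitive search semantics (re.search). The leading '!' negates the
    match, so the [F] rule fires whenever the pattern does NOT match.
    A missing Referer header expands to "", which matches nothing, so a
    request without a Referer is always forbidden.
    Returns True when the request is served, False when Apache answers 403.
    """
    test_string = referer if referer is not None else ""
    return re.search(cond_pattern, test_string) is not None


def evaluate_rule(cond_pattern, referers):
    """Apply the rule to each Referer value; returns {referer: served?}."""
    return {ref: request_served(ref, cond_pattern) for ref in referers}


# Constructed Referer values for the demonstration (not taken from any log).
SAMPLE_REFERERS = [
    "https://server1.yourdomain.com/",     # link clicked inside the panel
    "https://yourdomain.com/",             # bare domain, optional group absent
    None,                                  # browser sent no Referer at all
    "https://notyourdomain.com.example/",  # substring hit on the unanchored pattern
    "https://yourdomain-com.example/",     # unescaped '.' also matches the '-'
]

if __name__ == "__main__":
    for name, pattern in (("thread", THREAD_PATTERN), ("hardened", HARDENED_PATTERN)):
        print(f"{name} pattern: {pattern}")
        for ref, served in evaluate_rule(pattern, SAMPLE_REFERERS).items():
            print(f"  {str(ref):38} -> {'served' if served else '403 Forbidden'}")
```

Run it directly to print the verdict for every sample Referer under both patterns. One practical check for gospelsinger's symptom: a 500 rather than a 403 right after adding the .htaccess means Apache rejected the directives themselves, typically because mod_rewrite is not loaded or the directory's AllowOverride does not permit FileInfo; the Apache error log names the offending line.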

Re: [GUIDE] Secure PhpMyAdmin

Posted: Sun Oct 17, 2021 12:16 am
by Messiah
Thank you for this manual.
I would also suggest adding a JavaScript challenge to the phpMyAdmin login page.
Bots and brute-force attackers know how to use SSL and could sometimes guess the modified path/alias.
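Messiah's point above, and sandy's earlier brute-force link, come down to the same thing: the hidden alias and SSL are obscurity, so failed logins still need to be watched. What follows is an added example, not code from the thread, from VestaCP or from phpMyAdmin: a small Python detector that reads phpMyAdmin's syslog authentication messages and flags a source address that exceeds a number of denied logins inside a sliding time window, which is the same signal a fail2ban jail keys on. The log lines are constructed for the example. The line shape, `user denied: <user> (<status>) from <ip>`, is the form phpMyAdmin writes when its authentication logging goes to syslog, but treat it as an assumption and compare it with your own /var/log/auth.log or /var/log/secure before relying on the regex; the threshold, window, host name and year are also assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line shape: syslog prefix, then phpMyAdmin's authentication message
# "user denied: <user> (<status>) from <ip>". Verify against your own auth log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ phpMyAdmin\[\d+\]: "
    r"user denied: (?P<user>\S*) \((?P<status>[\w-]+)\) from (?P<ip>[\d.:a-fA-F]+)$"
)


def parse_line(line, year=2018):
    """Return (timestamp, user, status, ip) for a denied-login line, else None.
    Syslog timestamps carry no year, so one is supplied (assumed 2018 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["status"], m["ip"]


def flagged_sources(lines, max_failures=5, window_seconds=600, year=2018):
    """Sliding window per source IP: return {ip: time_of_first_trigger} for
    every address with at least max_failures denied logins inside any
    window_seconds span. Lines that are not phpMyAdmin denials are skipped."""
    recent = defaultdict(deque)   # ip -> timestamps of recent denials
    flagged = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _user, _status, ip = parsed
        window = recent[ip]
        window.append(ts)
        # Drop denials that fell out of the window relative to this one.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample log: one noisy source, one slow source, one unrelated line.
SAMPLE_LOG = """\
Feb 19 20:01:02 vesta phpMyAdmin[2311]: user denied: root (mysql-denied) from 203.0.113.5
Feb 19 20:01:05 vesta phpMyAdmin[2311]: user denied: root (mysql-denied) from 203.0.113.5
Feb 19 20:01:09 vesta phpMyAdmin[2314]: user denied: admin (mysql-denied) from 203.0.113.5
Feb 19 20:01:40 vesta phpMyAdmin[2314]: user denied: root (mysql-denied) from 198.51.100.7
Feb 19 20:01:51 vesta sshd[1999]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Feb 19 20:02:13 vesta phpMyAdmin[2320]: user denied: root (mysql-denied) from 203.0.113.5
Feb 19 20:02:30 vesta phpMyAdmin[2320]: user denied: test (mysql-denied) from 203.0.113.5
Feb 19 20:45:00 vesta phpMyAdmin[2400]: user denied: root (mysql-denied) from 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    for ip, when in flagged_sources(SAMPLE_LOG).items():
        print(f"{ip} exceeded the denied-login threshold at {when:%H:%M:%S}")
```

With the defaults (5 denials within 10 minutes) only 203.0.113.5 is flagged, at the fifth denial; 198.51.100.7 makes two attempts 43 minutes apart and stays below the threshold. Lowering the threshold or widening the window changes that, which is the trade-off a fail2ban `maxretry`/`findtime` pair expresses. Feed it `sys.stdin` or a file object instead of `SAMPLE_LOG` to run it over a real log.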