Re: [GUIDE] Secure PhpMyAdmin
Posted: Mon Feb 19, 2018 8:03 pm
by gospelsinger
I tried the following to allow only a direct link from the Vesta control panel:
Code:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !(www.)?mydomain.com
RewriteRule .* - [F]
But I get a 500 error page. I did some research to understand the conditions here but can't get my head around them.
I did change the default /phpmyadmin to something secure to no avail.
I'm using Ubuntu 16.04 and created the .htaccess in /usr/share/phpmyadmin/
Re: [GUIDE] Secure PhpMyAdmin
Posted: Sun Apr 08, 2018 6:56 pm
by sandy
Re: [GUIDE] Secure PhpMyAdmin
Posted: Thu May 10, 2018 1:09 pm
by microonline
Hello, can anyone tell me if I can apply this in nginx + php-fpm?
Thank you.
Re: [GUIDE] Secure PhpMyAdmin
Posted: Mon Aug 13, 2018 10:19 am
by canoodle
Restart apache2:
MySQL root password can be found in:
Code:
/root/.my.cnf
/usr/local/vesta/conf/mysql.conf
Re: [GUIDE] Secure PhpMyAdmin
Posted: Sun Mar 08, 2020 12:46 pm
by mihacb
Hello!
I made .htaccess in folder /usr/share/phpMyAdmin
Code:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !()?site.ru
RewriteRule .* - [F]
From Vesta I can go to site.ru/phpmyadmin/ - it's OK,
but when I try to log in to the base, I have:
Forbidden
You don't have permission to access /phpmyadmin/index.php on this server.
I think it is because HTTP_REFERER isn't transmitted to the index.php script.
Does anybody know how to fix it?
Re: [GUIDE] Secure PhpMyAdmin
Posted: Fri May 01, 2020 1:30 am
by anuradhan
CentOS - Downgraded php7.4.5 to 7.3
End up with 403 Forbidden Error.
You saved my day!
erldcrtz wrote: ↑Tue Jun 10, 2014 9:42 am
I have compiled some tips to add an extra layer of protection to your phpmyadmin. Vesta Control Panel is really good but it seems like it's lacking in the security department so I want to help as much as possible.
Add htaccess login (extra login)
more info:
https://degreesofzero.com/article/how-t ... admin.html
Change the default /phpmyadmin alias to something like /phpmyadmin-vcn0vgu02j0239f
more info:
viewtopic.php?f=10&t=5264 (thanks john)
check your config locations here:
http://vestacp.com/docs/#config-log-loc ... hel-centos
Alternative (most recommended)
Enable SSL on phpmyadmin and access only from name server
1. create web domain using your name server (server1.myserver.com) with SSL support and nginx
2. edit /etc/httpd/conf.d/phpMyAdmin.conf (centos 6) and delete the following (see below) and save
Code:
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
Order Deny,Allow
Deny from All
Allow from All
</Directory>
<Directory /usr/share/phpMyAdmin/scripts/>
Order Deny,Allow
Deny from All
Allow from All
</Directory>
3. edit /home/admin/conf/web/shttpd.conf from step 1 (see above) and paste the following (see below) before this line </VirtualHost> and save
Code:
Alias /phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
</Directory>
<Directory /usr/share/phpMyAdmin/scripts/>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
</Directory>
4. restart apache server
5. you may now access your phpmyadmin with SSL from only the domain name you made.
Code:
https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE
Force SSL Connection on phpmyadmin
1. go to folder /usr/share/phpMyAdmin (centos 6)
2. create file config.inc.php and put the following code below and save
Add nameserver referral access only (you can only access phpmyadmin by clicking it from the control panel) also uses htaccess
1. open /usr/share/phpMyAdmin (centos 6)
2. create .htaccess file and paste the following code below (replacing the proper domain info server1.yourdomain.com)
Code:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !(server1.)?yourdomain.com
RewriteRule .* - [F]
3. update the phpmyadmin link from vesta control panel
viewtopic.php?f=10&t=5264
Now that you have that in place, you won't be able to access phpmyadmin directly in your web browser. You need to click the phpmyadmin link from the Vesta control panel.
Re: [GUIDE] Secure PhpMyAdmin
Posted: Sun Oct 17, 2021 12:16 am
by Messiah
Thank you for this manual.
I would also suggest adding some JavaScript challenge to the phpmyadmin login page.
Bots and bruteforce attackers know how to use SSL and sometimes could guess the modified path / alias.
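The Referer rule from the quoted guide, emulated as an added example (not part of any post in this thread, nor Vesta or phpMyAdmin code): it shows which requests the RewriteCond forbids, including the empty Referer a browser sends for a typed URL or under a no-referrer policy. The sample Referer values and the anchored pattern are constructed assumptions.

```python
import re

# Pattern from the guide's .htaccess, without the leading "!".
GUIDE_PATTERN = r"(server1.)?yourdomain.com"
# Hypothetical stricter pattern (assumption): fixed scheme, exact host, escaped dots.
ANCHORED_PATTERN = r"^https://server1\.yourdomain\.com(:\d+)?/"


def is_forbidden(referer, pattern):
    """Emulate: RewriteCond %{HTTP_REFERER} !pattern  +  RewriteRule .* - [F].

    mod_rewrite performs an unanchored regex search; the leading "!" negates
    it, so the request is answered with 403 when the pattern is NOT found.
    A request without a Referer header is evaluated as an empty string.
    """
    return re.search(pattern, referer or "") is None


# Constructed Referer values for testing the rule (not from any real log).
SAMPLES = {
    "panel_link": "https://server1.yourdomain.com:8083/list/db/",
    "no_referer": "",
    "lookalike_host": "https://yourdomain.com.example.net/",
    "domain_in_query": "https://example.net/?q=yourdomain.com",
    "dot_wildcard": "https://yourdomainXcom.example.net/",
}


def evaluate(pattern):
    """Return {sample name: True if the rule would answer 403}."""
    return {name: is_forbidden(ref, pattern) for name, ref in SAMPLES.items()}


if __name__ == "__main__":
    for label, pat in (("guide", GUIDE_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(label, evaluate(pat))
```

Referer is a client-supplied header, so either pattern only filters requests and does not authenticate them; the htaccess login and SSL steps from the guide still carry the access control.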