Vesta Control Panel - Forum

phpmyadmin on port 80...

Questions regarding the Web Server
Apache + Nginx, Nginx + PHP5-FPM
Post by WAS » Thu Feb 12, 2015 7:59 pm

Why is phpmyadmin on port 80 when you have an administrative port open on 8083 by default? It puzzles me greatly.

In an ideal world, no one would use phpmyadmin, but putting it on port 80 with no .htaccess authorization as well is scary.

When I attempt to edit the conf to listen on port 8085, it does work; however, vestacp is also listening on port 80 for phpmyadmin, and port 8085 will forward to the base web directory of the site when it should go nowhere.

Why is this, and how do I stop this strange behavior?

Code: Select all

# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

Listen 8085

<Directory /usr/share/phpmyadmin>
	Options FollowSymLinks
	DirectoryIndex index.php

	<IfModule mod_php5.c>
		AddType application/x-httpd-php .php

		php_flag magic_quotes_gpc Off
		php_flag track_vars On
		php_flag register_globals Off
		php_admin_flag allow_url_fopen Off
		php_value include_path .
		php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
		php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext
	</IfModule>

</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authn_file.c>
    AuthType Basic
    AuthName "phpMyAdmin Setup"
    AuthUserFile /etc/phpmyadmin/htpasswd.setup
    </IfModule>
    Require valid-user
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
    Order Deny,Allow
    Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Order Deny,Allow
    Deny from All
</Directory>

imperio
VestaCP Team

Post by imperio » Thu Feb 12, 2015 8:07 pm

8083 - only for Vesta

Post by WAS » Thu Feb 12, 2015 8:13 pm

Could be for many of vesta's administrative scripts. Port is definitely not bound to one script. Having phpmyadmin outside a secure location is inherently a security flaw. Documentation for phpmyadmin is very clear that phpmyadmin is not to be on port 80 in production environments. Have you noticed how phpmyadmin on cpanel and WHM are on the same port as cpanel, so it is as secure as possible? It is fairly easy to brute force phpmyadmin's login, and being able to sniff it out right on port 80...

But again, the issue is, why is phpmyadmin still on port 80 when it is listening on 8085? And why does yourdomain.com:8085/ point to port 80?

Edit: I was able to get it to work by editing the conf file as follows:

Code: Select all

# phpMyAdmin default Apache configuration

Alias /someotheralias  /usr/share/phpmyadmin

Listen 8085

<Directory /usr/share/phpmyadmin>
	Options FollowSymLinks
	DirectoryIndex index.php

	Order allow,deny
	Allow from A_ADMIN_IP
	Allow from 127

	<IfModule mod_php5.c>
		AddType application/x-httpd-php .php

		php_flag magic_quotes_gpc Off
		php_flag track_vars On
		php_flag register_globals Off
		php_admin_flag allow_url_fopen Off
		php_value include_path .
		php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
		php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext
	</IfModule>

</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authn_file.c>
    AuthType Basic
    AuthName "phpMyAdmin Setup"
    AuthUserFile /etc/phpmyadmin/htpasswd.setup
    </IfModule>
    Require valid-user
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
    Order Deny,Allow
    Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Order Deny,Allow
    Deny from All
</Directory>

mehargags
Support team

Post by mehargags » Sat Feb 28, 2015 7:56 am

If security is your concern---
You may want to rename /phpmyadmin to something entirely "un-guessable"

[ TUTORIAL ] How to change the default /phpmyadmin alias
viewtopic.php?f=10&t=5264

Post by bart82 » Mon Jan 04, 2021 9:24 pm

mehargags wrote (Sat Feb 28, 2015 7:56 am):
If security is your concern---
You may want to rename /phpmyadmin to something entirely "un-guessable"

[ TUTORIAL ] How to change the default /phpmyadmin alias
viewtopic.php?f=10&t=5264

Security through obscurity is no security. So simply renaming the alias isn't a great idea. Selecting a different port (e.g. 8085) for this 'administrative tool' is a good approach. Especially when you block that port for the outside world using iptables.

The only thing you need to do is edit your /etc/httpd/conf.d/phpMyAdmin.conf (the Apache configuration). Suppose you have phpMyAdmin working properly on port 80 (/phpmyadmin)

Code: Select all

Listen 8085

<VirtualHost *:8085>
   DocumentRoot /usr/share/phpMyAdmin
   ServerName phpmyadminsite

   Alias /phpMyAdmin /usr/share/phpMyAdmin
   Alias /phpmyadmin /usr/share/phpMyAdmin

   # With Order Deny,Allow the Allow line is evaluated last, so this
   # block admits every client; the restriction comes from the firewall.
   <Directory /usr/share/phpMyAdmin/>
      Order Deny,Allow
      Deny from All
      Allow from All
   </Directory>

   # ...etc etc ...
</VirtualHost>

Restart Apache. For CentOS:

Code: Select all

service httpd restart

Now, Apache will listen on port 8085.
NB: make sure you add port 8085 to your iptables firewall (through VestaCP)
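
Added example (not part of any post in this thread, and not VestaCP or phpMyAdmin code): an `Alias` written outside any `<VirtualHost>` is server-scope configuration that every virtual host inherits, while `Listen` only opens another socket, which is why the first config in this thread still answers for /phpmyadmin on port 80. The sketch below reports the ports each alias is reachable on; the function name, the `base_ports` parameter (ports opened by other config files) and both sample configs are assumptions constructed for illustration.

```python
import re

def alias_exposure(conf_text, base_ports=("80",)):
    """Return {alias: [ports]}; base_ports = ports opened in other files (assumed)."""
    ports = set(base_ports)
    scope = None      # None = server scope; otherwise the vhost's port set
    aliases = []      # (url_path, scope at the point of definition)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        vhost = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if vhost:
            # "*:8085" -> "8085"; an address with no port matches any port
            scope = {a.rsplit(":", 1)[1] if ":" in a else "*"
                     for a in vhost.group(1).split()}
            continue
        if line.lower().startswith("</virtualhost"):
            scope = None
            continue
        words = line.split()
        if words[0].lower() == "listen" and len(words) > 1:
            ports.add(words[1].rsplit(":", 1)[-1])
        elif words[0].lower() == "alias" and len(words) > 2:
            aliases.append((words[1], scope))
    exposure = {}
    for path, sc in aliases:
        # Server-scope aliases are inherited by every vhost, so every port
        reach = ports if sc is None or "*" in sc else sc & ports
        exposure.setdefault(path, set()).update(reach)
    return {p: sorted(r, key=int) for p, r in exposure.items()}

# Constructed sample: Alias at server scope plus an extra Listen
GLOBAL_CONF = """
Alias /phpmyadmin /usr/share/phpmyadmin
Listen 8085
"""

# Constructed sample: the same Alias moved inside a port-specific vhost
VHOST_CONF = """
Listen 8085
<VirtualHost *:8085>
    Alias /phpmyadmin /usr/share/phpMyAdmin
</VirtualHost>
"""

if __name__ == "__main__":
    print(alias_exposure(GLOBAL_CONF))
    print(alias_exposure(VHOST_CONF))
```

Run it against the real conf.d file with `base_ports` set to the ports your main Apache config opens; any administrative alias that lists a public port needs to move into a dedicated virtual host or get an IP restriction.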