I have noticed that there are strange requests to my website trying to find phpmyadmin, like <pre class="prettyprint"><code>/phpmyadmin/ /pma/ </code></pre> etc. Now I have installed PMA on Ubuntu via apt and would like to access it via webaddress different from /phpmyadmin/. What can I do to change it? Thanks <hr> Update For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file <code>/etc/apache2/conf.d/phpmyadmin.conf</code> which is a link to <code>/etc/phpmyadmin/apache.conf</code>. The file contains <pre class="prettyprint"><code>Alias /phpmyadmin /usr/share/phpmyadmin </code></pre> where the first <code>/phpmyadmin</code> should be changed to something different if one wants to avoid the unnecessary activity, e.g.: <pre class="prettyprint"><code>Alias /secret /usr/share/phpmyadmin </code></pre>

The biggest threat is that an attacker could leverage a vulnerability such as; directory traversal, or using SQL Injection to call <code>load_file()</code> to read the plain text username/password in the configuration file and then Login using phpmyadmin or over tcp port 3306. As a pentester I have used this attack pattern to compromise a system. Here is a great way to lock down phpmyadmin: <ul> <li>PhpMyAdmin lacks strong bruteforce protection, so you must use a long randomly generated password.</li> <li> DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpmyadmin can be configured to use "Cookie Auth" to limit what user can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have <code>grant</code> or <code>file_priv</code>.</li> <li>Remove <code>file_priv</code> permissions from every account. <code>file_priv</code> is one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor.</li> <li>Whitelist IP address who have access to the phpmyadmin interface. Here is an example .htaccess reulset:</li> </ul> <blockquote> <pre class="prettyprint"><code>Order deny,allow Deny from all allow from 199.166.210.1 </code></pre> </blockquote> <ul> <li> Do not have a predictable file location like: <code>http://127.0.0.1/phpmyadmin</code>. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this. </li> <li> Firewall off tcp port 3306 so that it cannot be accessed by an attacker. </li> <li> Use HTTPS, otherwise data and passwords can be leaked to an attacker. If you don't want to fork out the $30 for a cert, then use a self-signed. You'll accept it once, and even if it was changed due to a MITM you'll be notified. </li> </ul>

How to secure phpMyAdmin

Tags:

security

php

mysql

ubuntu

phpmyadmin

I have noticed that there are strange requests to my website trying to find phpmyadmin, like

/phpmyadmin/ /pma/

etc.

Now I have installed PMA on Ubuntu via apt and would like to access it via webaddress different from /phpmyadmin/. What can I do to change it?

Thanks

Update

For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file /etc/apache2/conf.d/phpmyadmin.conf which is a link to /etc/phpmyadmin/apache.conf. The file contains

Alias /phpmyadmin /usr/share/phpmyadmin

where the first /phpmyadmin should be changed to something different if one wants to avoid the unnecessary activity, e.g.:

Alias /secret /usr/share/phpmyadmin

734

asked Apr 13 '10 16:04

Andrei

1 Answers

The biggest threat is that an attacker could leverage a vulnerability such as; directory traversal, or using SQL Injection to call load_file() to read the plain text username/password in the configuration file and then Login using phpmyadmin or over tcp port 3306. As a pentester I have used this attack pattern to compromise a system.

Here is a great way to lock down phpmyadmin:

PhpMyAdmin lacks strong bruteforce protection, so you must use a long randomly generated password.
DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpmyadmin can be configured to use "Cookie Auth" to limit what user can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have grant or file_priv.
Remove file_priv permissions from every account. file_priv is one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor.
Whitelist IP address who have access to the phpmyadmin interface. Here is an example .htaccess reulset:

Order deny,allow Deny from all allow from 199.166.210.1

Do not have a predictable file location like: http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.
Firewall off tcp port 3306 so that it cannot be accessed by an attacker.
Use HTTPS, otherwise data and passwords can be leaked to an attacker. If you don't want to fork out the $30 for a cert, then use a self-signed. You'll accept it once, and even if it was changed due to a MITM you'll be notified.

answered Oct 07 '22 23:10

rook

Related questions
                            
                                How do search engines find relevant content?
                            
                                PHP Readonly Properties?
                            
                                How to switch layout files in Zend Framework?
                            
                                Exception: Serialization of 'Closure' is not allowed
                            
                                Can I embed a .png image into an HTML page?
                            
                                PDO bindParam vs. execute
                            
                                php return 500 error but no error log
                            
                                How to install jQuery with Composer?
                            
                                Is time() a good salt?
                            
                                How to dump SoapClient request for debug?
                            
                                How can I fetch all items from a DynamoDB table without specifying the primary key?
                            
                                Creating DateTime from timestamp in PHP < 5.3
                            
                                How do I use PHPUnit with CodeIgniter?
                            
                                How to distinguish command-line and web-server invocation? [duplicate]
                            
                                How to reverse htmlentities()?
                            
                                htmlentities in PHP but preserving html tags
                            
                                How to extend access token validity since offline_access deprecation
                            
                                PHP Fatal Error Failed opening required File
                            
                                Check if two PHP datetime objects are set to the same date ( ignoring time )
                            
                                Service Applications and Google Analytics API V3: Server-to-server OAuth2 authentication?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With