I have noticed that there are strange requests to my website trying to find phpmyadmin, like <pre class="prettyprint"><code>/phpmyadmin/ /pma/ </code></pre> etc. Now I have installed PMA on Ubuntu via apt and would like to access it via webaddress different from /phpmyadmin/. What can I do to change it? Thanks <hr> Update For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file <code>/etc/apache2/conf.d/phpmyadmin.conf</code> which is a link to <code>/etc/phpmyadmin/apache.conf</code>. The file contains <pre class="prettyprint"><code>Alias /phpmyadmin /usr/share/phpmyadmin </code></pre> where the first <code>/phpmyadmin</code> should be changed to something different if one wants to avoid the unnecessary activity, e.g.: <pre class="prettyprint"><code>Alias /secret /usr/share/phpmyadmin </code></pre>

The biggest threat is that an attacker could leverage a vulnerability such as; directory traversal, or using SQL Injection to call <code>load_file()</code> to read the plain text username/password in the configuration file and then Login using phpmyadmin or over tcp port 3306. As a pentester I have used this attack pattern to compromise a system. Here is a great way to lock down phpmyadmin: <ul> <li>PhpMyAdmin lacks strong bruteforce protection, so you must use a long randomly generated password.</li> <li> DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpmyadmin can be configured to use "Cookie Auth" to limit what user can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have <code>grant</code> or <code>file_priv</code>.</li> <li>Remove <code>file_priv</code> permissions from every account. <code>file_priv</code> is one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor.</li> <li>Whitelist IP address who have access to the phpmyadmin interface. Here is an example .htaccess reulset:</li> </ul> <blockquote> <pre class="prettyprint"><code>Order deny,allow Deny from all allow from 199.166.210.1 </code></pre> </blockquote> <ul> <li> Do not have a predictable file location like: <code>http://127.0.0.1/phpmyadmin</code>. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this. </li> <li> Firewall off tcp port 3306 so that it cannot be accessed by an attacker. </li> <li> Use HTTPS, otherwise data and passwords can be leaked to an attacker. If you don't want to fork out the $30 for a cert, then use a self-signed. You'll accept it once, and even if it was changed due to a MITM you'll be notified. </li> </ul>

How to secure phpMyAdmin

I have noticed that there are strange requests to my website trying to find phpmyadmin, like

/phpmyadmin/ /pma/

etc.

Now I have installed PMA on Ubuntu via apt and would like to access it via webaddress different from /phpmyadmin/. What can I do to change it?

Thanks

Update

For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file /etc/apache2/conf.d/phpmyadmin.conf which is a link to /etc/phpmyadmin/apache.conf. The file contains

Alias /phpmyadmin /usr/share/phpmyadmin

where the first /phpmyadmin should be changed to something different if one wants to avoid the unnecessary activity, e.g.:

Alias /secret /usr/share/phpmyadmin

Is phpMyAdmin a security risk?

It depends. If you can get all the access to PhpMyAdmin through SSL only, and enforce strong password security on the web site, it can be secure. Otherwise it's opening your entire DB server to the world in clean view.

Should phpMyAdmin be publicly accessible?

phpmyadmin is too much of a beast to secure. You'd need mod_security and a week of time debugging the alerts just to disable half of the rules to ensure the functionality of phpmyadmin. Conclusion: Don't make it publicly accessible.

Does phpMyAdmin require Apache?

How to Install phpMyAdmin on Windows 10. As the requirements state, you're going to need a web server with PHP and a database to use phpMyAdmin. While you can undoubtedly download Apache, PHP, and MySQL manually, there's a much simpler option to get a server up and running on a Windows computer.

The biggest threat is that an attacker could leverage a vulnerability such as; directory traversal, or using SQL Injection to call load_file() to read the plain text username/password in the configuration file and then Login using phpmyadmin or over tcp port 3306. As a pentester I have used this attack pattern to compromise a system.

Here is a great way to lock down phpmyadmin:

PhpMyAdmin lacks strong bruteforce protection, so you must use a long randomly generated password.
DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpmyadmin can be configured to use "Cookie Auth" to limit what user can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have grant or file_priv.
Remove file_priv permissions from every account. file_priv is one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor.
Whitelist IP address who have access to the phpmyadmin interface. Here is an example .htaccess reulset:

Order deny,allow Deny from all allow from 199.166.210.1

Do not have a predictable file location like: http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.
Firewall off tcp port 3306 so that it cannot be accessed by an attacker.
Use HTTPS, otherwise data and passwords can be leaked to an attacker. If you don't want to fork out the $30 for a cert, then use a self-signed. You'll accept it once, and even if it was changed due to a MITM you'll be notified.

How to secure phpMyAdmin

Tags:

security

php

mysql

ubuntu

phpmyadmin

Andrei

People also ask

1 Answers

rook

Recent Activity

Donate For Us

How to secure phpMyAdmin

Tags:

security

php

mysql

ubuntu

phpmyadmin

Andrei

People also ask

1 Answers

rook

Related questions

Recent Activity

Donate For Us