How to secure phpMyAdmin
Solution 1
The biggest threat is that an attacker could leverage a vulnerability such as; directory traversal, or using SQL Injection to call load_file() to read the plain text username/password in the configuration file and then Login using phpmyadmin or over tcp port 3306. As a pentester I have used this attack pattern to compromise a system.
Here is a great way to lock down phpmyadmin:
- PhpMyAdmin lacks strong bruteforce protection, so you must use a long randomly generated password.
-
DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpmyadmin can be configured to use "Cookie Auth" to limit what user can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have
grantorfile_priv. - Remove
file_privpermissions from every account.file_privis one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor. - Whitelist IP address who have access to the phpmyadmin interface. Here is an example .htaccess reulset:
Order deny,allow Deny from all allow from 199.166.210.1
-
Do not have a predictable file location like:
http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this. -
Firewall off tcp port 3306 so that it cannot be accessed by an attacker.
-
Use HTTPS, otherwise data and passwords can be leaked to an attacker. If you don't want to fork out the $30 for a cert, then use a self-signed. You'll accept it once, and even if it was changed due to a MITM you'll be notified.
Solution 2
One of my concerns with phpMyAdmin was that by default, all MySQL users can access the db. If DB's root password is compromised, someone can wreck havoc on the db. I wanted to find a way to avoid that by restricting which MySQL user can login to phpMyAdmin.
I have found using AllowDeny configuration in PhpMyAdmin to be very useful. http://wiki.phpmyadmin.net/pma/Config#AllowDeny_.28rules.29
AllowDeny lets you configure access to phpMyAdmin in a similar way to Apache. If you set the 'order' to explicit, it will only grant access to users defined in 'rules' section. In the rules, section you restrict MySql users who can access use the phpMyAdmin.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit'
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('pma-user from all')
Now you have limited access to the user named pma-user in MySQL, you can grant limited privilege to that user.
grant select on db_name.some_table to 'pma-user'@'app-server'
Solution 3
In newer versions of phpMyAdmin access permissions for user-names + ip-addresses can be set up inside the phpMyAdmin's config.inc.php file. This is a much better and more robust method of restricting access (over hard-coding URLs and IP addresses into Apache's httpd.conf).
Here is a full example of how to switch to white-listing all users (no one outside this list will be allowed access), and also how to restrict user root to the local system and network only.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
'deny % from all', // deny everyone by default, then -
'allow % from 127.0.0.1', // allow all local users
'allow % from ::1',
//'allow % from SERVER_ADDRESS', // allow all from server IP
// allow user:root access from these locations (local network)
'allow root from localhost',
'allow root from 127.0.0.1',
'allow root from 10.0.0.0/8',
'allow root from 172.16.0.0/12',
'allow root from 192.168.0.0/16',
'allow root from ::1',
// add more usernames and their IP (or IP ranges) here -
);
Source: How to Install and Secure phpMyAdmin on localhost for Windows
This gives you much more fine-grained access restrictions than Apache's URL permissions or an .htaccess file can provide, at the MySQL user name level.
Make sure that the user you are login in with, has its MySQL Host: field set to 127.0.0.1 or ::1, as phpMyAdmin and MySQL are on the same system.
Solution 4
Another solution is to use the config file without any settings. The first time you might have to include your mysql root login/password so it can install all its stuff but then remove it.
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['extension'] = 'mysql';
Leaving it like that without any apache/lighhtpd aliases will just present to you a log in screen.
You can log in with root but it is advised to create other users and only allow root for local access. Also remember to use string passwords, even if short but with a capital, and number of special character. for example !34sy2rmbr! aka "easy 2 remember"
-EDIT: A good password now a days is actually something like words that make no grammatical sense but you can remember because they funny. Or use keepass to generate strong randoms an have easy access to them
Solution 5
Most likely, somewhere on your webserver will be an Alias directive like this;
Alias /phpmyadmin "c:/wamp/apps/phpmyadmin3.1.3.1/"
In my wampserver / localhost setup, it was in c:/wamp/alias/phpmyadmin.conf.
Just change the alias directive and you should be good to go.
Andrei
Updated on July 08, 2022Comments
-
Andrei almost 2 years
I have noticed that there are strange requests to my website trying to find phpmyadmin, like
/phpmyadmin/ /pma/etc.
Now I have installed PMA on Ubuntu via apt and would like to access it via webaddress different from /phpmyadmin/. What can I do to change it?
Thanks
Update
For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file
/etc/apache2/conf.d/phpmyadmin.confwhich is a link to/etc/phpmyadmin/apache.conf. The file containsAlias /phpmyadmin /usr/share/phpmyadminwhere the first
/phpmyadminshould be changed to something different if one wants to avoid the unnecessary activity, e.g.:Alias /secret /usr/share/phpmyadmin