Takscape's suggestion is the best solution - tunnel via SSH and allow access only from localhost. Obscurity helps, but is not security -- it's only security until someone decides to spend more than 1 second testing your VPS. You have to decide how much you can risk getting owned.
SSL is a must for secure transport if you're not tunneling, but remember that SSL itself does nothing for you from a security perspective. It only keeps your data from being clear text in the wild. It offers zero protection against an actual compromise, especially if you're leaving your entire database's front door wide open (or side door if you're just obscuring).
If you don't like the tunneling solution, htaccess authentication is the next best solution. You really MUST access it via SSL exclusively in this instance. If at all possible, you should consider blocking all access to the port via iptables, and when you need to use it, add an explicit allow for the IP you're connecting from on a temporary basis. This way, no one can access it except your specific host when you actually need to be using it. Once done, delete the rule from iptables.
Also, don't forget to configure phpMyAdmin to require you to log in to MySQL, rather than just granting immediate access. That is one more layer of authentication.
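The temporary iptables allow described above, as an added example that is not part of the original answer. It assumes phpMyAdmin is served over HTTPS on TCP 443 and that a standing rule already drops other traffic to that port; the function names and the `pma-temp` rule comment are hypothetical.

```shell
#!/bin/sh
# Added example: open the phpMyAdmin port for one source IP, then close it.
# Assumptions: HTTPS on TCP 443, other traffic to the port already dropped.
# Set IPTABLES="echo iptables" for a dry run that only prints the commands.
IPTABLES="${IPTABLES:-iptables}"
PMA_PORT="${PMA_PORT:-443}"

# Accept only a dotted-quad IPv4 address with every octet in 0..255, so
# nothing else can ever reach the iptables command line.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    pma_old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$pma_old_ifs
    [ "$#" -eq 4 ] || return 1
    for pma_octet in "$@"; do
        [ "${#pma_octet}" -le 3 ] && [ "$pma_octet" -le 255 ] || return 1
    done
}

# $1 is -I (insert ahead of the drop rule) or -D (delete); $2 is the source IP.
# Both use the same rule text, so the delete matches exactly what was inserted.
pma_rule() {
    valid_ipv4 "$2" || { echo "invalid IPv4 address: $2" >&2; return 2; }
    $IPTABLES "$1" INPUT -p tcp -s "$2" --dport "$PMA_PORT" \
        -m comment --comment pma-temp -j ACCEPT
}

# Allow one IP, run the given command, and remove the rule afterwards even
# if the command fails or the script is interrupted.
with_pma_access() {
    pma_ip=$1; shift
    pma_rule -I "$pma_ip" || return
    trap 'pma_rule -D "$pma_ip"; exit 130' INT TERM
    pma_rc=0
    "$@" || pma_rc=$?
    trap - INT TERM
    pma_rule -D "$pma_ip" || return
    return "$pma_rc"
}

# Example (as root): with_pma_access 203.0.113.7 sleep 1800
```

Afterwards, `iptables -S INPUT | grep pma-temp` should print nothing; any output means a temporary rule was left behind.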