VPSlink Forums > Technical Discussion > Security
#1
Old 11-12-2007, 06:39 AM
Junior Member
 
Join Date: Nov 2007
Posts: 9
Do you use phpmyadmin?

How do you prevent users from reaching the login page? I currently access webmin through example.com:10000 and phpmyadmin through example.com/phpmyadmin. I would rather not have users be able to access the login through the same page. Do you edit file permissions?
#2
Old 11-12-2007, 09:17 AM
Senior Member
 
Join Date: Aug 2006
Posts: 524

You could easily set up a .htaccess file (using apache's basic auth) to at least prevent them from seeing anything in the directory. Try changing webmin to a non-standard port. You could also set up a sub-domain and only allow admin stuff on that domain (I know this is all a little bit of security through obscurity, but every bit helps).
__________________
Kelvin Nicholson
http://www.helomx.com - Blacklist and availability monitoring built from the ground up for outsourced IT providers.
#3
Old 11-12-2007, 09:39 AM
Senior Member
 
Join Date: Aug 2006
Posts: 1,021

A couple of additions on this:

1) Kelvin's subdomain suggestion is a good idea. In addition, for phpmyadmin, I suggest placing the phpmyadmin directory within a second level directory.

example.com/administration/phpmyadmin/

2) .htaccess is a vital level of security. Use obscure usernames and passwords for .htaccess access.

3) Access everything over SSL. Either create your own certs, or buy a cert. Very cheap certs can be purchased which are great for purposes like this (though not so great for other purposes like ecommerce). I recommend namecheap.com for very cheap certs (about the least expensive I've found). Either way, SSL prevents even the .htaccess traffic from being sent over plain text.

4) Limit what you can do through webmin.

And there's nothing wrong with security through obscurity --- of course the first layer of security is a properly secured configuration, but obscurity simply makes it (often tremendously) more difficult to guess things like usernames and passwords.
#4
Old 11-12-2007, 01:28 PM
Junior Member
 
Join Date: Jun 2006
Posts: 14

Another way is that you can configure .htaccess to accept connections only from 127.0.0.1 and always access phpmyadmin via SSH tunnel.
#5
Old 11-12-2007, 02:16 PM
Senior Member
 
Join Date: Oct 2007
Location: UK
Posts: 129

I have phpmyadmin set up to be accessible only over ssl, similar to what jasonaward suggests. In addition, I use a different (and non-public) domain name for admin, similar to what kelvinn suggests, meaning that there are no traversable links or guessable subdomains.

Two more suggestions: Change the 'directory' that the phpmyadmin sw lives in to a name completely unrelated to phpmyadmin (e.g., moms_stuff), and be sure that directory indexing is off.
#6
Old 11-12-2007, 03:46 PM
Senior Member
 
Join Date: Mar 2007
Posts: 100

Takscape's suggestion is the best solution - tunnel via SSH and allow access only from localhost. Obscurity helps, but is not security -- it's only security until someone decides to spend more than 1 second testing your VPS. You have to decide how much you can risk getting owned.

SSL is a must for secure transport if you're not tunneling, but remember that SSL itself does nothing for you from a security perspective. It only keeps your data from being clear text in the wild. It offers zero protection against an actual compromise, especially if you're leaving your entire database's front door wide open (or side door if you're just obscuring).

If you don't like the tunneling solution, htaccess authentication is the next best solution. You really MUST access it via SSL exclusively in this instance. If at all possible, you should consider blocking all access to the port via iptables, and when you need to use it, add an explicit allow for the IP you're connecting from on a temporary basis. This way, no one can access it except your specific host when you actually need to be using it. Once done, delete the rule from iptables.

Also, don't forget to configure phpMyAdmin to require you to log in to MySQL, rather than just granting immediate access. That is one more layer of authentication.
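The localhost-only, basic-auth .htaccess that posts #4 and #6 describe, as an added example (not from any poster in this thread), alongside a constructed weaker variant and a small audit that tells the two apart. It assumes Apache 2.2 access-control directives (Order/Deny/Allow) and the AuthUserFile path and SSH host shown in the comments.

```shell
#!/bin/sh
# Added example, not from the thread: hardened vs weak .htaccess for the
# phpMyAdmin directory plus an audit. Apache 2.2 syntax assumed; the
# AuthUserFile path and the SSH host in the comment are assumptions.

# Hardened: default-deny, loopback only, still password protected, no listing.
# Reach it through an SSH tunnel, e.g.
#   ssh -L 8443:127.0.0.1:443 admin@example.com
# then browse https://localhost:8443/administration/phpmyadmin/
HARDENED='AuthType Basic
AuthName "Admin"
AuthUserFile /etc/apache2/.htpasswd-admin
Require valid-user
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Options -Indexes'

# Weak variant (constructed): password only, reachable from anywhere, listing on.
WEAK='AuthType Basic
AuthName "Admin"
AuthUserFile /etc/apache2/.htpasswd-admin
Require valid-user
Options +Indexes'

# audit_htaccess FILE: exit 0 only when every control from the thread is present.
audit_htaccess() {
    f=$1; rc=0
    grep -qi '^AuthType[[:space:]]*Basic' "$f" || { echo "$f: no basic auth"; rc=1; }
    grep -qi '^Deny from all' "$f"             || { echo "$f: not default-deny"; rc=1; }
    grep -qi '^Allow from 127\.0\.0\.1' "$f"   || { echo "$f: no localhost allow"; rc=1; }
    # any Allow line other than loopback reopens the door
    if grep -i '^Allow from' "$f" | grep -vq '127\.0\.0\.1'; then
        echo "$f: Allow from non-loopback address"; rc=1
    fi
    grep -qi '^Options.*-Indexes' "$f"         || { echo "$f: directory indexing not disabled"; rc=1; }
    return $rc
}

# write_sample NAME CONTENT: write a constructed .htaccess into a temp dir, print its path.
write_sample() {
    d=${TMPDIR:-/tmp}/pma-htaccess.$$
    mkdir -p "$d"
    printf '%s\n' "$2" > "$d/$1"
    printf '%s\n' "$d/$1"
}
```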
#7
Old 11-12-2007, 11:34 PM
Junior Member
 
Join Date: Nov 2007
Posts: 9

Thanks for all the great tips guys, I'll get started on implementing some of these solutions ASAP. I had a surprisingly difficult time finding info on this specific security topic.

skavoovie: In reference to the last line in your post, I've set a password for root, and set privileges for a "webuser" granting them only select, update, etc. Is this what you are referring to?
#8
Old 11-13-2007, 04:11 PM
Senior Member
 
Join Date: Mar 2007
Posts: 100

Be sure to make a back-up copy of your config.inc.php before tinkering.

If I remember correctly, it's this line that adds the authentication functionality:

Code:
$cfg['Servers'][$i]['auth_type'] = 'http';

If it is already present it will probably be defined as 'config' or something else. By changing it to 'http', you must specify an existing MySQL username and password, just like you would from the command line, before you can access the databases.

When making this change, you may have to leave the manually specified username and password blank, I can't remember off the top of my head w/o checking.
#9
Old 11-14-2007, 02:13 AM
Junior Member
 
Join Date: Nov 2007
Posts: 9

I've been trying to set up the security measures recommended in this thread and ran into a couple of walls. I'm running ubuntu 7.1, with the latest pma, mysql and apache2 via apt-get. I made the following changes in /etc/myphpadmin/config.inc.php

Code:
$cfg['PmaAbsoluteUri'] = 'https://example.com/obfuscation/phpmyadmin';

$cfg['Servers'][$i]['auth_type'] = 'http';

The problem is these changes are not having any effect after restarting mysql and apache. Sorry if this is a basic question, but how am I supposed to load pma's config to have the changes take effect?

Figuring out the above would allow pma access via browser using ssl.

My second question relates to the recommendations to use ssh to access pma. This is similar to using PuTTY to connect to my server via command line, correct? If this is the case, does that not defeat the purpose of using a gui to interact with mysql? I've googled tuts on ssh vs ssl and securing pma, but I still think I am missing some basic points of the entire security picture. Could someone please point me in the right direction... at least pertaining to using ssh with the phpmyadmin gui? Thanks.
#10
Old 11-14-2007, 03:31 AM
Senior Member
 
Join Date: Mar 2007
Posts: 100

You actually don't need to restart apache or mysql. You might need to restart your browser if the session is being cached.

If you haven't defined $i in your config, try this instead, I forgot to make the change before I pasted the config line:

Code:
$cfg['Servers'][1]['auth_type'] = 'http';
Also, be sure to enable SSL-only with this option:

Code:
$cfg['ForceSSL'] = true;
not just that base URI option you have configured.
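The config.inc.php changes from posts #8 and #10, applied in place and checked, as an added example (not code from any poster or from the phpMyAdmin project). It assumes a stock Debian-style config layout; the sample file is constructed and stands in for the real /etc/phpmyadmin/config.inc.php.

```shell
#!/bin/sh
# Added example, not from the thread: switch phpMyAdmin from 'config' auth
# (already logged in on arrival) to 'http' auth, drop the stored MySQL
# credentials that 'config' mode needs, and force SSL. Idempotent.

SAMPLE=$(mktemp)   # constructed stand-in for /etc/phpmyadmin/config.inc.php
cat > "$SAMPLE" <<'EOF'
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'hunter2';
$cfg['PmaAbsoluteUri'] = 'https://example.com/obfuscation/phpmyadmin';
EOF

# harden_pma_config FILE: back up first (as post #8 advises), then edit.
harden_pma_config() {
    f=$1
    cp "$f" "$f.bak"
    # 'config' auth means anyone who reaches the page is already in
    sed "s/\(\['auth_type'\][[:space:]]*=[[:space:]]*\)'config'/\1'http'/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    # stored user/password are ignored with http auth and are a plain-text secret
    sed "/\['user'\][[:space:]]*=/d; /\['password'\][[:space:]]*=/d" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    grep -q "ForceSSL" "$f" || printf '%s\n' "\$cfg['ForceSSL'] = true;" >> "$f"
}

# check_pma_config FILE: 0 when a real MySQL login is required ('http', or the
# 'cookie' login form) and SSL is forced; prints what is still wrong otherwise.
check_pma_config() {
    f=$1; rc=0
    grep -Eq "\['auth_type'\][[:space:]]*=[[:space:]]*'(http|cookie)'" "$f" || { echo "auth_type still 'config'"; rc=1; }
    grep -q "\['password'\]" "$f" && { echo "plain-text password still stored"; rc=1; }
    grep -q "\['ForceSSL'\][[:space:]]*=[[:space:]]*true" "$f" || { echo "ForceSSL not set"; rc=1; }
    return $rc
}
```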