Andrei Andrei - 4 years ago 269
SQL Question

How to secure phpMyAdmin

I have noticed that there are strange requests to my website trying to find phpmyadmin, like

/phpmyadmin/
/pma/


etc.

Now I have installed PMA on Ubuntu via apt and would like to access it via webaddress different from /phpmyadmin/. What can I do to change it?

Thanks




Update

For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file
/etc/apache2/conf.d/phpmyadmin.conf
which is a link to
/etc/phpmyadmin/apache.conf
. The file contains

Alias /phpmyadmin /usr/share/phpmyadmin


where the first
/phpmyadmin
should be changed to something different if one wants to avoid the unnecessary activity, e.g.:

Alias /secret /usr/share/phpmyadmin

Answer Source

The biggest threat is that an attacker could leverage a vulnerability such as; directory traversal, or using SQL Injection to call load_file() to read the plain text username/password in the configuration file and then Login using phpmyadmin or over tcp port 3306. As a pentester I have used this attack pattern to compromise a system.

Here is a great way to lock down phpmyadmin:

  • DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpmyadmin can be configured to use "Cookie Auth" to limit what user can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have grant or file_priv.
  • Remove file_priv permissions from every account. file_priv is one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor.
  • Whitelist IP address who have access to the phpmyadmin interface. Here is an example .htaccess reulset:
Order deny,allow
Deny from all
allow from 199.166.210.1
  • Do not have a predictable file location like: http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.

  • Firewall off tcp port 3306 so that it cannot be accessed by an attacker.

  • Use HTTPS, otherwise data and passwords can be leaked to an attacker. If you don't want to fork out the $30 for a cert, then use a self-signed. You'll accept it once, and even if it was changed due to a MITM you'll be notified.
Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download