How to secure phpmyadmin installation?

Almost people install phpmyadmin to manage mysql database and then they forget to secure it. It ‘s very important to do this part to make sure no one can touch to your phpmyadmin panel.

phpmyadmin-secure

Install phpmyadmin

If you didn’t install phpmyadmin on ubuntu then you can install it by this simple command line

[code lang=”shell”]sudo apt-get install phpmyadmin[/code]

Setup public phpmyadmin URL

After install phpmyadmin you can’t access it via public URL, let’s do these things to make it work

sudo nano /etc/apache2/apache2.conf

Add the phpmyadmin config to the file:

Include /etc/phpmyadmin/apache.conf

then restart apache:

sudo service apache2 restart

Secure PHPmyadmin access

This is the main step for us to secure phpmyadmin
Security
Unfortunately older versions of phpMyAdmin have had serious security vulnerabilities including allowing remote users to eventually exploit root on the underlying virtual private server. One can prevent a majority of these attacks through a simple process: locking down the entire directory with Apache’s native user/password restrictions which will prevent these remote users from even attempting to exploit older versions of phpMyAdmin.

Set Up the .htaccess File

To set this up start off by allowing the .htaccess file to work within the phpmyadmin directory. You can accomplish this in the phpmyadmin configuration file:

sudo nano /etc/phpmyadmin/apache.conf
Under the directory section, add the line “AllowOverride All” under “Directory Index”, making the section look like this:

[code lang=”shell”]
Options FollowSymLinks
DirectoryIndex index.php
AllowOverride All
[…]

[/code]

Configure the .htaccess file

With the .htaccess file allowed, we can proceed to set up a native user whose login would be required to even access the phpmyadmin login page.

Start by creating the .htaccess page in the phpmyadmin directory:

sudo nano /usr/share/phpmyadmin/.htaccess
Follow up by setting up the user authorization within .htaccess file. Copy and paste the following text in:

[code lang=”shell”]

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/.phpmyadmin.htpasswd
Require valid-user
Below you’ll see a quick explanation of each line

[/code]

  • AuthType: This refers to the type of authentication that will be used to the check the passwords. The passwords are checked via HTTP and the keyword Basic should not be changed.
  • AuthName: This is text that will be displayed at the password prompt. You can put anything here.
  • AuthUserFile: This line designates the server path to the password file (which we will create in the next step.)
  • Require valid-user: This line tells the .htaccess file that only users defined in the password file can access the phpMyAdmin login screen.

Create the htpasswd file

Now we will go ahead and create the valid user information.

Start by creating a htpasswd file. Use the htpasswd command, and place the file in a directory of your choice as long as it is not accessible from a browser. Although you can name the password file whatever you prefer, the convention is to name it .htpasswd.

sudo htpasswd -c /etc/apache2/.phpmyadmin.htpasswd username

A prompt will ask you to provide and confirm your password.

Once the username and passwords pair are saved you can see that the password is encrypted in the file.

FInish up by restarting apache:

sudo service apache2 restart

Accessing phpMyAdmin

phpMyAdmin will now be much more secure since only authorized users will be able to reach the login page. Accessing youripaddress/phpmyadmin should display a screen like this.

screen

Fill it in with the username and password that you generated. After you login you can access phpmyadmin with the MySQL username and password.