How to Protect and Secure PHPMyAdmin in Production Server?

Posted by

What is phpMyAdmin?

A cross-platform, free, open-source, and PHP-based web programme called phpMyAdmin provides a straightforward, robust, and practical browser-based graphical user interface (GUI) for working with MySQL databases. It simplifies the process of establishing, maintaining and configuring MySQL databases simpler and much more efficiently.

Why Secure phpMyAdmin?

Developers and system administrators use phpMyAdmin extensively in both development and production settings. Given the type of data it is used to create and maintain, it is consequently essential to safeguard.

phpMyAdmin Features

Some of the main functions of phpMyAdmin are as follows:

  • Execute standard SQL queries.
  • Create, modify and remove users and user permissions.
  • Create, modify and remove databases, tables, rows and fields.
  • Search for objects in databases and tables.
  • Backup your MySQL databases.

Before you Begin

You need a Linux server running the following services in order to install and secure phpMyAdmin:

  • Apache2
  • MySQL 8 or above
  • PHP

The three necessary pieces of software are also often known as a LAMP stack. On Ubuntu 20.04, perform the subsequent procedures to install all the prerequisite software:

  1. Install Apache 2.4 from the Ubuntu repository:
sudo apt install apache2

2. Install the mysql-server package:

sudo apt install mysql-server

3. Install MySQL support, Apache support, PHP Extension and Application Repository:

sudo apt install php libapache2-mod-php php-mysql

Optionally, install additional cURL, JSON, and CGI support:

sudo apt install php-curl php-json php-cgi

Creating a MySQL User

It is usually advised to avoid utilizing the root user account and to create a distinct database user for each application.

  1. To create a new MySQL user, you can login to MySQL with the following command:
sudo mysql -u root

2. Enter the following command to create a new user, changing the variables user and password to your own values.

CREATE USER 'user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password';

3. Give the user administrative rights after creating them. You can accomplish this by executing the subsequent command:

GRANT ALL PRIVILEGES ON *.* TO 'user'@'localhost' WITH GRANT OPTION;

4. Exit MySQL by running the following command:

 exit

Install phpMyAdmin

  1. You may install phpMyAdmin by typing the following command into your terminal:
sudo apt-get install phpmyadmin php-json php-curl php-mbstring php-zip php-gd

2. Indicate the web server technology you’re using, and make sure the default web server is set to Apache.

  1. You will be prompted to use dbconfig-common to configure the database for phpMyAdmin during the installation process. Click “yes” to continue.
  1. Additionally, phpMyAdmin will ask you to provide an application password. To enter phpMyAdmin as an administrator, type a strong, one-of-a-kind password and click OK.
  1. You must enable the PHP mbstring module after installing phpMyAdmin. To do this, type the following command into the terminal:
 sudo phpenmod mbstring

2. After enabling the mbstring module, you will need to restart the apache2 service. To restart the service, run the following command in the terminal:

sudo systemctl restart apache2

Configuring phpMyAdmin To Work With Apache2

It is necessary to build a symlink for some configuration files in order for phpMyAdmin to access them in order to enable phpMyAdmin access with Apache2. The following command can be entered to finish this:

sudo ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf

Following the creation of the symlinks, apache2 must be restarted and the configuration files activated in phpMyAdmin:

sudo a2enconf phpmyadmin

sudo systemctl reload apache2

You can use the following syntax to open the phpMyAdmin homepage in your web browser after restarting Apache2:

http://<SERVER IP>/phpmyadmin

Using the credentials that were generated at the installation prompt for phpMyAdmin, you can finish logging in.

Changing phpMyAdmin Alias

Changing the default directory alias used to access phpMyAdmin is the first step towards protecting phpMyAdmin. By default, any user can access phpMyAdmin by browsing the server URL: https:///phpmyadmin.

Because attackers are aware of the directory name and have unrestricted access to it, this presents a security risk. To lessen this, you can make a new alias and modify the URL that the login page is viewed by doing the following:

  1. Using your preferred text editor, open the /etc/phpmyadmin/apache.conf file and locate the Alias section, which by default looks like this:

2. As shown in the following file, it is advised to add characters produced by a random string generator to the initial phpmyadmin Alias item in order to modify and create a suffix for the alias name:

File: /etc/phpmyadmin/apache.conf

3. Once the alias has been created, restart apache:

 sudo systemctl reload apache2

The Alias will now be used as the directory used to access the phpMyAdmin home page.

Setting Up Password-Based Authentication

You can additionally integrate a username and password authentication form using the apache2 authentication functionality as an extra security measure. This form will be set up to offer an extra layer of protection over the phpMyAdmin directory/URL.

  1. First, modify the phpMyAdmin apache2 configuration file located in /etc/phpmyadmin/apache.conf by adding the AllowOverride option under the directory configuration. This gives you the ability to override any Apache2 configurations found in the.htaccess file. The following should be reflected in your apache.conf file:

File: /etc/phpmyadmin/apache.conf

2. Now that you have the.htaccess configuration file created in the default phpMyAdmin directory, you can configure Apache2 authentication. It is necessary to generate the file /usr/share/phpmyadmin/.htaccess. Following file creation, you can create the authentication configuration using the steps outlined below:

File: /usr/share/phpmyadmin/.htaccess

3. You must now create the user and password for the authentication form after creating the settings. The.htaccess file with the credentials will be kept at /etc/phpmyadmin/.htpasswd, as mentioned in the /usr/share/phpmyadmin/.htaccess file. Using the htpasswd software, create the user and password as follows, substituting with the desired username:

sudo htpasswd -c /etc/phpmyadmin/.htpasswd <user>

You will be prompted to specify a new secure password. It is recommended that this password is unique from the phpMyAdmin password.

4. You can now restart apache2 to apply the configuration and activate the additional layer of authentication.

 sudo systemctl reload apache2

Restricting Access to a Specific IP Address

Restricting access to phpMyAdmin to a particular IP address or range of IP addresses is another security precaution you can take. This is a great security setup if your IP address is static; if it’s dynamic, you risk being locked out whenever the IP address changes.

Use the steps listed below to configure IP-based restriction:

  1. Under the /usr/share/phpmyadmin directory configuration, IP-based access and restriction can be set in the /etc/phpmyadmin/apache.conf file. Add the following settings, shown below, to the file to restrict access to a particular IP or subnet and allow access to all other IPs. Be careful to replace the IP address with one or more of your own IP addresses.

File: /etc/phpmyadmin/apache.conf

The full configuration file should now be similar to the following:

File: /etc/phpmyadmin/apache.conf

2. After adding your IP address configuration, restart apache2 to apply it:

 sudo systemctl reload apache2

All access will be blocked by this setup, with the exception of those who match or own the IP address you have provided. An undefined IP address will obtain a Forbidden response if it tries to access phpMyAdmin.

Custom PHP Configuration

To further enhance the security of phpMyAdmin, you can apply particular PHP configurations by changing the cookie authentication parameters and removing any server or system information.

  1. You will need to edit the /etc/phpmyadmin/config.inc.php file in order to add our unique PHP options. You must include the following in the area of the file designated for a custom configuration:

File: /etc/phpmyadmin/config.inc.php

By altering the default cookie validity time, these configuration options will cause users to be automatically logged out after a certain amount of time. Additionally, it will keep users from erasing databases and will leave server details out of phpMyAdmin.

  1. After adding the configurations, restart apache2 to apply the changes:
 sudo systemctl reload apache2
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x