Nov 18

Unfortunately, older versions of phpMyAdmin have had serious security vulnerabilities, including some that allowed remote users to eventually gain root on the underlying server. You can prevent the majority of these attacks by locking down the entire phpMyAdmin directory with Apache's native user/password restrictions (HTTP Basic authentication). Follow the steps below to stop remote users from even reaching your phpMyAdmin login page.

Set Up the .htaccess File

We start by allowing the .htaccess file to work within the phpmyadmin directory. This is done by modifying the phpMyAdmin Apache configuration file.

PuTTY or SSH into your server and type the command below to get started. Leave the SSH session open; you'll need it again!
sudo nano /etc/phpmyadmin/apache.conf

Inside the <Directory /usr/share/phpmyadmin> section, add the line AllowOverride All directly below the DirectoryIndex line (no quotes around it), so the section looks like this:

<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
AllowOverride All
</Directory>

Hit Ctrl+X to save and exit nano.

With .htaccess files allowed, we can set up an Apache user whose login will be required to even reach the phpMyAdmin login page.

From the open PuTTY or SSH session, type:
sudo nano /usr/share/phpmyadmin/.htaccess

Now we need to set up user authorization within the new .htaccess file. Copy and paste the following text in (use straight quotes; curly quotes copied from a web page will break the AuthName directive):

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/.phpmyadmin.htpasswd
Require valid-user

Below you'll see a quick explanation of each line:

  • AuthType: This refers to the type of authentication that will be used to check the passwords. Basic means HTTP Basic authentication, and the keyword should not be changed. Note that Basic sends the username and password base64-encoded, not encrypted, so serve phpMyAdmin over HTTPS.
  • AuthName: This is the text that will be displayed at the password prompt. You can put anything here.
  • AuthUserFile: This line designates the server path to the password file (which we will create in the next step).
  • Require valid-user: This line tells Apache that only users defined in the password file can access the phpMyAdmin login screen.

Now we will go ahead and create the valid user information.
Use the htpasswd command, and place the file in a directory of your choice as long as it is not accessible from a browser. Although you can name the password file whatever you prefer, the convention is to name it .htpasswd.

From the open PuTTY or SSH session, type the following, replacing username with the username you want to use:
sudo htpasswd -c /etc/apache2/.phpmyadmin.htpasswd username

A prompt will ask you to provide and confirm your password.
Once the username and password pair is saved, you can see in the file that the password is stored as a hash rather than in plain text.

Now, from the open PuTTY session, restart Apache:
sudo service apache2 restart
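The whole procedure above, as an added shell example that is not part of the original post: it renders the .htaccess from the tutorial, checks the two slips that quietly leave phpMyAdmin exposed (a password file placed inside the web-served directory, and an Apache section that never got AllowOverride All), and wraps htpasswd so that an existing password file is not overwritten by a second -c. The paths are the tutorial's; PHPMYADMIN_DIR and PASSFILE are assumed environment overrides, and add_user only works where apache2-utils is installed.

```shell
#!/bin/sh
# Example script (not from the original post). Paths default to the
# tutorial's; override PHPMYADMIN_DIR / PASSFILE in the environment.
PHPMYADMIN_DIR="${PHPMYADMIN_DIR:-/usr/share/phpmyadmin}"
PASSFILE="${PASSFILE:-/etc/apache2/.phpmyadmin.htpasswd}"

# Print the .htaccess body for a given password-file path.
# Straight quotes only: curly quotes pasted from a web page break AuthName.
render_htaccess() {
    passfile="$1"
    printf '%s\n' \
        "AuthType Basic" \
        "AuthName \"Restricted Files\"" \
        "AuthUserFile $passfile" \
        "Require valid-user"
}

# Return 0 if PATH lies under ROOT, i.e. Apache could serve it to a browser.
# The password file must NOT be under the phpMyAdmin directory.
path_is_under() {
    root="${1%/}"
    case "$2" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the apache.conf text passed as $1 enables .htaccess processing.
conf_allows_override() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*AllowOverride[[:space:]]+All'
}

# Write the .htaccess into the phpMyAdmin directory, refusing an exposed passfile.
install_htaccess() {
    dir="$1"; passfile="$2"
    if path_is_under "$dir" "$passfile"; then
        echo "refusing: $passfile would be served from $dir" >&2
        return 1
    fi
    render_htaccess "$passfile" > "$dir/.htaccess"
}

# Create or update a user with bcrypt hashes (htpasswd -B, Apache 2.4+).
# -c is only passed when the file does not exist yet: re-running the
# tutorial's "htpasswd -c" for a second user would wipe the first one.
add_user() {
    passfile="$1"; user="$2"
    command -v htpasswd >/dev/null 2>&1 || {
        echo "htpasswd not found; install apache2-utils" >&2; return 1; }
    if [ -f "$passfile" ]; then
        htpasswd -B "$passfile" "$user"
    else
        htpasswd -c -B "$passfile" "$user"
    fi
    chmod 640 "$passfile"
}
```

To use it on a real server, source the file and run `install_htaccess "$PHPMYADMIN_DIR" "$PASSFILE"` followed by `add_user "$PASSFILE" alice` as root, then `apache2ctl configtest` and the service restart from the tutorial.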

Apache will now allow only the authorized user to reach the phpMyAdmin login page. Browsing to youripaddress/phpmyadmin should display the browser's username/password prompt before any phpMyAdmin page appears.

Once you enter a valid username and password, you can log in to phpMyAdmin with the MySQL username and password as before.
