phpMyAdmin Security

[D. Strout]

Going through some logs just now and I saw a few interesting entries such as:



[Wed May 01 04:18:18 2013] [error] [client 198.7.63.79] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec
[Wed May 01 04:18:18 2013] [error] [client 198.7.63.79] File does not exist: /var/www/phpMyAdmin
[Wed May 01 04:18:18 2013] [error] [client 198.7.63.79] File does not exist: /var/www/phpmyadmin
[Wed May 01 04:18:18 2013] [error] [client 198.7.63.79] File does not exist: /var/www/pma
[Wed May 01 04:18:18 2013] [error] [client 198.7.63.79] File does not exist: /var/www/myadmin
[Wed May 01 04:18:19 2013] [error] [client 198.7.63.79] File does not exist: /var/www/MyAdmin
[Wed May 01 04:18:20 2013] [error] [client 198.7.63.79] File does not exist: /var/www/scripts
[Wed May 01 04:18:20 2013] [error] [client 198.7.63.79] File does not exist: /var/www/admin
[Wed May 01 04:18:23 2013] [error] [client 198.7.63.79] File does not exist: /var/www/admin
[Wed May 01 04:18:23 2013] [error] [client 198.7.63.79] File does not exist: /var/www/db
[Wed May 01 04:18:23 2013] [error] [client 198.7.63.79] File does not exist: /var/www/dbadmin
[Wed May 01 04:18:26 2013] [error] [client 198.7.63.79] File does not exist: /var/www/mysql
[Wed May 01 04:18:35 2013] [error] [client 198.7.63.79] File does not exist: /var/www/phpMyAdmin
[Wed May 01 04:18:44 2013] [error] [client 198.7.63.79] File does not exist: /var/www/pma
[Wed May 01 04:18:47 2013] [error] [client 198.7.63.79] File does not exist: /var/www/xampp
Those are a few of the 85 log lines of "not found" from that IP (with Leaseweb in Manassas, VA, incidentally) trying to get through to admin programs over a period of 1 minute and 26 seconds, tipping the maxclients number just once. They're never going to find phpMyAdmin that way. I keep it in a subfolder of the /var/www folder named "dne" (do not enter), with access denied to all clients* except a few from a specific IP range. I'm curious what y'all do to protect things like phpMyAdmin that bots try to find on your server.

I do have an interesting method of revenge, though. On one server I used to have, I did the same pma setup, but then in /var/www/phpmyadmin I put an index.htm that had an embedded YouTube video. http://www.youtube.com/watch?v=dQw4w9WgXcQ, in fact.

*Offtopic, but is anyone else bothered by how a lowercase "C" and a lowercase "L" side by side look like a lowercase "D"?

 

[WebSearchingPro]

Couldn't a fail2ban rule be created to block anyone who tries to access multiple directories that don't exist. 

I'm curious how this could be prevented too.

 

[MCH-Phil]

Couldn't a fail2ban rule be created to block anyone who tries to access multiple directories that don't exist. 

I'm curious how this could be prevented too.

CSF allows for this

You will fill up iptables pretty quickly with this and hosting more then a handful of domains.  If anyone doesn't realize.

 

[Feefty]

i'm not sure if this is effective but what i did is hashed the folder name and bookmarked it. i'm using dynamic ip so i can't use the ip restriction thing.

 

[blergh]

I usually just chmod it when i need it, usually works. If you need permanent access you should probably rename the dir + password-prompt + fail2ban it.

 

[D. Strout]

i'm using dynamic ip so i can't use the ip restriction thing.

I have a dynamic IP too, but it doesn't change very often, maybe once a week. So when it does I SSH in and change the allowed IP. chmodding works too I suppose.

 

[mikho]

I use adminer.php that I move in and out of a web accesible directory.

 

[VPN.SH]

i'm using dynamic ip so i can't use the ip restriction thing.

Could always setup a VPS to use a VPN and then only allow it from that IP?

 

[mikho]

Could always setup a VPS to use a VPN and then only allow it from that IP?

But then you also need to secure that VPS

 

[acd]

Auth cookie in nginx location similar to this:

https://gist.github.com/rnorth/2031652

Super easy to set up a login page that issues the cookies and makes the files and a cron job to clean out old ones.

edit: for the record, I don't have any actual phpMyAdmin installs, I just do this for any script I don't want to modify and needs to be "secured" in the loosest sense of the word.

 

[Mon5t3r]

I'm still wondering why somebody/some control panel still use phpmyadmin for their default db management. :| (mostly i always use adminer and/or sqlbuddy for all my clients)

 

[vanarp]

I'm still wondering why somebody/some control panel still use phpmyadmin for their default db management. :| (mostly i always use adminer and/or sqlbuddy for all my clients)

 
Why do you think like that?

 

[wlanboy]

It depends. I do prefer desktop clients too. SSH into the box to get access to the MySQL server listening only on localhost.

But if someone else needs access to the db ... well you won't give them ssh or openvpn keys.

Easiest way to secure phpMyAdmin: Create .htaccess file and limit the access to a user/password combination.

Running phpMyAdmin as a public service is a bad idea.

 

[johnlth93]

i simply put a lame basic auth with unusual folder name  <_<

 

[vanarp]

I use Tuxlite script that offers the ability to turn it On and Off as needed. Basically it creates symbolic links when turned On and drops them when turned Off.

 

[Mon5t3r]

Why do you think like that?

 fact, not my thought. Here's some short list for that :

WHM/cPanel : phpmyadmin

Kloxo : phpmyadmin

ISPConfig : phpmyadmin

Froxlor : phpmyadmin

Directadmin : phpmyadmin

Others : don't know.