amuck-landowner

phpMyAdmin Security

D. Strout

Resident IPv6 Proponent
Going through some logs just now and I saw a few interesting entries such as:



[Wed May 01 04:18:18 2013] [error] [client 198.7.63.79] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[Wed May 01 04:18:18 2013] [error] [client 198.7.63.79] File does not exist: /var/www/phpMyAdmin
[Wed May 01 04:18:18 2013] [error] [client 198.7.63.79] File does not exist: /var/www/phpmyadmin
[Wed May 01 04:18:18 2013] [error] [client 198.7.63.79] File does not exist: /var/www/pma
[Wed May 01 04:18:18 2013] [error] [client 198.7.63.79] File does not exist: /var/www/myadmin
[Wed May 01 04:18:19 2013] [error] [client 198.7.63.79] File does not exist: /var/www/MyAdmin
[Wed May 01 04:18:20 2013] [error] [client 198.7.63.79] File does not exist: /var/www/scripts
[Wed May 01 04:18:20 2013] [error] [client 198.7.63.79] File does not exist: /var/www/admin
[Wed May 01 04:18:23 2013] [error] [client 198.7.63.79] File does not exist: /var/www/admin
[Wed May 01 04:18:23 2013] [error] [client 198.7.63.79] File does not exist: /var/www/db
[Wed May 01 04:18:23 2013] [error] [client 198.7.63.79] File does not exist: /var/www/dbadmin
[Wed May 01 04:18:26 2013] [error] [client 198.7.63.79] File does not exist: /var/www/mysql
[Wed May 01 04:18:35 2013] [error] [client 198.7.63.79] File does not exist: /var/www/phpMyAdmin
[Wed May 01 04:18:44 2013] [error] [client 198.7.63.79] File does not exist: /var/www/pma
[Wed May 01 04:18:47 2013] [error] [client 198.7.63.79] File does not exist: /var/www/xampp
Those are a few of the 85 log lines of "not found" from that IP (with Leaseweb in Manassas, VA, incidentally) trying to get through to admin programs over a period of 1 minute and 26 seconds, tipping the maxclients number just once. They're never going to find phpMyAdmin that way. I keep it in a subfolder of the /var/www folder named "dne" (do not enter), with access denied to all clients* except a few from a specific IP range. I'm curious what y'all do to protect things like phpMyAdmin that bots try to find on your server.

I do have an interesting method of revenge, though. On one server I used to have, I did the same pma setup, but then in /var/www/phpmyadmin I put an index.htm that had an embedded YouTube video. http://www.youtube.com/watch?v=dQw4w9WgXcQ, in fact.

*Offtopic, but is anyone else bothered by how a lowercase "C" and a lowercase "L" side by side look like a lowercase "D"?
 
Last edited by a moderator:

WebSearchingPro

VPS Peddler
Verified Provider
Couldn't a fail2ban rule be created to block anyone who tries to access multiple directories that don't exist. 

I'm curious how this could be prevented too.
 

MCH-Phil

New Member
Verified Provider
Couldn't a fail2ban rule be created to block anyone who tries to access multiple directories that don't exist. 

I'm curious how this could be prevented too.
CSF allows for this :p

You will fill up iptables pretty quickly with this and hosting more then a handful of domains.  If anyone doesn't realize. :D
 
Last edited by a moderator:

Feefty

New Member
i'm not sure if this is effective but what i did is hashed the folder name and bookmarked it. i'm using dynamic ip so i can't use the ip restriction thing.
 

blergh

New Member
Verified Provider
I usually just chmod it when i need it, usually works. If you need permanent access you should probably rename the dir + password-prompt + fail2ban it.
 

D. Strout

Resident IPv6 Proponent
i'm using dynamic ip so i can't use the ip restriction thing.
I have a dynamic IP too, but it doesn't change very often, maybe once a week. So when it does I SSH in and change the allowed IP. chmodding works too I suppose.
 

mikho

Not to be taken seriously, ever!
I use adminer.php that I move in and out of a web accesible directory.
 

acd

New Member
Auth cookie in nginx location similar to this:

https://gist.github.com/rnorth/2031652

Super easy to set up a login page that issues the cookies and makes the files and a cron job to clean out old ones.

edit: for the record, I don't have any actual phpMyAdmin installs, I just do this for any script I don't want to modify and needs to be "secured" in the loosest sense of the word.
 
Last edited by a moderator:

Mon5t3r

New Member
I'm still wondering why somebody/some control panel still use phpmyadmin for their default db management. :| (mostly i always use adminer and/or sqlbuddy for all my clients)
 
Last edited by a moderator:

wlanboy

Content Contributer
It depends. I do prefer desktop clients too. SSH into the box to get access to the MySQL server listening only on localhost.

But if someone else needs access to the db ... well you won't give them ssh or openvpn keys.

Easiest way to secure phpMyAdmin: Create .htaccess file and limit the access to a user/password combination.

Running phpMyAdmin as a public service is a bad idea.
 

vanarp

Active Member
I use Tuxlite script that offers the ability to turn it On and Off as needed. Basically it creates symbolic links when turned On and drops them when turned Off.
 
Top
amuck-landowner