
Securing phpMyAdmin with htaccess

PostPosted: Fri May 15, 2020 8:20 am
by carpenox
I just did it, so I figured I'd share the process in case someone wants to do it:

Code:

####Securing phpMyAdmin#####

nano /etc/apache2/conf.d/phpMyAdmin.conf

###change the following:

<Directory /usr/share/phpMyAdmin>

    Options FollowSymLinks
    # AllowOverride was "None"; it must allow AuthConfig (or All) for Apache to read the .htaccess below.
    # Apache does not accept comments on the same line as a directive, so keep notes on their own line.
    AllowOverride All

    <IfVersion < 2.4>
        Order Deny,Allow
        Allow from all
    </IfVersion>

    # ... rest of the block unchanged
</Directory>

###save and exit

nano /usr/share/phpMyAdmin/.htaccess

####Enter the following:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpMyAdmin/.htpasswd
Require valid-user

###save and exit

zypper install apache2-utils

# -c creates the file; leave it off when adding further users to an existing file.
# On some openSUSE releases the tool is installed as htpasswd2.
htpasswd -c /etc/phpMyAdmin/.htpasswd whatever.username.u.want
Password: enter the password you want

##restart apache (the openSUSE service is named apache2, not apache)
service apache2 restart or systemctl restart apache2

###go to your phpmyadmin

http://server.ip/phpMyAdmin


##Enjoy



If anyone tries it, please let me know if it works for you so I know if I need to alter the instructions at all, thanks.

-Nox
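As an added example that is not part of the post above, the script below does the two things a practitioner would want around that password file: create it with a bcrypt hash rather than the default MD5, with ownership and mode that keep it readable by Apache only, and audit an existing htpasswd file for entries stored in weak formats (unsalted {SHA}, traditional crypt, or plaintext). It assumes the openSUSE layout from the post (/etc/phpMyAdmin/.htpasswd, Apache running as user wwwrun, and the tool possibly being named htpasswd2); the entries in the demo are constructed sample data, not a real password file.

```shell
#!/bin/sh
# Added example, not code from the forum post.
# Assumptions: file path from the post, Apache user "wwwrun" (SUSE default),
# htpasswd may be shipped as htpasswd2 on some openSUSE releases.
set -eu

HTPASSWD_FILE="/etc/phpMyAdmin/.htpasswd"

# Pick whichever htpasswd binary this distribution installed.
htpasswd_bin() {
    if command -v htpasswd >/dev/null 2>&1; then echo htpasswd
    elif command -v htpasswd2 >/dev/null 2>&1; then echo htpasswd2
    else return 1; fi
}

# Create (or replace) the file for the first user with a bcrypt hash:
# -c creates the file, -B selects bcrypt, -C 12 sets the bcrypt cost.
# Drop -c when adding more users to an existing file.
create_htpasswd() {
    user="$1"
    bin="$(htpasswd_bin)"
    "$bin" -c -B -C 12 "$HTPASSWD_FILE" "$user"   # prompts for the password
    chown root:wwwrun "$HTPASSWD_FILE"
    chmod 0640 "$HTPASSWD_FILE"                   # root writes, Apache reads, nobody else
}

# Classify one stored hash. bcrypt and apr1 (salted, iterated MD5) are the
# formats htpasswd produces with -B and -m; everything else is weak.
hash_class() {
    case "$1" in
        '$2y$'*|'$2b$'*|'$2a$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1 ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        *) if [ "${#1}" -eq 13 ]; then echo crypt; else echo plaintext; fi ;;
    esac
}

# Print "user class" for every entry in FILE whose hash format is weak.
weak_htpasswd_entries() {
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        class="$(hash_class "$hash")"
        case "$class" in
            bcrypt|apr1) ;;
            *) printf '%s %s\n' "$user" "$class" ;;
        esac
    done < "$1"
}

# Constructed sample file (not a real password file) to show the audit output.
demo_audit() {
    tmp="$(mktemp)"
    printf '%s\n' \
        'alice:$2y$05$abcdefghijklmnopqrstuuOGeA4OVF0j1gTJ2s1Ks6LpOdXCZzxK' \
        'bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=' \
        'carol:$apr1$saltsalt$abcdefghijklmnopqrstuv' \
        'dave:password' > "$tmp"
    weak_htpasswd_entries "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    --demo) demo_audit ;;
esac
```

Run it with `--demo` to see the audit flag bob and dave; point `weak_htpasswd_entries` at a real file to check it. Two caveats that the post's steps leave implicit: Basic auth sends `base64(user:password)` on every request, so over `http://server.ip/phpMyAdmin` the credential is readable by anyone on the path, and the scheme only makes sense once the site is served over HTTPS; and the `.htaccess` file is placed inside the web root, so confirm that Apache's usual `<Files ".ht*"> Require all denied` rule is in effect on the server, otherwise the file can be fetched directly.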

Re: Securing phpMyAdmin with htaccess

PostPosted: Fri May 15, 2020 9:18 am
by williamconley
If I recall correctly, turning on .htaccess is a universal setting. It's either ON for all directories on all sites ... or it's not. But once you turn it on, the system now must check every folder for the presence of that file. On heavily used systems this can present a load issue.

However, you can use a .conf setup that does not involve any .htaccess files:

Code:
# Protect phpMyAdmin folder from attacks
# use htpasswd2 /srv/www/passwd/phpmyadmin newuser to add new users
# (add -c the first time to create the file, and delete unauthorized users from that file)
# requires service apache2 restart to take effect
<Directory /srv/www/htdocs/phpMyAdmin>
        AllowOverride None
        <IfModule !mod_access_compat.c>
                Require valid-user
        </IfModule>
        <IfModule mod_access_compat.c>
                Order allow,deny
                Allow from all
        </IfModule>
        AuthType Basic
        AuthName "phpMyAdmin -- Authorized Managers Only -- "
        AuthUserFile /srv/www/passwd/phpmyadmin
        Require valid-user
</Directory>


Depending on your version and conf files, we generally place this directly beneath the end of Directory "/srv/www/cgi-bin" in default-server.conf, although there is now a conf.d/phpMyAdmin.conf file which may be a better fit; we just haven't moved it there yet.

.htaccess is really designed for use by those who only have FTP access to their sites because they have a web host service and don't actually control the entire server.

Re: Securing phpMyAdmin with htaccess

PostPosted: Fri May 15, 2020 10:52 am
by carpenox
I just figured that for those who MIGHT use the default cron and 1234 for some reason, lol, they may want to secure their shit better.

Re: Securing phpMyAdmin with htaccess

PostPosted: Fri May 15, 2020 12:49 pm
by williamconley
Pretty much everyone does. Which is why we use whitelisting and (of course) lock phpMyAdmin.

But DO note that port 3306 (if open) will still supply this information free of charge. Just because you cut off the pretty web interface does not mean MySQL is now secure. 8-)

Options include closing port 3306 to non-VICIdial server IPs and using the MySQL permissions IP limiter in the same way. Both are good.
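The "MySQL permissions IP limiter" mentioned above is the host part of a MySQL account. As an added example that is not from the thread, the statements below audit which accounts accept connections from any host and rebuild the application account so it only works from named dialer hosts. It assumes VICIdial's usual database name (asterisk) and default account name (cron, which the thread mentions alongside the 1234 password); the addresses 10.0.0.11 and 10.0.0.12 and the privilege list are placeholders to adapt to the installation.

```sql
-- Added example, not from the forum post.
-- Assumptions: database "asterisk", application user "cron", made-up dialer
-- addresses 10.0.0.11/10.0.0.12; grant only what the application needs.

-- 1. Audit: accounts reachable from any source address.
SELECT user, host, plugin
  FROM mysql.user
 WHERE host IN ('%', '')
 ORDER BY user;

-- 2. Recreate the application account bound to the dialer hosts, with a
--    strong password instead of the default.
CREATE USER 'cron'@'10.0.0.11' IDENTIFIED BY 'replace-with-a-long-random-secret';
CREATE USER 'cron'@'10.0.0.12' IDENTIFIED BY 'replace-with-a-long-random-secret';
GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES
   ON asterisk.* TO 'cron'@'10.0.0.11', 'cron'@'10.0.0.12';

-- A whole subnet can be allowed with netmask notation instead of one host:
-- CREATE USER 'cron'@'10.0.0.0/255.255.255.0' IDENTIFIED BY '...';

-- 3. Remove the wildcard-host account once every dialer uses the new one
--    (IF EXISTS needs MySQL 5.7 or later).
DROP USER IF EXISTS 'cron'@'%';

-- 4. Verify: the account should appear only with the intended hosts.
SELECT user, host FROM mysql.user WHERE user = 'cron';
SHOW GRANTS FOR 'cron'@'10.0.0.11';
```

The account-level restriction and the firewall rule on 3306 fail independently, which is why the post recommends both: a host-bound account still refuses a connection that slips past the firewall, and the firewall still blocks a brute-force against an account someone forgot to rebind. Setting `bind-address` in the MySQL server config to the interface the dialers actually use is a third, cheap layer of the same idea.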

Re: Securing phpMyAdmin with htaccess

PostPosted: Fri May 15, 2020 4:14 pm
by carpenox
Yeah, I have all ports locked down to an IP allow list except for 80, 81, 443 and 446.
I do need to switch back over to a whitelist instead of a blacklist now that I have the dynportal working again.
Thanks Bill

Re: Securing phpMyAdmin with htaccess

PostPosted: Fri May 15, 2020 4:25 pm
by williamconley
Is that lockdown applicable to local IPs as well? A local agent with access to port 3306 ... well, actually anyone, local or not, with access to port 3306 gets all your data. Kinda handy if you want to use MySQL Workbench, but awkward if the person using the Workbench is not You. lol

Re: Securing phpMyAdmin with htaccess

PostPosted: Fri May 15, 2020 6:49 pm
by carpenox
There is no one local on that server but me. I would have to be remotely exploited or possibly man-in-the-middled, and it's not like I have sensitive info on there. Plus I am a certified cyber security tech; that's what I do for a living mainly. Plus I'm back getting my bachelor's in computer science, specializing in cyber security and networking. I just got my CCNA through the school; I've had my A+ and Network Pro, next is C|EH (ethical hacker). But seriously, if someone gets into my box, they are good as fuck, but they will regret it, because the amount of fun I'd have hunting them down would consume my time. Like, I find entertainment in that shit; I have a honeypot set up on another server where I leave services open that are "exploitable", and I practice my forensics and tracking down on the few that have tried so far.

Re: Securing phpMyAdmin with htaccess

PostPosted: Fri May 15, 2020 9:03 pm
by williamconley
There is no one local on that server but me.

Good.
Now: Do any agents have access to port 3306? Or any administrators? Or ONLY port 80?
Next: Of course, if someone "gains" access to port 3306, it would be very cool for the IP restriction in MySQL to be in place. Even better if the password wasn't 1234 AND the IP restriction per user were in place. Then all your bases are covered.

We have dozens of honey pot servers. And we've added automated IP and Subnet lockouts that share with each other. One attack on one honey pot and lockout occurs systemwide.

Re: Securing phpMyAdmin with htaccess

PostPosted: Fri May 15, 2020 10:17 pm
by carpenox
I am the only one that has access to any port except 80, 81, 443 and 446. 127.0.0.1 is the only IP that has access to other ports, plus my VPN IP. And I think I'm gonna close 80 and 81 and redirect all to SSL, and MySQL uses *DJ(hef7HW98!er type passwords, all 12 characters, and I don't use cron, custom, etc.