Wednesday, November 7, 2012

Secure PHPMyAdmin

In this tutorial we will see the principles of securing our phpMyAdmin installation. There are a lot of badly coded PHP scripts that malicious users can abuse, but there are some basic things we can do to make PHP more secure.

About phpMyAdmin
phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc.), while you still have the ability to directly execute any SQL statement.


(Note: For the purpose of this tutorial we will use BackBox (based on Ubuntu) as the OS and the latest versions of PHP and phpMyAdmin. There are no guarantees or absolutes in PHP security, so proceed at your own risk.)

Installing phpMyAdmin

We will install the current version of phpMyAdmin on our system using the following command:
apt-get install phpmyadmin
We will be asked by Package Configuration which web server should be automatically configured to run phpMyAdmin. We select our web server and click "OK".


Next we choose the "Yes" option. If you are an advanced database administrator and you want to perform this configuration manually, or if your database has already been installed and configured, you should refuse this option.



In the next step we will provide a password for the administrator account.



Next we will provide a password for the MySQL application.




Configuring phpMyAdmin

The phpmyadmin.conf file is not located alongside /etc/php5/apache2/php.ini by default; running the command below shows the exact directory in which we can find it:
root@liatsisfotis:~# locate phpmyadmin.conf
/etc/apache2/conf.d/phpmyadmin.conf
So, we open the phpmyadmin.conf file using an editor:
sudo nano /etc/apache2/conf.d/phpmyadmin.conf
We will change the alias to something unique. We do that by modifying the following line:
Alias /phpmyadmin /usr/share/phpmyadmin
to
Alias /securepanel /usr/share/phpmyadmin
(Note: The alias "securepanel" is just an example for my phpMyAdmin directory. You can use whatever alias you want instead of phpmyadmin.)

Next we add the following lines to the Directory block below. They force HTTPS, set the authentication name and type, and require a specific user to log in.
<Directory /usr/share/phpmyadmin>

          Options Indexes FollowSymLinks
          DirectoryIndex index.php
          AllowOverride All

          # Redirect every plain-HTTP request to the same URL over HTTPS
          # (requires mod_rewrite to be enabled: a2enmod rewrite)
          RewriteEngine On
          RewriteCond %{HTTPS} off
          RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

          # Deny all hosts unless an explicit Allow directive is included.
          # Order Allow,Deny
          # Allow from 127.0.0.1

          # HTTP Basic authentication in front of phpMyAdmin's own login page
          AuthUserFile /etc/phpmyadmin/.htpasswd
          AuthName Hello
          AuthType Basic
          Require user admin

</Directory>
Next, we must create this password file and add a user with a password. On the terminal we type the following:
htpasswd -c /etc/phpmyadmin/.htpasswd admin
(Note: The -c parameter creates the /etc/phpmyadmin/.htpasswd file; use it only the first time, because it overwrites an existing file. We can replace the admin username with our own, for example: htpasswd -c /etc/phpmyadmin/.htpasswd liatsisfotis)

Finally, we restart the Apache2 web server to enable the changes:
/etc/init.d/apache2 restart
or
apache2ctl configtest
apache2ctl restart

Tip

To check whether an option is present in a file, we can type the following command:
grep Alias /etc/apache2/conf.d/phpmyadmin.conf
Typing the above command gives the following result, which shows the option and its current value.
Alias /phpmyadmin /usr/share/phpmyadmin
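The script below is an added example, not part of the original post. It turns the grep tip above into a small audit of a phpmyadmin.conf: it checks that the Alias no longer uses the default /phpmyadmin path, that plain HTTP is rewritten to HTTPS, and that Basic authentication with a password file and a required user is configured, and it warns about the Indexes option. It needs only a POSIX shell and grep. The two sample configurations it writes to a temporary directory are constructed for the demonstration (one mimics the stock file, the other the result of the steps in this tutorial).

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a phpmyadmin.conf
# for the hardening settings applied above. Uses only grep on the file.

# audit_pma_conf FILE
# Prints one line per check and returns the number of failed checks (0 = hardened).
audit_pma_conf() {
    conf="$1"
    fails=0

    # 1. The Alias must not expose the well-known /phpmyadmin path.
    if grep -Eq '^[[:space:]]*Alias[[:space:]]+/phpmyadmin([[:space:]]|$)' "$conf"; then
        echo "FAIL: default Alias /phpmyadmin is still in use"
        fails=$((fails + 1))
    else
        echo "OK:   Alias does not use the default /phpmyadmin path"
    fi

    # 2. Plain HTTP must be rewritten to HTTPS (RewriteCond on HTTPS off + https:// target).
    if grep -Eq '^[[:space:]]*RewriteCond[[:space:]]+%.HTTPS.[[:space:]]+off' "$conf" &&
       grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*https://' "$conf"; then
        echo "OK:   HTTP requests are redirected to HTTPS"
    else
        echo "FAIL: no HTTPS redirect found"
        fails=$((fails + 1))
    fi

    # 3. Basic authentication needs AuthType Basic, a password file and a required user.
    if grep -Eq '^[[:space:]]*AuthType[[:space:]]+Basic' "$conf" &&
       grep -Eq '^[[:space:]]*AuthUserFile[[:space:]]+/' "$conf" &&
       grep -Eiq '^[[:space:]]*Require[[:space:]]+user[[:space:]]+[^[:space:]]' "$conf"; then
        echo "OK:   Basic authentication with a password file and a required user is set"
    else
        echo "FAIL: Basic authentication is missing or incomplete"
        fails=$((fails + 1))
    fi

    # 4. Advisory only (does not count as a failure): phpMyAdmin needs no directory listings.
    if grep -Eq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+Indexes([[:space:]]|$)' "$conf"; then
        echo "WARN: Options Indexes enables directory listings"
    fi

    return "$fails"
}

# Constructed sample configurations, written to a temporary directory.
PMA_DEMO_DIR=$(mktemp -d)

# Sample 1 (constructed): the stock configuration as installed by the package.
cat > "$PMA_DEMO_DIR/default.conf" <<'EOF'
Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
</Directory>
EOF

# Sample 2 (constructed): the configuration after the steps in this tutorial.
cat > "$PMA_DEMO_DIR/hardened.conf" <<'EOF'
Alias /securepanel /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All

        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

        AuthUserFile /etc/phpmyadmin/.htpasswd
        AuthName Hello
        AuthType Basic
        Require user admin
</Directory>
EOF

# Run the audit on both samples; the files stay in $PMA_DEMO_DIR for inspection.
for f in "$PMA_DEMO_DIR/default.conf" "$PMA_DEMO_DIR/hardened.conf"; do
    echo "== $f"
    audit_pma_conf "$f" || echo "   -> $? check(s) failed"
done
```

Run it against the real file with audit_pma_conf /etc/apache2/conf.d/phpmyadmin.conf after editing; a non-zero return value means at least one of the three hardening steps is missing, which makes the script convenient as a final check before apache2ctl configtest and the restart.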

Conclusion 

There are many things we can do to secure PHP and phpMyAdmin. This tutorial describes the basic ones. The best approach is to try every parameter on a localhost web server to figure out what the option does before applying it to the main web server or PHP configuration file.

Designed and Created by Liatsis Fotis for liatsisfotis.com