Improving the security of PHPMyAdmin and rspamd (UI)

Discussion in 'Tips/Tricks/Mods' started by Th0m, Mar 6, 2021.

  1. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Disallow access for certain database users in PHPMyAdmin
    Add this to the end of the PHPMyAdmin config (/usr/share/phpmyadmin/config.inc.php):
    Code:
    // Disallow login from root and ispconfig users
    $cfg['Servers'][$i]['AllowRoot'] = FALSE;
    $cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
    $cfg['Servers'][$i]['AllowDeny']['rules'] = array(
        'deny ispconfig from all',
        'deny debian-sys-maint from all',
    );
    (Thanks @Jesse Norell for this snippet)

    Only allow certain IP addresses to access PHPMyAdmin:
    This guide explains how to do this with Apache2.
    Code:
    sudo nano /etc/apache2/conf-available/phpmyadmin.conf
    Add this under <Directory /usr/share/phpmyadmin>:
    Code:
    AllowOverride AuthConfig
    Now restart Apache2:
    Code:
    sudo systemctl restart apache2
    Open a .htaccess file in the PHPMyAdmin web folder:
    Code:
    sudo nano /usr/share/phpmyadmin/.htaccess
    Add this:
    Code:
    # Allow access from trusted IP addresses:
    <RequireAny>
     Require all denied
     Require ip 93.184.216.34
     Require ip 10.0.64.0/24
    </RequireAny>
    Change the IP address/range to the IP addresses you want to allow.

    Two-factor authentication for PHPMyAdmin
    You can set up two-factor authentication by logging in to PHPMyAdmin and going to settings -> Two-factor authentication.

    Only allow certain IP addresses to access rspamd:
    This guide explains how to do this with Apache2.
    Go to the site you created for your host (for example, mx1.example.com) in the ISPConfig panel. If you followed one of the guides to set up rspamd on the forum, the following snippet has to be used:
    Code:
    <Location /rspamd>
    <RequireAny>
     Require all denied
     Require ip 93.184.216.34
     Require ip 10.0.64.0/24
    </RequireAny>
    </Location>
    Change the IP address/range to the IP addresses you want to allow.

    Make sure to disable the Apps vhost so others can't access it through server1.example.com:8081/rspamd. In the panel, go to System -> Server Config -> server1.example.com -> Web -> Apps Vhost Settings -> Uncheck the "Apps-vhost enabled" checkbox. (Thanks @30uke for mentioning this!)
     
    Last edited: Dec 25, 2021
  2. Wade John Beckett

    Wade John Beckett Member HowtoForge Supporter

    Would there be an option for NGINX?
     
    ahrasis likes this.
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I don't use nginx, so I currently don't have a example for this.
     
    Wade John Beckett likes this.
  4. concept21

    concept21 Active Member

    Nice.

    It seems that Russian bloc is the biggest investors of Ngnix. :cool:

    I like Apache2 myself. It has much more options, easier to configure and now the newest event mpm - very fast! :D
     
    Wade John Beckett likes this.
  5. 30uke

    30uke Active Member HowtoForge Supporter

    Please note: I did follow the guide "https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/" and I did notice rspamd is set at [System] > [Server Config] > [...] > [Mail]
    Take note of "Rspamd URL" and "Rspamd Password"
    rspamd is defined in /etc/apache2/sites-available/apps.vhost and starts with <Location /rspamd>
    I did change the portion
    Code:
      <Location /rspamd>
            Order allow,deny
            Allow from all
      </Location>
    
    into
    Code:
      <Location /rspamd>
      <RequireAny>
        Require all denied
        Require ip 86.nn.nnn.86
        Require ip 2001:nnn:nnnn:73::/64
      </RequireAny>
      </Location>
    Note: IP addresses have been redacted by masking with "n"...
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Good point, I have the Apps vhost disabled so this is no problem for me but as it is enabled by default, I will add this to the thread tomorrow.
     
    30uke likes this.
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I have updated the post, thanks @30uke!
     
    30uke likes this.
  8. Steini86

    Steini86 Active Member

    IMHO, this snippet should also be used for the phpmyadmin case. As the Apache config has to be altered anyway, there is no need to additionally create a .htaccess file. Just place it directly in the config.
     
  9. 30uke

    30uke Active Member HowtoForge Supporter

    In this case: yes. I don't see another way. But I guess best is to avoid this as it might nog survive an update of ISPconfig - but I am not sure if that's true. @Th0m? What would be best practice?
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    iirc this did not work so I used the .htaccess. Not sure. Should test it after the holidays.
     
  11. Steini86

    Steini86 Active Member

    This file is not managed by ispconfig, so it will survive updates. However, it is installed via the apt package manager and will not survive an phpmyadmin update if(!) the user chooses to overwrite config files. But that will also affect the current version (and in both cases you will probably not notice this)
     
    Th0m likes this.
  12. 30uke

    30uke Active Member HowtoForge Supporter

    Good point. Very good point. Thanks.
     
    Steini86 likes this.
  13. fredwave

    fredwave New Member

    Can we have a video of this particular event? how you did yours.
     
  14. Alex Mamatuik

    Alex Mamatuik Member

    Guys, is there same thing can be applied to the mail system to allow access from specific ip addresses only?
     
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Surely, but that works in a completely different way. Just restrict access to certain IP adresses in the firewall on the IMAP and POP3 ports (but not port 25 if you want to be able to receive from other servers)
     
  16. Alex Mamatuik

    Alex Mamatuik Member

    Could you demonstrate some working template?
    Plain syntax portion without an explanation is more, than enough.
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    That really depends on your system and network setup.
     
  18. Alex Mamatuik

    Alex Mamatuik Member

Share This Page