security and access to /phpmyadmin on 3.3.1

Discussion in 'Installation/Configuration' started by Krikey, Feb 15, 2026 at 4:08 PM.

  1. Krikey

    Krikey New Member

    I've noticed that users can access the login page for phpmyadmin from any domain that's hosted on the server, i.e. example.com/phpmyadmin
    I'm not sure if this has always been the case as I've always used the link and icon presented within ISPConfig. Whilst both are just public links, what are your thoughts on security of having this for each and every domain that's hosted as it presents as multiple attack surfaces?
    How would one go about limiting access to only the URL that's listed in the ISPConfig control panel?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the default alias of your OS and not from ISPConfig.

    This has always been the case on Debian and Ubuntu systems with Apache and is not ISPConfig related.

    If you don't want to have it, remove the global phpmyadmin alias of the operating system.

    As this is not an alias from ISPConfig, this is nothing that you do from within ISPConfig. Grep for /phpmyadmin in the /etc/apache2 directory to find the alias and comment it out. ISPConfig makes phpmyadmin available through the apps vhost, which is on port 8081, so you must then change the phpmyadmin URL to port 8081 in ISPConfig under System > Interface > main config so your phpmyadmin icon keeps working.
     
  3. Krikey

    Krikey New Member

    Thanks for speedy replies.
    I've limited access by disabling the apache phpmyadmin.conf and then adding the following to /etc/apache2/sites-available/ispconfig.vhost
    Alias /phpmyadmin /usr/share/phpmyadmin
    <Directory /usr/share/phpmyadmin>
    Require all granted
    </Directory>

    Do you know if there are any plans to provide additional protection to phpmyadmin limiting its access only to authorised and logged in users?
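
Added example, not part of the thread and not ISPConfig code: a bash version of the check till describes (grep for /phpmyadmin under /etc/apache2), extended to also match AliasMatch and ScriptAlias, skip commented-out lines, and report whether each hit sits under a *-enabled directory, which is what changes when phpmyadmin.conf is disabled as in Krikey's reply. The function names, the sample tree and its file names are constructed for illustration; on a real host the function would be pointed at /etc/apache2.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Lists Alias-type directives that publish
# a URL path under an Apache config tree and says whether each one is enabled.

# find_alias_exposure CONF_DIR [URL_PATH]
# Output per hit: STATE<TAB>FILE:LINE<TAB>DIRECTIVE
# STATE is "enabled" for files under a *-enabled directory, otherwise
# "available" (present on disk, live only if something else includes it).
find_alias_exposure() {
    local conf_dir=$1 url_path=${2:-/phpmyadmin} f state
    # -L follows the symlinks in conf-enabled/ and sites-enabled/.
    find -L "$conf_dir" -type f 2>/dev/null | sort | while IFS= read -r f; do
        case $f in
            */*-enabled/*) state=enabled ;;
            *)             state=available ;;
        esac
        awk -v file="$f" -v state="$state" -v want="$url_path" '
            /^[ \t]*#/ { next }                # skip commented-out lines
            {
                d = tolower($1)                # directive names are case-insensitive
                if (d != "alias" && d != "aliasmatch" && d != "scriptalias") next
                target = tolower($2)
                gsub(/"/, "", target)          # Alias "/phpmyadmin" ...
                sub(/^\^/, "", target)         # AliasMatch ^/phpmyadmin...
                if (index(target, tolower(want)) == 1) {   # prefix match
                    line = $0
                    sub(/^[ \t]+/, "", line)
                    printf "%s\t%s:%d\t%s\n", state, file, FNR, line
                }
            }' "$f"
    done
}

# Constructed sample tree in the Debian layout; every file name is made up.
build_sample_tree() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/conf-available" "$t/conf-enabled" "$t/sites-available" "$t/sites-enabled"
    printf 'Alias /phpmyadmin /usr/share/phpmyadmin\n' > "$t/conf-available/phpmyadmin.conf"
    ln -s ../conf-available/phpmyadmin.conf "$t/conf-enabled/phpmyadmin.conf"
    printf '<VirtualHost *:80>\n  # Alias /phpmyadmin /usr/share/phpmyadmin\n</VirtualHost>\n' \
        > "$t/sites-available/example.vhost"
    ln -s ../sites-available/example.vhost "$t/sites-enabled/100-example.vhost"
    echo "$t"
}

tree=$(build_sample_tree)
find_alias_exposure "$tree"
rm -rf "$tree"
```

A hit marked "enabled" in a global conf file is the alias that makes /phpmyadmin reachable on every hosted domain; a hit inside a single vhost file is limited to that vhost.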
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    No, we do not plan that at the moment. Actually, there are no real-world issues with the way it is now. Just take care that you have secure MySQL passwords for our databases.
     
    Krikey likes this.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    But if you feel insecure without additional protection for phpmyadmin, you can always add e.g. a second authentication layer with .htaccess/.htpasswd in front of it and tell your users to use a certain password first before logging into phpmyadmin.
     
  6. Krikey

    Krikey New Member

    I guess coming from Plesk (dirty word?) I was hoping for a similarly limited attack surface for phpmyadmin access. Of course, the client could simply install phpmyadmin themselves but then that's up to them.
    That's not to say Plesk is more secure than ISPConfig but I'd like to reduce the amount of potential access so perhaps httpd auth is the answer.
     
  7. Krikey

    Krikey New Member

    I've got a working version of limiting access to phpmyadmin only to logged in users. It modifies (as above) a couple of existing config files but also adds a file called /usr/local/ispconfig/interface/web/auth_check.php to carry out the session checks along with a /usr/share/phpmyadmin/.user.ini file to allow the file to run successfully.
     
