Hardening phpmyadmin

Discussion in 'Installation/Configuration' started by 30uke, Jan 13, 2019.

  1. 30uke

    30uke Active Member HowtoForge Supporter

    I am looking for a way to secure phpmyadmin.
    # cat /var/log/ispconfig/httpd/*/access.log | egrep -wi 'pma_user=root|pma_password' | awk '{print $1 "\ " $4 "\ " $5 "\ " $7}' [13/Jan/2019:06:28:01 +0100] /phpmyadmin/index.php?pma_username=root&[email protected]$$w0rd&server=1 [13/Jan/2019:13:39:43 +0100] /phpmyadmin/index.php?lang=en&pma_username=popa3d&pma_password=popa3d
    I would like to know if it is possible to block these brute force attacks.
    I am considering to block the IP's when the pma_password is not equal to the current root password.
    I am hoping someone has something like that operational and is willing to share. Thanks!

    I am running:
    Debian Linux Version  9.6
    ISPConfig Version: 3.1.13
    Last edited: Jan 13, 2019
  2. c3n

    c3n Member

    In my opinion the best way to protect all sensitive services, apps, admin panels is to block everything except few IPs. If You dont have public IP, You can order VPN with public IP. Than You go to
    nano /etc/apache2/conf-enabled/phpmyadmin.conf
    and add:
    <Directory /usr/share/phpmyadmin>
    order deny,allow
    deny from all
    allow from YOUR.PUBLIC.IP

    The other option also very good is to make SSH proxy using tunelling. You connect to VPS server via SSH and tunel remote port 80 to 8080 than You can setup in firefox PROXY for 8080 and securely tunel all traffic via SSH to VPS. After SSH connection Your location IP is VPS-IP. Than You can simply secure traffic limiting to this specific IP or... if You connect to VPS which has PHPMYADMIN you can just open firefox with proxy enabled and type: https://localhost/phpmyadmin
    It is simply done on Windows using tunelier https://www.bitvise.com/ssh-client
    tutorial for SSH PROXY:
    IMO this is the best way. Because even If you setup some kind of fail2ban or super security features... server always have to process this traffic and You can just save CPU/RAM... cheers
    30uke likes this.
  3. ahrasis

    ahrasis Well-Known Member

    I think using LE SSL with specific port is enough especially when you want your user to access it as well from elsewhere. You can use different name for it too simply using symlink and open that name and port with ssl in its vhost.
    30uke likes this.
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    As @c3n notes, if you can block access entirely you're better off, but if you need phpmyadmin for customers, here's a fail2ban config for debian 9 (which you could tighten up to match /phpmyadmin urls as well if you follow @ahrasis's suggestion to rename it).

    Jail in /etc/fail2ban/jail.local:
    enabled  = true
    port = http,https
    logpath  = %(apache_access_log)s
    maxretry = 3
    findtime = 600
    bantime  = 3600
    And create /etc/fail2ban/filter.d/phpmyadmin.local with:
    # Fail2ban config file for phpmyadmin filter
    # Author: Jesse Norell
    # in practice the scans all appear to end in /scripts/setup.php,
    # you can restrict to that if you wish
    pmare1 = (php-?(my-?)?(sql-?)?(admin|db|manager?))
    pmare2 = ((php-?)?my-?(sql-?)?(admin|db|manager?))
    pmare3 = ((php-?)(my-?)?sql-?(admin|db|manager?))
    pmare4 = (web-?(admin-?)?(sql-?)?(db)?|pma)
    pmare5 = (web|xampp)/(%(pmare1)s|%(pmare2)s|%(pmare3)s)
    pmare6 = (phpmyadmin[^/]|.+/plugins/portable-phpmyadmin)
    pmaregex = (?i)/?((%(pmare1)s|%(pmare2)s|%(pmare3)s|%(pmare4)s|%(pmare5)s)/scripts/setup.php|%(pmare6)s)
    failregex = ^[^ ]* <HOST> .*"(GET|POST) /(?:%(pmaregex)s)[^"]*" [34]
    # disallowed paths (appended to /phpmyadmin/)
    pmabadreq = scripts/setup.php
    # ignore legitimate phpmyadmin requests if you use it,
    # eg. on a debian server that is (lowercase) /phpmyadmin
    ignoreregex = ^.* "(GET|POST) /phpmyadmin/(?!%(pmabadreq)s)
                ^.* "GET /phpmyadmin HTTP/.\.." 3
    zauliuz and 30uke like this.
  5. 30uke

    30uke Active Member HowtoForge Supporter

    Thanks all :) Your help is very much appreciated and helpful :)
    I decided to implement the following changes:
    • change name of Alias phpmyadmin into something else
    • only allow access from certain IPs
    • only allow access via SSL
    I will add (and test) the fail2ban config as soon as possible - as some users (with dynamic IP addresses) will require access in feature. And this is something I do not want to overlook. Thanks again.

    # phpMyAdmin default Apache configuration
    Alias /ssl-padm /usr/share/phpmyadmin
    <Directory /usr/share/phpmyadmin>
        Order deny,allow
        Deny from all
        Allow from
        Allow from ::1
        Allow from 86.xx.yyy.zz
        Allow from 31.xxx.yyy.zzz
        Allow from 83.xxx.yyy.zzz
  6. 30uke

    30uke Active Member HowtoForge Supporter

    Hello Jesse, Thanks for your reply. I reverted back to "/phpmyadmin" and restarted Apache2. Next I added the filter and the config. For some reason this doesn't seem to work. Also after restarting Apache2 and Fail2Ban. I did test this from different internet connections. I guess I need some help. Is there anything I could post here for troubleshooting? Thanks.
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    What specifically is not working? The ip restrictions (ie. you can't access it from your ip addr, or you can from somewhere you shouldn't) or something with fail2ban ?
  8. c3n

    c3n Member

    go to phpmyadmin login panel... type dummy login/password to generate failed login - do it twice... than check:
    fail2ban-client status phpmyadmin
    after minute you should see failed attempts and banned count... showing something different than 0 ... if it is still zero. Than it means You propably access phpmyadmin via main host which is not logged in
    for example You got http://static-ip/phpmyadmin
    than you should search in
    if still doesn't work try to purge remove fail2ban and install again. I noticed that sometimes while upgrading from debian 8 to 9 fail2ban is broken and needs to reinstall...

Share This Page