Hello, I am looking for a way to secure phpmyadmin.

Code:
# cat /var/log/ispconfig/httpd/*/access.log | egrep -wi 'pma_user=root|pma_password' | awk '{print $1 " " $4 " " $5 " " $7}'
45.40.249.100 [13/Jan/2019:06:28:01 +0100] /phpmyadmin/index.php?pma_username=root&pma_password=P@$$w0rd&server=1
35.237.159.161 [13/Jan/2019:13:39:43 +0100] /phpmyadmin/index.php?lang=en&pma_username=popa3d&pma_password=popa3d

I would like to know if it is possible to block these brute force attacks. I am considering blocking the IPs when the pma_password is not equal to the current root password. I am hoping someone has something like that operational and is willing to share. Thanks!

Code:
I am running: Debian Linux Version 9.6
ISPConfig Version: 3.1.13
Hello. In my opinion the best way to protect all sensitive services, apps and admin panels is to block everything except a few IPs. If you don't have a public IP, you can order a VPN with a public IP. Then you go to nano /etc/apache2/conf-enabled/phpmyadmin.conf and add:

<Directory /usr/share/phpmyadmin>
    order deny,allow
    deny from all
    allow from YOUR.PUBLIC.IP
</Directory>

The other option, also very good, is to make an SSH proxy using tunnelling. You connect to the VPS server via SSH and tunnel remote port 80 to 8080; then you can set up a PROXY for 8080 in Firefox and securely tunnel all traffic via SSH to the VPS. After the SSH connection your location IP is the VPS IP. Then you can simply secure traffic by limiting it to this specific IP, or... if you connect to a VPS which has phpMyAdmin you can just open Firefox with the proxy enabled and type: https://localhost/phpmyadmin

It is simply done on Windows using Tunnelier https://www.bitvise.com/ssh-client
Tutorial for SSH PROXY: https://www.bitvise.com/ssh-web-browsing

IMO this is the best way. Because even if you set up some kind of fail2ban or super security features... the server always has to process this traffic, and you can just save CPU/RAM... cheers
I think using LE SSL with a specific port is enough, especially when you want your users to access it from elsewhere as well. You can use a different name for it too, simply using a symlink, and open that name and port with SSL in its vhost.
As @c3n notes, if you can block access entirely you're better off, but if you need phpmyadmin for customers, here's a fail2ban config for Debian 9 (which you could tighten up to match /phpmyadmin URLs as well if you follow @ahrasis's suggestion to rename it).

Jail in /etc/fail2ban/jail.local:

Code:
[phpmyadmin]
enabled  = true
port     = http,https
logpath  = %(apache_access_log)s
           /var/www/clients/client*/web*/log/access.log
maxretry = 3
findtime = 600
bantime  = 3600

And create /etc/fail2ban/filter.d/phpmyadmin.local with:

Code:
# Fail2ban config file for phpmyadmin filter
#
# Author: Jesse Norell
#

[Definition]

# in practice the scans all appear to end in /scripts/setup.php,
# you can restrict to that if you wish
pmare1 = (php-?(my-?)?(sql-?)?(admin|db|manager?))
pmare2 = ((php-?)?my-?(sql-?)?(admin|db|manager?))
pmare3 = ((php-?)(my-?)?sql-?(admin|db|manager?))
pmare4 = (web-?(admin-?)?(sql-?)?(db)?|pma)
pmare5 = (web|xampp)/(%(pmare1)s|%(pmare2)s|%(pmare3)s)
pmare6 = (phpmyadmin[^/]|.+/plugins/portable-phpmyadmin)
pmaregex = (?i)/?((%(pmare1)s|%(pmare2)s|%(pmare3)s|%(pmare4)s|%(pmare5)s)/scripts/setup.php|%(pmare6)s)

failregex = ^[^ ]* <HOST> .*"(GET|POST) /(?:%(pmaregex)s)[^"]*" [34]

# disallowed paths (appended to /phpmyadmin/)
pmabadreq = scripts/setup.php

# ignore legitimate phpmyadmin requests if you use it,
# eg. on a debian server that is (lowercase) /phpmyadmin
ignoreregex = ^.* "(GET|POST) /phpmyadmin/(?!%(pmabadreq)s)
              ^.* "GET /phpmyadmin HTTP/.\.."
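An offline check of the filter above, added here and not part of this post or of fail2ban itself: it expands the %(name)s definitions with Python's configparser (the same interpolation syntax fail2ban uses), runs failregex and ignoreregex over constructed log lines, and applies the jail's maxretry. It assumes IPv4 clients and log lines with one field (such as a vhost name) in front of the client address, because the failregex anchor ^[^ ]* <HOST> requires one; the sample lines, host names and addresses are all made up.

```python
import configparser, re
from collections import Counter
# [Definition] section copied from the posted filter.d/phpmyadmin.local (comments dropped).
FILTER = r"""[Definition]
pmare1 = (php-?(my-?)?(sql-?)?(admin|db|manager?))
pmare2 = ((php-?)?my-?(sql-?)?(admin|db|manager?))
pmare3 = ((php-?)(my-?)?sql-?(admin|db|manager?))
pmare4 = (web-?(admin-?)?(sql-?)?(db)?|pma)
pmare5 = (web|xampp)/(%(pmare1)s|%(pmare2)s|%(pmare3)s)
pmare6 = (phpmyadmin[^/]|.+/plugins/portable-phpmyadmin)
pmaregex = (?i)/?((%(pmare1)s|%(pmare2)s|%(pmare3)s|%(pmare4)s|%(pmare5)s)/scripts/setup.php|%(pmare6)s)
failregex = ^[^ ]* <HOST> .*"(GET|POST) /(?:%(pmaregex)s)[^"]*" [34]
pmabadreq = scripts/setup.php
ignoreregex = ^.* "(GET|POST) /phpmyadmin/(?!%(pmabadreq)s)
    ^.* "GET /phpmyadmin HTTP/.\.."
"""
def compile_f2b(pattern):
    # Python 3.11+ rejects an inline (?i) that is not at the start, so hoist it to a flag;
    # fail2ban's <HOST> tag is reduced to an IPv4 capture group for this example.
    flags = re.IGNORECASE if "(?i)" in pattern else 0
    pattern = pattern.replace("(?i)", "").replace("<HOST>", r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})")
    return re.compile(pattern, flags)
def load_filter(text=FILTER):
    cp = configparser.ConfigParser()  # default BasicInterpolation expands %(name)s as fail2ban does
    cp.read_string(text)
    d = cp["Definition"]
    return ([compile_f2b(p) for p in d["failregex"].splitlines()],
            [compile_f2b(p) for p in d["ignoreregex"].splitlines()])
def offender(line, fail, ignore):
    """Client IP fail2ban would count for this line (ignoreregex wins), else None."""
    if any(r.search(line) for r in ignore):
        return None
    hits = [m for m in (r.search(line) for r in fail) if m]
    return hits[0].group("host") if hits else None

def would_ban(lines, maxretry=3):
    """IPs with at least maxretry counted lines; the jail's findtime window is left out."""
    fail, ignore = load_filter()
    counts = Counter(ip for ip in (offender(l, fail, ignore) for l in lines) if ip)
    return sorted(ip for ip, n in counts.items() if n >= maxretry)
# Constructed sample lines: the failregex anchor ^[^ ]* <HOST> needs one field (e.g. a vhost
# name) before the client address, so each line carries one. All addresses are made up.
SAMPLE = """\
web1.example.com 203.0.113.7 - - [13/Jan/2019:06:30:01 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 512 "-" "scanner"
web1.example.com 203.0.113.7 - - [13/Jan/2019:06:30:02 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 512 "-" "scanner"
web1.example.com 203.0.113.7 - - [13/Jan/2019:06:30:03 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "scanner"
web1.example.com 198.51.100.9 - - [13/Jan/2019:06:31:00 +0100] "GET /phpmyadmin HTTP/1.1" 301 0 "-" "Firefox"
web1.example.com 192.0.2.44 - - [13/Jan/2019:06:28:01 +0100] "GET /phpmyadmin/index.php?pma_username=root&pma_password=x HTTP/1.1" 200 900 "-" "curl"
""".splitlines()
```

Running would_ban(SAMPLE) bans only the scanner, while the last sample line (the pma_username pattern from the opening post) is matched by ignoreregex and never counted, which is the "tighten up" the post refers to.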
Thanks all. Your help is very much appreciated and helpful. I decided to implement the following changes:
- change the name of the Alias phpmyadmin into something else
- only allow access from certain IPs
- only allow access via SSL

I will add (and test) the fail2ban config as soon as possible, as some users (with dynamic IP addresses) will require access in future. And this is something I do not want to overlook. Thanks again.

Code:
# phpMyAdmin default Apache configuration
Alias /ssl-padm /usr/share/phpmyadmin

Code:
<Directory /usr/share/phpmyadmin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
    Allow from 86.xx.yyy.zz
    Allow from 31.xxx.yyy.zzz
    Allow from 83.xxx.yyy.zzz
</Directory>

Code:
SSLRequireSSL
Hello Jesse, thanks for your reply. I reverted to "/phpmyadmin" and restarted Apache2. Next I added the filter and the config. For some reason this doesn't seem to work, also after restarting Apache2 and Fail2Ban. I did test this from different internet connections. I guess I need some help. Is there anything I could post here for troubleshooting? Thanks.
What specifically is not working? The IP restrictions (i.e. you can't access it from your IP address, or you can from somewhere you shouldn't), or something with fail2ban?
Go to the phpmyadmin login panel, type a dummy login/password to generate a failed login, and do it twice. Then check:

fail2ban-client status phpmyadmin

After a minute you should see failed attempts and banned count showing something different from 0. If it is still zero, then it means you probably access phpmyadmin via the main host, which is not logged in /var/www/clients/client*/web*/log/access.log. For example, if you use http://static-ip/phpmyadmin then you should search in /var/www/apache2/access.log. If it still doesn't work, try to purge/remove fail2ban and install it again. I noticed that sometimes while upgrading from Debian 8 to 9 fail2ban is broken and needs a reinstall...