Hello, I am testing with a small server with only two domains with 3 email accounts each. I followed the tutorial of The Perfect Server - Debian 10 Apache. I try to be strong in security and I don't have much knowledge, so I was wondering if it is necessary to install phpMyAdmin and if doing so gives a little more security, or if it is necessary for the correct operation according to the tutorial The Perfect Server - Debian 10 Apache. Thank you
Expand: htf_report
Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 10 (buster)
[INFO] ISPConfig is installed.
##### ISPCONFIG #####
ISPConfig version is 3.1.15p2
##### VERSION CHECK #####
[INFO] php (cli) version is 7.3.11-1~deb10u1
##### PORT CHECK #####
[WARN] Port 22 (SSH server) seems NOT to be listening
##### MAIL SERVER CHECK #####
##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s): Apache 2 (PID 773)
[INFO] I found the following mail server(s): Postfix (PID 1055)
[INFO] I found the following pop3 server(s): Dovecot (PID 487)
[INFO] I found the following imap server(s): Dovecot (PID 487)
[INFO] I found the following ftp server(s): PureFTP (PID 839)
##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:25 (1055/master)
[localhost]:953 (450/named)
[anywhere]:22080 (530/sshd)
[anywhere]:993 (487/dovecot)
[anywhere]:995 (487/dovecot)
[localhost]:10023 (816/postgrey)
[localhost]:10024 (1060/amavisd-new)
[localhost]:10025 (1055/master)
[localhost]:10026 (1060/amavisd-new)
[localhost]:10027 (1055/master)
[anywhere]:587 (1055/master)
[localhost]:11211 (476/memcached)
[anywhere]:110 (487/dovecot)
[anywhere]:143 (487/dovecot)
[anywhere]:465 (1055/master)
[anywhere]:21 (839/pure-ftpd)
***.***.***.***:53 (450/named)
***.***.***.***:53 (450/named)
[localhost]:53 (450/named)
*:*:*:*::*:25 (1055/master)
*:*:*:*::*:953 (450/named)
*:*:*:*::*:443 (773/apache2)
*:*:*:*::*:22080 (530/sshd)
*:*:*:*::*:993 (487/dovecot)
*:*:*:*::*:995 (487/dovecot)
*:*:*:*::*:10024 (1060/amavisd-new)
*:*:*:*::*:10026 (1060/amavisd-new)
*:*:*:*::*:3306 (623/mysqld)
*:*:*:*::*:587 (1055/master)
[localhost]10 (487/dovecot)
[localhost]43 (487/dovecot)
*:*:*:*::*:8080 (773/apache2)
*:*:*:*::*:80 (773/apache2)
*:*:*:*::*:465 (1055/master)
*:*:*:*::*:8081 (773/apache2)
*:*:*:*::*:21 (839/pure-ftpd)
*:*:*:*::*:53 (450/named)
##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-postfix-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25,465,587,143,993,110,995
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-postfix-sasl (1 references)
target prot opt source destination
REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
RETURN all -- [anywhere]/0 [anywhere]/0
Phpmyadmin only provides a web interface that makes it easier to work with mysql databases. Without phpmyadmin you could work with mysql from the command line, which is less friendly. In regards to security, phpmyadmin does not help security in any way. Indeed, it could be a potential risk, like any other web application open to the internet, as it could be the target of attacks, but this shouldn't be a problem if you set it up properly.
Thanks, I will skip the installation of phpmyadmin and roundcube that are not necessary for this server test.
I would advise you to install PHPMyAdmin when you are going to install for real, since it's an easy and fast tool to check and change database values - there are cases where you can, for example, change a setting for all users only through the database and not in the panel, and PMA is a really good tool to do such things.
Thanks, I will follow your advice - Could you guide me on how to properly secure PMA?
Expand:
I only have this information:
Add AllowOverride All to phpmyadmin.conf:
nano /etc/apache2/conf-available/phpmyadmin.conf
Code:
# phpMyAdmin default Apache configuration
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
    AllowOverride All
Add to .htaccess:
nano /usr/share/phpmyadmin/.htaccess
Code:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user
deny from all
allow from 192.34.45.23
Create new username and password:
htpasswd -c /etc/phpmyadmin/.htpasswd new user
- I would also like to know how I add PMA to fail2ban correctly?
Just follow the Perfect Server guide, it's in there. You can use Internet Search Engines to find a tutorial of how to use a F2B filter for PMA (this sentence makes me think of @Taleman )
I'm sorry, you're right, I'll find out how to do it correctly. But I have followed the Perfect Server guide and receive visits from attempts to enter PMA, so I wanted to try asking for some security suggestions. Greetings and thanks for answering.
You will get such visits for all software and services on your server, that's normal for any system that's connected to the internet. Use a long and secure password for your mysql users to avoid issues.
You can either restrict the access to PMA by IP or add it to Fail2Ban. To add it to Fail2Ban, any online tutorial is sufficient. To restrict access by IP, edit /etc/apache2/conf-available/phpmyadmin.conf and add:
Code:
Order Deny,Allow
Deny from all
Allow from YOUR_IP
Allow from YOUR_SECOND_IP
Obviously if you only allow your own IP, your customers can't use PMA, which may be fine (your call). If you do allow public access, you can limit potential abuse by not allowing administrative accounts (root, ispconfig, debian-sys-maint) to use mysql, e.g. on one such debian server I have this in /etc/phpmyadmin/config.inc.php:
Code:
...
/* Configure according to dbconfig-common if enabled */
if (!empty($dbname)) {
    ...
    /* Uncomment the following to enable logging in to passwordless accounts,
     * after taking note of the associated security risks. */
    // $cfg['Servers'][$i]['AllowNoPassword'] = TRUE;

    // Disallow login from root and ispconfig users
    $cfg['Servers'][$i]['AllowRoot'] = FALSE;
    $cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
    $cfg['Servers'][$i]['AllowDeny']['rules'] = array(
        'deny ispconfig from all',
        'deny debian-sys-maint from all',
    );

    /* Advance to next server for rest of config */
    $i++;
}
...
You can just change the line disallowing root access temporarily if/when you need to use PMA yourself, then change it back when you're done. Or even get creative and set that based on the client's IP address (so it is set TRUE for your IP, FALSE for everyone else). On the pros and cons of your setup, not allowing public access at all (restrict by IP if you need it) is of course more secure, as vulnerabilities in the php code can't be abused then. But using all of the above recommendations, plus other measures you might take (e.g. mod_security could be used) and keeping your phpmyadmin install up to date might well be a good tradeoff. (FWIW, we have IP restrictions for accessing phpmyadmin on our control panel node, where I do occasionally use it as root to examine/fix ISPConfig. For customers we have phpmyadmin installed on their web server, without IP restriction but no root logins, fail2ban, etc.)
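The "set AllowRoot based on the client's IP" idea from the post above, worked out as an added example for /etc/phpmyadmin/config.inc.php (not code from the thread or from the phpMyAdmin project). It assumes a single server entry ($i), no reverse proxy in front of Apache (so REMOTE_ADDR is the real client), and uses 203.0.113.0/24 as a constructed placeholder for the administrator's network; the helper name pma_client_is_admin is hypothetical.

```php
<?php
// Added example, not from the thread: gate the MySQL root login in
// phpMyAdmin on the connecting client's address, and keep the service
// accounts denied for everyone, as in the post above.
// Assumes no reverse proxy (REMOTE_ADDR is the client) and that
// 203.0.113.0/24 stands in for the administrator's real network.

/** True when $clientIp matches one of the plain IPv4 addresses or
 *  IPv4 CIDR ranges in $adminNets. IPv6 clients never match. */
function pma_client_is_admin(array $adminNets, string $clientIp): bool
{
    foreach ($adminNets as $net) {
        if (strpos($net, '/') === false) {
            if ($net === $clientIp) {
                return true;              // exact address match
            }
            continue;
        }
        [$subnet, $bits] = explode('/', $net, 2);
        $ip  = ip2long($clientIp);
        $sub = ip2long($subnet);
        if ($ip === false || $sub === false) {
            continue;                     // not IPv4: no match
        }
        $bits = (int) $bits;
        $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
        if (($ip & $mask) === ($sub & $mask)) {
            return true;                  // inside the CIDR range
        }
    }
    return false;
}

$adminNets = ['203.0.113.0/24'];          // constructed placeholder
$isAdmin   = pma_client_is_admin($adminNets, $_SERVER['REMOTE_ADDR'] ?? '');

// root may log in only from the admin range; every other client is
// refused the root account before a password is even checked.
$cfg['Servers'][$i]['AllowRoot'] = $isAdmin;

// With order 'deny,allow' access is allowed by default and only the
// listed deny rules apply, so the ISPConfig and Debian maintenance
// accounts stay unusable through the web interface for any client.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = [
    'deny ispconfig from all',
    'deny debian-sys-maint from all',
];
```

Apache's own IP restriction remains the stronger layer because it rejects the request before any phpMyAdmin code runs; this check only adds a second gate for the root account when the interface is publicly reachable.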