Saturday, 17 December 2011 07:20
Written by Michael Wood
These instructions were performed on an Ubuntu 11.10 machine via SSH.

So, I was messing around with phpMyAdmin and noticed the directory /usr/share/phpmyadmin/setup. I browse to http://mydomainname.com/phpmyadmin/setup and it immediately asks for credentials to log in. First of all, phpMyAdmin has already been set up...why leave the setup directory on the server when it's not needed?
I then delete the setup folder, /usr/share/phpmyadmin/setup:

    sudo rm -rf /usr/share/phpmyadmin/setup
Now, by default you can simply access the web interface of phpMyAdmin by browsing to http://mydomainname.com/phpmyadmin. I want this directory on my server to have an extra layer of protection. I know that you have to log in to the phpMyAdmin interface first, but I'm a security-conscious guy. Why not add more security when you can?
We will take a look at the phpMyAdmin default Apache configuration file. I browse to the directory /etc/phpmyadmin and take a look at the file apache.conf. Here is the output of apache.conf:
    # phpMyAdmin default Apache configuration

    Alias /phpmyadmin /usr/share/phpmyadmin

    <Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php

        AddType application/x-httpd-php .php

        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag register_globals Off
        php_admin_flag allow_url_fopen Off
        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
    </Directory>

    # Authorize for setup
    <Directory /usr/share/phpmyadmin/setup>
        <IfModule mod_authn_file.c>
        AuthType Basic
        AuthName "phpMyAdmin Setup"
        AuthUserFile /etc/phpmyadmin/htpasswd.setup
        </IfModule>
        Require valid-user
    </Directory>

    # Disallow web access to directories that don't need it
    <Directory /usr/share/phpmyadmin/libraries>
        Order Deny,Allow
        Deny from All
    </Directory>
    <Directory /usr/share/phpmyadmin/setup/lib>
        Order Deny,Allow
        Deny from All
    </Directory>
Ok, so what I'm going to try and accomplish here is load the module "mod_authn_file.c" for the whole /usr/share/phpmyadmin directory (this is like adding a .htaccess file into the /usr/share/phpmyadmin directory).
Here is my edited /etc/phpmyadmin/apache.conf file.

Note: the lines I have added start just below "DirectoryIndex index.php". The line "AuthUserFile /data/user-access/.htpasswd" points to my default .htpasswd file, the one I use for my .htaccess files. If you want to see how this works and how it is set up, check out the article here: https://codersresource.com/linux/web-server/controlling-directory-access-with-an-htaccess-file

I also commented out all the lines under the "Authorize for setup" section (no need for it).
    # phpMyAdmin default Apache configuration

    Alias /phpmyadmin /usr/share/phpmyadmin

    <Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php

        <IfModule mod_authn_file.c>
            AuthType Basic
            AuthName "Restricted Access!"
            AuthUserFile /data/user-access/.htpasswd
            Require valid-user
        </IfModule>

        AddType application/x-httpd-php .php

        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag register_globals Off
        php_admin_flag allow_url_fopen Off
        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
    </Directory>

    # Authorize for setup
    # <Directory /usr/share/phpmyadmin/setup>
    #     <IfModule mod_authn_file.c>
    #     AuthType Basic
    #     AuthName "phpMyAdmin Setup"
    #     AuthUserFile /etc/phpmyadmin/htpasswd.setup
    #     </IfModule>
    #     Require valid-user
    # </Directory>

    # Disallow web access to directories that don't need it
    <Directory /usr/share/phpmyadmin/libraries>
        Order Deny,Allow
        Deny from All
    </Directory>
    <Directory /usr/share/phpmyadmin/setup/lib>
        Order Deny,Allow
        Deny from All
    </Directory>
After you have made the changes above, save the file. Then restart Apache:

    sudo /etc/init.d/apache2 restart
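A pre-restart check for the edited apache.conf, added here as an example and not part of the original post: it confirms that the /usr/share/phpmyadmin Directory block still carries "AuthType Basic" and "Require valid-user" once commented lines are ignored, and that no active AuthUserFile sits under the aliased web root (where it could be fetched over HTTP). The sample config and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-checks an
# edited phpMyAdmin apache.conf before Apache is restarted.
# The sample config and all paths below are constructed.

# Return 0 if the <Directory DIR> block in CONF (commented lines
# ignored) has both "AuthType Basic" and "Require valid-user".
pma_dir_requires_auth() {
  conf="$1"; dir="$2"
  body=$(awk -v d="$dir" '
    $0 ~ ("^[ \t]*<Directory[ \t]+" d ">") { inb = 1; next }
    inb && /^[ \t]*<\/Directory>/           { inb = 0 }
    inb && !/^[ \t]*#/                      { print }
  ' "$conf")
  printf '%s\n' "$body" | grep -Eq '^[[:space:]]*AuthType[[:space:]]+Basic' || return 1
  printf '%s\n' "$body" | grep -Eq '^[[:space:]]*Require[[:space:]]+valid-user'
}

# Return 0 if no active AuthUserFile in CONF lies inside WEBROOT,
# so the password file can never be fetched via the /phpmyadmin alias.
htpasswd_outside_webroot() {
  conf="$1"; webroot="$2"
  awk -v root="$webroot" '
    /^[ \t]*#/ { next }
    $1 == "AuthUserFile" && index($2, root) == 1 { bad = 1 }
    END { exit (bad ? 1 : 0) }
  ' "$conf"
}

# Constructed sample based on the edited apache.conf in the post.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    <IfModule mod_authn_file.c>
        AuthType Basic
        AuthName "Restricted Access!"
        AuthUserFile /data/user-access/.htpasswd
        Require valid-user
    </IfModule>
</Directory>
# AuthUserFile /etc/phpmyadmin/htpasswd.setup
EOF

if pma_dir_requires_auth "$SAMPLE_CONF" /usr/share/phpmyadmin &&
   htpasswd_outside_webroot "$SAMPLE_CONF" /usr/share/phpmyadmin; then
  echo "OK: /phpmyadmin needs Basic auth; now run apache2ctl configtest and restart"
fi
rm -f "$SAMPLE_CONF"
```

Point both functions at the real /etc/phpmyadmin/apache.conf before restarting. On Debian/Ubuntu the deleted setup directory is put back by a package upgrade of phpmyadmin, so rerun the check after upgrades.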
Now if you browse to http://mydomainname.com/phpmyadmin Apache will prompt you for a username and password...just an extra layer of security ;)