Oct 29, 2012

Hide phpMyAdmin and Restrict Access by IP

A lot of us have to manage LAMP servers. If you don't know what that is, it's a Linux, Apache, MySQL and PHP server. Many of us like to manage the MySQL part with phpMyAdmin because its web interface makes managing MySQL, well... easier. The problem is that if phpMyAdmin is exposed on the internet, bad guys will be looking for it. If a bad guy breaks into phpMyAdmin, they can screw with your databases, and that's a bad thing.

Two ways you can reduce that risk are to change the virtual directory used to reach phpMyAdmin and to restrict access to that virtual directory by IP address. Here's what you need to do.

  • Edit /etc/apache2/conf.d/phpmyadmin.conf with your favorite text editor
  • Change Alias /phpmyadmin /usr/share/phpmyadmin to Alias /db /usr/share/phpmyadmin
  • Then add the following under DirectoryIndex index.php

    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24


  • Save the file then restart Apache by running:

    $ sudo service apache2 restart

The example above allows an entire range to access phpMyAdmin. If you need to add multiple ranges, just add another Allow line below it with a different range. You can also use single IP addresses.
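Here is what the relevant part of the file looks like once both changes are in place. This is an added example, not the post's own file: the Directory block mirrors the stock Ubuntu phpmyadmin.conf of the time, and the 192.168.1.0/24 range and 203.0.113.10 host are placeholder addresses. It also notes the Apache 2.4 form of the same restriction, which the post (written against Apache 2.2) does not cover.

```apache
# /etc/apache2/conf.d/phpmyadmin.conf (added example; placeholder addresses)

# The alias is what appears in the URL, so renaming it hides the well-known
# /phpmyadmin path. The filesystem path stays the same.
Alias /db /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php

    # Apache 2.2 syntax: evaluate Deny rules first, then Allow rules, so the
    # Allow lines override "Deny from all" for just the listed sources.
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
    Allow from 203.0.113.10
</Directory>

# Apache 2.4 dropped Order/Deny/Allow (mod_authz_host) in favour of Require.
# On 2.4 the equivalent block is:
#
# <Directory /usr/share/phpmyadmin>
#     Require ip 192.168.1.0/24
#     Require ip 203.0.113.10
# </Directory>
```

After restarting Apache, a request to the old /phpmyadmin path should return 404 from anywhere, and /db should return 403 from an address outside the allowed ranges.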

That's it. Now only those you want to have access can get in, and those same people will need to know the new virtual directory as well. By the way, if you haven't figured it out, you have to browse to http://servername/db to access phpMyAdmin.

I also want to point out that you should be protecting your phpMyAdmin logon with SSL. You can get a free SSL certificate from StartSSL. You can also force SSL from PHP.
