This tutorial covers the basic principles of securing phpMyAdmin, an administration tool written in PHP. Many PHP scripts are badly coded and can be abused by malicious users, but there are some basic things you can do to make a PHP deployment more secure.
About phpMyAdmin
phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability to directly execute any SQL statement.
(Note: For the purpose of this tutorial we will use BackBox (based on Ubuntu) as the OS and the latest versions of PHP and phpMyAdmin. There are no guarantees or absolutes in PHP security, so proceed at your own risk.)
Installing phpMyAdmin
Install the current version of phpMyAdmin on your system with the following command:
apt-get install phpmyadmin
Package Configuration will ask which web server should be automatically configured to run phpMyAdmin. Select your web server and click OK.
Next, choose the Yes option. If you are an advanced database administrator and want to perform this configuration manually, or if your database has already been installed and configured, refuse this option.
In the next step you provide a password for the administrator account.
Next, you provide a password for the MySQL application.
Configuring phpMyAdmin
By default the phpmyadmin.conf file is located in /etc/php5/apache2/php.ini, but running the command below will show you exactly which directory it is in.
root@liatsisfotis:~# locate phpmyadmin.conf
/etc/apache2/conf.d/phpmyadmin.conf
So, open the phpmyadmin.conf file with an editor:
sudo nano /etc/apache2/conf.d/phpmyadmin.conf
Change the Alias line to something unique by modifying the following line:
Alias /phpmyadmin /usr/share/phpmyadmin
to
Alias /securepanel /usr/share/phpmyadmin
(Note: The alias "securepanel" is just the example used for my phpMyAdmin directory. You can use whatever alias you want instead of phpmyadmin.)
Next, add the following lines to the Directory block shown below: they force HTTPS, set the authentication name and type, and require a specific user to log in.
<Directory /usr/share/phpmyadmin>
    Options Indexes FollowSymLinks
    DirectoryIndex index.php
    AllowOverride All
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    # Deny all hosts unless an explicit Allow directive is included.
    # Order Allow,Deny
    # Allow from 127.0.0.1
    AuthUserFile /etc/phpmyadmin/.htpasswd
    AuthName Hello
    AuthType Basic
    require user admin
</Directory>
Next, you must create this password file and add a user with a password. In the terminal type the following:
htpasswd -c /etc/phpmyadmin/.htpasswd admin
(Note: The -c parameter creates the /etc/phpmyadmin/.htpasswd file. You can replace the admin username with your own, for example htpasswd -c /etc/phpmyadmin/.htpasswd liatsisfotis.)
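To confirm that the Directory block and password file above were applied as intended, here is an added audit script (not part of the original tutorial) that greps a phpmyadmin.conf for the renamed alias, the HTTPS rewrite and the Basic-auth directives, and checks that the file named in AuthUserFile is not world-readable. The path argument and the stat flags used to read the file mode are assumptions about the host.

```shell
#!/bin/sh
# Added audit script, not part of the original tutorial: checks an Apache
# phpmyadmin.conf for the hardening this tutorial applies (renamed alias,
# HTTPS redirect, HTTP Basic auth) plus the password file's permissions.
# Usage (assumed path): ./audit_pma.sh /etc/apache2/conf.d/phpmyadmin.conf
audit_pma_conf() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    # 1. The well-known /phpmyadmin alias should have been renamed.
    if grep -Eq '^[[:space:]]*Alias[[:space:]]+/phpmyadmin([[:space:]]|$)' "$conf"; then
        echo "FAIL: default alias /phpmyadmin is still configured"
        rc=1
    fi

    # 2. Plain-HTTP requests must be rewritten to HTTPS.
    if ! grep -Eq '^[[:space:]]*RewriteCond[[:space:]]+%[{]HTTPS[}][[:space:]]+off' "$conf" \
       || ! grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*https://' "$conf"; then
        echo "FAIL: no HTTP-to-HTTPS rewrite rule"
        rc=1
    fi

    # 3. Basic auth needs a user file, an auth type and a Require line.
    for d in 'AuthType[[:space:]]+Basic' 'AuthUserFile[[:space:]]+/' \
             '[Rr]equire[[:space:]]+(user|valid-user)'; do
        if ! grep -Eq "^[[:space:]]*$d" "$conf"; then
            echo "FAIL: missing directive matching '$d'"
            rc=1
        fi
    done

    # 4. "Options Indexes" lets anyone list the phpMyAdmin tree; warn only.
    if grep -Eq '^[[:space:]]*Options.*[[:space:]]Indexes([[:space:]]|$)' "$conf"; then
        echo "WARN: Options Indexes enables directory listing"
    fi

    # 5. The htpasswd file must not be readable by other users (assumes GNU or BSD stat).
    pwfile=$(grep -E '^[[:space:]]*AuthUserFile' "$conf" | awk '{print $2}' | head -n 1)
    if [ -n "$pwfile" ] && [ -e "$pwfile" ]; then
        perms=$(stat -c '%a' "$pwfile" 2>/dev/null || stat -f '%Lp' "$pwfile")
        case "$perms" in
            *[4567]) echo "FAIL: $pwfile is world-readable (mode $perms)"; rc=1 ;;
        esac
    fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then audit_pma_conf "$1"; fi
```

The script exits 0 only when every FAIL check passes, so it can run from cron or a deployment pipeline after editing the file.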
Finally, restart the Apache2 web server to enable the changes:
/etc/init.d/apache2 restart
or
apache2ctl configtest
apache2ctl restart
Tip
To find out whether an option is present in a particular file, type the following command:
grep Alias /etc/apache2/conf.d/phpmyadmin.conf
Typing the above command gives the following result, so you have the full content of the option:
Alias /phpmyadmin /usr/share/phpmyadmin
Conclusion
There are many ways to secure your PHP installation. This tutorial describes the basic things you can do to make PHP more secure. The best approach is to try every parameter on a localhost web server to find out what the option does before applying it to the main web server or PHP configuration file.
Designed and Created by Liatsis Fotis for liatsisfotis.com
© 2013 Liatsis Fotis
