How to check my phpmyadmin is secure on ubuntu server?

Useful Tips to Secure PhpMyAdmin Login Interface

  1. Change Default PhpMyAdmin Login URL
/etc/phpmyadmin/apache.conf

------------ On CentOS/RHEL and Fedora ------------ 
# vi /etc/httpd/conf.d/phpMyAdmin.conf

------------ On Debian and Ubuntu ------------ 
# /etc/phpmyadmin/apache.conf

Then add a new one as follows:
# Alias /phpmyadmin /usr/share/phpmyadmin
Alias /my /usr/share/phpmyadmin

------------ On Debian and Ubuntu ------------ 
# echo "Include /etc/phpmyadmin/apache.conf" >> /etc/apache2/apache2.conf
     ------------ On CentOS/RHEL and Fedora ------------ 
# systemctl restart nginx
# systemctl restart php-fpm

------------ On CentOS/RHEL and Fedora ------------ 
# systemctl restart httpd

------------ On Debian and Ubuntu ------------ 
# systemctl restart apache2

------------ On Debian and Ubuntu ------------ 
# systemctl restart nginx
# systemctl restart php5-fpm
  1. Enable HTTPS on PhpMyAdmin

  1. Password Protect on PhpMyAdmin
Add these lines to the Apache configuration file (/etc/apache2/sites-available/000-default.conf or /etc/httpd/conf/httpd.conf):

/etc/apache2/sites-available/000-default.conf – On Ubuntu
<Directory /usr/share/phpmyadmin>
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
/etc/httpd/conf/httpd.conf – On CentOS
 
<Directory /usr/share/phpmyadmin>
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Directory>
Then use htpasswd to generate a password file for an account that will be authorized to access the phpmyadmin login page. We will use /etc/apache2/.htpasswd and tecmint in this case:

---------- On Ubuntu/Debian Systems ---------- 
# htpasswd -c /etc/apache2/.htpasswd tecmint

---------- On CentOS/RHEL Systems ---------- 
# htpasswd -c /etc/httpd/.htpasswd tecmint
Enter password twice and then change the permissions and ownership of the file. This is to prevent anyone not in the www-data or apache group from being able to read .htpasswd:

# chmod 640 /etc/apache2/.htpasswd

---------- On Ubuntu/Debian Systems ---------- 
# chgrp www-data /etc/apache2/.htpasswd 

---------- On CentOS/RHEL Systems ---------- 
# chgrp apache /etc/httpd/.htpasswd 
Open your phpmyadmin url and you’ll see the authentication dialog before accessing the login page.
  1. Disable root Login to PhpMyAdmin
/etc/phpmyadmin/config.inc.php
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowRoot'] = false;

------------- On CentOS/RHEL Systems -------------
# systemctl restart httpd.service

------------- On Debian/Ubuntu Systems -------------
# systemctl restart apache2.service
  1. Prevent remote usage of phpmyadmin

  1. Change password frequently

  1. Check configuration /etc/phpmyadmin



Leave a Reply