
Install and Secure PhpMyAdmin on Ubuntu 14.10 Server

PhpMyAdmin is an Open Source administrative web interface for MySQL server, written in PHP and designed to let users easily perform MySQL database tasks such as managing database users and permissions, creating, modifying or deleting databases, or executing SQL statements.
This tutorial provides a short guide on how to install and secure the PhpMyAdmin web interface on Ubuntu 14.10 by changing the Setup directory username and password and by moving the web administration interface from plain HTTP to a dedicated SSL Virtual Host served under a custom DNS subdomain.

REQUIREMENTS

STEP ONE – Install PhpMyAdmin
1.      To install PhpMyAdmin on Ubuntu 14.10 from the distribution's binary package repositories, use the apt-get package management tool by issuing the following command:
sudo apt-get install phpmyadmin
 
install phpmyadmin

During the installation process the installer will ask some questions in order to configure PhpMyAdmin with the correct settings. Choose apache2 as the web server that will be automatically configured to run PhpMyAdmin, then choose No on "Configure database for phpmyadmin with dbconfig-common?" as illustrated in the following screenshots.
configure phpmyadmin with apache

configure phpmyadmin without dbconfig-common

2.     After the installation finishes you can access the PhpMyAdmin web interface by opening a browser at your server's IP address or domain name followed by the /phpmyadmin string, as the examples below show.
http://192.168.1.11/phpmyadmin
http://domain.tld/phpmyadmin
visit phpmyadmin web interface

To log in to the PhpMyAdmin interface use the MySQL root username and the administrative password set for the MySQL root user during the MySQL installation.
PhpMyAdmin interface

STEP TWO – Add Password for PhpMyAdmin Setup Web Tool
3.      New installations of PhpMyAdmin provide a setup directory located at /usr/share/phpmyadmin/setup through which you can create custom configurations for the web interface; these are written to the /var/lib/phpmyadmin/config.inc.php file once you have issued the pma-configure command. This setup directory requires server authentication in order to be accessed, but no password is set for its default admin user on installation. To be able to access the phpmyadmin setup directory you must set a password for the default admin user in the htpasswd file located at /etc/phpmyadmin/htpasswd.setup.
To set the password use the htpasswd utility provided by the apache2-utils package by issuing the following command:
sudo htpasswd /etc/phpmyadmin/htpasswd.setup admin
 
set phpmyadmin setup directory password

For security reasons you should delete the default admin user and add your own username and password to the htpasswd.setup file by issuing the following command (the -c option recreates the file from scratch, which drops the admin entry):
sudo htpasswd -c /etc/phpmyadmin/htpasswd.setup your_username
 
change htpasswd user

4.      After the PhpMyAdmin Setup interface username and password have been set, visit the PhpMyAdmin Setup tool interface at one of the following URL addresses:
http://192.168.1.11/phpmyadmin/setup/
http://www.domain.tld/phpmyadmin/setup/

To log in to the PhpMyAdmin Setup interface use the username and password set up earlier.
visit phpmyadmin setup

setup interface

STEP THREE – Change PhpMyAdmin Setup Permissions
5.      Once logged in to the PhpMyAdmin Setup interface you will notice an error message saying that you don't have permission to access or modify the PhpMyAdmin configuration. The configuration made using this web tool is written to the /var/lib/phpmyadmin/config.inc.php file, which is not writable by default for security reasons. In order to use this tool and make custom PhpMyAdmin configurations, run the command below to make the /var/lib/phpmyadmin/config.inc.php file writable.
sudo pma-configure
 
run pma-configure

6.     After the /var/lib/phpmyadmin/config.inc.php file has been made writable, refresh your browser and start configuring PhpMyAdmin with your custom settings. Remember that all saved settings will be written to this file, overwriting its previous contents.
phpmyadmin setup

In case there are issues with the new settings and you can no longer access the PhpMyAdmin interface, you can always revert the changes by blanking the file with the following command (the redirection must run under sudo as well, otherwise the shell opens the file as your unprivileged user and is denied):
sudo sh -c 'cat /dev/null > /var/lib/phpmyadmin/config.inc.php'

7.      When you're done configuring the settings hit the Apply or Save button, then secure PhpMyAdmin again by reverting the permissions on the /var/lib/phpmyadmin/config.inc.php file with the following command:
sudo pma-secure
 
secure PhpMyAdmin

STEP FOUR – Create a PhpMyAdmin SSL Subdomain
8.      During the installation of PhpMyAdmin the installer automatically creates and enables an Alias Apache configuration file located at /etc/apache2/conf-enabled/phpmyadmin.conf. This configuration file provides a way for clients to access the PhpMyAdmin web interface just by appending the /phpmyadmin string to the end of any URL for your domain, subdomain or IP address, as in the examples below:
http://domain.tld/phpmyadmin
http://www.domain.tld/phpmyadmin
http://subdomain.domain.tld/phpmyadmin
http://server-IP/phpmyadmin
This behaviour can pose serious security issues because anyone can append the /phpmyadmin string to your domain name and scan the PhpMyAdmin web interface for already known vulnerabilities, or even try to brute-force the MySQL root password.
In order to change this behaviour you must create a dedicated SSL subdomain through which you will access and manage the phpmyadmin web interface, using Apache Virtual Hosting.
So, before you start creating the virtual host for PhpMyAdmin, first ensure that you disable the PhpMyAdmin Alias configuration by issuing the following commands:
sudo a2disconf phpmyadmin
sudo service apache2 restart
 
disable phpmyadmin configuration

9.     Next, assuming that your domain is called ubuntu.lan and you want to access the PhpMyAdmin web interface at the phpadm.ubuntu.lan subdomain, go to your DNS server and add a CNAME or A record for this subdomain pointing at your server. Then create an Apache SSL Virtual Host configuration file for PhpMyAdmin in the sites-available directory with the server configuration below, by issuing the following command:
sudo nano /etc/apache2/sites-available/phpmyadmin-ssl.conf

phpmyadmin-ssl.conf file excerpt:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        # Must match the DNS record created in step 9
        ServerName phpadm.ubuntu.lan
        DocumentRoot "/usr/share/phpmyadmin"

        ErrorLog ${APACHE_LOG_DIR}/phpmyadmin.lan-ssl-error.log
        CustomLog ${APACHE_LOG_DIR}/phpmyadmin.lan-ssl-access.log combined

        # Ubuntu's self-signed "snakeoil" certificate; replace with a CA-issued
        # certificate and key for anything beyond a lab setup
        SSLEngine on
        SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key

        <Directory /usr/share/phpmyadmin>
            Options FollowSymLinks
            DirectoryIndex index.php

            <IfModule mod_php5.c>
                AddType application/x-httpd-php .php
                php_flag magic_quotes_gpc Off
                php_flag track_vars On
                php_flag register_globals Off
                php_admin_flag allow_url_fopen Off
                php_value include_path .
                php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
                php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/javascript/
            </IfModule>
        </Directory>

        # Authorize for setup
        <Directory /usr/share/phpmyadmin/setup>
            <IfModule mod_authn_file.c>
                AuthType Basic
                AuthName "phpMyAdmin Setup"
                AuthUserFile /etc/phpmyadmin/htpasswd.setup
                Require valid-user
            </IfModule>
        </Directory>

        # Disallow web access to directories that don't need it
        <Directory /usr/share/phpmyadmin/libraries>
            Order Deny,Allow
            Deny from All
        </Directory>
        <Directory /usr/share/phpmyadmin/setup/lib>
            Order Deny,Allow
            Deny from All
        </Directory>
    </VirtualHost>
</IfModule>

Replace the ServerName directive value to match the DNS record you created for your PhpMyAdmin subdomain.

10.      After you have created the PhpMyAdmin configuration file for Apache, activate the new virtual host and restart the Apache service so the changes take effect, by issuing the following commands:
sudo a2ensite phpmyadmin-ssl.conf
sudo service apache2 restart
 
enable phpmyadmin subdomain

11.      Finally, you can access the PhpMyAdmin interface by opening a browser and visiting the subdomain you created (in this case phpadm.ubuntu.lan) over HTTPS, as illustrated in the screenshot below.
https://phpadm.ubuntu.lan
visit phpmyadmin SSL subdomain
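To verify that the steps above actually took effect on a server, here is an added POSIX shell audit function (example code, not part of the original tutorial) that checks the four hardening points: the /phpmyadmin alias is disabled, the default admin user is gone from htpasswd.setup, config.inc.php is no longer writable by the web server after pma-secure, and the dedicated virtual host is HTTPS-only. The paths default to the Ubuntu locations used above and can be overridden as arguments; the "not writable by www-data" test is a simplified owner/mode check (an assumption, not a reimplementation of what pma-secure does).

```shell
#!/bin/sh
# Added example: audit the phpMyAdmin hardening steps from this tutorial.
# Usage: pma_audit [conf-enabled-dir] [htpasswd.setup] [config.inc.php] [vhost.conf]
# Defaults are the Ubuntu paths used in the tutorial. Returns the number of problems found.
pma_audit() {
    conf_enabled=${1:-/etc/apache2/conf-enabled}
    htpasswd=${2:-/etc/phpmyadmin/htpasswd.setup}
    config_inc=${3:-/var/lib/phpmyadmin/config.inc.php}
    vhost=${4:-/etc/apache2/sites-available/phpmyadmin-ssl.conf}
    problems=0

    # Step 8: the global /phpmyadmin alias must be disabled (a2disconf removes this symlink).
    if [ -e "$conf_enabled/phpmyadmin.conf" ]; then
        echo "FAIL: $conf_enabled/phpmyadmin.conf is still enabled (run: sudo a2disconf phpmyadmin)"
        problems=$((problems + 1))
    fi
    # Step 3: the default 'admin' user should have been replaced with your own.
    if [ -f "$htpasswd" ] && grep -q '^admin:' "$htpasswd"; then
        echo "FAIL: default 'admin' user still present in $htpasswd"
        problems=$((problems + 1))
    fi
    # Step 7: after pma-secure the config file must not be writable by the web server.
    # Simplified check (assumption): not owned by www-data and no group/other write bit.
    if [ -f "$config_inc" ]; then
        owner=$(ls -ld "$config_inc" | awk '{print $3}')
        mode=$(ls -ld "$config_inc" | cut -c1-10)   # e.g. -rw-r--r--
        case $mode in
            ?????w*|????????w*) writable=1 ;;      # group (char 6) or other (char 9) write bit
            *) writable=0 ;;
        esac
        if [ "$owner" = www-data ] || [ "$writable" -eq 1 ]; then
            echo "FAIL: $config_inc is writable by the web server (run: sudo pma-secure)"
            problems=$((problems + 1))
        fi
    fi
    # Step 9: the dedicated virtual host must listen on 443 with SSL enabled.
    if ! grep -q '<VirtualHost \*:443>' "$vhost" 2>/dev/null \
       || ! grep -qi '^[[:space:]]*SSLEngine[[:space:]][[:space:]]*on' "$vhost" 2>/dev/null; then
        echo "FAIL: $vhost does not define an SSL virtual host on port 443"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: phpMyAdmin hardening checks passed"
    return "$problems"
}
```

Source the file and run pma_audit with no arguments on the server; a non-zero exit status is the count of failed checks, each printed with the tutorial command that fixes it.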

That's all! These are just a few of the security measures you need to take if you are not comfortable administering the MySQL server from the command line and want to use the PhpMyAdmin web interface to interact with the database.
