How to Secure phpMyAdmin on Ubuntu

Looking through my servers logs I noticed that I was attracting quite a lot of vulnerability scanners trying to access my phpMyAdmin directory.  Being ever the killjoy I am I had to secure the directories.  I’m already running Fail2Ban on Ubuntu but thought I should tighten it up even more to prevent any zero day exploits that may come out.

I’m already familiar with creating an SSH tunnel so thought if I tied everything down to localhost only, it meant that any attackers would first have to hack my SSH passwords before they could even access the MySQL databases.  But to be fair if that ever did happen I’d probably have more to worry about than just protecting my databases…

Also it had the knock on benefit that all my traffic with phpMyAdmin would be encrypted without the need of SSL certificates.  I’ve already made it so MySQL only listens to localhost for connections, so phpMyAdmin was the only vulnerability I had exposed.

Log on to your shell as normal.

From you command line type in:

nano /etc/phpmyadmin/apache.conf

From here we want to put a couple of lines in between the <Directory></Directory> tags:

Order Allow,Deny
Allow from 127.0.0.1

What this line boils down to is only accept connections from the loopback address (127.0.0.1 or localhost).  If a connection comes from anywhere that isn’t localhost then deny the connection.

My finished apache2.conf file looks like this between the <Directory></Directory> tags:

<Directory /usr/share/phpmyadmin>

        Order Allow,Deny

        Allow from 127.0.0.1

        Options FollowSymLinks

        DirectoryIndex index.php

        <IfModule mod_php5.c>

                AddType application/x-httpd-php .php

                php_flag magic_quotes_gpc Off

                php_flag track_vars On

                php_flag register_globals Off

                php_admin_flag allow_url_fopen Off

                php_value include_path .

                php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp

                php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/

        </IfModule>

</Directory>

Reload apache:

sudo /etc/init.d/apache2 restart

Now load up your phpMyAdmin page from somewhere other than localhost and you should see a denied page.  To connect make sure you connect with SSH.  Take that script kiddies.