Looking through my server’s logs I noticed that I was attracting quite a lot of vulnerability scanners trying to access my phpMyAdmin directory. Being ever the killjoy I am, I had to secure the directories. I’m already running Fail2Ban on Ubuntu but thought I should tighten it up even more to prevent any zero-day exploits that may come out.
I’m already familiar with creating an SSH tunnel so thought if I tied everything down to localhost only, it meant that any attackers would first have to hack my SSH passwords before they could even access the MySQL databases. But to be fair if that ever did happen I’d probably have more to worry about than just protecting my databases…
Also it had the knock-on benefit that all my traffic with phpMyAdmin would be encrypted without the need for SSL certificates. I’ve already made it so MySQL only listens on localhost for connections, so phpMyAdmin was the only vulnerability I had exposed.
Log on to your shell as normal.
From your command line type in:
nano /etc/phpmyadmin/apache.conf
From here we want to put a couple of lines in between the <Directory></Directory> tags:
Order Allow,Deny
Allow from 127.0.0.1
What these lines boil down to is: only accept connections from the loopback address (127.0.0.1, i.e. localhost). If a connection comes from anywhere that isn’t localhost, deny it.
My finished apache.conf file looks like this between the <Directory></Directory> tags:
<Directory /usr/share/phpmyadmin>
    Order Allow,Deny
    Allow from 127.0.0.1
    Options FollowSymLinks
    DirectoryIndex index.php
    <IfModule mod_php5.c>
        AddType application/x-httpd-php .php
        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag register_globals Off
        php_admin_flag allow_url_fopen Off
        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
    </IfModule>
</Directory>
Restart Apache:
sudo /etc/init.d/apache2 restart
Now load up your phpMyAdmin page from somewhere other than localhost and you should see a denied page. To connect, make sure you go through the SSH tunnel. Take that, script kiddies.
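As an added example (not part of the original post), here is a small POSIX shell check that reads an apache.conf and confirms the phpMyAdmin <Directory> block really is loopback-only, i.e. it has Order Allow,Deny and no Allow from line other than 127.0.0.1, followed by the SSH tunnel used to reach it. The function name check_localhost_only, the sample config text, and the host/port values in the comments are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of the relevant part of /etc/phpmyadmin/apache.conf
SAMPLE_CONF='<Directory /usr/share/phpmyadmin>
    Order Allow,Deny
    Allow from 127.0.0.1
    Options FollowSymLinks
</Directory>'

# Reads Apache config text from stdin. Returns 0 when the phpMyAdmin
# <Directory> block uses Order Allow,Deny and every "Allow from" line in it
# is the loopback address; returns 1 if the block is missing, the Order
# line is missing, or any other address (e.g. "Allow from all") is allowed.
check_localhost_only() {
    block=$(sed -n '/<Directory \/usr\/share\/phpmyadmin>/,/<\/Directory>/p')
    [ -n "$block" ] || return 1
    printf '%s\n' "$block" \
        | grep -qi '^[[:space:]]*Order[[:space:]][[:space:]]*Allow,Deny' || return 1
    allows=$(printf '%s\n' "$block" \
        | grep -i '^[[:space:]]*Allow[[:space:]][[:space:]]*from')
    [ -n "$allows" ] || return 1
    # any Allow line that is not exactly the loopback address is a hole
    printf '%s\n' "$allows" \
        | grep -vqi '^[[:space:]]*Allow[[:space:]][[:space:]]*from[[:space:]][[:space:]]*127\.0\.0\.1[[:space:]]*$' \
        && return 1
    return 0
}

# Usage against the real file:  check_localhost_only < /etc/phpmyadmin/apache.conf
printf '%s\n' "$SAMPLE_CONF" | check_localhost_only \
    && echo "phpMyAdmin is restricted to 127.0.0.1"

# Reaching it afterwards (example values): forward local port 8080 to port 80 on
# the server's loopback, then browse http://127.0.0.1:8080/phpmyadmin/ ; Apache
# sees the request arriving from 127.0.0.1 and allows it.
#   ssh -N -L 8080:127.0.0.1:80 user@example.com
# From any other address the same URL on the server answers 403 Forbidden:
#   curl -sI http://example.com/phpmyadmin/ | head -n 1
```

On Apache 2.4 the Order/Allow directives only work with mod_access_compat loaded; the native equivalent is Require local (or Require ip 127.0.0.1) inside the same <Directory> block, which this check does not look for.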