This will be the first in a number of tutorials which I plan to post regarding IT topics and solutions to problems which I run into both in a business environment and personal tinkering.
I currently run a Linux home server for website development and testing prior to making content available online. However, it occurred to me after installation that the ‘www.hostname.tld/phpMyAdmin’ directory, while requiring authentication, is open to the internet and therefore subject to brute-force attacks. This tutorial offers a number of approaches to securing such an installation.
Installation and Securing MySQL
The tutorial assumes a default Ubuntu 10.04 installation with both Apache and MySQL already installed (phpMyAdmin is a web front-end for MySQL).
The very first task in securing both phpMyAdmin and MySQL is to set the MySQL root password. If no password was given when the mysql-server package was installed, the root account has none at all, which is absolutely insecure. Setting one is simple: open a shell and enter the commands below, replacing the string of x’s with a password of your choice. The strength of that password dictates how effective this step is. Note that a default MySQL installation creates more than one root entry (for example root@localhost, root@127.0.0.1 and root@your-hostname); the statement below only changes the entry it names, so repeat it for the others or run mysql_secure_installation, which also removes the anonymous accounts and the test database.
mysql -u root
set password for 'root'@'localhost' = password('xxxxxxx');
flush privileges;
quit;
Now that MySQL is secured, install the phpMyAdmin front-end. The installation is fairly simple and once again requires shell access. Assuming your server has internet access, issue the following command. The ‘sudo’ at the beginning grants the user temporary root privileges and will ask for the current user’s password (assuming this user is included in sudoers, which is beyond the scope of this tutorial).
sudo apt-get install phpmyadmin
To complete the installation, one must have access to their mysql root password and the ip address or hostname of the mysql server (local loopbacks like localhost or 127.0.0.1 will generally suffice). Once the installation is complete, the phpMyAdmin interface should be accessible through a web browser. A screenshot of how this may appear is provided.
Securing phpMyAdmin
Now that phpMyAdmin is installed, it should be apparent that the www.hostname.tld/phpMyAdmin directory is not something that should be visible to the general public. This tutorial shows two methods for restricting the directory to wanted hosts only. The first allows or denies hosts based on IP address or hostname. The second employs Apache’s built-in user authentication. The two can be combined in the same block, in which case a client must satisfy both.
To begin, all configuration changes should be made to the file /etc/phpmyadmin/apache.conf. On Ubuntu this file is linked into Apache’s configuration as /etc/apache2/conf.d/phpmyadmin.conf by the phpmyadmin package, which is why edits made there take effect.
Simply open this file with root privileges in a text editor of your choice and find the <Directory> … </Directory> tags. All edits go inside this block.
Host-based Security
To enable host-based security, or rather the denial or allowing of hosts based on IP / hostname, one line must be added between the aforementioned tags.
Order Allow,Deny
This directive establishes the default behaviour and which directive wins when both match. With ‘Order Allow,Deny’, Apache first evaluates the Allow directives; a request that matches none of them is refused. It then evaluates the Deny directives, and a request matching any of them is refused even if it also matched an Allow. In other words, everything is denied by default and a Deny always beats an Allow. The converse, ‘Order Deny,Allow’, allows everything by default: the Deny directives are evaluated first, and a request they match is still admitted if an Allow directive matches it too. Note that the two keywords must be separated by a comma only; Apache does not accept whitespace between them. Now, an explanation of both Allow and Deny directives.
A specific host may be allowed using the following directive:
Allow from 192.168.1.4
Or, an entire subnet may be allowed using either of the following:
Allow from 192.168.1.0/24
Allow from 192.168.1.0/255.255.255.0
To deny hosts instead, simply replace Allow with Deny; ‘Allow from all’ and ‘Deny from all’ are also accepted. Hostnames may be used in place of IP addresses, but this is not recommended: Apache must perform a reverse and then a forward DNS lookup on every access, which slows requests and makes your access control dependent on DNS. Below is an example of my section in the apache.conf file.
# phpMyAdmin default Apache configuration
Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php

    # Deny all hosts unless an explicit Allow directive matches.
    # In this case, Allow from 192.168.1.0/24.
    Order Allow,Deny
    Allow from 192.168.1.0/24

    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
    php_flag register_globals Off
    php_value include_path .
</Directory>
Finally, once any changes are made to the apache.conf file, apache must be restarted to enable the changes. From a command shell, enter the following to verify and enable your changes.
sudo apache2ctl configtest
sudo apache2ctl restart
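To make the Order/Allow/Deny rules concrete, here is a small Python model of how Apache 2.2’s mod_authz_host evaluates them for a client address. This is an added example, not part of the original tutorial and not Apache’s own code; the function names (parse_rule, parse_access_rules, is_admitted) are my own, the <Directory> text it parses is the apache.conf section above embedded as a constructed string, and the hostname form of Allow/Deny is deliberately not modelled. It also covers Apache’s partial-address shorthand (‘Allow from 192.168’) and the default order that applies when no Order directive is present.

```python
"""Model of Apache 2.2 host-based access control (Order / Allow / Deny).

Added example for this tutorial, not Apache's own code. It parses the
three directives out of a <Directory> block and decides whether a client
IP would be admitted. Only the IP, CIDR, IP/netmask and partial-address
forms plus the keyword "all" are handled; hostname rules are not.
"""
import ipaddress
import re

# The tutorial's phpMyAdmin section, embedded here as constructed input.
PHPMYADMIN_BLOCK = """
<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
    # Deny all hosts unless an explicit Allow matches.
    Order Allow,Deny
    Allow from 192.168.1.0/24
</Directory>
"""

_DIRECTIVE = re.compile(r"^\s*(Order|Allow|Deny)\s+(?:from\s+)?(.+?)\s*$", re.I)


def parse_rule(spec):
    """Turn one Allow/Deny argument into an ip_network.

    Accepts '192.168.1.4', '192.168.1.0/24', '192.168.1.0/255.255.255.0',
    Apache's partial form '192.168' (= 192.168.0.0/16) and 'all'.
    """
    spec = spec.strip()
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" not in spec and ":" not in spec:
        octets = spec.split(".")
        if len(octets) < 4:  # partial IPv4 address: 1 to 3 leading octets
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            return ipaddress.ip_network("%s/%d" % (padded, 8 * len(octets)))
    return ipaddress.ip_network(spec, strict=False)


def parse_access_rules(config_text):
    """Extract (order, allow_list, deny_list); every other directive is ignored."""
    order, allows, denies = None, [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, args = m.group(1).lower(), m.group(2)
        if name == "order":
            order = args
        elif name == "allow":
            allows.extend(args.split())
        else:
            denies.extend(args.split())
    return order, allows, denies


def is_admitted(config_text, client_ip):
    """Return True if Apache would serve client_ip under this block."""
    order, allows, denies = parse_access_rules(config_text)
    ip = ipaddress.ip_address(client_ip)
    allowed = any(ip in parse_rule(r) for r in allows)
    denied = any(ip in parse_rule(r) for r in denies)
    # Apache's default when no Order directive is present is Deny,Allow.
    key = (order or "Deny,Allow").lower()
    if key in ("allow,deny", "mutual-failure"):
        # Must match an Allow, and any matching Deny wins; unmatched -> denied.
        return allowed and not denied
    if key == "deny,allow":
        # A matching Allow overrides a matching Deny; unmatched -> allowed.
        return allowed or not denied
    # Apache rejects anything else, including "Allow, Deny" with a space.
    raise ValueError("invalid Order argument: %r" % order)


if __name__ == "__main__":
    for addr in ("192.168.1.4", "10.0.0.5"):
        print(addr, "admitted" if is_admitted(PHPMYADMIN_BLOCK, addr) else "denied")
```

Two traps the model makes visible: a block with only ‘Allow from’ lines and no Order directive admits everyone who does not match a Deny, because the default order is Deny,Allow; and ‘Order Allow, Deny’ with a space is a configuration error, not a looser rule.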
User-based Security
The second option for securing the phpMyAdmin directory is to password-protect it with a username and password at the web-server level. This may seem silly since phpMyAdmin already requires a password, but it is an additional layer of defence: an attacker who cannot get past Apache never reaches phpMyAdmin’s login form, let alone MySQL. Apache’s default of ‘Satisfy All’ also means that if both this method and the host-based rules above are placed in the same <Directory> block, a client must pass the host check and supply valid credentials.
The configuration begins as follows and should be placed between the aforementioned <Directory> tags in /etc/phpmyadmin/apache.conf :
AuthType Basic
AuthName "phpMyAdmin Authentication"
AuthUserFile /etc/phpmyadmin/passwords
Require user admin
These directives are straightforward. AuthType Basic turns on HTTP Basic authentication, AuthName sets the realm name the browser shows in its login prompt, AuthUserFile names the file holding usernames and password hashes, and the final line, Require user …, restricts access to the user(s) listed (Require valid-user would admit anyone in the file). The file lives under /etc/phpmyadmin, outside the web root, so Apache can never serve it to a client; it should also be readable only by root and the web-server user. Next, we must create this passwords file and a user with a password. Open a shell and issue the following:
sudo htpasswd -c /etc/phpmyadmin/passwords admin
After entering this command, the system prompts for a password for the specified user. The -c parameter creates the /etc/phpmyadmin/passwords file; it is not needed if the file already exists, and it must be omitted when adding a second user because it overwrites the existing file. The admin username can be replaced with a username of your choice. For example, I might enter: htpasswd -c /etc/phpmyadmin/passwords npier. One caveat: on Apache 2.2 htpasswd hashes passwords with the system crypt() function by default, which silently uses only the first eight characters of the password. Pass -m to use the stronger MD5-based scheme instead (htpasswd -c -m /etc/phpmyadmin/passwords npier).
Finally, once any changes are made to the apache.conf file, apache must be restarted to enable the changes. From a command shell, enter the following to verify and enable your changes.
sudo apache2ctl configtest
sudo apache2ctl restart
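The following Python code shows what Apache does with the directives above once a browser sends credentials: it decodes the Authorization header, looks the user up in the passwords file and applies the Require user check. It is an added example, not part of the original tutorial and not Apache’s code; the helper names (sha_entry, basic_header, authorize and so on) are my own, the passwords file and header are constructed inline, the ‘admin’ line is the {SHA} entry that htpasswd -s writes for the password “password”, and the user ‘npier’ with password “batterystaple” is made up. Only the {SHA} format (htpasswd -s) is modelled, not the crypt() default or the -m MD5 form.

```python
"""Check Basic-auth credentials against an htpasswd file, as Apache does
for the phpMyAdmin directory.

Added example for this tutorial, not Apache's code. It models the "{SHA}"
entries written by "htpasswd -s" and the "Require user" decision; the
passwords file and Authorization header are constructed inline.
"""
import base64
import hashlib
import hmac


def sha_entry(password):
    """Hash like 'htpasswd -s': '{SHA}' + base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed passwords file. The admin line is the htpasswd -s entry for
# the password "password"; the npier entry is generated here.
PASSWORDS_FILE = (
    "admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"
    "npier:" + sha_entry("batterystaple") + "\n"
)


def basic_header(user, password):
    """What the browser sends: base64 of 'user:password' (encoded, not encrypted)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(header_value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def load_htpasswd(text):
    """Parse 'user:hash' lines; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, hashed = line.partition(":")
            users[user] = hashed
    return users


def check_password(stored, password):
    """Compare a candidate against one stored {SHA} hash in constant time.

    The crypt(3) form htpasswd writes by default and the -m (apr1 MD5)
    form are not modelled here.
    """
    if not stored.startswith("{SHA}"):
        raise ValueError("unsupported htpasswd hash scheme")
    return hmac.compare_digest(stored, sha_entry(password))


def authorize(htpasswd_text, required_users, header_value):
    """Emulate 'Require user ...': valid credentials AND a listed username."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return False
    user, password = creds
    users = load_htpasswd(htpasswd_text)
    if user not in users or user not in required_users:
        return False
    return check_password(users[user], password)


if __name__ == "__main__":
    header = basic_header("admin", "password")
    print("on the wire:", header)  # trivially decodable by anyone sniffing
    print("admitted:", authorize(PASSWORDS_FILE, ["admin"], header))
```

Note what the browser actually transmits: ‘Basic’ followed by base64 of user:password, re-sent with every request. Anyone on the path can decode it, which is why the SSL recommendation in the Further Thoughts section matters as much for this layer as for phpMyAdmin’s own login.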
Further Thoughts
SSL encryption would add further protection: every password in this tutorial (the MySQL password typed into phpMyAdmin’s login page and the Basic-auth credentials, which are sent base64-encoded, not encrypted, with every request) travels in clear text and can be captured with a network analyzer. Passive capture like this is usually called sniffing; an attacker who can also alter the traffic is a “man in the middle”, and TLS defends against both. I’m including a link to an excellent guide to enabling this on Ubuntu server: https://help.ubuntu.com/8.04/serverguide/C/httpd.html#https-configuration
Please feel free to provide any feedback regarding this post. It is my wish that these instructions will pose little issue for many users.
Your article was informative. Thanks, I appreciate it!
Please teach the rest of these internet hooligans how to write and research!
+1
Thanks for the info. Our server was just hacked through phpmyadmin, and this is a good start to securing it.