Setting up and Safeguarding phpMyAdmin on an Ubuntu 16.04 server
Overview
What is phpMyAdmin?
phpMyAdmin is a web-based tool for MySQL or MariaDB written in PHP. It is designed to perform various tasks such as creating, editing, deleting, and updating a database easily using a graphical interface, which is in contrast to a command-line-based database system.
In this guide, I will demonstrate how to set up and fine-tune phpMyAdmin for security on an Ubuntu 16.04 server.
Note: The following guide provides only basic security measures and does not guarantee a foolproof security method for your application, server, or network. Always exercise caution!
Requirements
To secure phpMyAdmin on your Ubuntu 16.04 server, ensure you have the following:
- A VPS server from blendhosting.com, available for order at https://www.blendhosting.com/vps/.
- An SSH client, such as Bitvise[1] or Putty[2].
- Proficiency in the Linux command line is beneficial.
- It is assumed that you have already installed a LAMP server on your system. If not, refer to the guide on installing a LAMP server using Ubuntu[3].
phpMyAdmin Installation Guide
Let’s begin by installing phpMyAdmin from our default Ubuntu repository. Follow these steps by first updating our local packages using apt and then installing phpMyAdmin.
apt-get update
apt-get install phpmyadmin php-mbstring php-gettext
During the installation process, you will be prompted with a few questions to configure phpMyAdmin properly. Answer these questions to finalize the installation.
1. For the server, please select **Apache 2**.
2. Select **yes** when asked whether to use *dbconfig-common*.
3. Enter your own database administrators password on the next step.
4. Confirm your administrator password on the succeeding step and confirm a password for *phpMyAdmin* application itself.
Next, enable PHP mcrypt and mbstring extensions by running the following commands:
sudo phpenmod mcrypt
sudo phpenmod mbstring
Next, restart Apache for the server to recognize the changes.
sudo systemctl restart apache2
You can access the phpMyAdmin web interface using the following web address:
http:///phpMyAdmin
Now, log in to the web interface using your root username and the password you configured earlier.
Upon logging in, you will see the phpMyAdmin web interface that looks like the following:
Protection of phpMyAdmin
Installing and running phpMyAdmin on an Ubuntu server is a straightforward process, and we can complete the installation quickly. However, our task is not complete until we secure phpMyAdmin from potential attackers. As an internet-facing web interface, phpMyAdmin is susceptible to attacks and is often targeted due to its identifiable nature. To enhance security, we need to implement specific measures to reduce the likelihood of attacks.
Give Apache permission to override.htaccess.
To enhance the security of phpMyAdmin, the first step is to allow .htaccess file overrides by reconfiguring Apache.
Let’s edit the phpMyAdmin.conf file using the following command:
sudo nano /etc/apache2/conf-available/phpMyAdmin.conf
Next, add an AllowOverride All directive to the file within the phpMyAdmin directory section.
Options FollowSymLinks
DirectoryIndex index.php
AllowOverride All
. . .
After adding the line, save and close the file.
Now, restart Apache to apply the changes.
sudo systemctl restart apache2.htaccess File Creation
Now that we have enabled .htaccess override in Apache, we need to create one to implement some security measures.
Let’s create our .htaccess file within the application directory of phpMyAdmin by typing:
sudo nano /usr/share/phpMyAdmin/.htaccess
Open the file and enter the necessary code to secure our phpMyAdmin:
AuthType Basic
AuthName "Secure Server"
AuthUserFile /etc/phpMyAdmin/.htpasswd
Require valid-user
These commands are part of the configuration for basic authentication using .htaccess:
- AuthType Basic: This signifies the use of a username-password combination for security.
- AuthName: This sets a message in the login dialog box with the message “Secure Server”.
- AuthUserFile: It specifies the location of the .htpasswd file that contains the authorized usernames and passwords.
- Require valid-user: This command indicates that only authenticated users should have access to the webpage.
After finishing, save and close the file.
Make sure you have a.htpasswd file for security verification
In the guide above, we have identified the location of our .htpasswd file through the use of the AuthUserFile directive. However, to complete the security procedure, we need an additional package. Let’s install apache2-utils from our default repository.
Apache2-utils enables .htpasswd access and .htdigest authentication in Apache, along with other useful tools for securing an Apache server.
sudo apt-get install apache2-utils
After installation, let’s create our .htpasswd file.
As we selected /etc/phpMyAdmin/ as the location for our .htpasswd file, we will create a file named .htpasswd in that directory and add a user using the following command:
sudo htpasswd -c /etc/phpMyAdmin/.htpasswd username
You will be prompted to create a password for the particular user you have just created.
Once done, if you want to add another user, you can do so without using the `-c` flag, as shown below:
sudo htpasswd /etc/phpMyAdmin/.htpasswd another_user
Upon revisiting your phpMyAdmin web address, an authentication login prompt will appear. Enter the username and password you configured earlier to proceed.
This concludes the installation and basic security setup for phpMyAdmin. While the process is straightforward, it’s crucial not to become complacent. Hackers are persistent, and their methods are ever-evolving. Depending on the situation, additional security measures may be necessary.
I hope you found this tutorial helpful. If you have any suggestions or comments, please feel free to share them below.
[1]: https://www.bitvise.com/ssh-client-download
[2]: http://www.putty.org/
[3]: https://www.blendhosting.com/kb/set-up-an-ubuntu-14-04/