Installing & Securing PHPMyAdmin Ubuntu 16.04

    Follow

    Code.png

    OVERVIEW

    What is phpMyAdmin?

    phpMyAdmin is an web-based tool for MySQL or MariaDB written in php. It is intended to perform various task such as creating, editing, deleting and updating a database easily using a graphical interface which is in contrast to a cli based database system.

    In this guide I will show you how you can setup and fine-tune phpMyAdmin for security on an Ubuntu 16.04 server.

    Note: The following guide offers only basic security measures and does not guarantee a foolproof security method for your application, server or network. Always be careful!


    PREREQUISITES

    1. A vps server from vpsserver.com, you can order one at https://www.vpsserver.com/plans/.
    2. An ssh client such as Bitvise or Putty.
    3. Knowledge in linux command line is an advantage.
    4. We will assume that you already have installed LAMP on your server. If not, please follow the guide on installing LAMP server using Ubuntu.

      INSTALLING PHPMYADMIN

      Let us start by installing phpMyAdmin from our default Ubuntu repo. We can do the following steps by updating our local packages first using apt and then installing phpMyAdmin afterwards.

    apt-get update
    
    apt-get install phpmyadmin php-mbstring php-gettext
    

    You will be asked a few questions to finalize your installation correctly.

     1. For the server, please select **Apache 2**.  
     2. Select **yes** when asked whether to use *dbconfig-common*.
     3. Enter your own database administrators password on the next step.
     4. Confirm your administrator password on the succeeding step and confirm a password for *phpMyAdmin* application itself.
    

    Next, we will enable PHP mcrypt and mbstring extensions with the following commands:
    sudo phpenmod mcrypt
    sudo phpenmod mbstring

    Next, we will need to restart apache for the server to recognize the changes.
    sudo systemctl restart apache2

    You can now access the phpMyAdmin web interface on the following web address:
    http://<you_public_ip_or_domain_name>/phpMyAdmin

    You can now login to the web interface using your root username and the password you configured earlier.

     

    SECURING PHPMYADMIN

    Installing and running phpMyAdmin on Ubuntu server is fairly easy, we are able to finish installation in no time but we are not finished until we have secured phpMyAdmin from potential attackers. Since phpMyAdmin is an internet facing web interface, it has become one of the most attacked application ever owing to the fact that it is fairly easy to identify a phpMyAdmin server.

    To secure phpMyAdmin we will have to devise some security measures to decrease the probability of attacks.

    ENABLE APACHE TO ALLOW .HTACCESS OVERRIDE

    To secure phpMyAdmin first we need to allow .htaccess file overrides by reconfiguring apache.

    Let us edit the file phpMyAdmin.conf by following the command below:
    sudo nano /etc/apache2/conf-available/phpMyAdmin.conf

    Next, we will need to add an AllowOverride All directive to the file within the phpMyAdmin directory section.

    <Directory /usr/share/phpMyAdmin>
        Options FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All
        . . .
    

    After adding the line, please save and close the file.

    Restart apache to finalize the changes.sudo systemctl restart apache2

    CREATING AN .HTACCESS FILE

    Since we have enabled .htaccess override in apache we will now need to create one to implement some security measures.

    Let us create our .htaccess file within the application directory of phpMyAdmin by typing:
    sudo nano /usr/share/phpMyAdmin/.htaccess

    Let us open the file and enter the necessary code to secure our phpMyAdmin:

    AuthType Basic
    AuthName "Secure Server"
    AuthUserFile /etc/phpMyAdmin/.htpasswd
    Require valid-user
    

    What are the parts of this commands:
    AuthType Basic - means we will use a username password combination for this security. 
    AuthName - This sets a message in the login dialog box with a message "Secure Server".
    AuthUserFile - the location of the .htpasswd file that contains the authorized username and password.
    Require valid-user - Specifies that only authenticated user should be able to given access to the webpage.

    After finishing, please save and close the file.

    CREATE AN .HTPASSWD FILE FOR SECURITY AUTHENTICATION

    In the guide above we have determined the location of our .htpasswd file through our use of the AuthUserFile directive. But we will need an additional package to be able to complete the security procedure. Let us as apache2-utils from our default repository.

    Apache2-utils enables an .htpasswd access and .htdigest authentication in apache as well as other useful tools for securing an apache server.

    sudo apt-get install apache2-utils
    

    After installation, let us now create our .htpasswd file.

    The location that we selected for our .htpasswd file is at /etc/phpMyAdmin/. So we will create a file named .htpasswd in that particular directory as well as adding a user by following the below command:
    sudo htpasswd -c /etc/phpMyAdmin/.htpasswd username

    You will be asked to create a password for the particular user you have created.

    once done and you want to create another user you can do so without using a -c flag like below:
    sudo htpasswd /etc/phpMyAdmin/.htpasswd another_user

    When you access your phpMyAdmin web address again, you will be prompted with a authentication login. Just enter the username and password you just configured and you are good to go.
    ___

    Thats it. installation and basic security for phpMyAdmin is fairly easy to do, but never be contented with what you have, hackers are on the loose and their methods are constantly evolving. Futher security measures may be needed depending on the situation

    Was this article helpful?
    1 out of 1 found this helpful

    Comments

    Powered by Zendesk