I was recently at a Moot, listening to a friend of mine discuss server hardening and thought I’d check out what he was discussing on one of the server’s I run. Lo and behold, I realized that Certbot wasn’t redirecting the url for phpMyAdmin and that it was missing a variety of security layers that I should have implemented. Now, when I tried to initiate the redirect (from http to https), it didn’t work and as it is a live server, I need to wait until I can mess around with Apache a bit more before experimenting with that.
However, there were a few other easy things I could do to harden access to phpMyAdmin. Namely, I could password protect access to the directory and change the URL through which it is accessed. These actions don’t really impact the running of the main site and can be made while live (in my situation.)
(Standard warning: I’m on a headless Ubuntu 16.04 server, so all commands here apply to that environment. Backup your server BEFORE you do any editing. Read through the tutorial before you actually begin to make sure you can go through from start to finish.)
Change phpMyAdmin URL
First, let’s change the URL through which you access phpMyAdmin. What we will actually be doing is changing the alias which directs the request to the proper directory.
sudo nano /etc/phpmyadmin/apache.conf
Change the following line as below to the URL you want to use:
Alias /phpmyadmin /usr/share/phpmyadmin
Alias /SOMEOTHERNAME /usr/share/phpmyadmin
Inside the “Directory /usr/share/phpmyadmin block” make sure the following 3 lines are included (Your files contents are likely a bit different):
<Directory /usr/share/phpmyadmin> Options FollowSymLinks DirectoryIndex index.php AllowOverride All <IfModule mod_php.c> <RequireAny> Require all granted </RequireAny> <IfModule mod_mime.c>
Make sure Apache is reading the phpMyAdmin configuration: (you could also check the file to see if this Include exists already – it did in mine so I just took off the comment marker #)
echo "Include /etc/phpmyadmin/apache.conf" >> /etc/apache2/apache2.conf
Restart Apache: (this is where any active users on a live site may see a hiccup.)
systemctl restart apache2
Configure Apache to allow .htaccess overrides
First, enable the use of .htaccess file overrides by editing the Apache configuration file. Edit the linked file that has been placed in the Apache configuration directory:
sudo nano /etc/apache2/conf-available/phpmyadmin.conf
Add an AllowOverride All directive within the <Directory /usr/share/phpmyadmin> section of the configuration file, like this:
Options FollowSymLinks DirectoryIndex index.php AllowOverride All . . .
Save and close the file then restart Apache as above.
Create an .htaccess File
The file must be created within the application directory. Create the necessary file and open it in a text editor with root privileges:
sudo nano /usr/share/phpmyadmin/.htaccess
Enter the following information:
AuthName "Restricted Access" AuthUserFile /etc/phpmyadmin/.htpasswd
Let’s go over what each of these lines mean:
- AuthType Basic: This line specifies the authentication type that we are implementing. This type will implement password authentication using a password file.
- AuthName: This sets the message for the authentication dialog box. You should keep this generic so that unauthorized users won’t gain any information about what is being protected.
- AuthUserFile: This sets the location of the password file that will be used for authentication. This should be outside of the directories that are being served. We will create this file shortly.
- Require valid-user: This specifies that only authenticated users should be given access to this resource. This is what actually stops unauthorized users from entering.
When finished, save and close the file.
Create a .htpasswd file for Authentication
As we have specified a location for our password file, we need to create it.
You may need an additional package to complete this process. Install it from the default repositories:
sudo apt-get install apache2-utils
This will make the htpasswd utility available.
The location that we selected for the password file was “/etc/phpmyadmin/.htpasswd.” Create the file and pass it an initial user by typing:
sudo htpasswd -c /etc/phpmyadmin/.htpasswd SECRET_USER_NAME
You will be prompted to select and confirm a password for the user you are creating. Afterwards, the file is created with the hashed password that you entered.
Now, when you access your phpMyAdmin subdirectory, you will be prompted for the additional account name and password that you just configured. Remember to use the URL you created in the redirect above.
After entering the Apache authentication, you’ll be taken to the regular phpMyAdmin authentication page to enter your other credentials.
These steps will add a few layers of security to help you harden your server. If something doesn’t go right, leave a comment and we’ll see if we can’t work it out.