Securing phpMyAdmin on Ubuntu with Apache2 and MySQL

Hardening phpMyAdmin || Securing phpMyAdmin

PHPMYADMIN is a popular web-based administration tool for managing MySQL databases. However, its default setup can pose security risks if not properly configured. In this guide, we'll walk through the steps to secure phpMyAdmin on Ubuntu using Apache2 and MySQL.


Download Link


Step 1: Install MySQL Server


First, we need to install MySQL Server on our Ubuntu system:



sudo apt install mysql-server -y



After installing MySQL Server, we'll need to create a user with appropriate privileges:



sudo mysql -u root

CREATE USER 'user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password';

GRANT ALL PRIVILEGES ON *.* TO 'user'@'localhost' WITH GRANT OPTION;



Replace 'user' and 'password' with your desired username and password.


Step 2: Install Apache2 and phpMyAdmin


Next, we'll install Apache2, phpMyAdmin, and other necessary packages:



sudo apt-get install apache2 apache2-utils mcrypt php libapache2-mod-php php-curl php-json php-cgi php-mbstring php-zip php-gd php-mysql php-mysqli phpmyadmin -y




Step 3: Enable PHP mbstring module


Enable the PHP mbstring module, which is required for phpMyAdmin:



sudo phpenmod mbstring

sudo systemctl restart apache2



Step 4: Configure phpMyAdmin with Apache2


Create a symlink for phpMyAdmin configuration files:



sudo ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf



Enable the phpMyAdmin configuration and reload Apache:


sudo a2enconf phpmyadmin

sudo systemctl reload apache2



Step 5: Change phpMyAdmin Alias


Changing the default directory alias adds an extra layer of security. Edit the Apache configuration file:



sudo nano /etc/phpmyadmin/apache.conf


Replace the default Alias with a custom one:


Alias /custom_alias /usr/share/phpmyadmin


Save the file and restart Apache:


sudo systemctl reload apache2



Step 6: Set up Password Based Authentication


Add authentication to phpMyAdmin using Apache's .htaccess file:



sudo nano /usr/share/phpmyadmin/.htaccess



Add the following configuration:



AuthType Basic

AuthName "Restricted Access"

AuthUserFile /etc/phpmyadmin/.htpasswd

Require valid-user




Create a username and password for authentication:



sudo htpasswd -c /etc/phpmyadmin/.htpasswd username



Replace 'username' with your desired username. You'll be prompted to set a password.


Restart Apache to apply the changes:



sudo systemctl reload apache2



Step 7: Restrict Access to Specific IP Address


If desired, restrict access to phpMyAdmin to specific IP addresses:



sudo nano /etc/phpmyadmin/apache.conf



Add the following configuration within the Directory block:



Order Deny,Allow

Deny from All

Allow from 192.168.1.1



Replace '192.168.1.1' with your allowed IP address.


Restart Apache for the changes to take effect:


The full configuration file should now be similar to the following:


Alias /custom_alias /usr/share/phpmyadmin



Alias /custom_alias /usr/share/phpmyadmin


<Directory /usr/share/phpmyadmin>

    Options SymLinksIfOwnerMatch

    DirectoryIndex index.php

    AllowOverride All

    AllowOverride All

    # limit libapache2-mod-php to files and directories necessary by pma

    <IfModule mod_php7.c>

        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp

        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/:/usr/share/php/PhpMyAdmin/:/usr/share/php/Symfony/:/usr/share/php/Twig/:/usr/share/php/Twig-Extensions/:/usr/share/php/ReCaptcha/:/usr/share/php/Psr/Container/:/usr/share/php/Psr/Cache/:/usr/share/php/Psr/Log/:/usr/share/php/Psr/SimpleCache/

    </IfModule>

    Order Deny,Allow

    Deny from All

    Allow from 192.168.1.1

</Directory>


# Disallow web access to directories that don't need it

<Directory /usr/share/phpmyadmin/templates>

    Require all denied

</Directory>

<Directory /usr/share/phpmyadmin/libraries>

    Require all denied

</Directory>



sudo systemctl reload apache2



Step 8: Custom PHP Configuration


For additional security, customize PHP settings in phpMyAdmin's configuration file:


sudo nano /etc/phpmyadmin/config.inc.php



Add custom PHP configurations:



/* Custom Security Configuration */

$cfg['LoginCookieValidity'] = 14400;

$cfg['LoginCookieRecall'] = false;

$cfg['AllowUserDropDatabase'] = false;

$cfg['ShowServerInfo'] = false;

$cfg['RestrictPaths'] = yes;



Save the file and restart Apache:



sudo systemctl reload apache2



By following these steps, you'll have secured your phpMyAdmin installation on Ubuntu, enhancing the overall security of your MySQL databases.

Securing phpMyAdmin on Apache Server: A Comprehensive Guide

phpMyAdmin is a popular web-based tool for managing MySQL and MariaDB databases. While it's incredibly useful for database administration tasks, it's essential to ensure its security to prevent unauthorized access to sensitive data. In this guide, we'll walk through the steps to secure phpMyAdmin on an Apache web server.


Step 1: Edit Apache Configuration


sudo nano /etc/apache2/sites-available/000-default.conf

In the Apache configuration file, add the following Alias directive to allow access to phpMyAdmin:


Alias /citpl-phpmyadmin /usr/share/phpmyadmin

Step 2: Set Permissions and Ownership

sudo chown www-data:www-data /etc/phpmyadmin/.htpasswd

sudo chmod 640 /etc/phpmyadmin/.htpasswd

sudo chown -R www-data:www-data /etc/phpmyadmin

sudo chmod -R 750 /etc/phpmyadmin

sudo chmod 750 /etc/phpmyadmin


Step 3: Enable Apache Modules

sudo a2enmod auth_basic

sudo a2enmod authn_file

sudo a2enmod rewrite


Step 4: Reload AppArmor and Apache

sudo systemctl reload apparmor

sudo systemctl restart apache2


Step 5: Monitor Logs for Errors

sudo systemctl status apparmor.service

sudo journalctl -xeu apparmor.service

sudo apachectl configtest

sudo tail -f /var/log/apache2/error.log


Step 6: Configure Authentication

sudo nano /usr/share/phpmyadmin/.htaccess

Add the following lines to the `.htaccess` file:

AuthType Basic

AuthName "Restricted Area"

AuthUserFile /etc/phpmyadmin/.htpasswd

Require valid-user


Step 7: Restrict Access with AppArmor

sudo nano /etc/apparmor.d/usr.sbin.apache2

Add the following line to restrict access to the `.htpasswd` file:

/etc/phpmyadmin/.htpasswd r,


Step 8: Configure phpMyAdmin Directory

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

Add the following configuration to the file:


# phpMyAdmin default Apache configuration


# Alias for accessing phpMyAdmin

Alias /citpl-phpmyadmin /usr/share/phpmyadmin


# Directory configuration for phpMyAdmin

<Directory /usr/share/phpmyadmin>

    Options SymLinksIfOwnerMatch

    DirectoryIndex index.php


    # PHP settings for phpMyAdmin

    <IfModule mod_php7.c>

        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp

        php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/

    </IfModule>


    # PHP 8+ settings for phpMyAdmin

    <IfModule mod_php.c>

        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp

        php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/

    </IfModule>

</Directory>


# Disallow web access to directories that don't need it

<Directory /usr/share/phpmyadmin/templates>

    Require all denied

</Directory>

<Directory /usr/share/phpmyadmin/libraries>

    Require all denied

</Directory>





Conclusion


Securing phpMyAdmin is crucial for protecting your database from unauthorized access. By following these steps, you can ensure that phpMyAdmin is properly configured and accessible only to authorised users. Remember to regularly update and review your security measures to keep your data safe.