Secure setup for phpMyAdmin

Recently I had to install phpMyAdmin on a new server that serves several WordPress websites.

phpMyAdmin has always caused a few security headaches, not least because in its default state the Debian package serves it over plain http under /phpmyadmin on every virtual host. Anyone who knows the IP address can simply type http://ipaddress/phpmyadmin into a browser and will be greeted by the login page, exposing your MySQL database to brute-force password guessing (and sending any password typed there across the network in clear text).

There are many forums with instructions on how to make phpMyAdmin run over https and then protect it with a .htaccess file and htpasswd. These methods work, but to my mind they are neither simple nor straightforward: there is always the chance that you forget a step, such as setting $cfg['ForceSSL'] = true; in /etc/phpmyadmin/config.inc.php, and while you are happy that phpMyAdmin runs over https, the attacker still gets http access. Even with ForceSSL on he still learns that there is a web interface to your MySQL database, which gives him a target, and he does not care whether he reaches it over http or https.

Here is a far simpler method … and more secure.

In Debian or Ubuntu, after running apt-get install phpmyadmin:

Modify the DNS for the domain so that there are A records for * (the wildcard, *.mydomain.com) and @ (the bare domain) pointing to your IP address. Every subdomain you care to invent then resolves to the server without its name ever being written into a DNS record, so zone transfers, passive-DNS lookups and subdomain brute forcing cannot reveal it.

Now use certbot to obtain a Let's Encrypt wildcard certificate for *.mydomain.com. Let's Encrypt only issues wildcards through the DNS-01 challenge, so certbot will ask you to publish a TXT record at _acme-challenge.mydomain.com (or you use a certbot DNS plugin for your provider). The resulting certificate is valid for any subdomain on that server, and, importantly, it names only *.mydomain.com, so the Certificate Transparency logs that record every Let's Encrypt certificate do not give the host name away either.

Now create a file in /etc/apache2/sites-available for somestrangename.mydomain.com with /usr/share/phpmyadmin as its document root and enable it with a2ensite. Make sure it is not the first *:443 virtual host Apache loads: sites-enabled is read in alphabetical order, and the first virtual host on a port is the default that Apache serves to any client that does not name a host.

Here is what I have used:

<VirtualHost *:443>
    UseCanonicalName Off
    ServerAdmin admin@mydomain.com
    ServerName somestrangename.mydomain.com

    SSLEngine On
    # fullchain.pem holds the leaf certificate plus the Let's Encrypt
    # intermediates; Apache 2.4.8+ reads both from SSLCertificateFile,
    # so a separate SSLCertificateChainFile is not needed
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    # refuse clients that do not send the host name via SNI, so a plain
    # https://<ip>/ probe can never be routed into this virtual host
    SSLStrictSNIVHostCheck on

    # a plain DocumentRoot: VirtualDocumentRoot belongs to mod_vhost_alias
    # and is not needed for a single fixed path
    DocumentRoot /usr/share/phpmyadmin
</VirtualHost>

If you have already enabled phpMyAdmin in the normal way (the package's own Apache snippet, which publishes it under /phpmyadmin in every virtual host, over plain http), disable that first: run a2disconf phpmyadmin (or remove the symlink in /etc/apache2/conf-enabled that points to phpmyadmin.conf), and if /etc/apache2/apache2.conf contains the line Include /etc/phpmyadmin/apache.conf, comment it out. Note that the package snippet also carries <Directory> blocks that deny web access to phpMyAdmin's internal directories (libraries/, templates/); carry those over into the new virtual host rather than losing them. Then reload Apache and confirm that http://ipaddress/phpmyadmin now returns 404.
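The same setup written out as an added example (not the original post's configuration), with a catch-all default HTTPS virtual host sorted ahead of the hidden one so that probes by IP address, without SNI, or with any other host name get a refusal instead of phpMyAdmin, together with the directory protections from Debian's packaged snippet and a source-address restriction. Everything specific here is an assumption: the file names, the default.invalid placeholder name, the Debian ssl-cert package's snakeoil certificate path, the 203.0.113.0/24 and 198.51.100.7 addresses (RFC 5737 documentation ranges standing in for your own), and mod_headers being enabled.

```apache
# /etc/apache2/sites-available/000-default-ssl.conf   (assumed file name)
# Catch-all for HTTPS requests that do not carry the secret host name.
# The "000-" prefix makes it the first *:443 vhost Apache loads, and the
# first vhost on a port is the default served to clients that name no host.
<VirtualHost *:443>
    ServerName default.invalid
    DocumentRoot /var/www/empty

    SSLEngine On
    # Deliberately NOT the *.mydomain.com wildcard: presenting that to an
    # IP scanner would reveal the domain. Any throwaway certificate will do;
    # Debian's ssl-cert package ships this self-signed one (assumed present).
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    # In the default vhost this refuses every client that sends no SNI at all.
    SSLStrictSNIVHostCheck on

    <Directory /var/www/empty>
        Require all denied
    </Directory>
</VirtualHost>

# /etc/apache2/sites-available/somestrangename.mydomain.com.conf (assumed name)
# Only a request whose SNI/Host header is exactly this name is routed here.
<VirtualHost *:443>
    ServerName somestrangename.mydomain.com
    ServerAdmin admin@mydomain.com
    DocumentRoot /usr/share/phpmyadmin

    SSLEngine On
    # fullchain.pem = leaf + intermediates; no SSLCertificateChainFile needed
    SSLCertificateFile    /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLStrictSNIVHostCheck on

    # The secret name keeps scanners out; the address allow-list and a second
    # factor (htpasswd, or SSLVerifyClient with client certificates) keep out
    # anyone who has learnt the name.
    <Directory /usr/share/phpmyadmin>
        Options -Indexes
        DirectoryIndex index.php
        AllowOverride None
        Require ip 203.0.113.0/24 198.51.100.7    # placeholder office/VPN ranges
    </Directory>

    # Carried over from Debian's /etc/phpmyadmin/apache.conf, which is no longer
    # included globally: these directories must never be served directly.
    <Directory /usr/share/phpmyadmin/libraries>
        Require all denied
    </Directory>
    <Directory /usr/share/phpmyadmin/templates>
        Require all denied
    </Directory>

    # The wildcard A record makes this name resolve over port 80 as well;
    # HSTS keeps a browser that once used https from ever trying http here.
    # (requires mod_headers: a2enmod headers)
    Header always set Strict-Transport-Security "max-age=31536000"

    ErrorLog  ${APACHE_LOG_DIR}/phpmyadmin-error.log
    CustomLog ${APACHE_LOG_DIR}/phpmyadmin-access.log combined
</VirtualHost>
```

Enable both with a2ensite 000-default-ssl somestrangename.mydomain.com, run apachectl configtest, then reload Apache. Two checks show whether the hiding actually works: curl -k https://ipaddress/ must return a 403 from the catch-all (or a TLS refusal), never the phpMyAdmin login page; and curl --resolve somestrangename.mydomain.com:443:ipaddress https://somestrangename.mydomain.com/ from an allowed address must return it. If the first check shows the login page, the phpMyAdmin vhost has become the default for port 443 and the obscurity is gone.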

Voila ... you now have phpMyAdmin running only over https, on a host name that appears in no DNS record and in no certificate; a scanner that finds the IP address sees nothing unless he guesses somestrangename. Two caveats. First, the name still travels in clear text in the TLS SNI field and sits in your browser history and the server's logs, so treat it as a shared secret, not as a password. Second, this only works if the phpMyAdmin virtual host is not the first (and therefore default) *:443 virtual host on the server: Apache hands the default vhost to any client that connects by IP address, without SNI or with an unknown name, which would serve phpMyAdmin to exactly the scanner you are trying to hide from. Keep a separate catch-all 443 virtual host sorted ahead of it.

Obviously you could improve on this method: restrict the virtual host to known source addresses with Require ip, put a client certificate (SSLVerifyClient require) or an htpasswd prompt in front of the phpMyAdmin login, and rate-limit failed logins with fail2ban, since hiding the URL does nothing against an attacker who has already learnt it.

Additional thoughts after I had completed the installation.

If you register a separate domain unrelated to your normal domain and then follow my procedure with a virtual host for somestrangename.uniquedomain.com instead of somestrangename.mydomain.com, you will have taken invisibility a step further: you then need the wildcard certificate for that domain instead, and nothing ties the phpMyAdmin host name to the websites it administers.

You could use a .htaccess file in the root of /usr/share/phpmyadmin together with htpasswd to secure phpMyAdmin further, as suggested on some forums, but I think that, having made the existence of phpMyAdmin virtually invisible from the internet, this is no longer essential.
