# Securing phpmyadmin -- HOWTO

## acidreign

After a quick trawl around the web, I have found numerous companies' web sites running phpmyadmin accessible via http://mysite.com/phpmyadmin  :Embarassed: 

Although it is illegal in many countries to delete someone's database, many script kiddies would not think twice about having fun with your data.

There are simple and effective ways of protecting your phpmyadmin directory, the most common of which is using the Apache web server's built-in functions.

Before getting into the nitty-gritty of the setup, the main Apache config file will need to be changed to allow this configuration to work correctly.

In the /etc/httpd/httpd.conf file, change

```
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
```

to look like 

```
<Directory />
    Options FollowSymLinks
    AllowOverride AuthConfig
</Directory>
```

After saving your changes, restart the apache server (/etc/init.d/httpd restart) or (apachectl restart).

The method that I will be outlining is called the "htaccess" method.

The htaccess method consists of two files, the .htaccess file and the htpasswd file.  Although this is a small subset of the potential of what these files can be used for, it should be enough to get you started.

The htaccess  file specifies which types of users and groups are allowed to access the specified resource, be it a file or directory (hey.. in unix.. EVERYTHING is a file!).

The example htaccess file that is currently in use is:

```
AuthUserFile /usr/local/httpd/htpass/htpasswd
AuthGroupFile /dev/null
AuthName  PHPMYADMIN
AuthType Basic
require valid-user
```

The directory /usr/local/httpd/htpass/ is not created by the Gentoo install. It was created with minimal permissions, so that users that didn't need to see it were not able to view the contents of it. 

The htpasswd file is created with the htpasswd utility, which is part of the standard Gentoo Apache install.  

The file must be created with the command listed below.

```
htpasswd  -c /usr/local/httpd/htpass/htpasswd username
```

Replace username with the username you wish to add.  The -c parameter needs only to be added for the initial creation of the first user.  You will then be prompted for the password you wish to add for this user.  Your keystrokes will not be echoed back.

The next time you add a user, you no longer need to use the -c parameter, as the file already exists.

Personal preference and paranoia make me set this file to the ownership of nobody, the user the webserver runs as, with minimal permissions.

```
chown nobody /usr/local/httpd/htpass/htpasswd
chmod 700 /usr/local/httpd/htpass/htpasswd
```

Assuming all has gone to plan, you should now be able to attempt to access the http://mysite.com/phpmyadmin/ directory and be greeted with a "please enter your password" prompt. Fill in the details with the username and password that you have entered earlier, and it should all be good.

If you are having any problems, the first place to check is your Apache logs (/var/log/httpd/access_log and error_log), and failing that, reply to this thread. I can't promise an answer, but I'll try.

This same method can be used to password protect any directory on your webserver, not just your phpmyadmin directory.  

Happy Gentooing.

 *Quote:*   

> Resources:
> 
> http://faq.clever.net/htaccess.htm
> ...

 Last edited by acidreign on Tue Apr 15, 2003 7:33 am; edited 1 time in total

----------

## acidreign

Can I get some user feedback on what they thought of the post? An emoticon would do fine.

----------

## Utoxin

 :Very Happy: 

----------

## bishop

Nice HOW-TO, thanks!

----------

## jadenjahner

Why not just set the auth method in the phpmyadmin config to http?

It does the same, only takes one adjustment.

----------

## sidesh0w

How would I go about configuring phpmyadmin to use https:// instead of http:// ?  I've tried to set the PmaAbsoluteUri to https://myserver.com/phpmyadmin but all I get is 404 - file not found.  I also tried to set that variable to /phpmyadmin but I get the same results.  Any ideas?

----------

## brain

 *sidesh0w wrote:*   

> How would I go about configuring phpmyadmin to use https:// instead of http:// ?  I've tried to set the PmaAbsoluteUri to https://myserver.com/phpmyadmin but all I get is 404 - file not found.  I also tried to set that variable to /phpmyadmin but I get the same results.  Any ideas?

 

This isn't a phpmyadmin function, it's an Apache one.   There's a quick guide on getting Apache to use SSL in the Desktop Configuration guide:

http://www.gentoo.org/doc/desktop.html

----------

## brain

 *jadenjahner wrote:*   

> Why not just set the auth method in the phpmyadmin config to http?
> 
> It does the same, only takes one adjustment.

 

Actually, to one-up ya   :Wink:  ....

Use both!  Keep one, for example, the .htaccess with a different username and password than the http auth for phpmyadmin.   

For something as important as a database admin tool on the web, personally I'd like to have as many passwords protecting it as possible!

----------

## ViCToR:

If you're running phpmyadmin on your own box, and the only thing you want is not to let others mess with your databases, I suggest an .htaccess file like this:

```
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
<Limit GET POST>
 order deny,allow
 deny from all
 allow from 127.0.0.1
</Limit>
```

This will only let localhost access that path. This way you won't have to type in a user/password. Clean and effective  :Smile: 

----------

## acidreign

It is nice to see mature talk in regards to security, another post will be coming up shortly, got 2 in the works.

----------

## rac

 *ViCToR: wrote:*   

> ```
> <Limit GET POST>
> ...

 

I am curious as to why you use a <Limit> block here.  Wouldn't it be even more secure if the restrictions applied to all types of requests, not just GET and POST?

----------

## ViCToR:

 *rac wrote:*   

> I am curious as to why you use a <Limit> block here.  Wouldn't it be even more secure if the restrictions applied to all types of requests, not just GET and POST?

 

Yes, you're right. Don't know if it's actually more secure (in practice) but there's no need for that <Limit> there, so let's just remove it. Thanks for pointing it out. I also removed the AuthName tag.

It'll look like this:

```
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthType Basic
order deny,allow
deny from all
allow from 127.0.0.1
```

----------

## CarlUman

Great to see some people interested in security.  Will be some review material for when I get my site working.

Thanks

Oops, that was an old post   :Embarassed: 

----------

## Shibo

I read that we can also make groups of users allowed to access the files. Does anyone know how to do it? Because I've tried this:

.htaccess file:

```
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /somepath/.htpasswd
AuthGroupFile /somepath/.htgroup
require groupe mysql
```

.htgroup file:

```
mysql: shadow root
```

.htpasswd file:

```
shadow:************
root:************
```

But it seems not to work. Maybe it's because I'm on a local network; I'll try tonight from somewhere else. Anyway, has anybody already used this method? And did it work?
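The thread covers three .htaccess access rules without showing what Apache actually checks for each: the original post's `require valid-user`, ViCToR's `allow from 127.0.0.1` address list, and the group lookup in the post above (note that Apache spells that directive `require group mysql`; the file above has `groupe`). The model below is an added example and is not code from the thread, from Apache or from phpMyAdmin. It reimplements those three decisions in Python, parsing htpasswd and htgroup text in the formats the thread shows and decoding the browser's `Authorization: Basic` header; password entries use the `{SHA}` digest format that `htpasswd -s` writes (other htpasswd hash formats are deliberately out of scope). The user names, passwords, group names and client addresses are constructed sample data.

```python
"""Model of the .htaccess decisions discussed in the thread (added example)."""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Sequence, Tuple


def make_sha_entry(password: str) -> str:
    """Digest in the {SHA} format htpasswd -s stores: base64 of raw SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text: str) -> Dict[str, str]:
    """user:digest per line; blank lines and '#' comments are skipped."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        users[user] = digest
    return users


def parse_htgroup(text: str) -> Dict[str, List[str]]:
    """group: member member ... per line, as in the thread's .htgroup."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = members.split()
    return groups


def password_matches(stored: str, candidate: str) -> bool:
    """Constant-time comparison of a {SHA} entry against a candidate password."""
    if not stored.startswith("{SHA}"):
        return False  # unknown or missing entry never matches
    return hmac.compare_digest(stored, make_sha_entry(candidate))


def basic_header(user: str, password: str) -> str:
    """What a browser sends after the 'please enter your password' prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split an Authorization header value into (user, password), or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header is treated as no credentials
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def decide(requirement: str, users: Dict[str, str], groups: Dict[str, List[str]],
           authorization: Optional[str], client_ip: str,
           allow_from: Sequence[str] = ()) -> Tuple[int, str]:
    """Return (HTTP status, reason) for one request under one .htaccess rule.

    requirement is 'valid-user', 'group NAME', or 'allow-from' (the
    deny-from-all / allow-from list from the thread, which needs no login).
    Failed credentials or group checks re-challenge with 401, as Apache does
    for Basic auth; an address that is not on the list gets 403.
    """
    if requirement == "allow-from":
        if client_ip in allow_from:
            return 200, "client address allowed"
        return 403, "client address not allowed"
    creds = decode_basic(authorization)
    if creds is None:
        return 401, "credentials required"
    user, password = creds
    # users.get(..., "") keeps the unknown-user path identical to a bad password
    if not password_matches(users.get(user, ""), password):
        return 401, "bad user or password"
    if requirement == "valid-user":
        return 200, f"user {user} accepted"
    if requirement.startswith("group "):
        group = requirement[len("group "):]
        if user in groups.get(group, []):
            return 200, f"user {user} is in group {group}"
        return 401, f"user {user} is not in group {group}"
    return 500, "unknown requirement"


# Constructed sample files (not from the thread); the passwords are sample
# values only and 'password' is deliberately weak to show the known {SHA} form.
SAMPLE_HTPASSWD = "\n".join([
    "# sample htpasswd, {SHA} entries",
    "shadow:" + make_sha_entry("correct horse"),
    "root:" + make_sha_entry("password"),
])
SAMPLE_HTGROUP = "mysql: shadow root\nreporting: shadow\n"
```

Calling `decide("group mysql", parse_htpasswd(SAMPLE_HTPASSWD), parse_htgroup(SAMPLE_HTGROUP), basic_header("root", "password"), "10.0.0.5")` returns `(200, ...)`, while the same credentials against `group reporting` give a 401 because `root` is not listed for that group; the `allow-from` rule ignores credentials entirely and answers purely on `client_ip`, which is why ViCToR's variant needs no htpasswd file at all.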

----------

## kamikaze04

What I do to avoid scriptz kiddies is changing www.name.com/phpmyadmin to www.name.com/anothername; I get rid of all possible risks from unknown people. Also I've got a user and password too.

So in other words: Come on, don't use the habitual name for phpmyadmin, gallery, wordpress etc...

----------

## jballou

Just to let folks know, if one has access to the httpd.conf it is waaaay better to do the changes in there rather than .htaccess. Now every single request requires Apache to search for an .htaccess for every single file on the entire server, even images and other non-dynamic content. And it does it for every directory above it, to the filesystem root IIRC. By the way, nice search action, the original post is like 4 years old   :Very Happy: 

----------

