Brute force attacks over phpMyAdmin - advice

Virtualmin allows an administrator account to install some scripts like RoundCube and phpMyAdmin. In the last few days we have encountered a huge number of brute force attacks against phpMyAdmin links. Checking the links, it was easy to find the path because it was the default one. These administrators of their virtual servers just installed the script but, based on their knowledge, did not know to give the phpMyAdmin path a unique name. I will correct this and inform them later.

The main problem I have is that once phpMyAdmin is installed in a virtual server, it allows all the other administrators to connect to their databases. For example:

  • virtual server 1: vs1.com, admin vs1
  • virtual server 2: vs2.com, admin vs2

If admin vs1 installs phpMyAdmin on vs1.com with the default path phpmyadmin, I discovered that admin vs2 can use this path to connect to its database for the domain vs2.com. Is there a way, after installing the phpMyAdmin script, of automatically "locking" that installation to its admin account only? In this way no other administrators could connect to their databases through that domain.

Thank you.

Status: 
Closed (works as designed)

Comments

Submitted by unborn on Tue, 06/21/2016 - 03:59 Pro Licensee

Hi addison74, what you can do is set the phpMyAdmin connection to SSL only, place an htaccess to allow only your IP address to connect, or protect your phpMyAdmin with a "double login action" as I call it - simply set Apache authentication on it (one username and password for all your admins), install fail2ban, enable the apache-auth jail and set a ban time of 24 hours or more. This is possibly overkill, I know, but it will defo stop anyone right there on the Apache login page before he/she even gets to the phpMyAdmin login page.

Yeah all of unborn's suggestions are good ones.

There's no automatic way to do the things you're asking about; those would all need to be set up manually within each installation.

Just to verify though -- can you remind me whether this is for Virtualmin Pro, or Virtualmin GPL?

This is Virtualmin GPL.

Yeah, since you're not seeing a Virtualmin bug there, and you're using Virtualmin GPL, my suggestion would be to start a forum thread to discuss that.

Some folks in the community there may have some suggestions as to how they added additional protections into phpMyAdmin. Thanks!

Submitted by Diabolico on Fri, 06/24/2016 - 09:28

Fail2ban is great and I would dare to say a "must have" on any server, but like with WP I want to block as much as I can before anyone can even reach their intended destination. Like unborn said, install f2b and set it to scan and ban for 24 hours.

What you can do with phpMyAdmin is limit access with htaccess:

First you will create "/phpmyadmin/.htaccess":

AuthUserFile /home/name_of_your_virtualserver/public_html/phpmyadmin/.nologin
AuthName "Private access"
AuthType Basic
require user YourUsername

Once done, it's time to make "/phpmyadmin/.nologin":

YourUsername:some_really_long_string

What to put inside .nologin you can get from here - http://www.htaccesstools.com/htpasswd-generator/. Keep in mind the username and the code are case sensitive.

Once done, check that both files have permissions set to 644, and now no one will be able to even see your phpMyAdmin. The majority of browsers offer to remember login information prompted by htaccess, so you don't need to type it every time you want to access phpMyAdmin.

I like this approach because regardless of how many hits I get, the consumption of server resources is minimal, almost non-existent.

Ninja edit: If you want to prevent the virtual server admin from changing or deleting the files, make them owned by root.
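A scripted version of the .htaccess protection above, combined with unborn's source-IP restriction, added here as an example that is not part of the thread and not Virtualmin's own code. It generates the password line with openssl instead of the online generator and keeps the password file one level above public_html, where Apache cannot serve it; the paths, the optional Require ip restriction and the function names are assumptions.

```shell
#!/bin/sh
# Example (not Virtualmin's code). Assumes Apache 2.4 "Require" syntax,
# a per-virtual-server layout of /home/<name>/public_html, and openssl.

# Print the .htaccess for the phpMyAdmin directory. With a third argument
# (IP or CIDR) the client must match that address AND present credentials.
render_htaccess() {
    pwfile=$1; user=$2; allow_ip=${3:-}
    printf 'AuthType Basic\nAuthName "Private access"\nAuthUserFile %s\n' "$pwfile"
    if [ -n "$allow_ip" ]; then
        printf '<RequireAll>\n  Require ip %s\n  Require user %s\n</RequireAll>\n' "$allow_ip" "$user"
    else
        printf 'Require user %s\n' "$user"
    fi
}

# Return 0 when the password file is outside the document root, 1 otherwise.
# A password file under public_html is reachable by URL unless Apache is told
# to deny it; its default config only hides names beginning with ".ht".
is_outside_docroot() {
    docroot=${1%/}; pwfile=$2
    case "$pwfile" in
        "$docroot"/*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Print one htpasswd line (Apache MD5 "apr1" scheme); the password is read
# from stdin so it never appears in the process list.
htpasswd_line() {
    printf '%s:%s\n' "$1" "$(printf '%s' "$2" | openssl passwd -apr1 -stdin)"
}

# Write both files; refuses to place the password file inside public_html.
install_pma_auth() {
    docroot=${1%/}; user=$2; pass=$3; allow_ip=${4:-}
    pwfile=$(dirname "$docroot")/etc/pma.htpasswd
    is_outside_docroot "$docroot" "$pwfile" || { echo "refusing: password file inside docroot" >&2; return 1; }
    mkdir -p "$(dirname "$pwfile")" "$docroot/phpmyadmin"
    htpasswd_line "$user" "$pass" > "$pwfile"
    chmod 644 "$pwfile"                      # Apache must be able to read it
    render_htaccess "$pwfile" "$user" "$allow_ip" > "$docroot/phpmyadmin/.htaccess"
    chmod 644 "$docroot/phpmyadmin/.htaccess"
}
```

Run as root (per the ninja edit) so the virtual server admin cannot edit the files: install_pma_auth /home/vs1/public_html vs1 'long passphrase' 203.0.113.7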

Status: Active » Closed (works as designed)