I didn't see a conclusion.
How best to enable phpMyAdmin, yet restrict access?
I have it installed now as a ‘web app’ with folder ‘/phpmyadmin’, but I don't see it in any of the public_html folders.
Can we install it as a sub-folder in public_html, then use directory restriction?
I don't like having phpMyAdmin publicly exposed, even if you need to enter a password.
I did not use the method above; I restricted access to my local network. The template below will allow you to change it as required. You can also add username and password requirements via .htaccess.
.htaccess in the phpmyadmin folder, edit as required:
# RESTRICT ACCESS TO DIRECTORY BY IP ADDRESS
# Include in .htaccess of any directory
<RequireAny>
Require all denied
#Require ip 1.2.3.4
#Require ip 5.6.7.8/12
# If local server access to the directory is required
# add the following; include the server ip addresses (ipv4 & ipv6)
Require local
Require ip 10.0.0.0/24
#Require ip 2001:0db8:85a3:0000:0000:8a2e:0370:7334
</RequireAny>
To protect a phpMyAdmin installation located in the web root, use the following methods:
Rename the Directory: Change the folder name from /phpmyadmin to a unique, unpredictable string (e.g., /access_db_9x21) to avoid automated bot scans.
IP Whitelisting: Use .htaccess (Apache) or nginx.conf to allow access only from your specific IP address, or a range of IPs (e.g. a country), blocking everyone else.
Basic HTTP Authentication: Add an extra security layer using .htpasswd. This requires a system-level username and password before the phpMyAdmin login page even loads.
Two-Factor Authentication (2FA): Enable native 2FA support in phpMyAdmin using applications like Google Authenticator.
Disable Root Login: Edit config.inc.php to set $cfg['Servers'][$i]['AllowRoot'] = false; this forces the use of non-privileged database users for login.
Force SSL/HTTPS: Ensure all traffic is encrypted to prevent password sniffing by enforcing HTTPS connections.
Use a Cookie Auth Signon: Ensure auth_type is set to cookie in the configuration so that sessions expire and require manual login.
SSH Tunneling: The most secure method is to block public access entirely and access phpMyAdmin only through an SSH Tunnel, making the interface invisible to the outside world.
To address the security risks in Virtualmin where usernames match domain names, please take into consideration (just a few methods):
Change Username Convention: Modify Virtualmin settings to stop using the domain name as the username. Use random or custom strings instead to prevent attackers from guessing the login ID.
Enable Fail2Ban: Enable the phpmyadmin jail in Fail2Ban. This automatically bans IP addresses that attempt multiple failed logins, effectively stopping brute-force bots.
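As an added example (not code posted by anyone in this thread), here is the IP template from the earlier reply combined with the .htpasswd method from the list above, so a request must both come from an allowed address and present valid credentials before phpMyAdmin's own login page loads. It assumes Apache 2.4 with AllowOverride permitting AuthConfig for the directory; the password-file path and the IPv6 prefix are placeholders to replace with your own.

```apache
# Added example: IP allow-list AND HTTP Basic Auth for the phpMyAdmin folder.
# Put this in the .htaccess of the (renamed) phpMyAdmin directory.

# Basic auth. Keep the password file outside every public_html (assumed path).
AuthType Basic
AuthName "Database admin"
AuthUserFile /etc/apache2/htpasswd/phpmyadmin

<RequireAll>
    # Every directive inside RequireAll must succeed.
    Require valid-user
    <RequireAny>
        # ...and at least one of these address rules must match.
        # Requests from the server itself (e.g. local scripts).
        Require local
        # LAN range taken from the template above; adjust to your network.
        Require ip 10.0.0.0/24
        # IPv6 documentation prefix used as a placeholder; replace it.
        Require ip 2001:db8::/32
    </RequireAny>
</RequireAll>
```

Create the password file with `htpasswd -Bc /etc/apache2/htpasswd/phpmyadmin dbadmin` (bcrypt hashing; drop -c when adding further users), and make sure the file is readable by the web server user only.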
For some weird reason, phpmyadmin is enabled on all domains.
I did reinstall the web app for 2 domains, and yes, now I see the folder in public_html.
Then I deleted the web app for phpMyAdmin from all domains, but it's still available?
I would like to remove it completely, then re-install on a web-app basis for each domain, use a different name for the folder (as in the web app install), then add the IP restrictions.
How do I safely remove phpMyAdmin?
Let's take the following situation: you have 10 domains hosted on your server. If you install phpMyAdmin in one of them, you will be surprised to find that on that domain you can access the databases of the other domains (obviously with the usernames and related passwords). If I remember correctly, a long time ago we discussed this in the old forum. But it is not a reason to worry; you can configure phpMyAdmin strictly to work on that domain, but Virtualmin does not do it, you do it manually. This could be an advantage: you can manage all databases with one installation to manage the rest of the domains (pretty close to cPanel).
I don't understand what “safely remove” means; it is just an online database client. If you installed it through the Virtualmin interface, you have to delete it from there.
No, I only ever see the database for that domain within phpMyAdmin.
I now do not have this as a ‘web app’ on any site, but still have access!! So I need to know how to remove it (from where, as no domain has it as a web app!!) and start again.
OK, it all works!!!
The issue must have been that phpMyAdmin was installed as a module in the root OS, so after purging, installing it for one domain in Virtualmin, naming the folder with a unique name (not phpmyadmin!!!), then adding a protected directory, all works.