OK, so I have several sites on a vps with ssl certificates. I have mod security setup as well as tripwire. My question then relates to phpmyadmin security. If my IP is 123.123.123.123 I can access phpmyadmin using 123.123.123.123/mypmyadmin-IHaveChangedThisURL.
And even though I changed the phpmyadmin url, phpmyadmin is still accessible if you can find the url.
I have added a blank html file to the root directory and so no directory index is given using the vps hostname or vps IP.
Is there anything else I can do to protect the IP use and attempts to get to phpmyadmin etc?
Any guidance appreciated. Thanks.
Several things could be done. I will explain my ideas and how they could be implemented within Apache2.
1. Use an HTTPS connection to protect your data from sniffing
First enable the SSL module if it is not enabled:
sudo a2enmod ssl
Open port 443 (HTTPS) in the firewall. You should use your custom port here.
Follow this manual and enable a free certificate from Let's Encrypt.
Check this answer and disable weak ciphers.
Then you can force all users to use HTTPS.
2. Change the URI of PhpMyAdmin
To change the URI, within the default configuration, you should edit /etc/phpmyadmin/apache.conf and change the first part (/phpmyadmin) of this directive:
Alias /phpmyadmin /usr/share/phpmyadmin
Restart Apache and you will be able to access PhpMyAdmin through the new URI.
3. Run PhpMyAdmin on a different port
Here is a step-by-step manual: How to run PhpMyAdmin on a different port. Don't forget to open this port in the firewall.
4. Access PhpMyAdmin only locally through an SSH tunnel
Run PhpMyAdmin on a different port. Let's assume it is port 99. Close this port in the firewall. Then establish an SSH connection with a command similar to:
ssh -fTN -R 99:localhost:99 <user>@<hostname or IP>
- This command will create an SSH tunnel, where the remote (-R) port 99 is forwarded to the local port 99 on the localhost (127.0.0.1).
- The options -fTN will push the connection into the background.
Then PhpMyAdmin should be accessible via the web browser of your local machine at the URL http://localhost:99/. More ideas could be found here.
5. Protect the PhpMyAdmin URI path via password authentication
More details could be found in this Apache manual: Authentication and Authorization. The package apache2-utils must be installed. In short the steps are:
Create a folder outside of /var/www, where the password file will be kept. Then generate the password file. Let's assume the name of this new folder is /var/www-auth:
$ sudo mkdir /var/www-auth
$ cd /var/www-auth
$ sudo htpasswd -c .htpasswd.phpmyadmin user
New Password: *********
Re-Type New Password: *********
Adding Password For User user
- .htpasswd.phpmyadmin is the name of the file in which the password will be stored.
- user is the login name that will be used.
- ********* is the password :)
- -c means create a new file. If this option is omitted, the htpasswd command will try to add the new login name to an existing .htpasswd file.
Modify the PhpMyAdmin authentication type by editing /etc/phpmyadmin/apache.conf in this way (or create a .htaccess file):
.....
AuthType Basic
AuthName "The name of the authentication form - type some user and password hints"
AuthUserFile /var/www-auth/.htpasswd.phpmyadmin
Require valid-user
.....
Enable the modules and restart Apache2 to apply the new configuration:
sudo a2enmod authz_core authz_user authn_file
sudo systemctl restart apache2.service
Now to access PhpMyAdmin's URI you must provide the login name user and its password.
6. Protect the PhpMyAdmin URI path via Two Factor Authentication (2FA)
Follow steps 1 and 3 from this manual to generate the .google_authenticator file, located in your $HOME directory. Step 4 describes how to generate authentication codes.
Create a new directory under /var/www-auth. Let's assume the name of this new folder is google_authenticator:
sudo mkdir -p /var/www-auth/google_authenticator
Copy the file $HOME/.google_authenticator into that directory and change its permissions (it must be readable for www-data):
sudo cp $HOME/.google_authenticator /var/www-auth/google_authenticator/user
sudo chown www-data:www-data /var/www-auth/google_authenticator/user
Please note that the file name determines the login name! The file name will be used as the username while logging in to your secure website.
Modify the new file by adding the directive " PASSWORD=qwerty, where qwerty is the new login password:
E3CY3TNSNBXXXXXX
" RESETTING_TIME_SKEW ...
" RATE_LIMIT 3 30 ...
" WINDOW_SIZE 17
" DISALLOW_REUSE 48885555 ...
" TOTP_AUTH
" PASSWORD=qwerty
4567...
Install mod_authn_google for Apache2. Unfortunately this module is unavailable within Ubuntu's repository, but we can get it from this repository. The steps are: (1) go to your Downloads, (2) download the package dba-apa24-mod_authn_google-r22... .rpm, (3) extract mod_authn_google.so, (4) place the file in /usr/lib/apache2/modules/, (5) grant appropriate permissions, (6) create the module load file:
cd $HOME/Downloads
wget http://download.opensuse.org/repositories/home:/csbuild:/DBA/RedHat_RHEL-7/x86_64/dba-apa24-mod_authn_google-r22-1.1.x86_64.rpm
rpm2cpio dba-apa24-mod_authn_google-r22-1.1.x86_64.rpm | cpio -iv --to-stdout ./DBA/apache24/WWW/2.4.x/modules/mod_authn_google-r22.so > mod_authn_google.so
sudo mv mod_authn_google.so /usr/lib/apache2/modules/
sudo chown root:root /usr/lib/apache2/modules/mod_authn_google.so
sudo chmod g-w /usr/lib/apache2/modules/mod_authn_google.so
echo "LoadModule authn_google_module /usr/lib/apache2/modules/mod_authn_google.so" | sudo tee /etc/apache2/mods-available/authn_google.load
sudo a2enmod authn_google
Modify the PhpMyAdmin authentication type by editing /etc/phpmyadmin/apache.conf in this way (or create a .htaccess file):
.....
AuthType Basic
AuthName "The name of the authentication form - type some user and password hints"
AuthBasicProvider "google_authenticator"
GoogleAuthUserPath /var/www-auth/google_authenticator
GoogleAuthCookieLife 3600
GoogleAuthEntryWindow 2
Require valid-user
.....
Enable the modules and restart Apache2 to apply the new configuration:
sudo a2enmod authz_core authz_user authn_google
sudo systemctl restart apache2.service
Now to access PhpMyAdmin's URI you must provide the login name user, its password and the 6-digit token code.
7. Use ModSecurity for Apache
With ModSecurity you can add more flexible restrictions to PhpMyAdmin's URI.
In this answer, under the section "ModSecurity Rules > SAS > Iptables", I've described in short how we can create custom rules for ModSecurity.
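As an added example (not part of the original answer), a small Python audit of the /etc/phpmyadmin/apache.conf stanza that steps 2 and 5 edit: it flags the default /phpmyadmin alias, missing HTTP auth, missing HTTPS enforcement, no source-IP allow-list, and the Apache 2.4 pitfall where sibling Require lines are OR-ed unless wrapped in RequireAll. The two sample configurations, the alias path and the 203.0.113.0/24 network are constructed.

```python
import re

# Constructed excerpt shaped like the Debian /etc/phpmyadmin/apache.conf that the
# answer edits; the directives are illustrative, not a copy of the package file.
DEFAULT_CONF = """Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
</Directory>
"""

# The same stanza after steps 2 and 5, with HTTPS required and an IP allow-list.
# The alias path and the 203.0.113.0/24 network are constructed placeholders.
HARDENED_CONF = """Alias /db-console-8f3e /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    SSLRequireSSL
    AuthType Basic
    AuthName "phpMyAdmin"
    AuthUserFile /var/www-auth/.htpasswd.phpmyadmin
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.0/24
    </RequireAll>
</Directory>
"""

def audit_pma_conf(conf):
    """Return the weaknesses found in a phpMyAdmin apache.conf text, in a fixed order."""
    findings = []
    alias = re.search(r"^\s*Alias\s+(\S+)\s+/usr/share/phpmyadmin\b", conf, re.M)
    if alias is None or alias.group(1).lower() == "/phpmyadmin":
        findings.append("default-alias")  # the well-known /phpmyadmin path is still served
    block = re.search(r"<Directory\s+/usr/share/phpmyadmin>(.*?)</Directory>", conf, re.S)
    body = block.group(1) if block else ""
    has_user = re.search(r"^\s*Require\s+valid-user\b", body, re.M) is not None
    has_ip = re.search(r"^\s*Require\s+ip\b", body, re.M) is not None
    if not (re.search(r"^\s*AuthType\s+Basic\b", body, re.M) and has_user):
        findings.append("no-http-auth")
    if not has_ip:
        findings.append("no-ip-restriction")
    if not re.search(r"^\s*SSLRequireSSL\b", body, re.M):
        findings.append("no-https-enforcement")
    # Apache 2.4 treats sibling Require lines as RequireAny: either the password OR
    # the source IP would be enough unless both are wrapped in <RequireAll>.
    if has_user and has_ip and "<RequireAll>" not in body:
        findings.append("ip-or-password-only")
    return findings
```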
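To show what the mod_authn_google setup in step 6 checks against the .google_authenticator file, an added Python example (not the module's own code): it parses the file layout shown above and verifies the PASSWORD directive plus either a 6-digit TOTP or a single-use scratch code. The secret, password and scratch code are constructed, and WINDOW_SIZE is assumed here to count accepted 30-second steps centred on the current one.

```python
import base64
import hashlib
import hmac
import struct

# Constructed .google_authenticator content in the layout the answer shows: base32 secret
# first, directives on lines beginning with '" ', then single-use scratch codes (all made up).
SAMPLE_FILE = """JBSWY3DPEHPK3PXP
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
" PASSWORD=qwerty
12345678
"""

def parse_ga_file(text):
    """Parse the file; RATE_LIMIT and DISALLOW_REUSE are read past but not enforced here."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    cfg = {"secret": lines[0], "window_size": 3, "totp": False, "password": None, "scratch_codes": set()}
    for ln in lines[1:]:
        if ln.startswith('"'):
            directive = ln[1:].strip()
            if directive == "TOTP_AUTH":
                cfg["totp"] = True
            elif directive.startswith("WINDOW_SIZE"):
                cfg["window_size"] = int(directive.split()[1])
            elif directive.startswith("PASSWORD="):
                cfg["password"] = directive.split("=", 1)[1]
        else:
            cfg["scratch_codes"].add(ln)
    return cfg

def totp_code(secret_b32, step):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for one 30-second time step."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1000000)

def verify_login(cfg, password, code, now):
    """True if the password matches and code is a TOTP inside the window or an unused scratch code."""
    if cfg["password"] is not None and not hmac.compare_digest(cfg["password"], password):
        return False
    if code in cfg["scratch_codes"]:
        cfg["scratch_codes"].discard(code)  # a scratch code is consumed on first use
        return True
    if not cfg["totp"]:
        return False
    step, half = int(now // 30), cfg["window_size"] // 2
    return any(hmac.compare_digest(totp_code(cfg["secret"], step + d), code)
               for d in range(-half, half + 1))
```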