当前位置: 文江博客话题详情

如何保护 phpMyAdmin

发布于 2024-08-28 22:08:29 字数 564 浏览 7 评论 0原文

我注意到我的网站有一些奇怪的请求试图找到 phpmyadmin 等

/phpmyadmin/
/pma/

现在我已经通过 apt 在 Ubuntu 上安装了 PMA,并且想通过不同于 /phpmyadmin/ 的网址访问它。我可以做什么来改变它?

感谢

更新

对于 Ubuntu 9.10 和 Apache2,相应的设置位于文件 /etc/apache2/conf.d/phpmyadmin.conf 中,该文件是 的链接/etc/phpmyadmin/apache.conf。 该文件包含第一个 /phpmyadmin 应该更改为不同内容的位置,例如:

Alias /phpmyadmin /usr/share/phpmyadmin

如果想避免不必要的活动,

Alias /secret /usr/share/phpmyadmin
原文

I have noticed that there are strange requests to my website trying to find phpmyadmin, like

/phpmyadmin/
/pma/

etc.

Now I have installed PMA on Ubuntu via apt and would like to access it via webaddress different from /phpmyadmin/. What can I do to change it?

Thanks

Update

For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file /etc/apache2/conf.d/phpmyadmin.conf which is a link to /etc/phpmyadmin/apache.conf. The file contains

Alias /phpmyadmin /usr/share/phpmyadmin

where the first /phpmyadmin should be changed to something different if one wants to avoid the unnecessary activity, e.g.:

Alias /secret /usr/share/phpmyadmin

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(10

守不住的情 2024-09-04 22:08:33

一些提示(虽然 ssh 隧道很容易是最安全的)

我看过指南,他们将 phpmyadmin 放在自定义端口上。我觉得这比将 /phpmyadmin 重命名为长且随机的名称更容易理解,因为端口扫描器扫描所有端口以查找打开的网页是微不足道的。

添加 apache 密码保护具有额外的好处(除了 apache 密码本身和 phpmyadmin 密码之外),因为它可以阻止扫描仪检测该 Web 端口/地址上的 phpmyadmin。

fail2ban 还可以监控 apache-auth 失败以进行暴力保护。

另外我刚刚注意到fail2ban有一个phpmyadmin监狱配置,但我没有尝试过。

Some tips, (while ssh tunnel is easily the most secure)

Ive seen guides where they put phpmyadmin on a custom port. I feel this is less obscure than renaming /phpmyadmin to something long and random, as its trivial for a port scanner to scan all ports for open web pages.

Adding apache password protection has bonus benefit (ontop of the apache password itself and the phpmyadmin password) in that it stops a scanner detecting that its phpmyadmin on that web port/address.

Also fail2ban can monitor apache-auth failures for bruteforce protection.

Also i just noticed fail2ban has a phpmyadmin jail config, not that ive tried it.

回复 原文
_畞蕅 2024-09-04 22:08:32

最大的威胁是攻击者可以利用以下漏洞:目录遍历,或使用 SQL 注入调用 load_file() 读取配置文件中的纯文本用户名/密码,然后使用 phpmyadmin 或通过 tcp 端口 3306 登录。作为渗透测试人员,我使用过此攻击破坏系统的模式。

这是锁定 phpmyadmin 的好方法:

  • PhpMyAdmin 缺乏强大的暴力保护,因此您必须使用随机生成的长密码。
  • 不允许远程 root 登录! 相反,phpmyadmin 可以配置为使用 " Cookie Auth” 来限制哪些用户可以访问系统。如果您需要一些 root 权限,请创建一个可以添加/删除/创建但没有 grantfile_priv 的自定义帐户。
  • 从每个帐户中删除 file_priv 权限。 file_priv 是 MySQL 中最危险的权限之一,因为它允许攻击者读取文件或上传后门。
  • 将有权访问 phpmyadmin 界面的 IP 地址列入白名单。下面是一个 .htaccess reulset 示例:
订单拒绝,允许
所有人都否认
允许来自 199.166.210.1

  • 没有可预测的文件位置,例如:http://127.0.0.1/phpmyadmin。 Nessus/Nikto/Acunetix/w3af 等漏洞扫描器将对此进行扫描。

  • 防火墙关闭 tcp 端口 3306,使其无法被攻击者访问。

  • 使用 HTTPS,否则数据和密码可能会泄露给其他人
    攻击者。如果您不想花 30 美元购买证书,那么
    使用自签名。你会接受一次,即使它是
    由于 MITM 而发生更改,您会收到通知。

The biggest threat is that an attacker could leverage a vulnerability such as; directory traversal, or using SQL Injection to call load_file() to read the plain text username/password in the configuration file and then Login using phpmyadmin or over tcp port 3306. As a pentester I have used this attack pattern to compromise a system.

Here is a great way to lock down phpmyadmin:

  • PhpMyAdmin lacks strong bruteforce protection, so you must use a long randomly generated password.
  • DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpmyadmin can be configured to use "Cookie Auth" to limit what user can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have grant or file_priv.
  • Remove file_priv permissions from every account. file_priv is one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor.
  • Whitelist IP address who have access to the phpmyadmin interface. Here is an example .htaccess reulset:
Order deny,allow
Deny from all
allow from 199.166.210.1

  • Do not have a predictable file location like: http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.

  • Firewall off tcp port 3306 so that it cannot be accessed by an attacker.

  • Use HTTPS, otherwise data and passwords can be leaked to an
    attacker. If you don't want to fork out the $30 for a cert, then
    use a self-signed. You'll accept it once, and even if it was
    changed due to a MITM you'll be notified.

回复 原文
情未る 2024-09-04 22:08:32

我对 phpMyAdmin 的担忧之一是默认情况下,所有 MySQL 用户都可以访问数据库。如果数据库的 root 密码被泄露,有人可能会对数据库造成严重破坏。我想找到一种方法来通过限制哪些 MySQL 用户可以登录 phpMyAdmin 来避免这种情况。

我发现在 PhpMyAdmin 中使用 AllowDeny 配置非常有用。
http://wiki.phpmyadmin.net/pma/Config#AllowDeny_.28rules.29

允许拒绝允许您以与 Apache 类似的方式配置对 phpMyAdmin 的访问。如果将“顺序”设置为显式,它将仅向“规则”部分中定义的用户授予访问权限。在规则部分中,您限制可以使用 phpMyAdmin 访问的 MySql 用户。

$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit'
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('pma-user from all')

现在您对 MySQL 中名为 pma-user 的用户具有有限的访问权限,您可以向该用户授予有限的权限。

grant select on db_name.some_table to 'pma-user'@'app-server'

One of my concerns with phpMyAdmin was that by default, all MySQL users can access the db. If DB's root password is compromised, someone can wreck havoc on the db. I wanted to find a way to avoid that by restricting which MySQL user can login to phpMyAdmin.

I have found using AllowDeny configuration in PhpMyAdmin to be very useful.
http://wiki.phpmyadmin.net/pma/Config#AllowDeny_.28rules.29

AllowDeny lets you configure access to phpMyAdmin in a similar way to Apache. If you set the 'order' to explicit, it will only grant access to users defined in 'rules' section. In the rules, section you restrict MySql users who can access use the phpMyAdmin.

$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit'
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('pma-user from all')

Now you have limited access to the user named pma-user in MySQL, you can grant limited privilege to that user.

grant select on db_name.some_table to 'pma-user'@'app-server'
回复 原文
じее 2024-09-04 22:08:32

另一种解决方案是使用配置文件而不进行任何设置。第一次你可能必须包含你的 mysql root 登录名/密码,以便它可以安装所有内容,然后将其删除。

$cfg['服务器'][$i]['auth_type'] = 'cookie';

$cfg['服务器'][$i]['主机'] = '本地主机';

$cfg['服务器'][$i]['connect_type'] = 'tcp';

$cfg['服务器'][$i]['压缩'] = false;

$cfg['服务器'][$i]['扩展'] = 'mysql';

如果不使用任何 apache/lighthtpd 别名,只会向您显示一个登录屏幕。
在此处输入图像描述

您可以使用 root 登录,但建议创建其他用户,并且仅允许 root 进行本地访问。还要记住使用字符串密码,即使很短,但要带有大写字母和一些特殊字符。例如 !34sy2rmbr! 又名“easy 2 Remember”

-编辑:现在一个好的密码实际上类似于 没有语法意义,但你可以记住,因为它们很有趣。或者使用keepass生成强随机数并轻松访问它们

Another solution is to use the config file without any settings. The first time you might have to include your mysql root login/password so it can install all its stuff but then remove it.

$cfg['Servers'][$i]['auth_type'] = 'cookie';

$cfg['Servers'][$i]['host'] = 'localhost';

$cfg['Servers'][$i]['connect_type'] = 'tcp';

$cfg['Servers'][$i]['compress'] = false;

$cfg['Servers'][$i]['extension'] = 'mysql';

Leaving it like that without any apache/lighhtpd aliases will just present to you a log in screen.
enter image description here

You can log in with root but it is advised to create other users and only allow root for local access. Also remember to use string passwords, even if short but with a capital, and number of special character. for example !34sy2rmbr! aka "easy 2 remember"

-EDIT: A good password now a days is actually something like words that make no grammatical sense but you can remember because they funny. Or use keepass to generate strong randoms an have easy access to them

回复 原文
花桑 2024-09-04 22:08:32

在较新版本的 phpMyAdmin 中,可以在 phpMyAdmin 的 config.inc.php 文件中设置用户名 + IP 地址的访问权限。这是一种更好、更稳健的限制访问的方法(通过将 URL 和 IP 地址硬编码到 Apache 的 httpd.conf 中)。

下面是一个完整的示例,说明如何切换到将所有用户列入白名单(此列表之外的任何人都不允许访问),以及如何将 root 用户限制为仅限本地系统和网络。

$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'deny % from all', // deny everyone by default, then -

    'allow % from 127.0.0.1', // allow all local users
    'allow % from ::1',

    //'allow % from SERVER_ADDRESS', // allow all from server IP

    // allow user:root access from these locations (local network)
    'allow root from localhost',
    'allow root from 127.0.0.1',
    'allow root from 10.0.0.0/8',
    'allow root from 172.16.0.0/12',
    'allow root from 192.168.0.0/16',

    'allow root from ::1',

    // add more usernames and their IP (or IP ranges) here -    
    );

来源:How to Install and Secure phpMyAdmin on localhost for Windows

这为您提供了更多细节 -在 MySQL 用户名级别,比 Apache 的 URL 权限或 .htaccess 文件可以提供的粒度访问限制。

确保您登录的用户的 MySQL Host: 字段设置为 127.0.0.1::1 ,因为 phpMyAdmin 和 MySQL 在同一系统上。

In newer versions of phpMyAdmin access permissions for user-names + ip-addresses can be set up inside the phpMyAdmin's config.inc.php file. This is a much better and more robust method of restricting access (over hard-coding URLs and IP addresses into Apache's httpd.conf).

Here is a full example of how to switch to white-listing all users (no one outside this list will be allowed access), and also how to restrict user root to the local system and network only.

$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'deny % from all', // deny everyone by default, then -

    'allow % from 127.0.0.1', // allow all local users
    'allow % from ::1',

    //'allow % from SERVER_ADDRESS', // allow all from server IP

    // allow user:root access from these locations (local network)
    'allow root from localhost',
    'allow root from 127.0.0.1',
    'allow root from 10.0.0.0/8',
    'allow root from 172.16.0.0/12',
    'allow root from 192.168.0.0/16',

    'allow root from ::1',

    // add more usernames and their IP (or IP ranges) here -    
    );

Source: How to Install and Secure phpMyAdmin on localhost for Windows

This gives you much more fine-grained access restrictions than Apache's URL permissions or an .htaccess file can provide, at the MySQL user name level.

Make sure that the user you are login in with, has its MySQL Host: field set to 127.0.0.1 or ::1, as phpMyAdmin and MySQL are on the same system.

回复 原文
比忠 2024-09-04 22:08:32

最有可能的是,您的网络服务器上的某个地方会有这样的 Alias 指令;

Alias /phpmyadmin "c:/wamp/apps/phpmyadmin3.1.3.1/"

在我的 wampserver / localhost 设置中,它位于 c:/wamp/alias/phpmyadmin.conf 中。

只需更改别名指令即可。

Most likely, somewhere on your webserver will be an Alias directive like this;

Alias /phpmyadmin "c:/wamp/apps/phpmyadmin3.1.3.1/"

In my wampserver / localhost setup, it was in c:/wamp/alias/phpmyadmin.conf.

Just change the alias directive and you should be good to go.

回复 原文
梦里寻她 2024-09-04 22:08:32

确保 phpMyAdmin 安全的最佳方法是所有这 4 种方法的组合:

1. Change phpMyAdmin URL
2. Restrict access to localhost only.
3. Connect through SSH and tunnel connection to a local port on your computer
4. Setup SSL to already encrypted SSH connection. (x2 security)

以下是如何执行所有这些操作:
Ubuntu 16.4 + Apache 2 设置
Windows 计算机 + PuTTY 连接并将 SSH 连接隧道连接到本地端口:

# Secure Web Serving of phpMyAdmin (change URL of phpMyAdmin):

    sudo nano /etc/apache2/conf-available/phpmyadmin.conf
            /etc/phpmyadmin/apache.conf
        Change: phpmyadmin URL by this line:
            Alias /newphpmyadminname /usr/share/phpmyadmin
        Add: AllowOverride All
            <Directory /usr/share/phpmyadmin>
                Options FollowSymLinks
                DirectoryIndex index.php
                AllowOverride Limit
                ...
        sudo systemctl restart apache2
        sudo nano /usr/share/phpmyadmin/.htaccess
            deny from all
            allow from 127.0.0.1

        alias phpmyadmin="sudo nano /usr/share/phpmyadmin/.htaccess"
        alias myip="echo ${SSH_CONNECTION%% *}"

# Secure Web Access to phpMyAdmin:

        Make sure pma.yourdomain.com is added to Let's Encrypt SSL configuration:
            https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

        PuTTY => Source Port (local): <local_free_port> - Destination: 127.0.0.1:443 (OR localhost:443) - Local, Auto - Add

        C:\Windows\System32\drivers\etc
            Notepad - Run As Administrator - open: hosts
                127.0.0.1 pma.yourdomain.com

        https://pma.yourdomain.com:<local_free_port>/newphpmyadminname/ (HTTPS OK, SSL VPN OK)
        https://localhost:<local_free_port>/newphpmyadminname/ (HTTPS ERROR, SSL VPN OK)

        # Check to make sure you are on SSH Tunnel
            1. Windows - CMD:
                ping pma.yourdomain.com
                ping www.yourdomain.com

                # See PuTTY ports:
                netstat -ano |find /i "listening"

            2. Test live:
                https://pma.yourdomain.com:<local_free_port>/newphpmyadminname/

如果您能够成功完成所有这些操作,

you now have your own url path for phpmyadmin,
you denied all access to phpmyadmin except localhost,
you connected to your server with SSH,
you tunneled that connection to a port locally,
you connected to phpmyadmin as if you are on your server,
you have additional SSL conenction (HTTPS) to phpmyadmin in case something leaks or breaks.

The best way to secure phpMyAdmin is the combination of all these 4:

1. Change phpMyAdmin URL
2. Restrict access to localhost only.
3. Connect through SSH and tunnel connection to a local port on your computer
4. Setup SSL to already encrypted SSH connection. (x2 security)

Here is how to do these all with:
Ubuntu 16.4 + Apache 2 Setup
Windows computer + PuTTY to connect and tunnel the SSH connection to a local port:

# Secure Web Serving of phpMyAdmin (change URL of phpMyAdmin):

    sudo nano /etc/apache2/conf-available/phpmyadmin.conf
            /etc/phpmyadmin/apache.conf
        Change: phpmyadmin URL by this line:
            Alias /newphpmyadminname /usr/share/phpmyadmin
        Add: AllowOverride All
            <Directory /usr/share/phpmyadmin>
                Options FollowSymLinks
                DirectoryIndex index.php
                AllowOverride Limit
                ...
        sudo systemctl restart apache2
        sudo nano /usr/share/phpmyadmin/.htaccess
            deny from all
            allow from 127.0.0.1

        alias phpmyadmin="sudo nano /usr/share/phpmyadmin/.htaccess"
        alias myip="echo ${SSH_CONNECTION%% *}"

# Secure Web Access to phpMyAdmin:

        Make sure pma.yourdomain.com is added to Let's Encrypt SSL configuration:
            https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

        PuTTY => Source Port (local): <local_free_port> - Destination: 127.0.0.1:443 (OR localhost:443) - Local, Auto - Add

        C:\Windows\System32\drivers\etc
            Notepad - Run As Administrator - open: hosts
                127.0.0.1 pma.yourdomain.com

        https://pma.yourdomain.com:<local_free_port>/newphpmyadminname/ (HTTPS OK, SSL VPN OK)
        https://localhost:<local_free_port>/newphpmyadminname/ (HTTPS ERROR, SSL VPN OK)

        # Check to make sure you are on SSH Tunnel
            1. Windows - CMD:
                ping pma.yourdomain.com
                ping www.yourdomain.com

                # See PuTTY ports:
                netstat -ano |find /i "listening"

            2. Test live:
                https://pma.yourdomain.com:<local_free_port>/newphpmyadminname/

If you are able to do these all successfully,

you now have your own url path for phpmyadmin,
you denied all access to phpmyadmin except localhost,
you connected to your server with SSH,
you tunneled that connection to a port locally,
you connected to phpmyadmin as if you are on your server,
you have additional SSL conenction (HTTPS) to phpmyadmin in case something leaks or breaks.
回复 原文
鱼忆七猫命九 2024-09-04 22:08:32

如果您正在运行 Linux 服务器:

  • 使用 SSH,您可以禁止用户/密码登录,只接受authorized_keys 文件中的公钥
  • 使用 putty 连接到您的服务器并打开远程终端
  • 转发 X11 并将 localhost firefox/iceweasel 带到您的服务器桌面(在 Windows 中,您需要安装 Xming 软件)
  • 现在您通过 ssh 保护您的 phpMyAdmin

该系统对于家庭服务器来说非常安全/方便 - 通常默认情况下会阻止所有端口 -。您只需转发 SSH 端口(不要使用数字 22)。

如果您喜欢 Microsoft 终端服务器,您甚至可以为您的计算机设置 SSH 隧道,并通过它安全地连接到您的 Web 服务器。

通过 ssh 隧道,您甚至可以将远程服务器的 3306 端口转发到本地端口,并使用本地 phpMyAdmin 或 MySQL Workbench 进行连接。

我知道这个选项有点矫枉过正,但与访问您的私钥一样安全。

If you are running a linux server:

  • Using SSH you can forbid the user/password loging and only accept a public key in the authorized_keys file
  • Use putty to connect to your server and open a remote terminal
  • Forward X11 and brings localhost firefox/iceweasel to your desktop (in windows you need Xming software installed)
  • Now you secured your phpMyAdmin throught ssh

This system is quite secure/handy for homeservers -usually with all ports blocked by default-. You only have to forward the SSH port (don't use number 22).

If you like Microsoft Terminal Server you can even set a SSH Tunneling to your computer and connect securely to your web server throught it.

With ssh tunneling you even can forward the 3306 port of your remote server to a local port and connect using local phpMyAdmin or MySQL Workbench.

I understand that this option is an overkill, but is as secure as the access of your private key.

回复 原文
触ぅ动初心 2024-09-04 22:08:32

最简单的方法是编辑网络服务器,很可能是 Apache2 安装、配置并给 phpmyadmin 一个不同的名称。

第二种方法是限制可以访问 phpmyadmin 的 IP 地址(例如,仅限本地 LAN 或本地主机)。

The simplest approach would be to edit the webserver, most likely an Apache2 installation, configuration and give phpmyadmin a different name.

A second approach would be to limit the IP addresses from where phpmyadmin may be accessed (e.g. only local lan or localhost).

回复 原文
不可一世的女人 2024-09-04 22:08:32

您可以使用以下命令:

$ grep "phpmyadmin" $path_to_access.log | grep -Po "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | sort | uniq | xargs -I% sudo iptables -A INPUT -s % -j DROP

说明:

在通过 iptables drop 进行管道传输之前,请确保您的 IP 未列出!

这将首先找到 $path_to_access.log 中包含 phpmyadmin 的所有行,

然后从该行的开头 grep 出 ip 地址,

然后对它们进行排序和唯一,

然后添加一条规则将它们放入 iptables

再次,只需编辑最后使用 echo % 而不是 iptables 命令来确保您的 IP 不在其中。不要无意中禁止您访问服务器!

限制

如果您使用的是 Mac 或任何没有 grep -P 的系统,您可能需要更改命令的 grep 部分。我不确定是否所有系统都以 xargs 开头,因此可能也需要安装。无论如何,如果你经常进行 bash,它会非常有用。

You can use the following command :

$ grep "phpmyadmin" $path_to_access.log | grep -Po "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | sort | uniq | xargs -I% sudo iptables -A INPUT -s % -j DROP

Explanation:

Make sure your IP isn't listed before piping through iptables drop!!

This will first find all lines in $path_to_access.log that have phpmyadmin in them,

then grep out the ip address from the start of the line,

then sort and unique them,

then add a rule to drop them in iptables

Again, just edit in echo % at the end instead of the iptables command to make sure your IP isn't in there. Don't inadvertently ban your access to the server!

Limitations

You may need to change the grep part of the command if you're on mac or any system that doesn't have grep -P. I'm not sure if all systems start with xargs, so that might need to be installed too. It's super useful anyway if you do a lot of bash.

回复 原文
~没有更多了~

关于作者

⊕婉儿

暂无简介

0 文章
0 评论
22 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

linfzu01

文章 0 评论 0

§对你不离不弃

文章 0 评论 0

可遇━不可求

文章 0 评论 0

枕梦

文章 0 评论 0

qq_3LFa8Q

文章 0 评论 0

JP

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文