Securing phpMyAdmin – Using Non-Standard Port and HTTPS

Tags: apache-2.2, https, port

Trying to secure phpmyadmin, we already did the following:

  • Cookie Auth login

  • firewalled off TCP port 3306

  • running on non-standard port

Now we would like to implement HTTPS… but how could it work with phpMyAdmin already running on a non-standard port?

This is the apache config:

# PHP MY ADMIN
<VirtualHost *:$CUSTOMPORT>
    Alias /phpmyadmin /usr/share/phpmyadmin

    <Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php

        <IfModule mod_php5.c>
            AddType application/x-httpd-php .php

            php_flag magic_quotes_gpc Off
            php_flag track_vars On
            php_flag register_globals Off
            php_value include_path .
        </IfModule>

    </Directory>

    # Disallow web access to directories that don't need it
    <Directory /usr/share/phpmyadmin/libraries>
        Order Deny,Allow
        Deny from All
    </Directory>

    <Directory /usr/share/phpmyadmin/setup/lib>
        Order Deny,Allow
        Deny from All
    </Directory>

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/phpmyadmin.log combined
</VirtualHost>

Edit:

I created a custom SSL certificate with apache itself, based on this link and then followed the tips given by James and I get this:

[Sun Nov 04 16:02:38 2012] [info] Init: Seeding PRNG with 656 bytes of entropy
[Sun Nov 04 16:02:38 2012] [error] Init: Unable to read server certificate from file /etc/apache2/ssl/pma.crt
[Sun Nov 04 16:02:38 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Sun Nov 04 16:02:38 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Mon Nov 05 18:22:54 2012] [info] Init: Seeding PRNG with 656 bytes of entropy
[Mon Nov 05 18:22:54 2012] [error] Init: Unable to read server certificate from file /etc/apache2/ssl/pma.crt
[Mon Nov 05 18:22:54 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Nov 05 18:22:54 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Edit:

File exists, key is there, it ends with '-' and these are the permissions:

drwxr-xr-x 2 root root 4096  4. Nov 14:45 .
drwxr-xr-x 8 root root 4096  4. Nov 14:30 ..
-rw-r--r-- 1 root root 1041  4. Nov 14:45 pma.crt
-rw-r--r-- 1 root root 1679  4. Nov 14:45 pma.key

Best Answer

phpMyAdmin is one of those packages that has kept me in business as an incident/forensic examiner. It has a terrible history of arbitrary code execution and authentication bypass. My general security recommendation is to uninstall it and use something like Workbench or learn how to manage mysqld directly.

If you do use it, then the steps you've taken are good ones. You definitely need to only present it over SSL, which will be configured on the underlying webserver. You also need to restrict access. With Apache httpd this will be done via htaccess. Close it off as tightly as you can. Your efforts will be rewarded.
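As an added example (not the question's config and not the answerer's own), here is the asker's vhost reworked for Apache 2.2 so that phpMyAdmin is served only over HTTPS on a custom port and is additionally restricted at the web server layer, as the answer recommends. Port 8443, the old plain port 8080, the hostname, the certificate paths, the admin network 192.0.2.0/24 and the htpasswd file are assumed placeholders.

```apache
# Added example: phpMyAdmin over HTTPS on a non-standard port (assumed 8443).
# SSL is a per-VirtualHost setting, so any port works as long as Apache listens on it.
Listen 8443

<VirtualHost *:8443>
    ServerName db.example.com            # assumed hostname
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/pma.crt   # PEM certificate (paths from the question)
    SSLCertificateKeyFile /etc/apache2/ssl/pma.key   # PEM private key, readable by root only
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5

    Alias /phpmyadmin /usr/share/phpmyadmin

    <Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php

        # Apache 2.2 access control: only the admin network may reach the login page at all.
        Order Deny,Allow
        Deny from All
        Allow from 192.0.2.0/24          # assumed admin network

        # Web-server-level password, independent of phpMyAdmin's own cookie auth.
        AuthType Basic
        AuthName "Database administration"
        AuthUserFile /etc/apache2/pma.htpasswd   # assumed; create with htpasswd -c
        Require valid-user
        Satisfy All                      # both the IP check and the password are required
    </Directory>

    # Directories that never need to be served directly (as in the question).
    <Directory /usr/share/phpmyadmin/libraries>
        Order Deny,Allow
        Deny from All
    </Directory>
    <Directory /usr/share/phpmyadmin/setup/lib>
        Order Deny,Allow
        Deny from All
    </Directory>

    LogLevel warn
    ErrorLog  ${APACHE_LOG_DIR}/phpmyadmin-error.log
    CustomLog ${APACHE_LOG_DIR}/phpmyadmin-ssl.log combined
</VirtualHost>

# If the old plain-HTTP custom port stays open, redirect instead of serving phpMyAdmin there.
<VirtualHost *:8080>
    Redirect permanent /phpmyadmin https://db.example.com:8443/phpmyadmin
</VirtualHost>
```

Before restarting, check the certificate with `openssl x509 -in /etc/apache2/ssl/pma.crt -noout -subject`: the ASN.1 "wrong tag" errors quoted in the question mean Apache could not parse that file as a PEM X.509 certificate (for example because it contains a CSR or a DER-encoded file instead), and this command fails in the same way.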