How to Set Up and Secure phpMyAdmin on a CentOS 7 Server Using Apache
December 5, 2022 (updated February 1, 2023) by host_know_user
Introduction
A sizable percentage of websites and applications use relational database management systems like MySQL and MariaDB. Managing their data from the command line, however, is not comfortable for everyone.
To provide a solution in the form of a web-based management interface, a project named phpMyAdmin was developed. In this tutorial we’ll show you how to set up and secure a phpMyAdmin installation on a CentOS 7 server. Apache, the most widely used web server in the world, will serve as the foundation for this setup.
Prerequisites
• You are logged in as a user with sudo privileges.
• A LAMP stack (Linux, Apache, MariaDB, and PHP) is installed on your CentOS 7 server. This is the platform we’ll use to serve our phpMyAdmin interface (MariaDB is also the database management software that we want to manage).
• Once you have followed those steps and have your server up and running, you can continue with the rest of this page.
Step 1: Install phpMyAdmin
Because our LAMP platform is already set up, we can start installing phpMyAdmin right away. Unfortunately, CentOS 7’s default repositories do not include phpMyAdmin.
We will have to add an additional repository to our system in order to receive the packages we require. The phpMyAdmin package we need can be found in the EPEL repo (Extra Packages for Enterprise Linux), among many other packages.
Installing the epel-release package will enable your server to access the EPEL repository. Your repository list will be updated as a result, and you’ll have access to the EPEL packages.
sudo yum install epel-release
Once the EPEL repo is set up, you can use the yum packaging system to install the phpMyAdmin package by typing:
sudo yum install phpmyadmin
The installation is now finished. It provided an Apache configuration file that is already set up, but we will need to make a few modifications for it to work properly for our installation.
Open the file in your text editor:
sudo vi /etc/httpd/conf.d/phpMyAdmin.conf
Inside, you can see several directory blocks with some conditional logic that describe the access policy for our directory. There are two defined directories, each containing settings appropriate for both Apache 2.2 and Apache 2.4 (which we are running).
This configuration currently denies access to any connection that does not originate from the server itself. Since we are working on our server remotely, we need to change a few lines to specify the IP address of your home connection.
Any lines that say Require ip 127.0.0.1 or Allow from 127.0.0.1 should be changed to refer to the IP address of your home connection. Check out the next section if you need assistance locating the IP address of your home connection. The file needs to be modified in the following four places:
. . .
Require ip your_workstation_IP_address
. . .
Allow from your_workstation_IP_address
. . .
Require ip your_workstation_IP_address
. . .
Allow from your_workstation_IP_address
. . .
When finished, restart the Apache web server to apply your changes:
sudo systemctl restart httpd.service
As a result, our phpMyAdmin installation is now operational. To reach the interface, use your web browser to navigate to your server’s domain name or public IP address followed by /phpMyAdmin:
http://server_domain_or_IP/phpMyAdmin
Use a valid MariaDB user’s username and password to log in. A decent place to start is with the root user and the MariaDB administrator password. After that, you will have access to the administration interface.
Step 2: Secure your phpMyAdmin instance.
At this point, the phpMyAdmin instance that was installed on our server ought to be fully functional. However, we have made our MySQL system accessible to the public by installing a web interface.
This is a big issue even with the built-in authentication screen. Installations like these are frequent targets for attackers due to the popularity of phpMyAdmin and the vast quantity of data it grants access to.
To reduce the likelihood that our installation is targeted and compromised, we will put two straightforward measures into practice. To avoid some of the automated bot brute-force attacks, we will move the interface from /phpMyAdmin to another location. Additionally, we’ll build a second, web-server-level authentication gate that must be passed before the phpMyAdmin login page can be reached.
Changing the Application’s Access Location
In order for Apache to serve phpMyAdmin, our phpMyAdmin Apache configuration file uses an alias that maps a URL path to the directory holding the files.
To change the URL where our phpMyAdmin interface can be accessed, we just need to rename that alias. Open the Apache configuration file for phpMyAdmin:
sudo nano /etc/httpd/conf.d/phpMyAdmin.conf
You will see two lines at the top of the file that look like this:
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
These two lines function as our aliases, which means that we will be shown the content at /usr/share/phpMyAdmin if we approach our site using its domain name or IP address followed by either /phpMyAdmin or /phpmyadmin.
Because bots and malicious people frequently target these particular aliases, we want to disable them and choose our own alias instead. It should be easy to remember but hard to guess, and it shouldn’t reveal what the URL location is for. In this instance, we’ll use /nothingtosee.
We should delete or comment out the current lines and add our own to implement the changes we intend:
# Alias /phpMyAdmin /usr/share/phpMyAdmin
# Alias /phpmyadmin /usr/share/phpMyAdmin
Alias /nothingtosee /usr/share/phpMyAdmin
Save your work and then exit the file.
Restart the web service to apply the changes:
sudo systemctl restart httpd.service
You will now encounter a 404 error if you attempt to access the former location of your phpMyAdmin installation:
http://server_domain_or_IP/phpMyAdmin
However, the new site we chose will now host your phpMyAdmin interface:
http://server_domain_or_IP/nothingtosee
Configuring a Web Server Authentication Gate
The next feature we want for our installation is an authentication check that a user must pass before the phpMyAdmin login page is even shown.
Thankfully, most web servers, including Apache, offer this functionality by default. We simply need to modify our Apache configuration file so that Apache reads an authorization file.
Reopen the text editor and the phpMyAdmin Apache configuration file:
sudo nano /etc/httpd/conf.d/phpMyAdmin.conf
Inside the /usr/share/phpMyAdmin directory block, but outside of any of the nested blocks within it, we need to add an override directive, AllowOverride All, on its own line.
This will enable us to put further configuration information in a file called .htaccess that is placed inside the phpMyAdmin directory. This file will be used to configure our password authentication.
When you’re done, save and close the file.
To make this update effective, restart the web service:
sudo systemctl restart httpd.service
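The following shell script is an added example, not part of the original tutorial. It audits a phpMyAdmin.conf for the three changes made so far: the default aliases disabled, access neither opened to everyone nor still limited to loopback, and AllowOverride present so the .htaccess gate in the next section will be honoured. The two sample configurations it writes are constructed for the demonstration and condensed from the file layout described above; 203.0.113.10 is a documentation placeholder address.

```shell
#!/bin/sh
# Added example: audit a phpMyAdmin Apache config for the hardening steps
# described above. Prints one line per finding; returns 0 only when all pass.
# Usage: audit_pma_conf /etc/httpd/conf.d/phpMyAdmin.conf
audit_pma_conf() {
    f="$1"; rc=0
    # 1. The well-known /phpMyAdmin and /phpmyadmin aliases must be commented
    #    out or removed (a leading '#' stops the pattern from matching).
    if grep -Eiq '^[[:space:]]*Alias[[:space:]]+/phpmyadmin[[:space:]]' "$f"; then
        echo "FAIL: default /phpMyAdmin alias is still active"; rc=1
    fi
    # 2. Access must not have been opened to every client.
    if grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+granted|Allow[[:space:]]+from[[:space:]]+all)' "$f"; then
        echo "FAIL: directory is open to all clients"; rc=1
    fi
    # 3. At least one Require ip / Allow from line must name a non-loopback
    #    address, otherwise remote administration is still blocked.
    if ! grep -Ei '^[[:space:]]*(Require[[:space:]]+ip|Allow[[:space:]]+from)[[:space:]]' "$f" \
            | grep -Evq '(127\.0\.0\.1|::1)[[:space:]]*$'; then
        echo "FAIL: no non-loopback Require ip / Allow from line found"; rc=1
    fi
    # 4. AllowOverride All is required for the .htaccess gate to be honoured.
    if ! grep -Eiq '^[[:space:]]*AllowOverride[[:space:]]+All' "$f"; then
        echo "FAIL: AllowOverride All missing, .htaccess would be ignored"; rc=1
    fi
    return "$rc"
}

# Constructed samples: $1 gets the stock loopback-only layout, $2 the hardened one.
write_samples() {
    cat > "$1" <<'EOF'
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
   Require ip 127.0.0.1
   Require ip ::1
</Directory>
EOF
    cat > "$2" <<'EOF'
# Alias /phpMyAdmin /usr/share/phpMyAdmin
# Alias /phpmyadmin /usr/share/phpMyAdmin
Alias /nothingtosee /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
   AllowOverride All
   Require ip 203.0.113.10
</Directory>
EOF
}
```

Run audit_pma_conf against the stock sample and it reports three findings; against the hardened sample it returns 0 silently.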
Create an .htaccess File
Since we have added the override directive to our setup, Apache will now look for a file named .htaccess in the /usr/share/phpMyAdmin directory. If it finds one, it will apply the directives in that file on top of its prior configuration.
The next step is to create the .htaccess file in that directory. Create it with your text editor now; it should contain the following four directives:
AuthType Basic: This line specifies the type of authentication we are using. This type implements password authentication using a password file.
AuthName: This configures the authentication dialogue box’s message. Keep this general to prevent unauthorised users from learning what is being protected.
AuthUserFile: This sets the location of the password file that will be used for authentication. This should be outside of the directory that is being served.
Require valid-user: This states that this resource should only be accessible to people who have provided valid credentials. This is what truly prevents entry by unauthorised users.
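For reference, here is what the override directive from the previous section and the four .htaccess directives above look like in place. This is an added example rather than the tutorial’s own listing: the directory block is condensed to the lines this page changes rather than copied from the packaged file, and the AuthName text "Restricted Files" is an assumed value.

```apache
# /etc/httpd/conf.d/phpMyAdmin.conf (excerpt, condensed): the renamed alias,
# and AllowOverride placed in the directory block outside the IfModule blocks.
Alias /nothingtosee /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
    AllowOverride All
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require ip your_workstation_IP_address
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
        Allow from your_workstation_IP_address
    </IfModule>
</Directory>

# /usr/share/phpMyAdmin/.htaccess: the web-server authentication gate.
# The AuthName text is an assumed, deliberately generic prompt.
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/httpd/pma_pass
Require valid-user
```

Apache only honours comments on their own line, so keep any notes you add to these files on separate lines rather than after a directive.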
Save the file after you have completed entering this information.
Create the Authentication Password File
Now that the AuthUserFile directive in our .htaccess file has indicated the path for our password file, we need to build and populate the password file.
Apache provides a tool called htpasswd that can be used for this. When we run it, we pass it the location where we want to create the file and the username we want to add authentication information for:
sudo htpasswd -c /etc/httpd/pma_pass username
The -c parameter signals that an initial file is being created. The path determines the location and name of the file, and the username is the first user we want to add. You will be asked to enter and verify the user’s password.
You may run the same command again with a different username and without the -c parameter if you wish to add other users to authenticate:
sudo htpasswd /etc/httpd/pma_pass seconduser
Once our password file has been created and the authentication gate is in place, we get a password prompt when we visit our site:
http://server_domain_or_IP/nothingtosee
After you have entered your credentials, the standard phpMyAdmin login page will be displayed. Besides adding security, this extra layer also helps prevent authentication attempts from appearing in your MySQL logs.
Conclusion
You can now administer your MySQL databases through a web interface that is reasonably secure. This interface exposes most of the functionality available from the MySQL command prompt: you can run queries, view databases and schemas, and create new data sets and structures.