Various things can be done. Here I am going to explain my ideas and how they can be implemented through Apache2.
1. Change the URI (path) of PhpMyAdmin. Edit /etc/phpmyadmin/apache.conf and change the first part (/phpmyadmin) of this directive:
Alias /phpmyadmin /usr/share/phpmyadmin
2. Run PhpMyAdmin on a different port - here is a step-by-step manual.
3. Use an HTTPS connection to protect your data from sniffing.
- First enable the SSL module if it is disabled: sudo a2enmod ssl.
- Open port 443 (HTTPS) in the firewall. You must use your own port here.
- Follow this manual and enable a Let's Encrypt certificate.
- Check this answer and disable weak encryption systems.
- Then you can force all users to use HTTPS.
4. Protect the PhpMyAdmin URI path through:
- Password authentication (see the Apache manual, Authentication and Authorization):
  - Create a folder outside of /var/www, where the password file will be saved. Then generate the password file. Suppose the name of this new folder is /var/www-auth:
$ sudo mkdir /var/www-auth
$ cd /var/www-auth
$ sudo htpasswd -c .htpasswd.phpmyadmin user
New password: *********
Re-type new password: *********
Adding password for user user
Where:
- .htpasswd.phpmyadmin is the name of the file where the password will be stored.
- user is the login name used to log in.
- ********* is the password :)
- -c means create a new file. If this option is omitted, the htpasswd command will attempt to add the new login name to the existing .htpasswd file.
  - Modify the PhpMyAdmin authentication type by editing /etc/phpmyadmin/apache.conf like this (or create a .htaccess file):
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
<IfModule mod_authz_core.c>
<IfModule mod_authn_file.c>
AuthType Basic
AuthName "The name of the authentication form - type some user and password hints"
AuthUserFile /var/www-auth/.htpasswd.phpmyadmin
</IfModule>
Require valid-user
</IfModule>
.....
</Directory>
  - Enable the modules and restart Apache2 to apply the new configuration:
sudo a2enmod authz_core authz_user authn_file
sudo systemctl restart apache2.service
Now to access the PhpMyAdmin URI you must provide the login name user and your password.
- Two-factor authentication (2FA):
  - Follow steps 1 and 3 of this manual to generate the .google_authenticator file, which is located in your $HOME directory. Step 4 describes how to generate authentication codes.
  - Create a new directory in /var/www-auth. Suppose the name of this new folder is google_authenticator:
sudo mkdir -p /var/www-auth/google_authenticator
  - Copy the file $HOME/.google_authenticator into that directory and change its permissions (it should be readable by www-data):
sudo cp $HOME/.google_authenticator /var/www-auth/google_authenticator/user
sudo chown www-data:www-data /var/www-auth/google_authenticator/user
Please note that the file name determines the login name!
  - Modify the new file by adding the directive " PASSWORD=qwerty, where qwerty is the new login password:
E3CY3TNSNBXXXXXX
" RESETTING_TIME_SKEW ...
" RATE_LIMIT 3 30 ...
" WINDOW_SIZE 17
" DISALLOW_REUSE 48885555 ...
" TOTP_AUTH
" PASSWORD=qwerty
4567 ...
  - Install the Apache2 module mod_authn_google. Unfortunately I couldn't find this module in the Ubuntu repository, so let's get it from this repository. The steps are: (1) go to your home directory, (2) download the package dba-apa24-mod_authn_google-r22... .rpm, (3) extract mod_authn_google.so, (4) move it into /usr/lib/apache2/modules/ and (5) grant the corresponding permissions:
cd $HOME/Downloads
wget http://download.opensuse.org/repositories/home:/csbuild:/DBA/RedHat_RHEL-7/x86_64/dba-apa24-mod_authn_google-r22-1.1.x86_64.rpm
rpm2cpio dba-apa24-mod_authn_google-r22-1.1.x86_64.rpm | cpio -iv --to-stdout ./DBA/apache24/WWW/2.4.x/modules/mod_authn_google-r22.so > mod_authn_google.so
sudo mv mod_authn_google.so /usr/lib/apache2/modules/
sudo chown root:root /usr/lib/apache2/modules/mod_authn_google.so
sudo chmod g-w /usr/lib/apache2/modules/mod_authn_google.so
  - Modify the PhpMyAdmin authentication type by editing /etc/phpmyadmin/apache.conf like this (or create a .htaccess file):
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
<IfModule mod_authz_core.c>
<IfModule mod_authn_google.c>
AuthType Basic
AuthName "The name of the authentication form - type some user and password hints"
AuthBasicProvider "google_authenticator"
GoogleAuthUserPath /var/www-auth/google_authenticator
GoogleAuthCookieLife 3600
GoogleAuthEntryWindow 2
</IfModule>
Require valid-user
</IfModule>
.....
</Directory>
  - Enable the modules and restart Apache2 to apply the new configuration:
sudo a2enmod authz_core authz_user authn_google
sudo systemctl restart apache2.service
Now to access the PhpMyAdmin URI you must provide the login name user, your password and the 6-digit token code:

5. Create a ModSecurity rule that blocks access to the PhpMyAdmin URI if the request comes from an IP address that is not resolved.
In this answer, in the ModSecurity Rules ► SAS ► Iptables section, I have described how we can create custom rules for ModSecurity. If you have any additional questions, I could expand the current answer.
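The 2FA step above relies on Apache reading a .google_authenticator-style file (secret, option lines starting with a double quote, emergency scratch codes) and checking a TOTP code within the WINDOW_SIZE it declares. The following added example is not part of the answer and not mod_authn_google's code: it parses a file in that format, computes RFC 6238 TOTP codes, checks a submitted password and token, and enforces DISALLOW_REUSE. Assumptions: WINDOW_SIZE is interpreted as the PAM module documents it (total number of accepted 30-second steps centred on the current one, so 17 means 8 before and 8 after); the password and token are checked as two separate inputs, which is a simplification of how the module reads them from the HTTP Basic credentials; the sample file is constructed, using the RFC 6238 test key as its secret and a made-up password and scratch codes.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the .google_authenticator format shown in the answer:
# base32 secret first, then '" ' option lines, then emergency scratch codes.
# The secret is the RFC 6238 test key (ASCII "12345678901234567890"); the
# password and scratch codes are made up for this example.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
" PASSWORD=qwerty
12345678
87654321
"""


def parse_authenticator_file(text):
    """Return (secret, options, scratch_codes) from a .google_authenticator-style file.

    Option lines start with a double quote. 'KEY=value' lines map KEY to the
    value string; 'KEY arg arg' lines map KEY to the list of arguments (an
    empty list for bare flags such as TOTP_AUTH).
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    secret, options, scratch = lines[0], {}, []
    for line in lines[1:]:
        if line.startswith('"'):
            body = line[1:].strip()
            if "=" in body:
                key, _, value = body.partition("=")
                options[key.strip()] = value.strip()
            else:
                parts = body.split()
                options[parts[0]] = parts[1:]
        else:
            scratch.append(line)
    return secret, options, scratch


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1, as used by Google Authenticator."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, binary % (10 ** digits))


def totp(secret_b32, now, step=30):
    """RFC 6238 TOTP: HOTP over the 30-second time step containing 'now'."""
    return hotp(secret_b32, int(now) // step)


def matching_step(secret_b32, token, now, window_size=3, step=30):
    """Return the time-step counter whose code equals 'token', or None.

    window_size is the total number of accepted steps centred on the current
    one (assumed PAM-module semantics), so 17 accepts 8 steps either side.
    """
    if not (token.isdigit() and len(token) == 6):
        return None
    current = int(now) // step
    half = (window_size - 1) // 2
    for counter in range(max(0, current - half), current + half + 1):
        # constant-time comparison so the check does not leak matching digits
        if hmac.compare_digest(hotp(secret_b32, counter), token):
            return counter
    return None


def check_login(file_text, password, token, now=None, used_steps=None):
    """Check password and TOTP token against the file and enforce DISALLOW_REUSE.

    'used_steps' is a set the caller keeps across requests; a matched step is
    recorded there so the same code cannot be replayed within the window.
    """
    now = time.time() if now is None else now
    secret, options, _scratch = parse_authenticator_file(file_text)
    expected = options.get("PASSWORD", "")
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return False
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    step = matching_step(secret, token, now, window_size=window)
    if step is None:
        return False
    if "DISALLOW_REUSE" in options and used_steps is not None:
        if step in used_steps:
            return False
        used_steps.add(step)
    return True


if __name__ == "__main__":
    secret, _, _ = parse_authenticator_file(SAMPLE_FILE)
    used = set()
    code = totp(secret, time.time())
    print("first use:", check_login(SAMPLE_FILE, "qwerty", code, used_steps=used))
    print("replay:   ", check_login(SAMPLE_FILE, "qwerty", code, used_steps=used))
```

Running the script accepts the current code once and rejects the immediate replay; the wide WINDOW_SIZE 17 from the answer's file is what makes a DISALLOW_REUSE check worth keeping, since a captured code stays valid for four minutes either side of the clock.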