Phpmyadmin SSL

Search on "phpmyadmin" on this forum and you will find many many many posts advising you NOT to use phpmyadmin.

It's a popular attack vector, and there are better client side tools that are better, have minimal resource impact, and is way more secure.

@vonskippy:

Search on "phpmyadmin" on this forum and you will find many many many posts advising you NOT to use phpmyadmin.

It's a popular attack vector, and there are better client side tools that are better, have minimal resource impact, and is way more secure.

I think I disabled it now by using command chmod 000 /usr/share/phpmyadmin Is that secure enough to disable phpmyadmin this way?

I used it to manage users more easily, got a bit lost with commands.

Thanks

The error is probably because you don't have SSL set up as described in Preparing Your Apache Configuration.

Unlike some, I don't consider phpmyadmin to be the devil, but would not recommend exposing it to the whole world either. The Linode guide covers this in .htaccess File. My suggestion would be slightly different; instead of putting your IP address in the file, use:

Order allow,deny
Allow from 127.0.0.0/8 ::1

If you're using Apache 2.4 (as on Ubuntu 14.04), use the new configuration syntax instead:

Require local

This will only permit connections to phpmyadmin from your Linode. (You should verify this by trying to connect from your home machine; you should receive a 403 Forbidden error.)

So how do you connect from your Linode? You connect from home to your Linode via ssh, and set up port forwarding. For example, connect using:

ssh -L 8080:localhost:80 user@your.linode

Then you can visit http://localhost:8080/phpmyadmin/ in your web browser (assuming the symbolic link you set up is named phpmyadmin - if not, use the name you picked in the URL). The traffic will be forwarded over the ssh link and will appear to Apache to be coming from your Linode, and thus will be permitted. Once you log out of your ssh session, phpmyadmin will no longer be accessible.

Because the ssh traffic is encrypted, there is no need to set up SSL for this or set ForceSSL, although you can certainly do so.

Note that in this scenario, anyone who can get a shell on your machine can access phpmyadmin (although they will still need a MySQL username and password to access databases). Of course, those people could just run the mysql client from the command line too. The linchpin of security in this configuration is the restriction in the .htaccess file, so you must get it correct and verify it is working as intended.

You could also use a local client like MySQL Workbench, but these require you to either expose MySQL to the internet (about as bad an idea as making phpmyadmin visible to the world) or set up port forwarding over ssh (supposedly MySQL Workbench will do this for you; don't know about other clients).

@Vance:

You could also use a local client like MySQL Workbench, but these require you to either expose MySQL to the internet (about as bad an idea as making phpmyadmin visible to the world) or set up port forwarding over ssh (supposedly MySQL Workbench will do this for you; don't know about other clients).

I used to use phpMyAdmin all the time and it was exposed to the world. It did make me nervous so I started looking at MySQL Workbench. I found it to be a great tool. You don't need to expose MySQL to the world for it to work. When you create a connection in Workbench you can specify all of your SSH connection information along with your MySQL username and password and it will connect via SSH and setup everything for you. You can use both password and key based authentication (obviously key is preferred).

phpMyAdmin is a nice tool and it is easy to use. I have to give the developers credit but I did switch to Workbench in the end. Any of my other clients that wish to use MySQL are required to do the same.