How to secure phpMyAdmin

Problem description

I have noticed that there are strange requests to my website trying to find phpmyadmin, like

/phpmyadmin/
/pma/

etc.

Now I have installed PMA on Ubuntu via apt and would like to access it via a web address different from /phpmyadmin/. What can I do to change it?

Thanks


Update

For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file /etc/apache2/conf.d/phpmyadmin.conf which is a link to /etc/phpmyadmin/apache.conf. The file contains

Alias /phpmyadmin /usr/share/phpmyadmin

where the first /phpmyadmin should be changed to something different if one wants to avoid the unnecessary activity, e.g.:

Alias /secret /usr/share/phpmyadmin

Solution

The biggest threat is that an attacker could leverage a vulnerability such as directory traversal, or use SQL Injection to call load_file() to read the plain-text username/password in the configuration file and then log in using phpmyadmin or over tcp port 3306. As a pentester I have used this attack pattern to compromise a system.

Here is a great way to lock down phpmyadmin:

  • DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpmyadmin can be configured to use "Cookie Auth" to limit which users can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have grant or file_priv.
  • Remove file_priv permissions from every account. file_priv is one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor.
  • Whitelist the IP addresses that have access to the phpmyadmin interface. Here is an example .htaccess ruleset:

Order deny,allow
Deny from all
allow from 199.166.210.1

  • Do not have a predictable file location like: http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.

  • Firewall off tcp port 3306 so that it cannot be accessed by an attacker.

  • Use HTTPS, otherwise data and passwords can be leaked to an attacker. If you don't want to fork out the $30 for a cert, then use a self-signed. You'll accept it once, and even if it was changed due to a MITM you'll be notified.
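The MySQL-side steps of the answer above (no remote root, FILE revoked from every account, a restricted day-to-day account without GRANT or FILE), written out as an added worked example that is not part of the original answer. It targets MySQL 5.7 or later (for `DROP USER IF EXISTS`); the account name `pma_admin`, its placeholder password and the `appdb` schema are assumptions for illustration, and the script is meant to be run as a local administrative account over the Unix socket, not through phpMyAdmin.

```sql
-- Added example, not from the original answer. Assumed names: pma_admin,
-- appdb and the placeholder password; replace them with your own.
-- Run locally, e.g.:  mysql -u root -p --socket=/var/run/mysqld/mysqld.sock < pma-lockdown.sql

-- 1. Audit: list exactly what the attack in the answer needs. FILE lets
--    load_file()/SELECT ... INTO OUTFILE read config files or drop a
--    backdoor; GRANT OPTION and SUPER turn any foothold into full control;
--    root reachable from a non-local host is the remote-root problem.
SELECT User, Host, File_priv, Grant_priv, Super_priv
FROM mysql.user
WHERE File_priv = 'Y'
   OR Grant_priv = 'Y'
   OR Super_priv = 'Y'
   OR (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'));

-- 2. Revoke FILE from every account that holds it. REVOKE needs the exact
--    'user'@'host' pair, so generate one statement per row and feed the
--    result back to the client:
--      mysql -N -B -e "<this SELECT>" | mysql
SELECT CONCAT('REVOKE FILE ON *.* FROM ''', User, '''@''', Host, ''';') AS stmt
FROM mysql.user
WHERE File_priv = 'Y';

-- 3. No remote root: remove the catch-all host entry (repeat for any other
--    root@<remote host> row that step 1 reported). root@localhost stays for
--    maintenance over the socket.
DROP USER IF EXISTS 'root'@'%';

-- 4. Restricted account for phpMyAdmin: can create/alter/drop objects and
--    change data in the application schema only, but has no GRANT OPTION,
--    no FILE and no SUPER, and may only connect from the web host itself.
CREATE USER 'pma_admin'@'localhost'
  IDENTIFIED BY 'change-me-to-a-long-random-secret';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX,
      CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE,
      CREATE TEMPORARY TABLES, LOCK TABLES, REFERENCES, TRIGGER, EVENT
  ON `appdb`.* TO 'pma_admin'@'localhost';

-- 5. Verify: the new account must show only the database-level grants
--    above, and the audit query must now return no rows.
SHOW GRANTS FOR 'pma_admin'@'localhost';
SELECT User, Host
FROM mysql.user
WHERE File_priv = 'Y'
   OR (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'));
```

On the phpMyAdmin side the same intent is expressed in config.inc.php with `$cfg['Servers'][$i]['auth_type'] = 'cookie';` and `$cfg['Servers'][$i]['AllowRoot'] = false;`, so the root account cannot be used through the web interface even by someone who finds the renamed URL. One caveat on the web-side rules in the answer: `Order`/`Deny`/`Allow` is Apache 2.2 syntax; on Apache 2.4 it only works while mod_access_compat is loaded, and the native equivalent is `Require ip 199.166.210.1` inside the `<Directory /usr/share/phpmyadmin>` block.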
