How to secure phpMyAdmin
Problem description
I have noticed that there are strange requests to my website trying to find phpmyadmin, like
/phpmyadmin/
/pma/
etc.
Now I have installed PMA on Ubuntu via apt and would like to access it via webaddress different from /phpmyadmin/. What can I do to change it?
Thanks
Update
For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file /etc/apache2/conf.d/phpmyadmin.conf, which is a link to /etc/phpmyadmin/apache.conf. The file contains
Alias /phpmyadmin /usr/share/phpmyadmin
where the first /phpmyadmin should be changed to something different if one wants to avoid the unnecessary activity, e.g.:
Alias /secret /usr/share/phpmyadmin
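The alias change described in the update, as an added shell example (not code from the question or from the phpMyAdmin package): it rewrites the Alias line, refuses new paths that scanners probe anyway, and keeps a backup. It works on a constructed copy of apache.conf in a temp directory rather than on /etc/phpmyadmin/apache.conf; the probed-path list beyond /phpmyadmin and /pma is this example's assumption.

```shell
#!/bin/sh
# Added example: rename the phpMyAdmin Alias in the Apache config shipped by
# the Ubuntu package. The config path and its content are constructed here so
# the script runs offline; on a real host use /etc/phpmyadmin/apache.conf.

# Paths a scanner is likely to probe. /phpmyadmin and /pma are the two seen in
# the question's logs; the others are an assumption of this example.
PREDICTABLE='/phpmyadmin /pma /phpMyAdmin /myadmin /mysql'

# Write a constructed copy of the stock apache.conf to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# phpMyAdmin default Apache configuration (sample constructed for this example)

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
</Directory>
EOF
}

# Print the URL path currently aliased to /usr/share/phpmyadmin in config $1.
pma_alias_path() {
    awk '$1 == "Alias" && $3 == "/usr/share/phpmyadmin" { print $2; exit }' "$1"
}

# Succeed (exit 0) if $1 is one of the commonly probed paths, case-insensitively.
alias_is_predictable() {
    p=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for known in $PREDICTABLE; do
        [ "$p" = "$(printf '%s' "$known" | tr 'A-Z' 'a-z')" ] && return 0
    done
    return 1
}

# Rewrite the Alias in config $1 to the new URL path $2.
# Refuses malformed or predictable paths and keeps a .bak copy of the original.
rename_pma_alias() {
    conf=$1; new=$2
    case $new in
        /*) ;;
        *) echo "new path must start with /" >&2; return 2 ;;
    esac
    case $new in
        *[!A-Za-z0-9_./-]*) echo "unsafe characters in path" >&2; return 2 ;;
    esac
    if alias_is_predictable "$new"; then
        echo "refusing predictable path $new" >&2; return 1
    fi
    cp "$conf" "$conf.bak" || return 3
    awk -v new="$new" \
        '$1 == "Alias" && $3 == "/usr/share/phpmyadmin" { $2 = new } { print }' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Demo on the constructed config.
tmp=$(mktemp -d)
write_sample_conf "$tmp/apache.conf"
echo "before: $(pma_alias_path "$tmp/apache.conf")"
rename_pma_alias "$tmp/apache.conf" /secret
echo "after:  $(pma_alias_path "$tmp/apache.conf")"
# On the real host, validate and reload afterwards:
#   apachectl configtest && systemctl reload apache2
rm -rf "$tmp"
```

Renaming the alias only removes the easy target from scanner sweeps; it is not authentication, and anyone who learns the new path is exactly where they were before, so it belongs alongside access control and TLS, not instead of them.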
Answer
The biggest threat is that an attacker could leverage a vulnerability such as directory traversal, or SQL injection used to call load_file(), to read the plaintext username/password in the configuration file and then log in using phpMyAdmin or over TCP port 3306. As a pentester I have used this attack pattern to compromise a system.
Here is a great way to lock down phpmyadmin:
- DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpMyAdmin can be configured to use "Cookie Auth" to limit which users can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have grant or file_priv.
- Remove file_priv permissions from every account. file_priv is one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor.
- Whitelist the IP addresses that have access to the phpMyAdmin interface. Here is an example .htaccess ruleset:
  Order deny,allow
  Deny from all
  Allow from 199.166.210.1
- Do not have a predictable file location like http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.
- Firewall off TCP port 3306 so that it cannot be accessed by an attacker.
- Use HTTPS, otherwise data and passwords can be leaked to an attacker. If you don't want to fork out the $30 for a cert, then use a self-signed one. You'll accept it once, and even if it was changed due to a MITM you'll be notified.
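The account and privilege items of the answer (no remote root, no file_priv anywhere, a limited account without grant), as an added shell example that is not the answerer's code: it audits a dump of mysql.user for those three conditions, turns FILE_PRIV findings into REVOKE statements, and emits the SQL for a restricted phpMyAdmin account. The user dump is constructed for an offline run (dump_mysql_users shows how to get the real one), and the database/account names `app` and `pma_app` are hypothetical.

```shell
#!/bin/sh
# Added example: audit MySQL accounts for remote root, File_priv and Grant_priv,
# and generate the SQL for a limited phpMyAdmin account. The dump below is
# constructed; on a real host feed the output of dump_mysql_users instead.

USER_QUERY='SELECT User, Host, File_priv, Grant_priv FROM mysql.user'

# Real-host variant (not run here): --batch gives tab-separated rows with a
# header line, which is the format audit_mysql_users expects.
dump_mysql_users() {
    mysql --batch -e "$USER_QUERY"
}

# Constructed sample of that output, written to $1.
write_sample_user_dump() {
    printf 'User\tHost\tFile_priv\tGrant_priv\n' > "$1"
    printf 'root\tlocalhost\tY\tY\n'   >> "$1"
    printf 'root\t%%\tY\tY\n'          >> "$1"
    printf 'pma\tlocalhost\tN\tN\n'    >> "$1"
    printf 'app\t10.0.0.5\tY\tN\n'     >> "$1"
    printf 'webadmin\tlocalhost\tN\tY\n' >> "$1"
}

# Print one finding per line ("KIND user@host"); exit 1 if anything was found.
#   REMOTE_ROOT  root reachable from a host other than loopback
#   FILE_PRIV    any account with File_priv (LOAD_FILE / SELECT ... INTO OUTFILE)
#   GRANT_PRIV   a non-root account that can hand out privileges
audit_mysql_users() {
    awk -F'\t' '
        NR == 1 { next }                                   # header row
        {
            acct = $1 "@" $2
            if ($1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1") {
                print "REMOTE_ROOT " acct; n++
            }
            if ($3 == "Y") { print "FILE_PRIV " acct; n++ }
            if ($1 != "root" && $4 == "Y") { print "GRANT_PRIV " acct; n++ }
        }
        END { exit (n > 0) }' "$1"
}

# Read findings on stdin and print a REVOKE FILE statement for each FILE_PRIV one.
revoke_file_sql() {
    awk '$1 == "FILE_PRIV" {
        split($2, a, "@")
        printf "REVOKE FILE ON *.* FROM '\''%s'\''@'\''%s'\'';\n", a[1], a[2]
    }'
}

# Emit SQL for an account that can add/drop/create in one database but has
# neither GRANT OPTION nor FILE. Arguments are interpolated into SQL text, so
# they are restricted to safe characters first (no quotes, no backslashes).
lockdown_sql() {
    db=$1; user=$2; host=$3; pw=$4
    for v in "$db" "$user"; do
        case $v in ''|*[!A-Za-z0-9_]*) echo "bad db/user name" >&2; return 2 ;; esac
    done
    case $host in ''|*[!A-Za-z0-9_.%:-]*) echo "bad host" >&2; return 2 ;; esac
    case $pw in ''|*\'*|*\\*) echo "bad password" >&2; return 2 ;; esac
    cat <<EOF
CREATE USER '$user'@'$host' IDENTIFIED BY '$pw';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
    ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# Demo on the constructed dump.
tmp=$(mktemp -d)
write_sample_user_dump "$tmp/users.tsv"
if ! audit_mysql_users "$tmp/users.tsv" > "$tmp/findings"; then
    echo "accounts needing attention:"; cat "$tmp/findings"
    echo "fix for the FILE_PRIV findings:"; revoke_file_sql < "$tmp/findings"
fi
echo "limited phpMyAdmin account:"; lockdown_sql app pma_app localhost 'change-me'
rm -rf "$tmp"
```

Pipe `dump_mysql_users | tee users.tsv` into the audit on a live server; root@localhost also shows up under FILE_PRIV because the answer asks for file_priv to be removed from every account, not just the ones phpMyAdmin uses. One caveat on the .htaccess ruleset in the answer: Order/Deny/Allow is Apache 2.2 syntax, and on Apache 2.4 it only works with mod_access_compat loaded; the 2.4 equivalent is `Require ip 199.166.210.1` inside the phpMyAdmin Directory block.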