如何保护 phpMyAdmin [英] How to secure phpMyAdmin

问题描述

我注意到我的网站有一些奇怪的请求试图找到 phpmyadmin，比如

/phpmyadmin//下午/

等

现在我已经通过 apt 在 Ubuntu 上安装了 PMA，并希望通过不同于/phpmyadmin/的网址访问它.我该怎么做才能改变它?

谢谢

<小时>

更新

对于 Ubuntu 9.10 和 Apache2，相应的设置位于文件 /etc/apache2/conf.d/phpmyadmin.conf 中，该文件是 /etc/phpmyadmin/apache 的链接.conf.该文件包含

别名/phpmyadmin/usr/share/phpmyadmin

如果想要避免不必要的活动，第一个 /phpmyadmin 应该更改为不同的东西，例如:

别名/secret/usr/share/phpmyadmin

解决方案

最大的威胁是攻击者可以利用漏洞，例如；目录遍历，或使用 SQL 注入调用 load_file() 读取配置文件中的纯文本用户名/密码，然后使用 phpmyadmin 或通过 tcp 端口 3306 登录. 作为渗透测试者，我使用了这种攻击破坏系统的模式.

这是锁定 phpmyadmin 的好方法:

• PhpMyAdmin 缺乏强大的暴力破解保护，因此您必须使用随机生成的长密码.
• 不允许远程 root 登录！ phpmyadmin 可以配置为使用 Cookie 身份验证" 以限制哪些用户可以访问系统.如果您需要一些 root 权限，请创建一个可以添加/删除/创建但没有 grant 或 file_priv 的自定义帐户.
• 从每个帐户中删除 file_priv 权限.file_priv 是 MySQL 中最危险的权限之一，因为它允许攻击者读取文件或上传后门.
• 将有权访问 phpmyadmin 界面的 IP 地址列入白名单.这是一个 .htaccess reulset 示例:

<块引用>

订单拒绝，允许拒绝所有人允许从 199.166.210.1

• 没有可预测的文件位置，例如:http://127.0.0.1/phpmyadmin.Nessus/Nikto/Acunetix/w3af 等漏洞扫描程序会对此进行扫描.

• 防火墙关闭 tcp 端口 3306，使其无法被攻击者访问.

• 使用HTTPS，否则数据和密码可能会泄露给攻击者.如果您不想为证书支付 30 美元，那么使用自签名.你会接受它一次，即使它是由于 MITM 而更改，您会收到通知.

I have noticed that there are strange requests to my website trying to find phpmyadmin, like

/phpmyadmin/
/pma/

etc.

Now I have installed PMA on Ubuntu via apt and would like to access it via webaddress different from /phpmyadmin/. What can I do to change it?

Thanks

---

Update

For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file /etc/apache2/conf.d/phpmyadmin.conf which is a link to /etc/phpmyadmin/apache.conf. The file contains

Alias /phpmyadmin /usr/share/phpmyadmin

where the first /phpmyadmin should be changed to something different if one wants to avoid the unnecessary activity, e.g.:

Alias /secret /usr/share/phpmyadmin

解决方案

The biggest threat is that an attacker could leverage a vulnerability such as; directory traversal, or using SQL Injection to call load_file() to read the plain text username/password in the configuration file and then Login using phpmyadmin or over tcp port 3306. As a pentester I have used this attack pattern to compromise a system.

Here is a great way to lock down phpmyadmin:

• PhpMyAdmin lacks strong bruteforce protection, so you must use a long randomly generated password.
• DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpmyadmin can be configured to use "Cookie Auth" to limit what user can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have grant or file_priv.
• Remove file_priv permissions from every account. file_priv is one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor.
• Whitelist IP address who have access to the phpmyadmin interface. Here is an example .htaccess reulset:

Order deny,allow
Deny from all
allow from 199.166.210.1

• Do not have a predictable file location like: http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.

• Firewall off tcp port 3306 so that it cannot be accessed by an attacker.

• Use HTTPS, otherwise data and passwords can be leaked to an attacker. If you don't want to fork out the $30 for a cert, then use a self-signed. You'll accept it once, and even if it was changed due to a MITM you'll be notified.

这篇关于如何保护 phpMyAdmin的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！