Audrey 
Introduction
MySQL is being wanted by many users for the functionality of a database. And it is interacting with the system solely from the MySQL command. It is required a SQL language familiarity for line clients also. But someone is not preferred to this interface.
phpMyAdmin created so that users can interact with MySQL and it runs with a PHP development environment for an intuitive web interface. Through this article, we discuss the way of installing phpMyAdmin on top of an Nginx server and the way of configuration to increase the security of the server.
Note:
When using software like phpMyAdmin, there is an important security consideration. Because it runs on the database server. It deals with the database credentials. Arbitrary SQL queries are facilitated to users to easily execute. phpMyAdmin widely based on the PHP application. And this is a target for attack. Through this article, we informed you regarding security measurement. Then you can make a decision either the knowledge.
Prerequisites
Before you install this, you should have to fulfill the following requirements with you.
- According to the description of the initial server setup guide for Ubuntu 18.04, the Ubuntu 18.04 server running a LEMP (Linux, Nginx, MySQL, and PHP) stack secured with of. Still, you haven’t set up your server; you can follow some guides through the searching article.
- You have to access this server as a non-root user with sudo privileges.
Using MySQL credentials, phpMyAdmin handle authentication. It is better to install an SSL or TLS certificate. Through that, it enables encrypted traffic between server and client. If you have not available domain configured with a valid certificate then you can available article to match with your issue.
Warning
If you not available SSL or TLS certificates ha installed on your server and if you want to still continue the process, then you can consider enforcing access via SSH tunnels which will be explained in step 05 of this article.
When you fulfilled those mention requirements, Now you can go ahead to the installation process.
Step 01: Installing phpMyAdmin
AS the first step, we have to install phpMyAdmin on the LEMP. To achieve our target, we use our usual default Ubuntu repositories.
We will start with updating the server’s package index,
$ sudo apt update
Now you have the ability to install phpMyAdmin with:
$ sudo apt install PHPMyAdmin
When you are in the installation process, it will be asked you choose the webserver. (Either Apache or Lighthttp) to configure. But there is no need to choose a server because we use the Nginx as the web server. To move to the next step, press on the tab key and click on ok.
Then it will ask you whether you use dbconfig- common for configuring the application database. Now you select the “Yes” option. Now it will set up the internal database and administrative user for PHPMyAdmin. It will be ask from you to define a new password for the PHPMyAdmin MySQL user. It is not necessary to enter a password. if you leave it blank, it will automatically create a password for PHPMyAdmin.
Now it is finished the installation. Now we have to create a symbolic link for the installation files to Nginx document for root directory, because of the Nginx web server find and serve the phpMyAdmin files correctly.
$ sudo ln -s /usr/ share/ phpmyadmin/ var/ www/ html/ phpmyadmin
Now, it is process your phpMyAdmin installation. For the access to the interface, go to your server’s domain name or public IP address followed by phpmyadmin in your web browser:
https:// server_domain_or IP/phpmyadmin
As mention before, using MySQL credentials, phpMyAdmin handles authentication. The meaning of that, to connect to database to the database via console or via an API, you should use the same user name and password.
Note: It may be discourage the logging into phpMyAdmin as the root MySQL. Through that, it represents a significant security risk. We will discuss the way of disabling the root login.
At this point, your phpMyAdmin installation should be starting to the completely functional. We have exposed our MySQL database server to the outside world through installing a web interface. phpMyAdmin is popular in the world and it have large amount of data it may provide access to, because of that, phpMyAdmin may be a common targets for a attacker. We go ahead through this article and it will discuss the different ways for increase the security of our phpMyAdmin installation.
Step 02: Changing phpMyAdmin,s default location.
Through making it harder to find, we can protect our phpMyAdmin installation. And it is the most basic way to secure the phpMyAdmin installation. Bots will scan the common path such as phpMyAdmin, pma, admin, mysql and etc. Through changing the URL phpMyAdmin interface to non standard interface, it make difficult to find for the automated scripts the phpMyAdmin installation and attempt are may be inherit bad results for attackers.
It creates a symbolic link pointing, when we installed the phpMyAdmin. It located in the actual file application which is the user/ share/ phpMyAdmin. We have to rename the symbol link for change the interface of phpMyAdmin.
First of all we will navigate to the Nginx document root directory and will list the files which are containing it. Through that will get a better knowledge of the change we’ll make:
$ cd / var/ www/ html/
$ ls –l
Then, you will receive the output as follow.
Output
total 8
-rw- r– r– 1 root root 612 Apr 8 13:30 index. nginx- debian.html
lrwxrwxrwx 1 root root 21 Apr 8 15:36 phpmyadmin -> / user/ share/ phpmyadmin
The meaning of this output is, there is a symbolic link called phpMyAdmin in this directory. If you want, you can change this link name as you want. In addition to, this will change the access URL of phpMyAdmin. It will help to obscure the endpoint from bots hardcoded to search common endpoint names.
It is better to select an obscures name with purpose of the endpoint. As an example, we use the “nothintosee” as our end point. As that, you should use the alternative name. According to that; we will rename the link as follow;
$ sudo mv phpmyadmin nothingtosee
$ ls -l
After running the above commands, you’ll receive this output as follow:
Output
total 8
-rw-r–r– 1 root root 612 Apr 8 13:30 index.nginx- debian.html
lrwxrwxrwx 1 root root 21 Apr 8 15:36 nothingtosee -> / user/ share/ phpmyadmin
Now, you will go the old URL and you will get a 404 error;
https://server_ domain_ or_ IP/ phpmyadmin
Now it is available the phpMyAdmin interface now at the new URL as soon as configured;
https://server_ domain_ or_ IP/ nothingtosee
Through obfuscating the real location of phpMyAdmin on the server, your phpMyAdmin installation is securing against automated scan and from attackers.
Step 03: Disabling root login
As well as regular Linux system, on MySQL is also have root account and it is a special administrative account with unrestricted access to the system. Although it is a privilege account, it inherits disadvantages being with a popular login name. With this known login it may be easy target for attackers. To minimize the risk, we can configure phpMyAdmin to reject any login attempts coming from the user root. According to that, you will get an “access denied” error and won’t be allowing to login, even you provide valid credentials.
To configure and store phpMyAdmin setting we select the dbconfig- common. Because of that, the default configuration is currently stored in the database. With the purpose of define our custom setting; we have to create a new config. Inc. php file.
The PHP file locates in the user/ share/ phpmyadmin for phpMyAdmin installation. But the application use the configuration file available in /etc/ phpmyadmin. Now we will create a new custom file inside the /etc/ phpmyadmin/ conf.d. We name it as pma_ secure.php:
$ sudo nano / etc/ phpmyadmin/ conf.d/ pma_ secure.php
There is the necessary setting for the disabling password setting in the following configuration file.( AllownoPassword set to false) and root login (AllowRoot set to false);
etc/ phpmyadmin/ conf.d/ pma_secure.php
<?php
# PhpMyAdmin Settings
# This should be set to a random string of at least 32 chars
$ cfg[‘blowfish_secret’] = ‘3!#32@3sa(+=_4?),5XP_:U%%8\34sdfSdg43yH# {o’;
$ i=0;
$ i++;
$ cfg [‘Servers’] [$i] [‘auth_type’] = ‘cookie’;
$ cfg [‘Servers’] [$i] [‘AllowNoPassword’] = false;
$ Icfg [‘Servers’] [$i] [‘AllowRoot’] = false;
After you done editing, you have to save the changes. For that, you can press the CTRL + X and then press Y to confirm the changes and press ENTER. Now, the changes will apply to automatically. Now there may be display error as Access Denied, if you try to reload the login page and try to log in as root.
On your phpMyAdmin installation, it prohibited the root login. This will help you to secure your phpMyAdmin installation from attacks through trying to guess the root database password on your server. In addition to, for accessing the interface of phpMyAdmin, you can use less privileged MySQL account. It is also good security measurement.
Step 04: Creating an authentication gateway
You can avoid some automated bots through hiding your phpMyAdmin installation on unusual location. But it is not a solution for targeted attacks. It is better to protect a web application with restricted access and it generally wise protective action to stop attackers before they reach the application. Through this, attackers are unable to attacks to guess the access credentials and use generic exploits.
It is more important to keep the login interface locked away at specific case of phpMyAdmin. You provide a chance for attackers to guess your database credentials through keeping it open to the world.
You can increase security of your phpMyAdmin installation, through adding an extra layer of authentication. Before seeing the phpMyAdmin login screen, user will required to pass through an HTTP authentication prompt. Most of time, Most of web servers and Nginx also provide this capability natively.
First of all, we should have created a password file to store the authentication credentials for set this. Nginx requires to crate the password ne encrypted through using the crypt ( ) function. It is already included in the OpenSSL suite which you have installed on your server.
To create an encrypted password, type as follow;
$ openssl passwd
Now it will require entering and confirming the password, which you wish to use as password. After confirming the password, it will display the encrypted version of the password. It may be as follow;
Output
O5az. RSPzd. HE
This code will be need to past into the authentication file which we will be creating. Because of that copy this value.
Now, we have to create an authentication file. We identify this file as pma_ pass and place it in the Nginx configuration directory;
$ sudo nano / etc/ nginx/ pma_ pass
In this file, you have to specify which you like username. Now you can use follow by a colon (: ) the encryption version of your password receive from the openssl passwd utility.
Now we will rename our user as Sammy, so, you can use that kind of alternative username. Then it should like as follow;
/etc/ nginx/ pma_pass
sammy: O5az. RSPzd. HE
Now save and close your file.
Now we are going to modify the configuration file of Nginx. For that we use the configuration file, which located is /etc/ nginx/ sites-available/ example.com. For the phpMyAdmin is currently hosted, you have to select Nginx configuration file. To get started, open the file through your text editor.
$ sudo nano /etc/ nginx/ sites- available/ example.com
Now, find the server block and location section with it. To match with phpMyAdmin’s current path on the server, we have to create a new location within this block. According to this article, the location of phpMyAdmin relative to the web root is /nothingsee:
/etc/ nginx/ sites- available/ default
server {
. . .
location / {
try_ files $uri $uri/ =404;
}
location / nothingtosee {
# Settings for phpMyAdmin will go here
}
. . .
}
In here we have to set up two different directives. Through auth_basic define the message that will be displayed on the authentication prompt and auth_basic_user_files, pointing to the file we just created. The configuration looks like as follow when you finish it;
/etc/ nginx/ sites- available/ default
server {
. . .
location / nothingtosee {
auth_ basic “Admin Login”;
auth_ basic_ user_ file /etc/ nginx/ pma_ pass;
}
. . .
}
Now save and close your file when you finished. You can run it to check whether configuration file is valid.
sudo nginx -t
Then it can be see the output as follow.
Output
nginx: the configuration file / etc/ nginx/ nginx.conf syntax is ok
nginx: configuration file / etc/ nginx/ nginx.conf test is successful
After that you have to reload the web server to activate the authentication gate.
$ sudo systemctl reload nginx
Now we have to provide the user name and password, which you set to the pma_ pass file, for visit the phpMyAdmin URL in your web browser.
https://server_domain_or_IP/ nothingtosee
After you entering the credentials, you will able to taken to the standard phpMyAdmin login page.
Note: After refreshing the page does not work, then you have to clear your cache or use a different browser, if you are already use phpMyAdmin.
This is providing the extra layer of security. In addition to it help to keep the MySQL logs clean of spammy authentication attempts.
Step 05: Setting up access via encrypted tunnels (Optional)
Through lock down the phpMyAdmin installation to authorized hosts only, is be a reason for increase the security of phpMyAdmin installation. For the authorized hosts in your Nginx configuration file, you can whitelist those files. Then it automatically rejected any IP address requests which are not included in the list.
For the some cases, it is sufficient this feature alone. But this is not the best solution and not valid for long term. Most of times, peoples are not accessing to the internet using static IP address. When you receive a new IP address from your internet provider, you should update the Nginx configuration file with your new IP address. Without updating, you are unable to access to the phpMyAdmin interface.
There is the more robust long term another solution. For the users can access to phpMyAdmin interface by using IP based access control. But this is valid only for access through authorized IP address or Local host via SSH tunneling. Now we focus on the way for that.
In addition to provide a secure channel between user and server through the using of encrypted tunnels, it is increase the security with combining IP based access control withSSH tunneling are work as to blocking access coming from the public internet. (Except for authorized IPs)
Setting up IP bases access control on Nginx
We can define the corresponding location block given site based on IP based access control on Nginx, using the directives allow and deny. As a example, if want to allow only specific request which are coming from given host, Then we can include following two lines, inside the relevant location block for the site we would like to protect;
allow hostname_ or_IP;
deny all;
You will be able to allow the hosts as you want. It is enough to include one allow line for each authorized host/ IP inside the respective location block for the site you’re protecting. Until it will be find a match or due to reject the all request through deny all directives, it will be evaluated in same order as they listed.
Now, for the requests are coming from only local host or your current IP address, Nginx will be configured to allow. For that, first of all you should know your current public IP address which your local machine is use to connect to the internet.
There are several ways available to find that information. Because of simplicity, we will move to the get understand the service provided by ipinfo.io Otherwise you can open the URL https://ipinfo.io/ip in your browser. If not, you can enter following command in your local machine;
$ curl https://ipinfo.io/ip
Then you can get an IP address as follow;
Output
203.0.113.111
Above output is your current public IP address. We can configure the phpMyAdmin’s location block, for only approve the request, which are coming from your local host and that IP address. For that, we have to edit the configuration block for phpMyAdmin inside the etc/ nginx/ sites-available/ example.com.
Now, using your command line editor of your choice, open the Nginx configuration line.
$ sudo nano / etc/ nginx/ sites-available/ example.com
It is already have an access rule in our current configuration. Through using the Satisfy all directives, we can combine it the IP based access control. For the increase security, we can keep the current HTTP authentication prompt.
After configuration of your phpMyAdmin, it will be display as follow:
/etc/ nginx/ sites-available/ example.com
server {
. . .
location / nothingtosee {
satisfy all; #requires both conditions
allow 203.0.113.111; #allow your IP
allow 127.0.0.1; #allow localhost via SSH tunnels
deny all; #deny all other sources
auth_basic “Admin Login”;
auth_basic_user_file / etc/ nginx/
..6pma_pass;
}
. . .
}
Now, keep in mind to replace the nothingtosee with the actual path which phpMyAdmin can be found, and highlight the IP address with your current public IP address.
When you finished he process, you can save and close the file. And you can run it to check whether configuration file is valid.
$ sudo nginx –t
Then the output may be as follow;
Output
nginx: the configuration file / etc/ nginx/ nginx.conf syntax is ok
nginx: configuration file / etc/ nginx/ nginx.conf test is successful
Now, when you open the web server, it will change through above affects;
$ sudo systemctl reload nginx
It should not disturb to access for your IP address because of it clearly listed as an authorized host. When others are trying to access your phpMyAdmin installation, they will receive a 403 error message (Forbidden).
https://server_domain_or_IP/nothingtosee
Next we move to the usage of SSH tunneling to access the web server through local request. Through this way, if your IP address will be changed, you will be able to access to the interface of phpMyAdmin.
Accessing phpMyAdmin through an encrypted tunnel
SSH tunnel work as to way of redirecting network traffic through encrypted channels. You can set a secure tunnel between your local machine and the server, through running as SSH command similar to what you would use to login into server. Now it can redirect through the encrypted tunnel the all traffic coming in on a given local port. And also can use the remote server as proxy before reaching out to the internet. When use VPN (Virtual Private Network), there also happen same procedure. But VPN is simple than set up SSH tunnels.
We will use SSH tunneling to proxy our request to the remote web server running phpMyAdmin. You can redirect the local requests to the remote web server, through creating a tunnel between your local machine and the server where phpMyAdmin installed. More important thing of thing behind that, traffic will be encrypted and the request will reach as coming from local host to the Nginx. Through this, you can access to the phpMyAdmin interface as securely, without any matter regarding the IP address which you use.
This is the best security method, if you cannot install SSL or TSL certificate on the web server running phpMyAdmin, because the traffic between your local machine and the remote web server will be encrypted.
You can run the following command in your local machine for access to phpMyAdmin.
$ ssh user@server_domain_or_IP -L 8000: localhost:80 -L 8443:localhost:443 – N
Let’s examine each part of the command:
user: SSH user to connect to the server where phpMyAdmin is running
hostname_or_IP: SSH host where phpMyAdmin is running
-L 8000: localhost: 80 redirect HTTP traffic on port 8000
-L 8443: localhost: 443 redirect HTTPS traffic on port 8443
-N: do not execute remote commands
Note: This command can be block the terminal till interrupted with a CTRL + C. In such a situation, it will be a reason for disconnect the SSH connection and packet redirection. You will be able to use the SSH option –f, if you want run this command in background mode.
Now, you have to go your browser and replace server_domain_or_IP with localhost:PORT, where PORT is either 8000 for HTTP or 8443 for HTTPS:
http://localhost:8000/ nothingtosee
https://localhost:443/nothingtosee
Note: You well receive a alert message questioning the security of the SSL certificate, if you use https for accessing to the phpMyAdmin. This happens due to the mismatch with the domain name, which you use (local host) and the address registered within the certificate. (damain where phpMyAdmin is actually being served) Actually, this is a safe to proceed.
Now it being to redirect through a secure tunnel to your remote phpMyAdmin application, all request on local host: 8000 (HTTP) and local host: 8443 (HTTPS). You can increase security of your phpMyAdmin through disabling public access to your phpMyAdmin. In addition to it help to protect all traffic between your local computer and the remote server, through using encrypted tunnel to send and receive data.
If you want to enable the access of usage of SSH tunnel for anyone to your phpMyAdmin interface (including you). For that you can remove any authorized IPs from the Nginx configuration file, for that leaving 127.0.0.1 as the only allowed host to access that location. It is safety action to remove HTTP authentication in order to simplify your set up, when consider nobody will be able to make direct request to phpMyAdmin. In such a situation your configuration file appearance as follow;
/etc/ nginx/ sites-available/ example.com
server {
. . .
location / nothingtosee {
allow 127.0.0.1; #allow localhost only
deny all; #deny all other sources
}
. . .
}
After you reload the Nginx’s configuration sudo systemctl reload nginx. You want to use the SSH tunnels to access the interface of phpMyAdmin via redirect request, because your phpMyAdmin installation will be locked down.
Conclusion
Through this article, we discuss about the way of install phpMyAdmin on Ubuntu 18.04 running Nginx as the web server. This article covered the way of secure a phpMyAdmin installation such as disabling root login, create an extra layer of authentication, and use the SSH tunneling to access a phpMyAdmin installation via local request only.
Through this article, you will be able to secure your MySQL database from a reasonably secure web interface. So we hope this article will be a help for you to secure your phpMyAdmin database.