edit-icon download-icon

Harden phpMyadmin service security

Last Updated: May 08, 2018

Vulnerability description

phpMyAdmin is a popular database management system. If the password is too simple, attackers can crack it, log on to the system, and execute high-risk malicious database operations, such as additions, deletions, and modifications. This can lead to data leakage or severely compromise security of your network.

Hardening solution

According to common business requirements, access to database management backends serves specific users, such as database administrators and developers. If access is made available to the public, it may lead to serious data leakage. Therefore, after deployment, it is suggested that security of the phpMyAdmin management console is reinforced.

1. Network Access Control Policy

Restrict visitor IP access to phpMyAdmin.

  • You can use the Security Group Firewall Policy provided by ECS to restrict visitor IP addresses and avoid unnecessary access to the database management backend.

  • By default, phpMyAdmin provides an access control feature, and the detailed configuration is as follows:

    Enter the phpMyAdmin directory and find config.inc.php. If it does not exist, copy config.sample.inc.php in the root directory as config.inc.php.

  • Edit config.inc.php and add the following two codes, of which the IP address 192.168.0.1 is available to access phpMyAdmin and the message Access Denied is displayed to unauthorized users.

    1. ?$ip_prefix = '192.168.0.1';
    2. if (substr($_SERVER['REMOTE_ADDR'], 0, strlen($ip_prefix)) != $ip_prefix ) die('Access denied');

    phpMyadmin

2. Account and password security policy

  • A complex password can effectively prevent brute force password cracking attacks. The newly set password will take effect immediately without restarting.

  • Refine authorization for database accounts according to user roles to prevent O&M risks.

For more information, see MySQL Service Security Document - Authorization section.

3. Security detection and monitoring

Alibaba Cloud Security Situational Awareness supports detection and warnings for vulnerabilities. We recommend enabling basic Situational Awareness in the console for real-time detecting and warning to provide real-time notifications about security vulnerabilities so they can be mitigated.

Thank you! We've received your feedback.