
I have just installed Linux / Ubuntu for the first time in order to learn, and to get some experience with LAMP servers.

I also installed phpMyAdmin and used an .htaccess file (stored in /usr/share/phpMyAdmin, iirc) which points to an .htpasswd file in /etc/phpMyAdmin.

Is this considered "enough" to protect phpMyAdmin from other intruders? Is there any way someone could interact with any part of phpMyAdmin without first authenticating themselves via that .htaccess username/password?

DoubleBass

2 Answers


Securing phpMyAdmin with .htaccess is considered sufficient if you're just using Ubuntu in order to learn and get experience with LAMP servers.

However, if you were working in a corporate environment, I would suggest setting up SSL Certifications with phpMyAdmin for that extra level of security.

Ben
  • In what way would .htaccess not be secure in a corporate environment? – DoubleBass Jun 30 '14 at 14:37
  • @DoubleBass - .htaccess authentication would be secure, but if we're talking about the corporate enterprise, wouldn't you want extra security no matter what? Providing SSL Certifications is just another barrier an intruder would have to pass. And shareholders would be grateful you implemented it. – Ben Jun 30 '14 at 14:43
  • How do SSL certifications work? Is this similar to "SSH"? (which I don't think I've set up yet) – DoubleBass Jun 30 '14 at 14:45
  • SSH vs SSL and why should we care? http://stackoverflow.com/a/17091299 – Ben Jun 30 '14 at 14:49
  • I understand that SSL is a way to encrypt traffic so people can't get plaintext data from sniffed packets easily, but is it simply a setting you turn on somewhere? Isn't SSH normally a "secure way to connect to your box / server to do work" type thing? – DoubleBass Jun 30 '14 at 15:03
  • That's right. SSL isn't something you can just turn on with a switch. You need to buy an SSL Certification from an accredited Vendor (Certificate Authority aka CA) such as GoDaddy, Comodo, Symantec, etc. Much like a domain name, their cost is recurring each year. Reference: http://www.sslshopper.com/how-to-order-an-ssl-certificate.html – Ben Jun 30 '14 at 15:12
  • Why isn't traffic naturally encrypted to begin with? (over, say, plain http) Seems odd to me that people need to pay to make traffic safer from outside sniffers. – DoubleBass Jun 30 '14 at 15:20

If people are accessing phpMyAdmin over the Internet, you should use SSL encryption for the web traffic.

If not, add a couple of lines to your htaccess file that only allow connections from the LAN.

Something like the following

    # Apache 2.2 access-control syntax (on 2.4 it needs mod_access_compat)
    Order Deny,Allow
    Deny from All
    Allow from 10.253.0.1/24
Dan
  • What is "10.253.0.1/24"? And how do you use SSL encryption? – DoubleBass Jun 30 '14 at 13:41
  • That's an example LAN IP address range. Yours might differ. /24 is CIDR notation for specifying the subnet. – Dan Jun 30 '14 at 13:51
  • How do I know what the correct LAN IP / CIDR subnet is in this case? – DoubleBass Jun 30 '14 at 13:52
  • http://askubuntu.com/questions/197628/how-do-i-find-my-network-ip-netmask-and-gateway-info AND http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing – Dan Jun 30 '14 at 13:59
  • I don't understand what any of this means or which number I need to look at. What is "nmcli dev list iface eth0 | grep IP4" and what is the difference between .address, .prefix, .gateway and dns1.dns / dns2.dns? – DoubleBass Jun 30 '14 at 14:08
  • looked into this some more, thanks but sorry, I do not think this is what I need. Supposedly it is considered bad practice to hardcode IPs like that. – DoubleBass Jun 30 '14 at 14:36
  • @DoubleBass - you may want to research into the world of Networking before starting with LAMP Servers.. that's not to say you can't start with LAMP Servers, but understanding how we communicate across the wire makes every other area easier to understand. – Ben Jun 30 '14 at 14:45
  • @boon Any good sources you might recommend for this? – DoubleBass Jun 30 '14 at 15:00
  • @DoubleBass - personally I'm taking training courses for my CCNA. A great place to start would be CCNA1, then move onto CCNA2, then CCNA3, then CCNA4. Just make sure Networking is an area you're passionate about as it can be pretty overwhelming at some points. – Ben Jun 30 '14 at 15:06
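The following script is an added example and is not code from either answer or from the phpMyAdmin project. It ties the two answers together: it derives the LAN network in CIDR form from the address and prefix length that `ip -4 addr` or nmcli report (the answer to "which number do I look at"), checks a client address against that block the way Apache does, decodes a Basic-auth header to show why the first answer recommends TLS on top of .htpasswd (the header is base64, not encryption, so credentials are readable by anyone on the path), and prints an Apache 2.4 `<Directory>` block that requires TLS, the LAN source range and a valid user together. Two facts worth knowing before relying on an .htaccess file: it is only honoured if the vhost grants `AllowOverride AuthConfig` (or `All`) for that directory, and `Order/Deny/Allow` is the Apache 2.2 syntax that 2.4 keeps only through mod_access_compat; 2.4's native form is `Require ip`. The paths `/usr/share/phpMyAdmin` and `/etc/phpMyAdmin/.htpasswd`, the range `10.253.0.0/24` and the credentials `doublebass:hunter2` are assumptions and constructed test data.

```shell
#!/bin/bash
# Added example (not from the original thread). Paths, the LAN range and the
# sample credentials are assumptions / constructed test data.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted-quad form.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as an integer (prefix 0 => mask 0).
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# Given the host address and prefix length that "ip -4 addr" or nmcli report
# (e.g. 10.253.0.57 and 24), return the network in CIDR form: 10.253.0.0/24.
# That network, not the host's own IP, is what goes after Allow from / Require ip.
cidr_network() {
    local addr=$1 prefix=$2 mask
    mask=$(prefix_to_mask "$prefix")
    echo "$(int_to_ip $(( $(ip_to_int "$addr") & mask )))/$prefix"
}

# Succeed (exit 0) if address $1 lies inside CIDR block $2, mirroring the
# comparison Apache makes against the client's source address.
in_cidr() {
    local ip=$1 net=${2%/*} prefix=${2#*/} mask
    mask=$(prefix_to_mask "$prefix")
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Why Basic auth without TLS is weak: the Authorization header carries
# user:password as plain base64, recoverable by anyone who sees the packet.
decode_basic_auth() {
    printf '%s' "$1" | cut -d' ' -f2 | base64 -d
}

# Emit an Apache 2.4 <Directory> block combining both answers: TLS only,
# Basic auth against $1, and source restriction to the LAN block $2.
# Apache does not accept trailing comments on directive lines, so each
# comment sits on its own line.
write_pma_conf() {
    local htpasswd=$1 lan=$2
    cat <<EOF
# Assumed install path; adjust to where phpMyAdmin actually lives.
<Directory /usr/share/phpMyAdmin>
    # Refuse the request outright unless it arrived over TLS.
    SSLRequireSSL
    AuthType Basic
    AuthName "phpMyAdmin"
    AuthUserFile $htpasswd
    # Both conditions must hold: right network AND valid credentials.
    <RequireAll>
        Require ip $lan
        Require valid-user
    </RequireAll>
</Directory>
EOF
}

# Constructed sample: what a sniffer would see for doublebass:hunter2.
SAMPLE_AUTH_HEADER='Basic ZG91YmxlYmFzczpodW50ZXIy'

demo() {
    local lan
    lan=$(cidr_network 10.253.0.57 24)
    echo "LAN block for Require ip: $lan"
    in_cidr 10.253.0.200 "$lan" && echo "10.253.0.200 would be allowed"
    in_cidr 10.253.1.5 "$lan" || echo "10.253.1.5 would be denied"
    echo "Credentials recovered from the header: $(decode_basic_auth "$SAMPLE_AUTH_HEADER")"
    write_pma_conf /etc/phpMyAdmin/.htpasswd "$lan"
}

demo
```

Create the password file with a bcrypt hash rather than the crypt/MD5 defaults (`htpasswd -B -c /etc/phpMyAdmin/.htpasswd youruser`, from apache2-utils), keep it outside the web root as the question already does, and run `apachectl configtest` after dropping the generated block into the vhost. `SSLRequireSSL` makes the plain-HTTP case fail closed instead of quietly prompting for a password over cleartext.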