phpMyAdmin security measures on a Debian webserver

Feb 16th, 2012 | By | Category: Linux / Freebsd

Well, I had a rude awakening today that clearly showed my FreeBSD upbringing. You see, when you install phpMyAdmin on FreeBSD it leaves it up to YOU to create the alias paths and whatnot, meaning that if you do nothing the system stays exactly as locked down as it was before. In Linux the philosophy is very different, even on Debian. There it figures that if you're installing phpMyAdmin you must of course want a global alias, so that anyone on any domain can just tack '/phpmyadmin' onto the end of any hostname the box answers to and land on the phpMyAdmin login. So if you do nothing, Debian installs that alias by default, which clearly creates a massive exposure: the MySQL login page (and whatever setup script is still lying around) is now reachable by anyone or anything with half a brain to try that path, so password guessing against your database and any future phpMyAdmin bug are one URL away for every script on the internet.

Of course, to any security minded person this is complete and utter horse shit, and if the sysadmin is too lazy or doesn't know how to create an alias then he/she has no bloody right admining the box in the first place. So anyways, I installed phpMyAdmin a long time ago and instinctively, being a BSD boy through and through, I figured I had to set up the alias manually. And of course instead of setting up a global alias I set it on one single domain on the entire server, and of course instead of having the alias be phpmyadmin I set it to something cryptic that no one is going to guess. I wiped my hands clean knowing my server was somewhat secure with phpMyAdmin installed and never looked back... Until tonight.

I log into my server and notice that instead of my usual .20 server load it is sitting at .6 with twice the httpd procs running. This tips me off that someone or something is sniffing around where they shouldn't be, so I open up lsof and ping the top apache proc. Going through the list I find an error log being written to a LOT, and upon investigation of that log I see that every 5 minutes something is pinging phpmyadmin/setup.php. I thank my lucky stars that I deleted that file after installation and of course laugh, because this bot is obviously looking for something that doesn't exist. I stopped laughing when I noticed that the error log was saying that /usr/share/phpmyadmin/setup.php doesn't exist, NOT domain.com/phpmyadmin/setup.php doesn't exist. This means that /phpmyadmin/ was still aliasing to /usr/share/phpmyadmin, and that's when I lost it and started screaming bloody murder at this carebear fucking operating system that accommodates lazy fucking admins at the expense of security.. GGAAHHH!!!

Of course in FreeBSD we don't have conf directories and .conf files for every god damn thing that is installed; with apache it pretty much all goes into httpd.conf, hell, on my last server the apache config AND the vhosts all went in httpd.conf. Granted, that's not the best way to do it, but hey, I'm old school, I was trained by men who came from simpler times. Anyways, back to Debian: I went into /etc/apache2, ran # find . -exec grep -H phpmyadmin {} \; and sure enough there inside /etc/apache2/conf.d was a phpmyadmin.conf file with all of the open, unsecure bullshit that came with it. GAH! Have I said GAH yet?!? Because GGAAHHHHH!!! Who the hell is thinking this is a good idea to do BY DEFAULT?!?! Anyways, I moved the god damn file out of there, restarted the webserver and made sure that my private phpmyadmin url was working, which it was, and guess who's not pinging my server every god damn second anymore? Those hackers..
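Here is how I'd triage that error log today, as an added example rather than anything from the original post: a small sh/awk function that counts "File does not exist" hits pointing into /usr/share/phpmyadmin per client IP and path, busiest first, so a bot walking phpmyadmin/setup.php every five minutes stands out from ordinary 404 noise. The log lines it is fed are constructed in the Apache 2.2 error-log format the post describes, with RFC 5737 example addresses; it assumes only POSIX sh, awk and sort.

```shell
#!/bin/sh
# Added example, not the post's own code. Summarises phpMyAdmin probes in an
# Apache error log as "<count> <client ip> <path>", busiest first. Understands
# the 2.2 "[client 1.2.3.4]" and the 2.4 "[client 1.2.3.4:port]" forms, and
# strips any trailing ", referer: ..." Apache appends to the path.
pma_probe_summary() {
    awk '
        /File does not exist: \/usr\/share\/phpmyadmin/ {
            ip = "?"
            for (i = 1; i <= NF; i++)
                if ($i == "[client") { ip = $(i + 1); sub(/(:[0-9]+)?\]$/, "", ip) }
            path = $0
            sub(/.*File does not exist: /, "", path)
            sub(/,.*/, "", path)
            hits[ip " " path]++
        }
        END { for (k in hits) printf "%d %s\n", hits[k], k }
    ' | sort -rn
}

# Constructed sample (not a real log): one bot hitting setup.php every five
# minutes, a second scanner trying an older path, and one unrelated 404.
SAMPLE_ERROR_LOG='[Thu Feb 16 03:05:01 2012] [error] [client 198.51.100.23] File does not exist: /usr/share/phpmyadmin/setup.php
[Thu Feb 16 03:10:01 2012] [error] [client 198.51.100.23] File does not exist: /usr/share/phpmyadmin/setup.php
[Thu Feb 16 03:12:44 2012] [error] [client 192.0.2.77] File does not exist: /usr/share/phpmyadmin/scripts/setup.php, referer: http://example.com/
[Thu Feb 16 03:13:10 2012] [error] [client 192.0.2.77] File does not exist: /var/www/example.com/favicon.ico
[Thu Feb 16 03:15:01 2012] [error] [client 198.51.100.23] File does not exist: /usr/share/phpmyadmin/setup.php'

# Stand-alone demo; on a real box: pma_probe_summary < /var/log/apache2/error.log
printf '%s\n' "$SAMPLE_ERROR_LOG" | pma_probe_summary
```

The tell the post relied on is right there in the output: any path under /usr/share/phpmyadmin being requested on a host that is not supposed to serve phpMyAdmin means the global alias is still in effect, whether or not the requested file exists.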


So, lessons learned:

First off, if you want to run phpMyAdmin because of how convenient it makes your life, don't install a global alias; you are just inviting every script kiddie and scanner bot on the planet. Install the alias inside one single vhost, give it a name that isn't 'phpmyadmin' ('managemysql' or whatever floats your boat), and don't stop there: the obscure name only keeps the bots out of your error log, so also serve it over HTTPS and lock the Directory down to your own IP and/or an extra HTTP auth layer on top of the MySQL login.

Second: after you've done the first step, go and get rid of the god damn POS .conf file that the phpMyAdmin package drops into /etc/apache2/conf.d (on Debian it is usually a symlink to /etc/phpmyadmin/apache.conf, so removing the symlink is enough, and `dpkg-reconfigure phpmyadmin` lets you decline the automatic web server setup so it doesn't come back on the next upgrade), restart apache, and enjoy an infinitely more secure server. Then check from outside that http://any-other-vhost/phpmyadmin/ gives you a 404 and not a login page.
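Both steps in one place, as an added example and not anything from the original post: a sh script that stages the package-style global alias next to a vhost-scoped, renamed and locked-down replacement, plus an awk audit that flags every Alias or ScriptAlias into /usr/share/phpmyadmin sitting outside a <VirtualHost> block (i.e. applying to every name the server answers to). The hostname example.com, the alias name /managemysql-7f3a, the admin address 203.0.113.10, the certificate paths and the htpasswd file are placeholders; the Directory stanza uses Apache 2.2 syntax (Order/Allow/Deny), which is what Debian shipped at the time.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes the Apache 2.2 / Debian layout
# of 2012 (everything under /etc/apache2/conf.d is included globally).
# example.com, /managemysql-7f3a, 203.0.113.10 and pma.htpasswd are placeholders.

# Print every Alias/ScriptAlias into /usr/share/phpmyadmin that is NOT inside a
# <VirtualHost> block, as file:line:directive. Follows symlinks because Debian
# links conf.d/phpmyadmin.conf to /etc/phpmyadmin/apache.conf. Empty output = clean.
global_pma_aliases() {
    find -L "$1" -type f -print0 2>/dev/null | xargs -0 awk '
        FNR == 1                              { depth = 0 }
        tolower($0) ~ /^[ \t]*<virtualhost/   { depth++ }
        tolower($0) ~ /^[ \t]*<\/virtualhost/ { depth-- }
        depth == 0 && tolower($1) ~ /^(alias|scriptalias)$/ && $0 ~ /\/usr\/share\/phpmyadmin/ {
            printf "%s:%d:%s\n", FILENAME, FNR, $0
        }'
}

# Stage the two configs the post contrasts: the package default (global alias,
# reachable on every vhost) and the per-vhost replacement with an obscure name,
# TLS only, an IP allow-list and HTTP auth on top of the MySQL login, with the
# setup/ directory denied outright so nobody gets to poke at it.
write_demo_configs() {
    mkdir -p "$1/conf.d" "$1/sites-enabled"
    # Roughly what /etc/apache2/conf.d/phpmyadmin.conf gives you out of the box.
    cat > "$1/conf.d/phpmyadmin.conf" <<'EOF'
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
</Directory>
EOF
    # Hardened: one vhost, obscure path, one admin IP, second login, no setup/.
    cat > "$1/sites-enabled/example.com" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    DocumentRoot /var/www/example.com

    Alias /managemysql-7f3a /usr/share/phpmyadmin
    <Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
        AuthType Basic
        AuthName "Database admin"
        AuthUserFile /etc/apache2/pma.htpasswd
        Require valid-user
        # Satisfy All is the default: the IP check AND the login must both pass
    </Directory>
    <Directory /usr/share/phpmyadmin/setup>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>
EOF
}

# Stand-alone demo: stage both files in a scratch dir and audit them; only the
# conf.d copy is reported, the vhost-scoped alias passes.
demo=$(mktemp -d)
write_demo_configs "$demo"
global_pma_aliases "$demo"
rm -rf "$demo"
```

Against a real box run `global_pma_aliases /etc/apache2`: anything it prints is served on every hostname that resolves to the machine. The awk only counts <VirtualHost> nesting, so an Alias wrapped in an <IfModule> at top level is still (correctly) reported as global. After removing the conf.d entry and restarting Apache, confirm with `curl -sI http://some-other-vhost/phpmyadmin/` that you get a 404.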


My heartfelt thanks go out to the miserable cunt of a sysadmin that I worked with for years who trained me in all of these secrets. Thank you thank you thank you!
