user254153

Reputation: 1883

Allow access to phpmyadmin from localhost only

I am trying to configure phpMyAdmin on my server so that it can be accessed only from localhost and not remotely. Below is the configuration in /etc/phpmyadmin/apache.conf on the server:

 Alias /phpmyadmin /usr/share/phpmyadmin

 <Directory /usr/share/phpmyadmin>
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1

   Options FollowSymLinks
   DirectoryIndex index.php

</Directory>

So, when I access phpMyAdmin remotely I get 403 Forbidden, which is good, but when I access phpMyAdmin from localhost (that is, from the server using remote desktop), I still get 403, while I think this should give access to phpMyAdmin from localhost. Is there anything I am missing here?

Thank you

Upvotes: 2

Views: 10848

Answers (4)

Seth Cocking

Reputation: 1

Limiting the login to localhost for an admin user does not keep a user from logging in from the outside if phpMyAdmin is on the same server as the database, because the connection from the database to phpMyAdmin is a local connection.

See the link below:

I'm able to login on phpMyAdmin with root, even it's restricted to localhost

To be secure from brute-force logins, one can block remote access to phpMyAdmin and use an SSH tunnel to gain access from the outside if needed.

Upvotes: 0

biesior

Reputation: 55798

Logical mistake

You make one big mistake, every one of you.

PhpMyAdmin is NOT a server, it's just a client written as a PHP script and served by some HTTP server (Apache in this case).

What you want(ed), and what others suggested, is to disable access to the phpMyAdmin vhost of the HTTP server, but it will still be possible to log in to the database with any other client, from the terminal's mysql command to GUI clients like MySQL Workbench or IDEs' built-in DB clients. Where's the logic?

Of course, you can combine both techniques (HTTP securing and MySQL securing); however, without the second your database will still be unsafe. PhpMyAdmin is just a client! It even has its own mechanisms for controlling access, but if someone uses any other client (mentioned above), your effort will be absolutely worthless.

Solution:

To handle your case you should create a dedicated MySQL account with localhost access (I can bet that at the moment of writing this post it is/was %, which means global); then MySQL will control all incoming connections to check whether they are from the local machine or from the world.

Just don't forget to remove the account with global access (%) and flush the privileges after all changes.

Also, I always suggest creating exactly one user with all privileges to exactly one dedicated database (ofc, other than root). That way, even if you are the only admin who works on many databases, you minimize the risk of accidental changes in other databases. (Pro-tip: a good password manager will be your friendly ghost-guard.)

I'd suggest googling it and getting overall knowledge of this topic, as it's quite crucial for DB security; however, it will also be enough if you implement the simple solution from the very first answer found. Using the localhost restriction on MySQL, preferably with blocking of port 3306 on the firewall side, is a perfect solution to access your data with a locally installed PhpMyAdmin script 100% securely (if that's possible at all).

Below I cite an answer from another post:

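-- SQL: the account is valid only for connections from the local machine
GRANT ALL PRIVILEGES ON *.* TO 'db_user'@'localhost' IDENTIFIED BY 'db_passwd';
GRANT ALL PRIVILEGES ON *.* TO 'db_user'@'127.0.0.1' IDENTIFIED BY 'db_passwd';

# MySQL server configuration file: listen on the loopback interface only
[mysqld]
bind-address = 127.0.0.1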

P.S. You don't even need to write an SQL command for this; you can change it for each user with... PhpMyAdmin.

Upvotes: 3

Example person

Reputation: 3346

I think this should work and make it so that you can only access it locally. It should be mostly something like this:

<Directory /usr/share/phpmyadmin>
    Require local
    # ...other directives (copy only the line Require local)
</Directory>

Upvotes: 3

Don't Panic

Reputation: 14520

My guess is you are using Apache 2.4.x. The syntax for access control changed between 2.2 and 2.4. The Order and Deny syntax you're using is for Apache 2.2, but won't work for 2.4. In 2.4 it would be something like:

<Directory /usr/share/phpmyadmin>
    Require ip 127.0.0.1
    Options FollowSymLinks
    DirectoryIndex index.php
</Directory>

Reference from Apache upgrade doc, and Access Control docs.

Upvotes: 1
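An added example, not taken from any of the answers above: a small audit that reads an Apache config and reports, per `<Directory>` block, whether it uses only the 2.2-style `Order`/`Allow`/`Deny` directives, has no `Require` directive, or restricts access to the IPv4 loopback only. The function name `audit`, the finding labels and the second sample path are assumptions made for this illustration.

```python
import re
# Constructed sample: the question's block, then a 2.4 block (placeholder path).
SAMPLE_CONF = """\
<Directory /usr/share/phpmyadmin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
<Directory "/srv/example-admin">
    Require ip 127.0.0.1
</Directory>
"""

OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.I)
# 2.2-style directives; Apache 2.4 honours them only through mod_access_compat.
LEGACY = re.compile(r"^(Order|Allow\s+from|Deny\s+from)\b", re.I)
REQUIRE = re.compile(r"^Require\s+(.+)$", re.I)
LOOPBACK = {"127.0.0.1", "127.0.0.0/8", "::1"}

def audit(conf_text):
    """Map each <Directory> path to a list of access-control findings."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        opened = OPEN.match(line)
        if opened:
            current = blocks.setdefault(opened.group(1), {"legacy": False, "args": []})
        elif line.lower().startswith("</directory"):
            current = None
        elif current is not None and not line.startswith("#"):
            current["legacy"] |= bool(LEGACY.match(line))
            req = REQUIRE.match(line)
            if req:
                current["args"].append(req.group(1).lower().split())
    findings = {}
    for path, blk in blocks.items():
        notes = ["legacy-2.2-directives"] if blk["legacy"] else []
        if not blk["args"]:
            notes.append("no-require-directive")
        for args in blk["args"]:
            if args[0] == "ip" and set(args[1:]) <= LOOPBACK:
                if "::1" not in args:  # clients arriving over IPv6 loopback get 403
                    notes.append("ipv4-loopback-only")
            elif args != ["local"]:  # "Require local" covers 127.0.0.0/8 and ::1
                notes.append("review: Require " + " ".join(args))
        findings[path] = notes
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

An empty list for a block means its only access rule is loopback-restricted for both IPv4 and IPv6; the audit looks at the HTTP layer only and says nothing about which hosts the MySQL accounts themselves accept.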
