phpMyAdmin installation
Re: phpMyAdmin installation
While there's a discussion about phpmyadmin and security here anyways, I could add another thing. I've been looking at my apache logs and 90% of all 404 errors are people trying to reach my server with urls ending with different variants of "phpmyadmin", so this is obviously something hackers know to be a good thing to try out when they want to break some home users security. In my case, I've never had phpmyadmin installed (I'm quite fond of hand writing mysql commands instead), so I don't see it as a big problem, but it might be good to know...
/Daniel
- Posts: 904
- Joined: 09 Oct 2009, 18:49
Re: phpMyAdmin installation
I see that too - and vtigercrm as well for some reason. I've set up fail2ban to immediately drop all traffic from those addresses trying to access those URLs.
Re: phpMyAdmin installation
Yeah, they do that everywhere, and then run a silly dictionary attack on it if they hit an existing file. If you have bandwidth to spare and a slowish connection you can also create a phpmyadmin/index.html file of a few MB to slow them down.
- Posts: 56
- Joined: 03 Jan 2012, 18:17
Re: phpMyAdmin installation
Thank you for this input... I am not an expert in these matters, hell, I am learning a lot as I go. What you mentioned makes sense and I will lower the values as you proposed. Does this apply only for uploading or downloading as well? I mean if a large file is once uploaded (through other means than the web interface), do these two variables also have any effect on downloading the large files?
nobody wrote: Sorry, but do you realize the manner in which you just set up your system?
Wouldnt you say its kinda ridiculous to allow a single PHP script to eat 1G of memory for a post on a machine that has 1G memory tops? Just the upload to 1G will take so long the script will timeout, and if it does not, you just opened up your system for an easy DoS attack. If you are planning to upload 1GB files, the web interface is maybe not the best way to do so.
ISPs generally set max_mem_limit and max_post-limit to 64MB. I only hear inexperienced web devs complain about this setting. For cloud services I can imagine you increase this to maybe 128M, but for a B3 anything over 128M is not making the system more stable.
What is the relation between post_max_size and upload_file_size? I read somewhere that post_max_size should be a bit bigger... Why?
Also, what is then the appropriate way to upload larger files? WebDAV client?
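As an added illustration of the limits discussed above (not code from the thread), a small check that parses PHP shorthand sizes and verifies the ordering the PHP manual documents, upload_max_filesize <= post_max_size <= memory_limit, against the total RAM of the box. The two ini fragments are constructed, and the "four requests must fit in RAM" threshold is an assumed rule of thumb, not a PHP rule:

```python
import re

# Constructed fragments: the 1G-everything setting criticised in the thread
# next to the 64M-class values an ISP would typically ship.
RISKY_INI = """\
memory_limit = 1G
post_max_size = 1G
upload_max_filesize = 1G
"""

SANE_INI = """\
memory_limit = 128M
post_max_size = 64M
upload_max_filesize = 60M
"""

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_size(value):
    """Parse a PHP shorthand byte value such as 64M or 1G into bytes.
    -1 (unlimited) is mapped to infinity so comparisons still work."""
    if value.strip() == "-1":
        return float("inf")
    m = re.fullmatch(r"\s*(\d+)\s*([KMGkmg]?)\s*", value)
    if not m:
        raise ValueError("bad size: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2).upper()]

def parse_ini(text):
    """Minimal key = value parser for the handful of settings we care about."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments
        if "=" in line:
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip()
    return settings

def check_limits(text, ram_bytes, concurrent=4):
    """Return a list of findings; an empty list means the values look sane."""
    s = parse_ini(text)
    up, post, mem = (parse_size(s[k]) for k in
                     ("upload_max_filesize", "post_max_size", "memory_limit"))
    findings = []
    if up > post:
        findings.append("upload_max_filesize exceeds post_max_size")
    if post > mem:
        findings.append("post_max_size exceeds memory_limit")
    # Assumed rule of thumb: a few concurrent requests at memory_limit
    # should not be able to exhaust the machine's RAM (the DoS raised above).
    if mem * concurrent > ram_bytes:
        findings.append("memory_limit lets %d requests exhaust RAM" % concurrent)
    return findings
```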
- Posts: 904
- Joined: 09 Oct 2009, 18:49
Re: phpMyAdmin installation
FTP (or a secure variant), ssh, rsync. There's probably some others I've missed.
Also, what is then the appropriate way to upload larger files? WebDAV client?
Re: phpMyAdmin installation
I think that you're referring to the MySQL conf file. The problem with phpMyAdmin however is that this *is* acting as a client with origin 127.0.0.1, except that it extends this single IP limit to anyone who can access the phpMyAdmin pages.
nobody wrote: True, except the conf file includes an "allow from 127.0.0.1 / deny all" that limits exploitation. But it's not the most secure of setups, especially when noobs remove the allow line instead of modifying it to allow only the subnet.
Funny thing though: what is actually considered to be the biggest security issue with MySQL, an empty root password, is now the biggest obstacle for the hacker trying to gain access. Let's name that a little sunshine in internet hell.
Re: phpMyAdmin installation
I think I'm not referring to the MySQL conf file but to the apache config file that comes with standard distributions of phpmyadmin and is generally added to /etc/httpd/conf.d/. In that apache config file there should be a "deny from all" line. To this line I was referring.
Re: phpMyAdmin installation
Apparently not the case with Debian Squeeze, because then TS wouldn't have been able to access the (non-functional) logon screen to start with.
nobody wrote: I think I'm not referring to the MySQL conf file but to the apache config file that comes with standard distributions of phpmyadmin and is generally added to /etc/httpd/conf.d/. In that apache config file there should be a "deny from all" line. To this line I was referring.
- Posts: 56
- Joined: 03 Jan 2012, 18:17
Re: phpMyAdmin installation
Is WebDAV good as well?
RandomUsername wrote: FTP (or a secure variant), ssh, rsync. There's probably some others I've missed.
Also, what is then the appropriate way to upload larger files? WebDAV client?
Re: phpMyAdmin installation
It's a little quirky to set up securely, but it is certainly possible. There's a pretty good mobile version of WinSCP that's much more flexible than WebDAV can be, though. My advice would be to check that out first.
Re: phpMyAdmin installation
"I've set up fail2ban to immediately drop all traffic from those addresses trying to access those URLs."
How does the script look like that does the job?
- Posts: 904
- Joined: 09 Oct 2009, 18:49
Re: phpMyAdmin installation
How much do you want? A complete step-by-step on how to set up fail2ban, or just the specific part that drops those invalid URLs?
toukie wrote: "I've set up fail2ban to immediately drop all traffic from those addresses trying to access those URLs."
How does the script look like that does the job?
Re: phpMyAdmin installation
I have fail2ban up and running but the scripts I found for this purpose didn't work for me.
I have 2 WordPress sites on the B3 and I don't use phpMyAdmin at all. I would still like to get rid of the bots trying to find phpMyAdmin. I would need the .conf file to put into /etc/fail2ban/filter.d and an idea about what to write into jail.local.
I used these:
in filter.d:
[Apache-404]
failregex = (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-$
ignoreregex = favicon\.ico
in jail.local:
[apache-404]
enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache2/access.log
bantime = -1
maxretry = 1
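An added example (not from the thread) of how to test a narrower filter before putting it in filter.d: a regex that only flags 404s whose path names a phpMyAdmin variant, run over constructed access-log lines with a maxretry threshold as the jail would apply it. The HOST group is what fail2ban substitutes for `<HOST>`; the log lines and addresses are made up:

```python
import re
from collections import Counter

# Equivalent of fail2ban's <HOST> placeholder for an IPv4 client address.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Only a 404 for a path containing a phpMyAdmin-style name counts, so a
# visitor following a mistyped link is not banned by a blanket 404 rule.
# In filter.d you would write <HOST> where the HOST group is spliced in.
FAILREGEX = re.compile(
    HOST + r' \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) '
    r'[^" ]*(?:phpmyadmin|pma|mysqladmin)[^" ]* \S+" 404 ',
    re.IGNORECASE)

IGNOREREGEX = re.compile(r"favicon\.ico")

# Constructed Apache combined-format lines: one scanner probing three
# variants, one ordinary visitor hitting a missing image, and one 200 hit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2012:10:01:02 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2012:10:01:03 +0100] "GET /phpMyAdmin-2.8.0/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2012:10:01:04 +0100] "GET /pma/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2012:10:02:00 +0100] "GET /wp-content/missing.png HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2012:10:02:01 +0100] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2012:10:03:00 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

def matching_hosts(log_text):
    """Count, per client address, the lines the filter would flag."""
    hits = Counter()
    for line in log_text.splitlines():
        if IGNOREREGEX.search(line):      # ignoreregex wins over failregex
            continue
        m = FAILREGEX.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(log_text, maxretry=2):
    """Addresses that reached the jail's maxretry within the sample."""
    return sorted(h for h, n in matching_hosts(log_text).items() if n >= maxretry)
```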
Re: phpMyAdmin installation
So you permaban anyone that requests a single nonexistent page? I hope you'll never make a typo in a hyperlink.