How to restrict access to phpmyadmin? [duplicate]

2020-02-23 03:40发布

问题:

This question already has answers here:
Closed 9 years ago.

Possible Duplicate:
How to secure phpMyAdmin

I use phpmyadmin to preview the database of my website. However, everyone can access the login page of my phpmyadmin by simply typing example.com/phpmyadmin

I am not an expert in network security but I assume this isn't very secure.

How can I restrict the access to the login page(maybe creating some alias like example.com/a4ebb72d ). I heard about allowing access only for specified IPs, but it won't help because I have dynamically assigned IP.

I'd be thankful for your tips.

回答1:

I'd make that server listen on 127.0.0.1 and then use port forwarding with SSH...

Make sure, the server serving phpMyAdmin only serves to 127.0.0.1, and then run

$ ssh -L4545:localhost:80 yourserver.com

and then point your browser to http://127.0.0.1:4545/phpmyadmin, you should be able to access phpmyadmin as long as your SSH session is active. You can even make a shell script to automate this.

This works with PuTTY as well.



回答2:

Exposing any part of phpMyAdmin is a potential risk. You could use Apache's Allow/Deny directives:

Order Deny,Allow
Deny from All
Allow from 12.34.56.78

Replace 12.34.56.78 with your IP address, and put this in a .htaccess file in your phpMyAdmin folder.



回答3:

As you said, you can change the name of the directory to be something that is not easily guessable.

You can also place the directory (or a parent directory, if you can't do it in the phpmyadmin directory directly) under password protection using .htaccess. Regardless of this perceived enhanced security, it's probably not going to be much more secure. After all, phpMyAdmin requires a login and a password just as much as .htaccess would, so if you use weak passwords or password practices, you're still just as vulnerable, so obviously make sure that both user/password combinations are both unique and strong.

The best thing you can do is ensure that all your phpMyAdmin users/passwords are secure and that you only entrust them to people you trust. Keep in mind that phpMyAdmin allows for the dropping of tables and entire databases, so keep regular backups and continually ensure the integrity of the data on your server, because in reality hiding the directory name or placing it behind another login barrier is only worthwhile if your password practices are as secure as possible to begin with.



回答4:

I suppose you could install phpMyAdmin in a directory behind a firewall so that only users with inside access could get to it.