BFA protected phpmyadmin
I use an Ubuntu 16.04 Nginx server environment with phpMyAdmin (PMA). All my ports are closed besides 22, 25, 80, 443, 9000 (for PHP-FPM).
A common criticism of the good software (PMA) as of 2018 is that it doesn't have good defense from Brute Force Attacks (BFAs). There are different common ways to cope with this and I admit I dislike all of them:
- Changing the PMA path to something unintuitive and likely uncomfortable (instead of /var/www/html/phpmyadmin).
- Using a permanent IP (what if you're traveling between countries?).
- Login through a recognized VPN. What if you don't have free time to seriously learn VPN basics in some era of your life?
- Logging in with some kind of authentication certificate. What if you don't have one?
- Using mod_security for Apache users. What if you don't use Apache?
- Using a captcha. What if you log in frequently? This might be a bit annoying.
- Future PMA versions starting from V 4.8.0 are planned to include support for IPSs like Fail2ban, via authentication logging.
- Future PMA versions starting from V 4.8.0 are also planned to include 2-factor authentication.
I found myself another way which is personal and comfortable (I don't recommend any company with customers to use this way in the form I'll describe below):
SSH tunneling through port 80 to port 80 via PuTTY/OpenSSH, and using PMA securely and temporarily for 2 hours in a tmux session (it is extremely unlikely that anyone could BFA PMA with a decent varied password in just 2 hours).
Each time I want to use PMA I run this code:
#!/bin/bash
# $drt = document root (/var/www/html), defined in /etc/bash.bashrc
# Remove any previous copy (the zip and the extracted directory).
find "$drt"/ -iname '*phpmyadmin*' -prune -exec rm -rf {} \;
wget -P "$drt"/ https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.zip
# Unpack into the document root and rename the versioned directory to phpmyadmin.
find "$drt"/ -type f -iname '*phpmyadmin*.zip' -exec unzip -q {} -d "$drt"/ \;
find "$drt"/ -maxdepth 1 -type d -iname 'phpmyadmin-*' -exec mv {} "$drt"/phpmyadmin \;
# Keep PMA available for 2 hours, then delete everything again.
sleep 2h
find "$drt"/ -iname '*phpmyadmin*' -prune -exec rm -rf {} \;
tmux kill-session
I run it this way: tmux new-session -d 'bash ~/pma.sh', or with a Bash alias pma.
Note: $drt stands for document root, which is in my case /var/www/html and defined in /etc/bash.bashrc.
I'd like to know what you think of the code I've written (especially, do you see any way to shorten it)?
php security web-scraping linux ssh
edited Jan 16 at 8:21
asked Jan 14 at 7:53
Arcticooling
To make sure I'm reading this right: you're basically uninstalling and reinstalling phpmyadmin every two hours?
– Joe C
Jan 14 at 10:42
No, I use it for 2 hours each time I need (can happen once in 2-3 months or even once in 6 months).
– Arcticooling
Jan 14 at 10:46
1 Answer (accepted, score 2)
One potential security issue: what if $drt is not set before this is run? A safety check will be very useful.
As for your wider issue, rather than having to download it every time, would it not be just as effective to remove the permissions on the phpmyadmin directory? If you set it to 000, then nobody should be able to access it nor its contents.
answered Jan 14 at 11:18
Joe C
Thanks! Sorry for not mentioning, I declared $drt inside /etc/bash.bashrc (I shouldn't worry about some other user conflicting because this is a personal system I enter usually only from my own computers). Regarding permissions, you're probably right; this would save the script and will let me download it and install it just once as with apt-get install phpmyadmin. I do wonder, however, how to make sure permissions are changed the moment I finished using it and then, when I want, I change them back, so even if I pick the good method you mention, I need to automate permission handling.
– Arcticooling
Jan 14 at 11:24
Something good in redownloading and reinstalling instead of permission change is making sure I always use the most updated version.
– Arcticooling
Jan 14 at 11:50
If you consider PMA insecure I'm not sure a time window approach solves that for you. Sure, it's better, but a crawler looking for PMA could find it near the beginning of your window and have hours of brute force access. If you access via a PC I'd consider some type of SSH tunnel from your laptop to the Ubuntu server while running PMA itself on an internal/private IP address.
– Max Haaksman
Jan 17 at 13:06
Max, thanks. I mentioned I used an SSH tunnel as well as a time window in the question.
– Arcticooling
Jan 18 at 17:19
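As an added example (not the question's script and not code from Joe C's answer), the script below puts the answer's two suggestions together in place of the download-and-delete loop in the question: it refuses to run unless $drt is set and points at a real phpmyadmin tree, and it opens the already-installed directory for a time window and closes it again with mode 000 when the window ends or the script is interrupted, which is the permission automation Arcticooling asks about in the comments. $drt is the question's own variable; expose_pma, check_docroot and PMA_WINDOW are hypothetical names chosen for this example.

```shell
#!/bin/bash
# Added example (not the question's script nor Joe C's code): time-boxed phpMyAdmin
# access by toggling permissions on an already-installed phpmyadmin directory, with
# the $drt safety check the answer asks for. $drt is the question's own variable
# (document root, e.g. /var/www/html); expose_pma, check_docroot and PMA_WINDOW are
# hypothetical names chosen for this example.
set -u                       # an unset $drt aborts instead of expanding to ""

# Octal mode of a path (GNU stat on Ubuntu; BSD stat as a fallback).
current_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Safety check: $drt must be an absolute, existing directory that holds the
# phpmyadmin tree. Returns 0 when safe, 1 otherwise; no side effects.
check_docroot() {
    local root="${1:-}"
    case "$root" in
        /*) ;;
        *)  echo "drt is unset or not absolute: '$root'" >&2; return 1 ;;
    esac
    [ -d "$root/phpmyadmin" ] || { echo "no phpmyadmin under $root" >&2; return 1; }
    return 0
}

# Closed: mode 000 removes read and traverse (x) from everyone, so PHP-FPM
# cannot reach any file below the directory, whatever the files' own modes.
close_pma() { chmod 000 "$1/phpmyadmin"; }

# Open: 755 lets the web server user traverse and read again (0750 with the
# directory group set to www-data would be tighter).
open_pma() { chmod 755 "$1/phpmyadmin"; }

# Open phpmyadmin for a window ("sleep" syntax, default 2h), then close it.
# The trap closes it even when the script is interrupted (Ctrl-C, SIGTERM,
# or the tmux session being killed), so the door never stays open by accident.
expose_pma() {
    local root="$1" window="${2:-2h}"
    check_docroot "$root" || return 1
    trap "close_pma '$root'" EXIT INT TERM HUP
    open_pma "$root"
    sleep "$window"
    close_pma "$root"
    trap - EXIT INT TERM HUP
}

# Usage, e.g. inside tmux as in the question:  expose_pma "$drt" "${PMA_WINDOW:-2h}"
```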