BFA protected phpmyadmin

I use an Ubuntu 16.04 Nginx server environment with phpmyadmin (PMA). All my ports are closed besides 22, 25, 80, 443 and 9000 (for PHP-FPM).



A common criticism of PMA (good software as it is), as of 2018, is that it doesn't have a good defense against brute-force attacks (BFAs). There are different common ways to cope with this, and I admit I dislike all of them:



  1. Changing the PMA path to something unintuitive and likely uncomfortable (instead of /var/www/html/phpmyadmin).

  2. Using a permanent IP (what if you're traveling between countries?).

  3. Logging in through a recognized VPN. What if you don't have free time to seriously learn VPN basics in some era of your life?

  4. Logging in with some kind of authentication certificate. What if you don't have one?

  5. Using mod_security for Apache users. What if you don't use Apache?

  6. Using a captcha. What if you log in frequently? This might be a bit annoying.

  7. Future PMA versions, starting from 4.8.0, are planned to include support for IPSs like Fail2ban, via authentication logging.

  8. Future PMA versions, starting from 4.8.0, are also planned to include two-factor authentication.

I found another way, which is personal and comfortable (I don't recommend that any company with customers use this approach in the form I'll describe below):



SSH tunneling through port 80 to port 80 via PuTTY/OpenSSH, and using PMA securely and temporarily for 2 hours in a tmux session (it is extremely unlikely that anyone could BFA PMA with a decent, varied password in just 2 hours).



Each time I want to use PMA I run this code:



#!/bin/bash

# Remove any previous copy (and any leftover zip) from the document root.
find "$drt/" -iname '*phpmyadmin*' -exec rm -rf {} +
# Fetch the current release and unpack it into the document root (not the cwd).
wget -P "$drt/" https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.zip
find "$drt/" -type f -iname '*phpmyadmin*.zip' -exec unzip -q -d "$drt/" {} \;
# The zip unpacks to phpMyAdmin-<version>-all-languages; rename it to the expected path.
find "$drt/" -maxdepth 1 -type d -iname 'phpmyadmin-*' -exec mv {} "$drt/phpmyadmin" \;

sleep 2h

# The window is over: remove PMA again and end the tmux session this runs in.
find "$drt/" -iname '*phpmyadmin*' -exec rm -rf {} +
tmux kill-session


I run it this way: tmux new-session -d 'bash ~/pma.sh', or with a Bash alias, pma.



Note: $drt stands for document root, which in my case is /var/www/html and is defined in /etc/bash.bashrc.



I'd like to know what you think of the code I've written (especially, do you see any way to shorten it?).







asked Jan 14 at 7:53, edited Jan 16 at 8:21
Arcticooling

  • To make sure I'm reading this right: you're basically uninstalling and reinstalling phpmyadmin every two hours?
    – Joe C
    Jan 14 at 10:42

  • No, I use it for 2 hours each time I need (can happen once in 2-3 months or even once in 6 months).
    – Arcticooling
    Jan 14 at 10:46
1 Answer
One potential security issue: what if $drt is not set before this is run? A safety check will be very useful.



As for your wider issue, rather than having to download it every time, would it not be just as effective to remove the permissions on the phpmyadmin directory? If you set it to 000, then nobody should be able to access it or its contents.






answered Jan 14 at 11:18
Joe C
  • Thanks! Sorry for not mentioning, I declared $drt inside /etc/bash.bashrc (I shouldn't worry about some other user conflicting because this is a personal system I enter usually only from my own computers). Regarding permissions, you're probably right; this would save the script and let me download and install it just once, as with apt-get install phpmyadmin. I do wonder, however, how to make sure permissions are changed the moment I finish using it and then, when I want, change them back, so even if I pick the good method you mention, I need to automate permission handling.
    – Arcticooling
    Jan 14 at 11:24

  • Something good in redownloading and reinstalling instead of a permission change is making sure I always use the most updated version.
    – Arcticooling
    Jan 14 at 11:50

  • If you consider PMA insecure I'm not sure a time window approach solves that for you. Sure, it's better, but a crawler looking for PMA could find it near the beginning of your window and have hours of brute force access. If you access via a PC I'd consider some type of SSH tunnel from your laptop to the Ubuntu server while running PMA itself on an internal/private IP address.
    – Max Haaksman
    Jan 17 at 13:06

  • Max, thanks. I mentioned I used an SSH tunnel as well as a time window in the question.
    – Arcticooling
    Jan 18 at 17:19
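The following script combines the threads above into one working piece: the time-windowed exposure from the question, the accepted answer's two suggestions (a check that $drt is actually set, and toggling the directory's mode instead of re-downloading PMA every time), the follow-up comment's wish to automate the permission change, and Max Haaksman's point that the tunnel only helps if PMA is not also reachable from the public interface. It is an added example, not the poster's pma.sh and not anything shipped by the phpMyAdmin project. It assumes phpMyAdmin has already been unpacked once at $drt/phpmyadmin, that PHP-FPM runs as an unprivileged user (www-data on Ubuntu, so mode 000 really stops it; root ignores mode bits), that nginx is the Ubuntu package with its stock snippets/fastcgi-php.conf, and that the helper names (require_docroot, pma_lock, pma_unlock, pma_window, write_loopback_location) and the snippet path are hypothetical.

```shell
#!/bin/bash
# pma-window.sh: keep phpMyAdmin installed but unreadable, open it for a bounded
# window, and guarantee it is locked again when the window ends or the script dies.
#
# Added example, not the original poster's pma.sh. Assumptions:
#   - phpMyAdmin is already unpacked at "$drt/phpmyadmin" (install once, as the
#     accepted answer suggests, instead of re-downloading it every time)
#   - PHP-FPM runs as an unprivileged user (www-data on Ubuntu), so mode 000 really
#     stops it; root is not subject to mode bits
#   - GNU sleep (accepts "2h"); everything else is POSIX sh
set -eu

PMA_DIR_NAME=phpmyadmin
PMA_WINDOW="${PMA_WINDOW:-2h}"

# The accepted answer's "safety check": with $drt empty, the original
# 'find $drt/ -iname "*phpmyadmin*" -exec rm -rf' walks "/" instead of the docroot.
require_docroot() {
    [ -n "${drt:-}" ] && [ -d "$drt" ] && [ "$drt" != "/" ]
}

# Permission bits of the PMA directory as "rwxr-xr-x" style text (portable: no GNU stat).
pma_mode() {
    ls -ld "$drt/$PMA_DIR_NAME" | cut -c2-10
}

# Lock: nobody except root can read, list or traverse the directory, so nginx/PHP-FPM
# answer 403/404 for everything under /phpmyadmin/ and there is no login form to brute-force.
pma_lock() {
    chmod 000 "$drt/$PMA_DIR_NAME"
}

# Unlock: owner rwx, group and others r-x, which is what the web server needs.
pma_unlock() {
    chmod 755 "$drt/$PMA_DIR_NAME"
}

pma_is_locked() {
    [ "$(pma_mode)" = "---------" ]
}

# nginx location that answers only for connections from the server itself, i.e. the
# far end of an SSH tunnel ("ssh -L 8080:127.0.0.1:80 user@server", then browse
# http://127.0.0.1:8080/phpmyadmin/). A public client gets 403 even while unlocked.
# $1 is where to write it (hypothetical: /etc/nginx/snippets/pma-loopback.conf, then
# "include snippets/pma-loopback.conf;" inside the server block and reload nginx).
write_loopback_location() {
    cat > "$1" <<'EOF'
# phpMyAdmin: loopback clients only (reach it through an SSH tunnel).
location ^~ /phpmyadmin/ {
    allow 127.0.0.1;
    allow ::1;
    deny all;
    index index.php;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;   # Ubuntu's stock nginx snippet (assumed present)
        fastcgi_pass 127.0.0.1:9000;         # the PHP-FPM port from the question
    }
}
EOF
}

# Open the window. The trap re-locks on normal exit, Ctrl-C, kill or a closed tmux
# session (HUP); only SIGKILL bypasses it. This replaces the bare "sleep 2h".
pma_window() {
    require_docroot || { echo "drt is unset or not a directory: '${drt:-}'" >&2; return 1; }
    trap 'pma_lock; echo "phpMyAdmin locked again"' EXIT INT TERM HUP
    pma_unlock
    echo "phpMyAdmin open for $PMA_WINDOW at $drt/$PMA_DIR_NAME"
    sleep "$PMA_WINDOW"
}

# Run the window only when asked for explicitly ("bash pma-window.sh open"), so the
# functions can be sourced or tested without sleeping for two hours.
case "${1:-}" in
    open) pma_window ;;
esac
```

Usage is the same as before: tmux new-session -d 'bash ~/pma-window.sh open', then from the laptop ssh -L 8080:127.0.0.1:80 user@server and browse http://127.0.0.1:8080/phpmyadmin/. The mode toggle is cheaper than the download-and-delete cycle and survives a killed script thanks to the trap, but it gives up the side benefit the poster noted: an install-once copy does not update itself, so the upgrade has to be done separately. The nginx allow/deny is what actually keeps the window private; a bare tunnel to a server listening on 0.0.0.0:80 leaves the login form open to a crawler for the whole two hours.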















