phpMyAdmin installation

DanielM
Posts: 637
Joined: 28 Mar 2008, 06:37
Location: Sweden

Re: phpMyAdmin installation

Post by DanielM » 15 Feb 2013, 13:39

While there's a discussion about phpmyadmin and security here anyway, I could add another thing. I've been looking at my apache logs and 90% of all 404 errors are people trying to reach my server with URLs ending with different variants of "phpmyadmin", so this is obviously something hackers know to be a good thing to try out when they want to break some home users' security. In my case, I've never had phpmyadmin installed (I'm quite fond of hand writing mysql commands instead), so I don't see it as a big problem, but it might be good to know...

/Daniel

RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: phpMyAdmin installation

Post by RandomUsername » 15 Feb 2013, 13:50

I see that too - and vtigercrm as well for some reason. I've set up fail2ban to immediately drop all traffic from those addresses trying to access those URLs.

nobody
Posts: 226
Joined: 10 Mar 2012, 14:46

Re: phpMyAdmin installation

Post by nobody » 15 Feb 2013, 17:07

Yeah, they do that everywhere, and then run a silly dictionary attack on it if they hit an existing file. If you have bandwidth to spare and a slowish connection you can also create a phpmyadmin/index.html file of a few MB to slow them down.

GodfatherB
Posts: 55
Joined: 03 Jan 2012, 18:17

Re: phpMyAdmin installation

Post by GodfatherB » 16 Feb 2013, 13:46

nobody wrote:
Sorry but do you realize the manner in which you just set up your system?

Wouldn't you say it's kinda ridiculous to allow a single PHP script to eat 1G of memory for a post on a machine that has 1G memory tops? Just the upload to 1G will take so long the script will time out, and if it does not, you just opened up your system for an easy DoS attack. If you are planning to upload 1GB files, the web interface is maybe not the best way to do so.

ISPs generally set max_mem_limit and max_post-limit to 64MB. I only hear inexperienced web devs complain about this setting. For cloud services I can imagine you increase this to maybe 128M, but for a B3 anything over 128M is not making the system more stable.

Thank you for this input... I am not an expert in these matters, hell I am learning a lot as I go. What you mentioned makes sense and I will lower the values as you proposed. Does this apply only for uploading or downloading as well? I mean if a large file is once uploaded (through other means than web interface), do these two variables also have any effect on downloading the large files?

What is the relation between post_max_size and upload_file_size? I read somewhere that post_max_size should be a bit bigger... Why?

Also, what is then the appropriate way to upload larger files? WebDAV client?

RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: phpMyAdmin installation

Post by RandomUsername » 16 Feb 2013, 14:02

Also, what is then the appropriate way to upload larger files? WebDAV client?

FTP (or a secure variant), ssh, rsync. There's probably some others I've missed.

Gordon
Posts: 1395
Joined: 10 Aug 2011, 03:18

Re: phpMyAdmin installation

Post by Gordon » 16 Feb 2013, 17:07

nobody wrote:
True except the conf file includes an "allow from 127.0.0.1 / deny all" that limits exploitation. But it's not the most secure of setups, especially when noobs remove the allow line instead of modifying it to allow only the subnet

I think that you're referring to the MySQL conf file. The problem with phpMyAdmin however is that this *is* acting as a client with origin 127.0.0.1, except that it extends this single IP limit to anyone who can access the phpMyAdmin pages.

Funny thing though: what is actually considered to be the biggest security issue with MySQL, an empty root password, is now the biggest obstacle for the hacker trying to gain access. Let's name that a little sunshine in internet hell.

nobody
Posts: 226
Joined: 10 Mar 2012, 14:46

Re: phpMyAdmin installation

Post by nobody » 17 Feb 2013, 14:02

I think I'm not referring to the mysql conf file but to the apache config file that comes with standard distributions of phpmyadmin and is generally added to /etc/httpd/conf.d/. In that apache config file there should be a "deny from all" line. To this line I was referring.

Gordon
Posts: 1395
Joined: 10 Aug 2011, 03:18

Re: phpMyAdmin installation

Post by Gordon » 17 Feb 2013, 15:24

nobody wrote:
I think I'm not referring to the mysql conf file but to the apache config file that comes with standard distributions of phpmyadmin and is generally added to /etc/httpd/conf.d/. In that apache config file there should be a "deny from all" line. To this line I was referring.

Apparently not the case with Debian Squeeze, because then TS wouldn't have been able to access the (non functional) logon screen to start with.

nobody
Posts: 226
Joined: 10 Mar 2012, 14:46

Re: phpMyAdmin installation

Post by nobody » 17 Feb 2013, 17:01

Good point

GodfatherB
Posts: 55
Joined: 03 Jan 2012, 18:17

Re: phpMyAdmin installation

Post by GodfatherB » 18 Feb 2013, 14:06

RandomUsername wrote:
Also, what is then the appropriate way to upload larger files? WebDAV client?

FTP (or a secure variant), ssh, rsync. There's probably some others I've missed.

Is WebDAV good as well?

nobody
Posts: 226
Joined: 10 Mar 2012, 14:46

Re: phpMyAdmin installation

Post by nobody » 18 Feb 2013, 14:54

It's a little quirky to set up securely, but is certainly possible. There's a pretty good mobile version of WinSCP that's much more flexible than WebDAV can be though. My advice would be to check that out first.

toukie
Posts: 115
Joined: 13 Jan 2012, 12:22

Re: phpMyAdmin installation

Post by toukie » 23 Feb 2013, 11:02

"I've set up fail2ban to immediately drop all traffic from those addresses trying to access those URLs."

What does the script look like that does the job?

RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: phpMyAdmin installation

Post by RandomUsername » 23 Feb 2013, 12:56

toukie wrote:
"I've set up fail2ban to immediately drop all traffic from those addresses trying to access those URLs."

What does the script look like that does the job?

How much do you want? A complete step by step on how to set up fail2ban or just the specific part that drops those invalid URLs?

toukie
Posts: 115
Joined: 13 Jan 2012, 12:22

Re: phpMyAdmin installation

Post by toukie » 23 Feb 2013, 15:37

I have fail2ban up and running but the scripts I found for this purpose didn't work for me.
I have 2 WordPress sites on B3 and I don't use phpMyAdmin at all. I would still like to get rid of the bots trying to find phpMyAdmin. I would need the .conf file to put into /etc/fail2ban/filter.d and an idea about what to write into jail.local.

I used these:

in filter.d:

# fail2ban only reads failregex/ignoreregex from the [Definition] section of a filter file
[Definition]

failregex = (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-$

ignoreregex = favicon\.ico

in jail.local:

[apache-404]

enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache2/access.log
bantime = -1
maxretry = 1

nobody
Posts: 226
Joined: 10 Mar 2012, 14:46

Re: phpMyAdmin installation

Post by nobody » 23 Feb 2013, 16:13

So you permaban anyone that requests a single nonexistent page? I hope you'll never make a typo in a hyperlink.
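As an added example (not code from the thread), the following Python script runs two fail2ban-style failregex patterns over constructed Apache access-log lines: an any-404 pattern of my own in the spirit of toukie's filter, and a narrower one that only counts 404s on the probe paths the thread mentions (phpmyadmin variants, vtigercrm). It shows nobody's point in practice: the broad filter bans the visitor who followed a mistyped link, the narrow one bans only the scanner. The addresses, log lines and path list are constructed.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with an address pattern before compiling
# a failregex; this spelled-out form is what toukie's filter writes by hand.
HOST = r"(?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

# Any-404 pattern of my own, in the spirit of the thread's filter: every
# request that got a 404 counts, so a typo'd link is treated like a scan.
ANY_404 = re.compile(HOST + r" .+ 404 [0-9]+")

# Narrower alternative: 404s for the probe paths named in the thread only.
# The path alternation is constructed for this example.
PROBE_404 = re.compile(
    HOST + r' \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) /(?:phpmyadmin|vtigercrm)'
    r'[^" ]* HTTP/[0-9.]+" 404 ',
    re.IGNORECASE,
)

IGNORE = re.compile(r"favicon\.ico")  # the thread's ignoreregex

# Constructed Apache combined-log lines (documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Feb/2013:11:02:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "curl/7.0"',
    '203.0.113.7 - - [23/Feb/2013:11:02:02 +0100] "GET /phpMyAdmin-2.11.0/index.php HTTP/1.1" 404 512 "-" "curl/7.0"',
    '203.0.113.7 - - [23/Feb/2013:11:02:03 +0100] "GET /vtigercrm/ HTTP/1.1" 404 512 "-" "curl/7.0"',
    '198.51.100.9 - - [23/Feb/2013:11:05:00 +0100] "GET /blog/2013/02/typo-in-link HTTP/1.1" 404 498 "http://example.org/" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Feb/2013:11:05:01 +0100] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [23/Feb/2013:11:06:00 +0100] "GET /wp-login.php HTTP/1.1" 200 1290 "-" "Mozilla/5.0"',
]


def hits(failregex, lines, ignoreregex=IGNORE):
    """Count matching lines per host, the way a fail2ban filter counts
    failures; lines matching ignoreregex are skipped first."""
    counts = Counter()
    for line in lines:
        if ignoreregex.search(line):
            continue
        m = failregex.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def banned_hosts(failregex, lines, maxretry=1):
    """Hosts a jail with this maxretry would ban (findtime not modelled)."""
    return {h for h, n in hits(failregex, lines).items() if n >= maxretry}


if __name__ == "__main__":
    print("any-404 filter bans:", sorted(banned_hosts(ANY_404, SAMPLE_LOG)))
    print("probe-path filter bans:", sorted(banned_hosts(PROBE_404, SAMPLE_LOG)))
```

Raising maxretry above 1 in jail.local is the other half of the fix: a scanner walks many paths in seconds, a human with a bad link does not.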
