Securing phpmyadmin: non-standard port + https

phpMyAdmin is one of those packages that has kept me in business as an incident/forensic examiner. It has a terrible history of arbitrary code execution and authentication bypass. My general security recommendation is to uninstall it and use something like Workbench or learn how to manage mysqld directly.

If you do use it, then the steps you've taken are good ones. You definitely need to only present it over SSL, which will be configured on the underlying webserver. You also need to restrict access. With Apache httpd this will be done via htaccess. Close it off as tightly as you can. Your efforts will be rewarded.


Simply put, all you need to do is configure the virtual host for SSL in the normal way:

SSLEngine on
SSLCertificateFile /path/to/crt
SSLCertificateKeyFile /path/to/key

The fact that the virtual host is configured to listen on a different port does not affect the way SSL works, but you do need to tell your browser that it is running on a different port, e.g.:

https://www.example.com:3130/phpmyadmin

Update: Fixed typos.


If you must use phpMyAdmin (which you shouldn't if you really care about security, as covered by @ScottPack), you should consider restricting access to a private subnet and connecting via a VPN tunnel to access it. I would never deploy phpMyAdmin on the public Internet if I were forced to.
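Putting the three answers together (TLS on a non-standard port from the second answer, "close it off as tightly as you can" from ScottPack's answer, and the VPN-only subnet from the last answer), here is an added example of a complete Apache httpd 2.4 virtual host. It is not code from any of the answers above. The port 3130, hostname www.example.com, install path /usr/share/phpmyadmin, VPN subnet 10.8.0.0/24 and htpasswd file /etc/httpd/pma.htpasswd are assumed values; the certificate paths are placeholders as in the answer above.

```apache
# Added example (not from the answers above): httpd 2.4 vhost that serves
# phpMyAdmin only over TLS on a non-standard port, and only to clients that
# come from the VPN subnet AND present HTTP basic-auth credentials.
# Assumed values: port 3130, www.example.com, /usr/share/phpmyadmin,
# VPN subnet 10.8.0.0/24, htpasswd file /etc/httpd/pma.htpasswd.
# Needs mod_ssl, mod_alias, mod_authz_core, mod_auth_basic and mod_headers.

# The "https" protocol argument is httpd 2.4 syntax; on 2.2 use "Listen 3130".
Listen 3130 https

<VirtualHost *:3130>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/crt
    SSLCertificateKeyFile /path/to/key
    # Modern TLS only; the legacy protocols buy nothing on an admin tool.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # Tell browsers never to fall back to plain HTTP for this hostname.
    Header always set Strict-Transport-Security "max-age=31536000"

    # phpMyAdmin is aliased ONLY in this vhost; leave it out of the
    # port 80 / 443 vhosts so it is never reachable without these controls.
    Alias /phpmyadmin /usr/share/phpmyadmin

    <Directory /usr/share/phpmyadmin>
        DirectoryIndex index.php
        # Keep the access policy in the vhost, not in an .htaccess file
        # that a compromised web user could rewrite; .htaccess is ignored.
        AllowOverride None

        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/httpd/pma.htpasswd

        # Both conditions must hold: source address inside the VPN subnet,
        # and a valid basic-auth login in front of phpMyAdmin's own form.
        <RequireAll>
            Require ip 10.8.0.0/24
            Require valid-user
        </RequireAll>
    </Directory>
</VirtualHost>
```

Check the syntax with `apachectl configtest` before reloading, then verify the controls from outside the VPN: `openssl s_client -connect www.example.com:3130` should complete a TLS handshake, and a request to `https://www.example.com:3130/phpmyadmin/` from a non-VPN address should return 403 rather than the login page. Also confirm that `http://www.example.com/phpmyadmin/` on the ordinary vhost returns 404, which is what proves the alias exists only behind the restricted port.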