Would you install phpmyadmin on a production web server?

Solution 1:

Would you recommend installing/using phpMyAdmin on a production web server?

No, simply.

phpMyAdmin has an infamous security history as detailed on SecurityFocus.

You don't say what platform you're using, but assuming that you have remote access, I suggest:

  • When you need to perform basic tasks such as checking status or performing a dump.

    Learn how to use a handful of basic SQL and command line utilities from memory. You'll find that it can often be quicker than using phpMyAdmin to achieve the same result, and they will prove positively invaluable in an emergency situation.

  • When you need to perform tasks that are awkward or impossible without a GUI.

    Use a local client with tunneled access (such as SSH) to the MySQL server on localhost. This way you have all the power of a good client, secure transport and restricted access. Some good clients are Navicat, HeidiSQL and SQLyog. Some of those clients will even set up the tunnels automatically for you.

Solution 2:

We install it on production machines AND expose it directly to the internet. We are a web host, though, so have little choice in the matter.

The main thing is to stay up to date on new versions and follow the security mailing list. We can upgrade our phpMyAdmin installs in one click too with our upgrade scripts.

Solution 3:

At least, change the default folder... My logs are just filled with hundreds of attempts to find a variant of the 'phpmyadmin' folder. I prefer to use something random, at least it will keep the bots away.

Also, restrict access to trusted IPs, or use a password-protected directory, and be sure not to have easily hacked users in MySQL (or create very restricted and specialized users for phpMyAdmin to use).

Solution 4:

phpMyAdmin is a MAJOR attack vector used by hackers. I have special precautions on my web servers configured specifically for that. I'm sure any web server's attack logs will show phpMyAdmin exploits as the most-tried attacks. At least mine do.

Now that doesn't mean you can't use it at all (though I wouldn't; SSH-tunnelled solutions are far superior). Just don't rely purely on its own security:

  • Don't install it on the default path.
  • Use Apache configuration to limit access to IP addresses you know are yours.
  • Use mod_security.

However, if I were you, I'd use the latest version of MySQL Workbench, with its integrated SSH tunnelling connectivity. Even then, limit port 22 access to addresses you know are yours.
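Solutions 3 and 4 both point at access logs full of bots guessing variants of the phpMyAdmin folder. Here is an added example (not from the original thread or from phpMyAdmin) that scans Apache combined-format log lines for that pattern and flags two things a defender cares about: clients probing several phpMyAdmin-looking paths, and probes that actually got a 200, meaning the install is reachable from that address. The log lines and the probe-path list are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Folder names bots commonly try when hunting for phpMyAdmin.
# Hypothetical, illustrative set; extend it from what your own logs show.
PMA_PROBE_RE = re.compile(r'(?i)/(phpmyadmin|pma|myadmin|mysqladmin|dbadmin)\b')

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /pma/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:02:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
""".splitlines()

def parse_line(line):
    """Return {ip, path, status} for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status"))}

def find_pma_scanners(lines, threshold=3):
    """Map client IP -> number of distinct phpMyAdmin-looking paths it requested,
    keeping only clients at or above `threshold`. Distinct paths (case-sensitive,
    since case variants are exactly what scanners try) separate a bot walking a
    wordlist from an admin reloading one real URL."""
    probes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and PMA_PROBE_RE.search(rec["path"]):
            probes[rec["ip"]].add(rec["path"])
    return {ip: len(paths) for ip, paths in probes.items() if len(paths) >= threshold}

def exposed_hits(lines):
    """(ip, path) pairs where a phpMyAdmin-looking path answered 200: the install
    is reachable from that client, so IP restrictions or auth are not in front of it."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 200 and PMA_PROBE_RE.search(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits

if __name__ == "__main__":
    print("scanners:", find_pma_scanners(SAMPLE_LOG))
    print("exposed:", exposed_hits(SAMPLE_LOG))
```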