Several things could be done. I will explain my ideas and how they could be implemented within Apache2.


1. Use an HTTPS connection to protect your data from sniffing

  • First enable SSL module if it is not enabled: sudo a2enmod ssl.

  • Open port 443 (HTTPS) in the firewall. You should use your custom port here.

  • Follow this manual and enable a free certificate from Let's Encrypt.

  • Check this answer and disable weak ciphers.

  • Then you can force all users to use HTTPS.
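The following is an added example, not part of the original answer: a small script that writes the Apache site tying the points above together (permanent redirect from HTTP to HTTPS, the Let's Encrypt certificate, TLS 1.2+ with a modern cipher list, and HSTS). The host name pma.example.com, the certbot paths under /etc/letsencrypt/live, the file name <host>-ssl.conf and the APACHE_ROOT variable are assumptions of the example; mod_ssl and mod_headers must be enabled first (sudo a2enmod ssl headers).

```shell
#!/bin/sh
# Added example (not part of the original answer): write an Apache site that
# redirects every plain-HTTP request to HTTPS and serves phpMyAdmin only over
# TLS 1.2+ with a modern cipher list and HSTS.
# Assumptions: Debian/Ubuntu Apache layout (sites-available, a2ensite),
# a Let's Encrypt certificate issued by certbot for the given host name,
# and that mod_ssl and mod_headers are enabled (sudo a2enmod ssl headers).

# Print the two <VirtualHost> sections for the host name given as $1.
render_tls_vhost() {
    host=$1
    cat <<EOF
<VirtualHost *:80>
    ServerName $host
    # Never serve anything in the clear: permanent redirect to HTTPS.
    Redirect permanent / https://$host/
</VirtualHost>

<VirtualHost *:443>
    ServerName $host
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/$host/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$host/privkey.pem

    # Only TLS 1.2 and 1.3; SSLv3, TLS 1.0 and TLS 1.1 are disabled.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # AEAD suites with forward secrecy only (no RC4, 3DES, CBC or RSA key exchange).
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
    SSLSessionTickets off

    # Tell browsers to use HTTPS for this host for the next two years (needs mod_headers).
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
EOF
}

# Write the site to APACHE_ROOT/sites-available/<host>-ssl.conf and print the
# commands that activate it. APACHE_ROOT defaults to /etc/apache2; point it at
# a scratch directory to preview the file without touching the live server.
install_tls_vhost() {
    host=$1
    root=${APACHE_ROOT:-/etc/apache2}
    conf="$root/sites-available/$host-ssl.conf"
    mkdir -p "$root/sites-available" || return 1
    render_tls_vhost "$host" > "$conf" || return 1
    printf 'wrote %s\n' "$conf"
    printf 'next: sudo a2ensite %s-ssl && sudo apache2ctl configtest && sudo systemctl reload apache2\n' "$host"
}

# Usage (on the server, as root): install_tls_vhost pma.example.com
```

Set APACHE_ROOT to a scratch directory to look at the generated file first; on the server run it as root, then a2ensite, apache2ctl configtest and reload. Let's Encrypt's HTTP-01 validation follows redirects, so certificate renewal keeps working with the permanent redirect in place.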


2. Change the URI of PhpMyAdmin

To change the URI, within the default configuration, you should edit /etc/phpmyadmin/apache.conf and change the first part (/phpmyadmin) of this directive:

Alias /phpmyadmin /usr/share/phpmyadmin

Restart Apache and you will be able to access PhpMyAdmin through the new URI.


3. Run PhpMyAdmin on a different port

Here is a step-by-step manual: How to run PhpMyAdmin on a different port. Don't forget to open this port in the firewall.


4. Access PhpMyAdmin only locally through an SSH tunnel

Run PhpMyAdmin on a different port. Let's assume it is port 99. Close this port in the firewall. Then establish an SSH connection with a command similar to:

ssh -fTN -L 99:localhost:99 <user>@<domain-or-ip>
  • This command will create an SSH tunnel, where the local port 99 on localhost (127.0.0.1) is forwarded (-L) to port 99 on the remote server.
  • The options -fTN will push the connection into the background.

Then PhpMyAdmin should be accessible via the web browser of your local machine at the URL http://localhost:99/. More ideas can be found here:

  • Access remote multiple servers behind NAT
  • IPTables only allow localhost access
  • Allow Ubuntu Server Access only from specific IP's
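An added example, not from the original answer: the tunnel of section 4 as a small script that uses an SSH control socket, so the background connection can be checked and closed cleanly instead of being hunted down with ps. It uses -L so that a local loopback port is forwarded to the server's phpMyAdmin port. The host db.example.com, the user admin and the local port 8099 are assumptions; 8099 is used on the local side because binding port 99 on your own machine would require root.

```shell
#!/bin/sh
# Added example (not part of the original answer): open, check and close the
# SSH tunnel from section 4 through a control socket.
# Assumptions: phpMyAdmin listens on port 99 on the server and that port is
# closed in the firewall; the local end binds an unprivileged port (8099);
# host and user names are placeholders.

PMA_HOST=${PMA_HOST:-db.example.com}   # assumed server name
PMA_USER=${PMA_USER:-admin}            # assumed SSH login
REMOTE_PORT=${REMOTE_PORT:-99}         # port from section 4
LOCAL_PORT=${LOCAL_PORT:-8099}         # unprivileged local port
SOCK=${SOCK:-$HOME/.ssh/pma-tunnel.sock}

# The ssh command line that opens the tunnel (printed, not run, so it can be
# inspected or reused in other scripts).
#   -L 127.0.0.1:LOCAL:127.0.0.1:REMOTE  local loopback port -> remote loopback port
#   -f -N -T                             background, no remote command, no tty
#   -M -S SOCK                           control master on a socket, for -O check/exit
tunnel_cmd() {
    printf 'ssh -fNT -M -S %s -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
        "$SOCK" "$LOCAL_PORT" "$REMOTE_PORT" "$PMA_USER" "$PMA_HOST"
}

# Same command, actually run. ExitOnForwardFailure makes ssh fail if the local
# port is already taken, instead of leaving a connection that forwards nothing.
tunnel_open() {
    ssh -fNT -M -S "$SOCK" -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$LOCAL_PORT:127.0.0.1:$REMOTE_PORT" "$PMA_USER@$PMA_HOST"
}

tunnel_status() {  # exit 0 while the master connection is alive
    ssh -S "$SOCK" -O check "$PMA_USER@$PMA_HOST" 2>/dev/null
}

tunnel_close() {
    ssh -S "$SOCK" -O exit "$PMA_USER@$PMA_HOST" 2>/dev/null
}

# Verify that phpMyAdmin answers through the tunnel; 200 or a redirect to the
# login page both mean the path works.
tunnel_check_http() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:$LOCAL_PORT/") || return 1
    case $code in
        200|301|302) return 0 ;;
        *) printf 'unexpected HTTP status %s\n' "$code" >&2; return 1 ;;
    esac
}

# Usage: tunnel_open && tunnel_check_http   # then browse to http://127.0.0.1:8099/
#        tunnel_close                        # when done
```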

5. Protect PhpMyAdmin's URI path via password authentication

More details can be found in Apache's manual: Authentication and Authorization. The package apache2-utils must be installed. In short, the steps are:

  • Create a folder outside of /var/www, where the password file will be kept. Then generate the password file. Let's assume the name of this new folder is /var/www-auth:

    $ sudo mkdir /var/www-auth
    $ cd /var/www-auth
    $ sudo htpasswd -c .htpasswd.phpmyadmin <user>
    New Password: *********
    Re-Type New Password: *********
    Adding Password For User <user>
    
    • .htpasswd.phpmyadmin is the name of the file in which the password will be stored.
    • <user> is the login name that will be used.
    • ********* is the password :)
    • -c means create a new file. If this option is omitted, the htpasswd command will try to add the new login name to an existing .htpasswd file.
  • Modify PhpMyAdmin's authentication type by editing /etc/phpmyadmin/apache.conf in this way (or create a .htaccess file):

    <Directory /usr/share/phpmyadmin>
    .....
        <IfModule mod_authz_core.c>
            <IfModule mod_authn_file.c>
                AuthType Basic
                AuthName "The name of the authentication form - type some user and password hints"
                AuthUserFile /var/www-auth/.htpasswd.phpmyadmin
            </IfModule>
            Require valid-user
        </IfModule>
    .....
    </Directory>
    
  • Enable the modules and restart Apache2 to apply the new configuration:

    sudo a2enmod authz_core authz_user authn_file
    sudo systemctl restart apache2.service
    
  • Now, to access PhpMyAdmin's URI, you must provide the login name <user> and its password.
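An added example, not from the original answer, that scripts the steps of section 5: it adds users to /var/www-auth/.htpasswd.phpmyadmin with bcrypt instead of htpasswd's default MD5 (apr1) hash, reads the password from stdin so it does not land in the shell history or in ps output, and installs the <Directory> block as a drop-in file under conf-available (Apache merges it with the <Directory /usr/share/phpmyadmin> section shipped in /etc/phpmyadmin/apache.conf). The file name phpmyadmin-auth.conf, the APACHE_ROOT and AUTH_DIR variables and the user names are assumptions; apache2-utils must be installed for htpasswd.

```shell
#!/bin/sh
# Added example (not part of the original answer): script the password-file
# and Apache configuration steps of section 5.
# Assumptions: Debian/Ubuntu Apache layout (conf-available, a2enconf),
# htpasswd from apache2-utils, the /var/www-auth directory from the answer,
# and the www-data service user. APACHE_ROOT and AUTH_DIR can be pointed at
# scratch directories to preview the result without root.

APACHE_ROOT=${APACHE_ROOT:-/etc/apache2}
AUTH_DIR=${AUTH_DIR:-/var/www-auth}
HTPASSWD_FILE="$AUTH_DIR/.htpasswd.phpmyadmin"

# Add or update one user. The password is read from stdin (htpasswd -i) so it
# never shows up in `ps` or the shell history; -B selects bcrypt (cost 12)
# instead of the default MD5 hash. -c (create) is only passed when the file
# does not exist yet: -c truncates an existing file and would silently drop
# every other user.
pma_add_user() {
    user=$1
    mkdir -p "$AUTH_DIR" || return 1
    if [ -f "$HTPASSWD_FILE" ]; then
        htpasswd -i -B -C 12 "$HTPASSWD_FILE" "$user"
    else
        htpasswd -i -c -B -C 12 "$HTPASSWD_FILE" "$user"
    fi || return 1
    # Apache only needs to read the file; nobody else needs to see the hashes.
    chmod 0640 "$HTPASSWD_FILE"
    if [ "$(id -u)" -eq 0 ]; then chown root:www-data "$HTPASSWD_FILE"; fi
}

# The <Directory> block from the answer as a stand-alone drop-in file.
render_pma_auth_conf() {
    cat <<EOF
<Directory /usr/share/phpmyadmin>
    AuthType Basic
    AuthName "phpMyAdmin - administrators only"
    AuthUserFile $HTPASSWD_FILE
    Require valid-user
</Directory>
EOF
}

install_pma_auth_conf() {
    conf="$APACHE_ROOT/conf-available/phpmyadmin-auth.conf"
    mkdir -p "$APACHE_ROOT/conf-available" || return 1
    render_pma_auth_conf > "$conf" || return 1
    printf 'wrote %s\n' "$conf"
    printf 'next: sudo a2enmod authn_file authz_user && sudo a2enconf phpmyadmin-auth && sudo apache2ctl configtest && sudo systemctl reload apache2\n'
}

# Usage (as root on the server):
#   printf '%s' 'long random passphrase' | pma_add_user dbadmin
#   install_pma_auth_conf
```

Re-running pma_add_user for an existing login replaces that one line only, so the file can be managed per user; the drop-in file can be removed again with a2disconf without touching the package's own configuration.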


6. Protect PhpMyAdmin's URI path via two-factor authentication (2FA):

  • Follow steps 1 and 3 from this manual to generate the .google_authenticator file, located in your $HOME directory. Step 4 describes how to generate authentication codes.

  • Create a new directory under /var/www-auth. Let's assume the name of this new folder is google_authenticator:

    sudo mkdir -p /var/www-auth/google_authenticator
    
  • Copy the file $HOME/.google_authenticator into that directory and change its permissions (it must be readable by www-data):

    sudo cp $HOME/.google_authenticator /var/www-auth/google_authenticator/user
    sudo chown www-data:www-data /var/www-auth/google_authenticator/user
    

    Please note that the file name determines the login name! The file name will be used as the username when logging in to your secure website.

  • Modify the new file by adding the line " PASSWORD=qwerty, where qwerty is the new login password:

    E3CY3TNSNBXXXXXX
    " RESETTING_TIME_SKEW ...
    " RATE_LIMIT 3 30 ...
    " WINDOW_SIZE 17
    " DISALLOW_REUSE 48885555 ...
    " TOTP_AUTH
    " PASSWORD=qwerty
    4567...
    
  • Install mod_authn_google for Apache2. Unfortunately, this module is unavailable in Ubuntu's repository, but we can get it from this repository. The steps are: (1) go to your Downloads directory, (2) download the package dba-apa24-mod_authn_google-r22... .rpm, (3) extract mod_authn_google.so, (4) place the file in /usr/lib/apache2/modules/, (5) grant appropriate permissions, (6) create the module load file:

    cd $HOME/Downloads
    wget http://download.opensuse.org/repositories/home:/csbuild:/DBA/RedHat_RHEL-7/x86_64/dba-apa24-mod_authn_google-r22-1.1.x86_64.rpm
    
    # the rpm2cpio and cpio packages must be installed for the next step
    rpm2cpio dba-apa24-mod_authn_google-r22-1.1.x86_64.rpm | cpio -iv --to-stdout ./DBA/apache24/WWW/2.4.x/modules/mod_authn_google-r22.so > mod_authn_google.so
    
    sudo mv mod_authn_google.so /usr/lib/apache2/modules/
    sudo chown root:root /usr/lib/apache2/modules/mod_authn_google.so
    sudo chmod g-w /usr/lib/apache2/modules/mod_authn_google.so
    
    echo "LoadModule authn_google_module /usr/lib/apache2/modules/mod_authn_google.so" | sudo tee /etc/apache2/mods-available/authn_google.load
    
    sudo a2enmod authn_google
    
  • Modify PhpMyAdmin's authentication type by editing /etc/phpmyadmin/apache.conf in this way (or create a .htaccess file):

    <Directory /usr/share/phpmyadmin>
    .....
        <IfModule mod_authz_core.c>
            <IfModule mod_authn_google.c>
                AuthType Basic
                AuthName "The name of the authentication form - type some user and password hints"
                AuthBasicProvider "google_authenticator"
                GoogleAuthUserPath /var/www-auth/google_authenticator
                GoogleAuthCookieLife 3600
                GoogleAuthEntryWindow 2
            </IfModule>
            Require valid-user
        </IfModule>
    .....
    </Directory>
    
  • Enable the modules and restart Apache2 to apply the new configuration:

    sudo a2enmod authz_core authz_user authn_google
    sudo systemctl restart apache2.service
    
  • Now, to access PhpMyAdmin's URI, you must provide the login name user, its password and the 6-digit token code.

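An added example, not from the original answer, for the file handling in section 6: it copies a user's .google_authenticator file into /var/www-auth/google_authenticator under the login name, inserts or replaces the " PASSWORD= line after the option lines (so it sits before the scratch codes, as in the listing above), and makes the file readable by its owner only, since it holds both the TOTP secret and the password in clear text. The GA_DIR variable, the sample secret and the login alice are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original answer): install a user's
# .google_authenticator file for mod_authn_google, set the `" PASSWORD=`
# option line from section 6, and lock the file down.
# Assumptions: the file layout shown in the answer (base32 secret on line 1,
# option lines starting with `" `, then the emergency scratch codes) and the
# www-data service user.

GA_DIR=${GA_DIR:-/var/www-auth/google_authenticator}

# Sanity check before copying: line 1 must be a base32 secret.
ga_check_source() {
    head -n 1 "$1" | grep -Eq '^[A-Z2-7]{16,}$'
}

# Insert or replace the `" PASSWORD=...` line in file $1 with password $2.
# Any existing PASSWORD line is dropped first; the new one goes after the
# last option line, so it sits before the scratch codes as in the answer.
ga_set_password() {
    file=$1
    scratch=$(mktemp) || return 1
    grep -v '^" PASSWORD=' "$file" > "$scratch"
    last=$(grep -n '^"' "$scratch" | tail -n 1 | cut -d: -f1)
    [ -n "$last" ] || last=1          # no option lines: put it right after the secret
    # The password goes through the environment rather than awk -v, so
    # backslashes and other special characters in it are not interpreted.
    GA_PW=$2 awk -v n="$last" \
        'NR == n { print; print "\" PASSWORD=" ENVIRON["GA_PW"]; next } { print }' \
        "$scratch" > "$file"
    rm -f "$scratch"
}

# ga_install_user SRC_FILE LOGIN PASSWORD
# The destination file name is the login name mod_authn_google will accept.
ga_install_user() {
    src=$1 login=$2 pass=$3
    ga_check_source "$src" || { printf 'not a google-authenticator file: %s\n' "$src" >&2; return 1; }
    mkdir -p "$GA_DIR" || return 1
    dest="$GA_DIR/$login"
    cp "$src" "$dest" || return 1
    ga_set_password "$dest" "$pass" || return 1
    # Secret and password are in clear text: owner-only access.
    chmod 0600 "$dest"
    # Only root can hand the file over to the web server user.
    if [ "$(id -u)" -eq 0 ]; then chown www-data:www-data "$dest"; fi
    printf 'installed %s\n' "$dest"
}

# Usage (as root): ga_install_user /home/alice/.google_authenticator alice 'long passphrase'
```

Running ga_install_user again for the same login rotates the password without duplicating the line, and a file that does not start with a base32 secret is rejected instead of being installed.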

7. Use ModSecurity for Apache

With ModSecurity you can add more flexible restrictions to PhpMyAdmin's URI. In this answer, under the section "ModSecurity Rules > SAS > Iptables", I've briefly described how we can create custom rules for ModSecurity.