How to secure PhpMyAdmin on your local network

If you're developing web applications on a *AMP stack then you may well have PhpMyAdmin installed, even if you're not using it to manage your databases. Unlike your deployed websites, your local ones are not advertising their existence, but they may still contain sensitive data. When did you last take an SQL dump from a production website to debug on your development machine?

How secure is your local MySQL server?

Let's test how accessible that data is. First, get the IP address of your computer on the local network. I'm on Linux, so I did that by running the ifconfig program. Armed with that IP address, you can then try using it from another computer, but you don't have to.

I tried connecting to the local MySQL server as the root user through the command line:

$ mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor...

Yep, that worked. Then I tried it through the "loopback" interface:

$ mysql -h127.0.0.1 -uroot -p
Enter password: 
Welcome to the MySQL monitor...

Yep, that worked too. Finally I tried it through my computer's IP address on the local network (192.168.0.1 in this example):

$ mysql -h192.168.0.1 -uroot -p
Enter password: 
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.0.1' (111)

Nope. It looks like MySQL is secured against remote login on my computer. Good.
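The three login attempts above tell you the answer for one port on one machine. The script below is an added example, not part of the original post: instead of logging in from each address by hand, it reads the kernel's table of listening TCP sockets (the output of `ss -ltnH` on Linux with iproute2, or `netstat -ltn` with its header stripped) and reports whether the MySQL port is bound to loopback only, to a wildcard or LAN address, or not at all. The "connection refused" error in the post is exactly what a loopback-only binding produces. The listing embedded in the script is constructed so that it runs without a MySQL server present.

```shell
#!/bin/sh
# Added example, not from the original post: classify which addresses the
# MySQL port is listening on, from an `ss -ltnH`-style listing on stdin.
#
# Usage: mysql_bind_scope [PORT] < listing
# Prints one of:
#   none      nothing is listening on PORT
#   loopback  only 127.0.0.1 / ::1 (unreachable from other hosts)
#   all       a wildcard (0.0.0.0, *, [::]) or a specific LAN address
mysql_bind_scope() {
    port="${1:-3306}"
    scope="none"
    # ss columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port ...
    while read -r _state _recvq _sendq laddr _peer _rest; do
        case "$laddr" in
            *":$port") ;;          # a socket on the port we care about
            *) continue ;;         # some other service, ignore it
        esac
        addr="${laddr%:*}"         # strip the trailing ":PORT"
        case "$addr" in
            127.0.0.1|"[::1]")
                # loopback only counts if nothing wider has been seen yet
                if [ "$scope" = "none" ]; then scope="loopback"; fi ;;
            *)
                # 0.0.0.0, *, [::] or e.g. 192.168.0.1: reachable over the LAN
                scope="all" ;;
        esac
    done
    echo "$scope"
}

# Live check on a Linux machine with iproute2 installed:
#   ss -ltnH | mysql_bind_scope 3306

# Constructed sample listing: MySQL bound to loopback, sshd on all interfaces,
# a web server on the IPv4/IPv6 wildcard.
SAMPLE_LISTING='LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*'

# Run the classifier over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | mysql_bind_scope 3306
}

demo
```

If the result is `all`, the setting to look at is `bind-address` in the MySQL server configuration (under `/etc/mysql/` on Ubuntu); `bind-address = 127.0.0.1` is what gives the loopback-only binding the post observed.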

How secure is your local PhpMyAdmin?

Unlike database servers, web servers are generally intended to be visible to the world. That means that remote login to your MySQL server, through PhpMyAdmin, may still be possible. You are probably used to pointing your web browser at:

localhost/phpmyadmin

Or, if you're more of a numbers person:

127.0.0.1/phpmyadmin

But try again using your IP address on the local network and you'll probably get exactly the same result:

192.168.0.1/phpmyadmin

I'm on a large network shared with other business units, so I wasn't keen on this behaviour. I might occasionally use my laptop on a public network, and I definitely wouldn't want my database management login screen to be accessible then.

I very quickly found a solution on the Ubuntu forums and modified the Apache configuration for PhpMyAdmin. On my Ubuntu-based computer, that's:

/etc/apache2/conf.d/phpmyadmin.conf

Here I added the three access-control lines (Order, Deny and Allow):

    <Directory /usr/share/phpmyadmin>
        # Apache 2.2 syntax: deny everyone, then allow loopback only
        Order Deny,Allow
        Deny from All
        Allow from 127.0.0.1
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
    </Directory>

After reloading my Apache configuration, navigating to 192.168.0.1/phpmyadmin gives me a very satisfying 403 error.

--

Edit: I recently upgraded to Apache 2.4, which meant that I needed to change the config file. It now looks like this:

    <Directory /usr/share/phpmyadmin>
        # Apache 2.4 syntax: only the IPv4 loopback address may connect
        Require ip 127.0.0.1
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
    </Directory>
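Because the same restriction is written two different ways on Apache 2.2 and 2.4, it is easy to end up with a file that looks right but no longer restricts anything after an upgrade. The script below is an added example, not from the original post: it extracts the `<Directory /usr/share/phpmyadmin>` block from a configuration file, accepts either the 2.2 `Order`/`Deny`/`Allow` trio or a 2.4 `Require` line that limits access to loopback, and reports "NOT restricted" otherwise. The `pma_status` helper assumes `curl` is installed and reproduces the post's browser test (200 on 127.0.0.1, 403 on the LAN address) from the command line. The file path and the test configurations are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Apache config file
# for a loopback-only phpMyAdmin <Directory> block (2.2 or 2.4 syntax).

# Print the lines between "<Directory DIR>" and "</Directory>" in FILE.
directory_block() {
    file="$1"; dir="$2"
    awk -v dir="$dir" '
        $1 == "<Directory" && $2 == (dir ">") { inblock = 1; next }
        inblock && $1 == "</Directory>"      { inblock = 0 }
        inblock                               { print }
    ' "$file"
}

# pma_access_restricted FILE [DIR]
# Returns 0 (and says which syntax matched) when the block allows loopback
# only; returns 1 when the block is missing or open to other addresses.
pma_access_restricted() {
    block=$(directory_block "$1" "${2:-/usr/share/phpmyadmin}")

    # Apache 2.4: "Require ip 127.0.0.1" (IPv4 loopback only) or
    # "Require local" (127.0.0.0/8, ::1 and Unix-socket connections).
    if printf '%s\n' "$block" \
        | grep -Eq '^[[:space:]]*Require[[:space:]]+(ip[[:space:]]+127\.0\.0\.1|local)[[:space:]]*$'; then
        echo "restricted (Apache 2.4 Require)"
        return 0
    fi

    # Apache 2.2: deny everyone, then allow loopback.
    if printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all' \
       && printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*Allow[[:space:]]+from[[:space:]]+127\.0\.0\.1'; then
        echo "restricted (Apache 2.2 Order/Deny/Allow)"
        return 0
    fi

    echo "NOT restricted"
    return 1
}

# HTTP status code for URL, e.g. pma_status http://192.168.0.1/phpmyadmin/
# Expect 200 via 127.0.0.1 and 403 via the LAN address once the block works.
pma_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Walk-through on a constructed file (the real one on Ubuntu is
# /etc/apache2/conf.d/phpmyadmin.conf, or conf-available/ on 2.4).
demo() {
    tmp=$(mktemp)
    printf '%s\n' '<Directory /usr/share/phpmyadmin>' \
                  '    Require ip 127.0.0.1' \
                  '    Options Indexes FollowSymLinks' \
                  '</Directory>' > "$tmp"
    pma_access_restricted "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo
```

Run `apachectl configtest` (or `apache2ctl -t`) before reloading. One caveat worth knowing for the 2.4 line: `Require ip 127.0.0.1` admits only the IPv4 loopback address, so a browser that resolves `localhost` to `::1` will also get the 403; `Require local` covers both loopback families.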

Justin Hellings

"Justin? Hell of a guy! We would have kept him but you know how it is. Genius like that is always restless ... Eh? ... Oh, him ... No, I thought you meant someone else."



comments powered by Disqus