What is the right method to install phpMyAdmin on my CentOS 6.2?
Dear All,
Currently I get the latest phpMyAdmin, unzip it, load it into my www folder and just run it. Recently there was an attack via phpMyAdmin. So what is the correct method I should use to install it, to avoid this type of vulnerable attack on my server in future? My OS is CentOS and the attack was due to this phpMyAdmin vulnerability, CVE-2011-2505 (http://www.cve.mitre.org/cgi-bin/cve...=CVE-2011-2505)
Hi,
Apart from always using the latest version, you can obscure the phpMyAdmin URL by using something known only to you. So rename the phpMyAdmin-x.y.z directory to "cannot-be-found", for example. You can then use http://hostname/cannot-be-found to do your job, while bots scanning for vulnerable installations cannot find it. Of course you can deploy mod_security and/or fail2ban and maybe other security measures to reduce risks even more.
Regards
Dear Bathory,
I have another idea: keep the whole cannot-be-found folder in another location and only copy it into /var/www/html when I need to use it, then delete it? OK, next I am trying the .htaccess method. First I created the .htaccess and typed this in it:
Quote:
sudo htpasswd -c .htpasswd iamadmin
...and I could see both the .htaccess and .htpasswd files are in the folder. Another thing done is the httpd.conf.
Quote:
Code:
<Directory /var/www/html/cannot-be-found>

Attn: The .htpasswd should be located in a directory not accessible from the web (e.g. in /var/www)
Dear Bathory,
So should I add this into my httpd config file?
Don't forget to change AuthUserFile to the new path of .htpasswd. Also make sure both .htaccess and .htpasswd are owned by the apache user and can be read only by it.
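Putting the steps from this thread together, here is an added example (mine, not code posted in the thread or shipped with phpMyAdmin): it builds the htpasswd entry in the $apr1$ format that `htpasswd -m` writes on httpd 2.2, builds the <Directory> block for httpd.conf in the Apache 2.2 syntax that CentOS 6 ships, and refuses an AuthUserFile that sits under the DocumentRoot, which is the point made about keeping .htpasswd out of /var/www/html. The paths /var/www/html, /var/www/html/cannot-be-found and /var/www/.htpasswd, the user iamadmin and the realm name are assumptions taken from the posts or invented for illustration. The permission commands it prints use root:apache with mode 0640, so httpd can read the file but cannot rewrite it, a slightly tighter arrangement than making the apache user the owner.

```python
# Added example, not from the thread. Assumes Apache 2.2 (CentOS 6), a
# DocumentRoot of /var/www/html, the renamed directory "cannot-be-found"
# and the password file kept at /var/www/.htpasswd, outside the web root.
import hashlib
import os
import secrets
from typing import List, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ scheme (what `htpasswd -m` writes): MD5-crypt with the
    $apr1$ magic string. The salt is at most 8 characters."""
    pw, salt_b = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # mix in alt, pw-length bytes of it
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                  # bit pattern of the length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                     # deliberately slow stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    def to64(v: int, n: int) -> str:          # crypt-style base64, 6 bits a char
        out = ""
        for _ in range(n):
            out += ITOA64[v & 0x3F]
            v >>= 6
        return out

    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups) + to64(final[11], 2)
    return f"$apr1${salt[:8]}${enc}"


def htpasswd_line(user: str, password: str, salt: Optional[str] = None) -> str:
    """One htpasswd line: user:$apr1$salt$hash. A fresh random salt by default."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def verify_htpasswd(line: str, user: str, password: str) -> bool:
    """Re-hash with the stored salt and compare, as mod_auth_basic does."""
    name, _, stored = line.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return secrets.compare_digest(apr1_md5(password, salt), stored)


def authfile_is_web_exposed(authfile: str, docroot: str) -> bool:
    """True when the password file sits under the DocumentRoot, i.e. where a
    misconfiguration could let Apache serve it."""
    authfile, docroot = os.path.abspath(authfile), os.path.abspath(docroot)
    return os.path.commonpath([authfile, docroot]) == docroot


def protect_directory(dirpath: str, authfile: str, docroot: str,
                      realm: str = "Restricted") -> str:
    """The <Directory> block for httpd.conf (Apache 2.2 syntax). Refuses an
    AuthUserFile that lives inside the DocumentRoot."""
    if authfile_is_web_exposed(authfile, docroot):
        raise ValueError(f"{authfile} is under {docroot}; move it outside the web root")
    return (f"<Directory {dirpath}>\n"
            f"    AuthType Basic\n"
            f'    AuthName "{realm}"\n'
            f"    AuthUserFile {authfile}\n"
            f"    Require valid-user\n"
            f"    Order allow,deny\n"
            f"    Allow from all\n"
            f"</Directory>\n")


def permission_commands(authfile: str) -> List[str]:
    """root owns the file, the apache group may read it, nobody else can."""
    return [f"chown root:apache {authfile}", f"chmod 0640 {authfile}"]


if __name__ == "__main__":
    print(htpasswd_line("iamadmin", "correct horse battery staple"))
    print(protect_directory("/var/www/html/cannot-be-found", "/var/www/.htpasswd",
                            "/var/www/html", realm="phpMyAdmin"))
    print("\n".join(permission_commands("/var/www/.htpasswd")))
```

Run it to print the three pieces: write the htpasswd line to /var/www/.htpasswd, paste the <Directory> block into httpd.conf rather than into an .htaccess inside the web root (so nothing writable by the web application can switch the protection off), apply the two permission commands, then reload httpd.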
Dear Bathory,
I managed to solve it; the problem was in my httpd.conf. But when I do ls -ls I don't find both my .htaccess and .htpasswd files. Any reason for it? When I created both files I was under the root account, is that OK?
You need to run ls -la to see files starting with a dot.
Anyway, if you were root, then chances are that both files are in /root.
The html folder is ALWAYS a problem. Something like this, with the doc root set to "html":
/var/www/cgi-bin
/var/www/html/"your CMS" -- and all its folders
/var/www/MySql
/var/www/phpMyAdmin
Then set the permissions; this way you can not edit "/var/www/phpMyAdmin" from within the "/var/www/html/" folder. This is how I set up a CentOS / RHEL server and Apache 2. I do not use the RHEL or CentOS RPMs, because I like to keep things together and not scattered all over the place.