Dear All,
Currently I get the latest phpMyAdmin unzip and load into my www folder and just run it. Recently there was an attack via phpMyAdmin. So what is the correct method I should install to avoid this type of vulnerable attack ony my server in future? My os is centos and the attack was due to this PhpMyAdmin vulnerability CVE-2011-2505 (http://www.cve.mitre.org/cgi-bin/cve...=CVE-2011-2505)

Hi,

Apart from always using the latest version, you can obscure the phpMyAdmin url, by using something known only to you. So rename the phpMyAdmin-x.y.z directory to "cannot-be-found" for example. You can then use http://hostname/cannot-be-found to do your job, while bots scanning for vulnerable installations cannot find it.
Of course you can deploy mod_security and/or fail2ban and maybe other security measures to reduce risks even more.

Regards

Dear Bathory,
I have another idea is that to keep the whole folder cannot-be-found in another location and only copy into /var/www/html when I need to use then delete? Ok next thing I am trying this .htaccess method. I did this first I set .htaccess folder and type this in it.

The I created the username and password using this command

sudo htpasswd -c .htpasswd iamadmin
...and I could see both the .htaccess and .htpasswd files are in the folder.


Another thing done is the httpd.conf.

But when I go my link it never prompt for the additional username and password. My OS is centos 6.2

You could, but I think it's a waste of time copying and deleting that directory.

You should do this for the docroot (or just for the phpMyAdmin (or whatever you want to call it) directory). E.g.
And of course place the .htaccess into that directory
Attn: The .htpasswd should be located into a directory not accessible from the web (e.g. in /var/www)

Dear Bathory,
So should I add this into my httpd config file is it?
Why is this <Directory /> not taking effect ya? Now I saw the .htpasswd is also in the same location in the phpMyAdmin directory. So should I move it to where is best location? If I move will it be able to detect then the password?

Yup


I'm not familiar with centos apache configuration, but I guess that there is another "AllowOverride None" for docroot.


You should move it to somewhere not accessible from the web (that is outside the docroot). It's just a precaution, as the default apache configuration prohibits access to .ht* files.
Don't forget to change AuthUserFile with the new path to .htpasswd. Also make sure both .htaccess and .htpasswd are owned by the apache user and can be read only from it

Dear Bathory,
I managed to solve the problem was in my httpd.conf. But when I do ls-ls I dont find both my .htaccess and .htpasswd file any reason for it? When I created both the file I was under the root account is that ok?

You need to run ls -la to see files starting with a dot
Anyways if you were root, then chances are that both files are in /root

i would not have installed it there
the html folder is ALWAYS a problem

something like this with the doc root set to "html"
/var/www/cgi-bin
/var/www/html/"your CMS" -- and all it's folders
/var/www/MySql
/var/www/phpMyAdmin

then set the permissions, this way you can not edit "/var/www/phpMyAdmin" from within the "/var/www/html/" folder

This is how i set up a Cent / RHEL server and Apache 2
I do not use the rhel or cent rpm's . Because i like to keep things together and not scattered all over the place