Wilhelm Tux's lil' helper
Joined: 27 May 2003 Posts: 149
Posted: Wed Oct 13, 2004 8:26 pm Post subject: Security trick for phpmyadmin in a vhost environment
Hi people,
I've figured out a way to enhance security on a virtual hosting server. First I must note that this is an additional measure and only makes things slightly less vulnerable.
I myself am setting up a virtual hosting server and I hit the problem that any scriptkiddy could brute force the MySQL root user and drop all databases, which isn't a good thing. Since my system has only 1 MySQL server I needed to figure out a way to protect the root user and other users from my served phpmyadmins. My trick makes brute forcing root slightly harder by limiting the accessibility of the mysql database.
My trick is simple and works together with webapp-config, which is nice.
It requires setting up an alias for localhost (or whatever your MySQL is bound to) in /etc/hosts which is hard to guess. This means only the phpmyadmin with its host set to the alias-localhost is allowed root or secure access, which is what we want.
You must set the User entries on the mysql database you wish to protect in the mysql DB to the alias host.
(!!!Warning!!! Messing with the root user can make your DB inaccessible, so test this with a non-root user first.)
(Also note that you must flush privileges and change any mysql accessing configuration file which still has localhost set as host.)
Then, if you wish to have 1 phpmyadmin which can go root, modify that phpmyadmin's config.inc.php and set the host to the alias host.
OK, so why didn't I just give all my virtual users' phpmyadmins a different hostname? This would indeed limit all access to and from the DBs. This however does require every webapp-config installation to have its config modified. Also I presumed that a scriptkiddy could install his own phpmyadmin and set it up to use localhost. Since the scriptkiddy has no access to my system and /etc/hosts that I know of, I can assume he/she will not guess the alias localhost.
Now I'm looking for a way to secure the password transfer to my phpmyadmins, but I'll probably find a solution ;-)
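As an added set of sanity checks for the procedure in the post (example code, not from the poster or from webapp-config): shell functions that confirm the alias is present in the hosts file, list the per-vhost config.inc.php files still pointing at localhost (the configs the post says must be changed after the user is rehomed), and emit the SQL for moving one MySQL account's Host entry. The alias name, directory layout and sample files are constructed assumptions, and the example assumes MySQL sees the connection arriving from the address the alias maps to.

```shell
#!/bin/sh
# Added example; alias name, paths and vhost layout are assumptions.

# Exit 0 if HOSTSFILE maps ALIAS to ADDR on a non-comment line.
# Usage: hosts_alias_ok HOSTSFILE ALIAS ADDR
hosts_alias_ok() {
    awk -v a="$2" -v ip="$3" '
        $1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) if ($i == a) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Print every phpMyAdmin config.inc.php below DIR whose host is still
# 'localhost': after rehoming a user to the alias these installs lose
# that account, so each one needs its host entry reviewed.
list_localhost_configs() {
    find "$1" -name config.inc.php -print | while read -r f; do
        grep -Eq "\['host'\][[:space:]]*=[[:space:]]*'localhost'" "$f" && echo "$f"
    done
}

# Emit the SQL that moves account USER from Host='localhost' to ALIAS.
# Review it before running it, and try a non-root user first.
rehome_user_sql() {
    printf "UPDATE mysql.user SET Host='%s' WHERE User='%s' AND Host='localhost';\n" "$2" "$1"
    printf "FLUSH PRIVILEGES;\n"
}

# Build a constructed demo tree (hosts file plus two phpMyAdmin configs)
# in a temp dir and print its path, so the checks can run offline.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/vhosts/customer.test/phpmyadmin" "$d/admin/phpmyadmin"
    printf '127.0.0.1\tlocalhost\n127.0.0.1\tdbalias-k9q2\n' > "$d/hosts"
    printf '%s\n' "\$cfg['Servers'][\$i]['host'] = 'localhost';" \
        > "$d/vhosts/customer.test/phpmyadmin/config.inc.php"
    printf '%s\n' "\$cfg['Servers'][\$i]['host'] = 'dbalias-k9q2';" \
        > "$d/admin/phpmyadmin/config.inc.php"
    echo "$d"
}
```

Run `d=$(build_demo_tree); list_localhost_configs "$d"` to see which constructed config would still be pointing at localhost.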