An unsecured phpMyAdmin is one of the biggest security risks on most servers. First we create all users as username@localhost, then we open up a web interface, allowing everybody to log in as “@localhost”.

Great, isn’t it? So let’s use our old buddy fail2ban to reduce this risk quite a bit.

Our goal? Block a user’s IP for a certain amount of time after several failed logins.

First things first: we need a logfile. Usually, phpMyAdmin doesn’t log anything - but since we’re on our own server, we can change that (given we’re using apache2).

The phpMyAdmin Documentation provides a possible solution.

But we have to keep a few things in mind:

  • LogFormat/CustomLog have to be applied at Server Context or VirtualHost Context (see here). So our phpMyAdmin installation has to be its own VirtualHost. A subdomain will work fine.
  • phpMyAdmin uses PHP’s apache_note() function to make this work. AFAIK this function is only available in mod_php mode. This will not work with mod_fcgi and similar setups.

Having taken this into consideration, we add these lines to our Apache Config in the according VirtualHost Section:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
CustomLog /var/log/apache2/phpmyadmin_access.log pma_combined

Don’t forget to reload your apache2 configuration:

service apache2 reload

Now we create our fail2ban filter:

/etc/fail2ban/filter.d/phpmyadmin.conf

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

And we test if our filter is working (try logging into phpMyAdmin with wrong credentials for this to return something meaningful):

fail2ban-regex /var/log/apache2/phpmyadmin_access.log /etc/fail2ban/filter.d/phpmyadmin.conf

Looks good? Good. Then we just have to add our jail to /etc/fail2ban/jail.conf:

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/apache2/phpmyadmin_access.log
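To see what the filter and jail actually do with the pma_combined lines, here is a small Python emulation (added here, not part of fail2ban or phpMyAdmin): it applies the article’s failregex to a few constructed log lines and counts failures per host within a window. The <HOST> stand-in pattern, the sample lines (including the “ok” userStatus on success) and the maxretry/findtime values are assumptions chosen for the demo; the real jail inherits maxretry and findtime from fail2ban’s [DEFAULT] section.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands <HOST> to its own host-matching group; this simplified
# stand-in (an assumption) accepts IPv4 and IPv6 literals.
HOST = r"(?P<host>[0-9a-fA-F:.]+)"
DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"
# Same shape as the article's failregex: ^<HOST> -.*(?:%(denied)s)$
FAILREGEX = re.compile(rf"^{HOST} -.*(?:{DENIED})$")
TIME_RE = re.compile(r"\[([^\]]+)\]")          # the %t field
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines in the pma_combined format (userID userStatus at the end).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /index.php HTTP/1.1" 200 4521 "https://pma.example.test/" "Mozilla/5.0" root mysql-denied
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /index.php HTTP/1.1" 200 4521 "https://pma.example.test/" "Mozilla/5.0" root mysql-denied
203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "POST /index.php HTTP/1.1" 200 4521 "https://pma.example.test/" "Mozilla/5.0" admin mysql-denied
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /index.php HTTP/1.1" 302 0 "https://pma.example.test/" "Mozilla/5.0" appuser ok
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0" appuser ok
2001:db8::10 - - [10/Oct/2023:13:57:00 +0000] "POST /index.php HTTP/1.1" 200 4521 "-" "curl/8.0" - empty-denied
"""


def failed_logins(log_text):
    """Return {host: [timestamps]} for every line the failregex matches."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                      # successful login or unrelated request
        ts = datetime.strptime(TIME_RE.search(line).group(1), TIME_FMT)
        hits[m.group("host")].append(ts)
    return hits


def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Emulate the jail: a host is banned once it has maxretry failures
    inside any findtime-second window (values here are demo assumptions)."""
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in failed_logins(log_text).items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.append(host)
                break
    return banned


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))       # ['203.0.113.5']
```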

Reload fail2ban one last time and you’re done.

service fail2ban reload