An unsecured phpMyAdmin is one of the biggest security risk on most servers. First we create all users as username@localhost, then we open up a webinterface, allowing everybody to login as “@localhost”.

Great, isn’t it? So let’s use our old buddy fail2ban to reduce this risk quite a bit.

Out goal? Block a user’s IP for a certain amount of time after several failed logins.

First things first: we need a logfile. Usually, phpMyAdmin doesn’t log anything - but since we’re on our own Server, we can change that (given we’re using apache2).

The phpMyAdmin Documentation provides a possible solution.

But we have to keep a few things in mind:

Having taken this into consideration, we add these lines to our Apache Config in the according VirtualHost Section:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
CustomLog /var/log/apache2/phpmyadmin_access.log pma_combined

Don’t forget to reload your apache2 configuration:

service apache2 reload

Now we create our fail2ban filter

/etc/fail2ban/filter.d/phpmyadmin.conf

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

And we test if our filter is working (try logging into phpMyAdmin with wrong credentials for this to return something meaningful):

fail2ban-regex /var/log/apache2/phpmyadmin_access.log /etc/fail2ban/filter.d/phpmyadmin.conf

Looks good? Good. Then we just have to add our jail to /etc/fail2ban/jail.conf

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/apache2/phpmyadmin_access.log

Reload fail2ban one last time and you’re done.

service fail2ban reload