An unsecured phpMyAdmin is one of the biggest security risk on most servers. First we create all users as username@localhost, then we open up a webinterface, allowing everybody to login as “@localhost”.

Great, isn’t it? So let’s use our old buddy fail2ban to reduce this risk quite a bit.

Out goal? Block a user’s IP for a certain amount of time after several failed logins.

First things first: we need a logfile. Usually, phpMyAdmin doesn’t log anything - but since we’re on our own Server, we can change that (given we’re using apache2).

The phpMyAdmin Documentation provides a possible solution.

But we have to keep a few things in mind:

  • LogFormat/CustomLog have to be applied at Server Context or VirtualHost Context (see here). So our phpMyAdmin installation has to be it’s own VirtualHost. A subdomain will work fine.
  • phpMyAdmin uses php’s apache_note function to make this work. AFAIK this function is only available in mod_php mode. This will not work with mod_fcgi & co.

Having taken this into consideration, we add these lines to our Apache Config in the according VirtualHost Section:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
CustomLog /var/log/apache2/phpmyadmin_access.log pma_combined

Don’t forget to reload your apache2 configuration:

service apache2 reload

Now we create our fail2ban filter


denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

And we test if our filter is working (try logging into phpMyAdmin with wrong credentials for this to return something meaningful):

fail2ban-regex /var/log/apache2/phpmyadmin_access.log /etc/fail2ban/filter.d/phpmyadmin.conf

Looks good? Good. Then we just have to add our jail to /etc/fail2ban/jail.conf

enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/apache2/phpmyadmin_access.log

Reload fail2ban one last time and you’re done.

service fail2ban reload