本文介绍了如何保护 phpMyAdmin的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我注意到我的网站有一些奇怪的请求试图找到 phpmyadmin,比如

/phpmyadmin//下午/

现在我已经通过 apt 在 Ubuntu 上安装了 PMA,并希望通过不同于/phpmyadmin/的网址访问它.我该怎么做才能改变它?

谢谢

更新

对于 Ubuntu 9.10 和 Apache2,相应的设置位于文件 /etc/apache2/conf.d/phpmyadmin.conf 中,该文件是 /etc/phpmyadmin/apache 的链接.conf.该文件包含

别名/phpmyadmin/usr/share/phpmyadmin

如果想要避免不必要的活动,第一个 /phpmyadmin 应该更改为不同的东西,例如:

别名/secret/usr/share/phpmyadmin
解决方案

最大的威胁是攻击者可以利用漏洞,例如;目录遍历,或使用 SQL 注入调用 load_file() 读取配置文件中的纯文本用户名/密码,然后使用 phpmyadmin 或通过 tcp 端口 3306 登录. 作为渗透测试者,我使用了这种攻击破坏系统的模式.

这是锁定 phpmyadmin 的好方法:

  • PhpMyAdmin 缺乏强大的暴力破解保护,因此您必须使用随机生成的长密码.
  • 不允许远程 root 登录! phpmyadmin 可以配置为使用 Cookie 身份验证" 以限制哪些用户可以访问系统.如果您需要一些 root 权限,请创建一个可以添加/删除/创建但没有 grantfile_priv 的自定义帐户.
  • 从每个帐户中删除 file_priv 权限.file_priv 是 MySQL 中最危险的权限之一,因为它允许攻击者读取文件或上传后门.
  • 将有权访问 phpmyadmin 界面的 IP 地址列入白名单.这是一个 .htaccess reulset 示例:

订单拒绝,允许拒绝所有人允许从 199.166.210.1

  • 没有可预测的文件位置,例如:http://127.0.0.1/phpmyadmin.Nessus/Nikto/Acunetix/w3af 等漏洞扫描程序会对此进行扫描.

  • 防火墙关闭 tcp 端口 3306,使其无法被攻击者访问.

  • 使用HTTPS,否则数据和密码可能会泄露给攻击者.如果您不想为证书支付 30 美元,那么使用自签名.你会接受它一次,即使它是由于 MITM 而更改,您会收到通知.

I have noticed that there are strange requests to my website trying to find phpmyadmin, like

/phpmyadmin/
/pma/

etc.

Now I have installed PMA on Ubuntu via apt and would like to access it via webaddress different from /phpmyadmin/. What can I do to change it?

Thanks


Update

For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file /etc/apache2/conf.d/phpmyadmin.conf which is a link to /etc/phpmyadmin/apache.conf. The file contains

Alias /phpmyadmin /usr/share/phpmyadmin

where the first /phpmyadmin should be changed to something different if one wants to avoid the unnecessary activity, e.g.:

Alias /secret /usr/share/phpmyadmin
解决方案

The biggest threat is that an attacker could leverage a vulnerability such as; directory traversal, or using SQL Injection to call load_file() to read the plain text username/password in the configuration file and then Login using phpmyadmin or over tcp port 3306. As a pentester I have used this attack pattern to compromise a system.

Here is a great way to lock down phpmyadmin:

  • PhpMyAdmin lacks strong bruteforce protection, so you must use a long randomly generated password.
  • DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpmyadmin can be configured to use "Cookie Auth" to limit what user can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have grant or file_priv.
  • Remove file_priv permissions from every account. file_priv is one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor.
  • Whitelist IP address who have access to the phpmyadmin interface. Here is an example .htaccess reulset:

  • Do not have a predictable file location like: http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.

  • Firewall off tcp port 3306 so that it cannot be accessed by an attacker.

  • Use HTTPS, otherwise data and passwords can be leaked to anattacker. If you don't want to fork out the $30 for a cert, thenuse a self-signed. You'll accept it once, and even if it waschanged due to a MITM you'll be notified.

这篇关于如何保护 phpMyAdmin的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-06 17:46