Is phpMyAdmin secure against brute force?

9

Well, my question is this:

Does phpMyAdmin have any protection against brute force on the password? That is, after x attempts, does the IP get blocked or something like that?

Thank you.

asked by anonymous 09.02.2017 / 01:27

3 answers

13

According to the phpMyAdmin documentation

If you expose phpMyAdmin on a public address, I recommend "unusual" directory names, avoiding for example site/phpmyadmin or site/pma, which already makes enumeration against the system a little harder.

09.02.2017 / 02:13
2

Friend, I would not recommend leaving phpMyAdmin exposed on the Web. It is a tool with many vulnerabilities, and not only brute force, which can put your applications at risk. I looked up the vulnerabilities the tool has had on the CVE Details site and found 223 vulnerabilities listed. There are ways to make phpMyAdmin available only to your IP, or to leave it on the server disabled and only turn it on when you use it. I hope I have helped!

link

16.02.2017 / 16:05
1

One option is to use fail2ban to block certain access patterns.

With fail2ban installed, the configuration is more or less like this; it may vary depending on your server:


/etc/apache2/conf.d/phpmyadmin.conf:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
CustomLog /var/log/apache2/phpmyadmin_access.log pma_combined

fail2ban filter:


/etc/fail2ban/filter.d/phpmyadmin.conf

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

Add a jail:


/etc/fail2ban/jail.local

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/apache2/phpmyadmin_access.log

And finally, restart Apache and fail2ban:

service apache2 reload
service fail2ban reload

Source: link

15.02.2017 / 19:04
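To check that the fail2ban filter from the answer above actually catches the right log lines before enabling the jail, the following added example (not part of the original answer or of fail2ban's code) applies the same failregex to constructed lines in the pma_combined format and counts failures per client IP the way a jail would. It assumes a simplified stand-in for fail2ban's `<HOST>` expansion (the real one also accepts IPv6-mapped prefixes and hostnames), assumes `ok` as the userStatus value on a successful login, and ignores the findtime window, so the count is over the whole input.

```python
import re
from collections import defaultdict

# The failregex exactly as written in the filter.d/phpmyadmin.conf from the answer.
DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"
FAILREGEX = r"^<HOST> -.*(?:%s)$" % DENIED

# fail2ban substitutes <HOST> with a named host-matching group before compiling.
# Assumption: this simplified group only matches IPv4/IPv6 literals, which is
# enough for the pma_combined format where %h is the client address.
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Constructed sample log in the pma_combined format from the answer:
# %h %l %u %t "%r" %>s %b "Referer" "User-Agent" %{userID}n %{userStatus}n
# The last two fields are the Apache notes phpMyAdmin sets on each login attempt;
# "ok" on the successful lines is an assumed value, the *-denied ones come from the filter.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Feb/2017:02:13:01 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" root root-denied
203.0.113.7 - - [09/Feb/2017:02:13:04 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" admin mysql-denied
203.0.113.7 - - [09/Feb/2017:02:13:06 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" admin mysql-denied
198.51.100.4 - - [09/Feb/2017:02:14:00 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" alice ok
198.51.100.4 - - [09/Feb/2017:02:15:00 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0" alice ok
"""


def count_failures(log_text):
    """Return {client_ip: number of lines matching the failregex}."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        match = PATTERN.match(line)
        if match:
            failures[match.group("host")] += 1
    return dict(failures)


def hosts_to_ban(log_text, maxretry=5):
    """IPs a jail would ban: at least maxretry matching lines.

    maxretry defaults to 5, fail2ban's shipped default, since the jail in the
    answer does not override it. The findtime window is deliberately ignored.
    """
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print("failures per host:", count_failures(SAMPLE_LOG))
    print("banned with maxretry=3:", hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

Note that the successful-login lines from 198.51.100.4 never match because the pattern is anchored on the denied status at the end of the line, so a legitimate user who mistypes once is only counted once. The real tool for this check is `fail2ban-regex /var/log/apache2/phpmyadmin_access.log /etc/fail2ban/filter.d/phpmyadmin.conf`, which reports the same per-line matches.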