Disable phpmyadmin access to database? webFTP access to files?


#1

With all the recent data thefts lately, I’ve been looking at the security of my websites. Notwithstanding the particularly appalling password security at DH, I’ve been thinking about the automatic links that DH provides to everyone’s databases through phpMyAdmin.

I’ve seen phpMyAdmin probes in my Apache access logs where they request dozens of setup and install scripts for a variety of phpMyAdmin versions. I can only assume that they are probing for these versions because of known exploits.

Examples:

[quote]
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.6.0-pl2/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.6.2-beta1/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpmy-admin/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.6.1-rc1/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.5.5-rc1/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.6.0/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /pma2005/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /mysql/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpmyadmin2/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.7.0-rc1/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /xampp/phpmyadmin/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.6.4-rc1/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /mysqlmanager/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.6.0-alpha2/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /pma/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.6.0-alpha/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.6.1-pl1/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.8.0-beta1/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.5.5-pl1/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.6.2/scripts/setup.php
3 0.02% May/ 9/11 8:41 PM /dbadmin/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.7.0-pl1/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.6.4-pl1/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.2.3/scripts/setup.php
3 0.02% May/ 9/11 8:42 PM /phpMyAdmin-2.5.5/scripts/setup.php[/quote]

I have no control over this setup, along with a few other subdomains and URL directories, which DH provides/imposes on every domain, so if a vulnerability is found in phpMyAdmin, squirrelMail, webFTP, or the stats program, or anything else, every site at DH would be vulnerable. Accessing DH’s stats, for example, is done through Basic Authentication, which means passwords are being sent in cleartext. How many people have assigned the same password to their stats as to other critical parts of their account / website?

Is there any way to disable these services? I realise they are provided for convenience, but for those of us who never use them, preferring to do everything through an SSH tunnel for example, these are nothing but unnecessary risks.

What are others doing to prevent data theft and security breaches?

[hr]
Just looked at my logs and discovered more probes:
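The setup.php sweep in the log excerpt above can be picked out automatically. The following is an added example (not code from the original post or from DreamHost): a small Python detector that parses Apache combined-format access log lines, groups phpMyAdmin installer probes by client, and flags any client that hits several path variants within a few minutes; the sample log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: client - - [timestamp] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Installer scripts under phpMyAdmin-style directory names; nothing on a normal site links to these.
PMA_PROBE_RE = re.compile(
    r'/(?:phpmyadmin[^/]*|phpmy-admin|pma[^/]*|mysql(?:manager)?|dbadmin)/scripts/setup\.php$',
    re.IGNORECASE)

def parse_line(line):
    """Return (ip, timestamp, path without query string, status), or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0], int(m.group("status"))

def find_pma_scanners(lines, min_paths=5, window_seconds=300):
    """Flag clients requesting >= min_paths distinct setup.php variants within window_seconds.
    Returns {ip: {"paths": [...], "served": [...]}}; "served" lists probes that did NOT get a 404, i.e. the ones to investigate."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        ip, ts, path, status = rec
        if PMA_PROBE_RE.search(path):
            hits[ip].append((ts, path, status))
    scanners = {}
    for ip, events in hits.items():
        events.sort()  # by timestamp, so each window is a contiguous slice
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_seconds]
            distinct = sorted({p for _, p, _ in window})
            if len(distinct) >= min_paths:
                scanners[ip] = {"paths": distinct, "served": sorted(p for _, p, s in window if s != 404)}
                break
    return scanners

# Constructed sample (documentation-range addresses): one client sweeping variants, one answered 200; one single probe.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2011:20:42:01 +0000] "GET /phpMyAdmin-2.6.0-pl2/scripts/setup.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [09/May/2011:20:42:01 +0000] "GET /phpmy-admin/scripts/setup.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [09/May/2011:20:42:02 +0000] "GET /pma2005/scripts/setup.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [09/May/2011:20:42:02 +0000] "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [09/May/2011:20:42:03 +0000] "GET /mysql/scripts/setup.php HTTP/1.1" 200 2048 "-" "-"
198.51.100.4 - - [09/May/2011:20:45:12 +0000] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_pma_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['paths'])} setup.php variants probed; non-404 answers: {info['served']}")
```

A probe sweep that only produces 404s is noise to rate-limit or block; a non-404 answer means something on the host actually served an installer path and should be checked.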


#2

Hmm, seems that no one ever replies to threads I start. Maybe I’m in left field.

Anyway, after seeing similar scans in my logs again, I contacted support and they can indeed shut off access to phpmyadmin if you ask them. You can’t do it on your own, but it’s possible.

I think it should be an option in the panel though. There’s no reason to have a bunch of doors to your data, even if they are locked, if you don’t use them. I use only one door - ssh with public key login and tunnel everything through that.

My security includes:
Enhanced security - home folder readable only by adm and me
FTP - disabled
Databases - only accessible from within DH
app location - apps are not stored within the web root. Typically only one index file resides there, which includes all necessary files from outside the web directory. Assets such as images, css, etc. are in the web directory

Of course I need to make sure my apps don’t have logic flaws or accept SQL injection queries…

What do others do to enhance security and protect their data?


#3

Thank you for following up on your own question, bobcat.

I too have wondered how to disable the automatic phpmyadmin functionality on my MySQL server hostname. I don’t want that to be inviting to hackers or people that are just relatively curious.