Phpmyadmin security


#1

Hi all,
First post as a new account holder.

Could someone comment on the security issues around phpmyadmin, pls. I have used it with other hosts, as it is an intuitive way for me to manage databases, not realising that there is a security issue. How concerned should I be? Has dh been hacked via phpmyadmin before?

I have downloaded Putty and connected via the shell, but this is not intuitive for me. Is it possible to do EVERYTHING you can do with phpmyadmin, using Putty? Just seems like another hill to climb for me.

Is there a recommended intuitive/GUI client-side db admin application which takes advantage of Putty/shell’s inherent security but offers something like the phpmyadmin GUI?

Just another observation as a dh n00b: things seem quite slow to update/propagate. e.g., it took >18 hours for a database setup on a dh subdomain (no redirecting of existing domains). Leaves the user wondering whether the transaction failed. With my other host, db setup is instantaneous.

However, there are potential benefits to dh, and a pretty active forum, so I’m persevering.

thx, russellt


#2

if your domain is not using https, then every time you access your database with phpmyadmin, you are passing your username and password over the wires in cleartext. how secure is that?

i run phpmyadmin locally and connect through an ssh tunnel on port 3307.

also, every domain is enabled by default for phpmyadmin. go to any domain hosted by dreamhost and add /dh_phpmyadmin and you’ll get the login prompt. there’s no limit to the number of times you can try to log in, so if your username and password are weak, then a brute force attack will get you in. you should aim for at least 12-character usernames and passwords with a huge mix of characters. also, ask support to disable the default access for all of your domains. do it for ftp as well.
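The unlimited login attempts described above do leave a trace: every rejected HTTP-auth login against the phpMyAdmin path is a 401 in the web server's access log. The following is an added example, not code from this thread or from DreamHost, of a small POSIX shell function that counts those 401s per client address and prints the addresses that reach a threshold. It assumes Apache combined log format, phpMyAdmin's `http` auth type (so a rejected login is a 401 rather than a 200 with an error page), and the `/dh_phpmyadmin` path mentioned above; the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag client IPs that repeatedly fail
# HTTP-auth logins against /dh_phpmyadmin in an Apache combined access log.
# Assumptions: combined log format, auth_type=http (rejected login => 401).

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2011:13:55:01 +0000] "GET /dh_phpmyadmin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:13:55:02 +0000] "GET /dh_phpmyadmin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:13:55:03 +0000] "GET /dh_phpmyadmin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:13:55:04 +0000] "GET /dh_phpmyadmin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:13:55:05 +0000] "GET /dh_phpmyadmin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:13:55:06 +0000] "GET /dh_phpmyadmin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2011:13:56:00 +0000] "GET /dh_phpmyadmin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.4 - russellt [10/Oct/2011:13:56:05 +0000] "GET /dh_phpmyadmin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2011:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

# Read a combined-format log on stdin; print (sorted) each client IP whose
# count of 401 responses on the /dh_phpmyadmin path reaches the threshold $1.
# Combined format fields: $1 client IP, $7 request path, $9 status code.
pma_bruteforce_ips() {
  threshold="${1:-5}"
  awk -v t="$threshold" '
    $7 ~ /^\/dh_phpmyadmin/ && $9 == 401 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= t) print ip }
  ' | sort
}

# Stand-alone usage: one typo from a legitimate user stays below the
# threshold; the six rapid failures from 203.0.113.7 do not.
printf '%s\n' "$SAMPLE_LOG" | pma_bruteforce_ips 5
```

Fed a real log (`pma_bruteforce_ips 5 < /path/to/access.log`), the output is a list of addresses worth rate-limiting or blocking; pairing it with a cron job or a tool such as fail2ban is the usual way to put a limit on attempts that the application itself does not enforce.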


#3

bobocat,
Thanks for the reply. Your comments on phpmyadmin security give me sufficient cause for concern that I’ll try something different.

Using Putty, I can tunnel to the server and access the command line. However, I can’t make my WAMP localhost phpmyadmin interface ‘find’ the tunnel. Any tips? I have added my dreamhost server to the phpmyadmin config.inc.php file with the following cfg settings: host: localhost, port: 3307, connect_type: tcp, auth_type: http, AllowNoPassword: FALSE. (Also tried host: ‘127.0.0.1’.) So the remote server is now an option on the phpmyadmin GUI. However, on clicking, I get a phpmyadmin error - ‘Mysql server has gone away’.

As I am able to connect using Putty, I am assuming the session settings are correct, but perhaps the tunnel settings are wrong. Under tunnels, I am setting the source port to 3307, same as the config.inc.php setting, and have tried various arrangements of the destination host name. Is the tunnel destination the name of the database, the db server or the dh host name? I have tried arrangements such as dbname.mysql.subdomain.dreamhosters.com:3306, mysql.subdomain.dreamhosters.com:3306. But no joy. I’d welcome any tips you have.

thx, russellt


#4

i haven’t used putty in a long time. please check the instructions for creating an ssh tunnel and port forwarding. I use mysql locally as well, so I forward 3307 to 3306 @ dreamhost. the address is the same as you would use for a regular ssh connection. i.e. you are just logging in with putty (sort of) using your domain, credentials, and port 22. In connection->SSH->tunnels I have L3307 mysql.mydomain.com:3306, then from there, phpmyadmin will request from 127.0.0.1:3307 using the credentials for your database.

i’m pretty sure that’s how i set it up. i put it all as an alias in my bash profile. it’s one of the reasons why i switched to ubuntu some time back. these things are much easier than on windows. unfortunately i’m using windows at the moment so i can’t confirm. the info from putty above is quite old so it may not work :-). I may have given up and just used ubuntu.

On that note, you can install WUBI or Ubuntu in VirtualBox or something and avoid all of the Windows quirks.

I’ve started a few notes in the wiki on phpMyAdmin. Please update when you’ve figured out the correct settings.


#5

Got it working. The tunnel destination is mydbhostname.dhsubdomain.dreamhosters.com:3306. I can now see server:localhostdb and server:localhost:3307 (remote dh database). I’m sure I tried that combination before, but it didn’t work, possibly because of local cache. So, tip for others: occasionally clear the cache (Ctrl+F5).

thx for your help.
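For readers on a Unix shell rather than PuTTY, here is the OpenSSH equivalent of the tunnel worked out in posts #4 and #5, as an added example that is not part of this thread and not DreamHost's own instructions. The PuTTY entry "L3307 mysql.mydomain.com:3306" maps onto `ssh -L`; the functions below build that command and the matching `mysql` client command so the port and host names are only typed once. All host names and user names are placeholders; the two details a practitioner is most likely to miss are that the forward should be bound to 127.0.0.1 only, and that a client pointed at `localhost` may use the local Unix socket instead of the tunnel (which is the same reason the config.inc.php in post #3 needed `connect_type: tcp` and `127.0.0.1`).

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSH equivalent of the PuTTY
# tunnel "L3307 <dbhost>:3306", wrapped so the values are typed once.
# Host names and user names are placeholders.

# Accept only an integer port in 1..65535.
is_valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command that forwards local port $1 to port 3306 on the
# MySQL host $2, logging in as $3@$4 (your normal shell login, port 22).
dh_tunnel_cmd() {
  local_port="$1"; db_host="$2"; ssh_user="$3"; ssh_host="$4"
  is_valid_port "$local_port" || { echo "bad local port: $local_port" >&2; return 1; }
  # -N: no remote shell, only the forward.
  # 127.0.0.1: bind the forwarded port to loopback so other machines on the
  # LAN do not get a path to the database through your workstation.
  printf 'ssh -N -L 127.0.0.1:%s:%s:3306 %s@%s\n' \
    "$local_port" "$db_host" "$ssh_user" "$ssh_host"
}

# Print the mysql client command that goes through the tunnel.
# --protocol=TCP and 127.0.0.1 matter: with -h localhost the client may try
# the local Unix socket, which is the tunnel-less "server has gone away" trap.
mysql_via_tunnel_cmd() {
  local_port="$1"; db_user="$2"
  is_valid_port "$local_port" || return 1
  printf 'mysql --protocol=TCP -h 127.0.0.1 -P %s -u %s -p\n' "$local_port" "$db_user"
}

# Stand-alone usage (placeholder names); the first line is what you would
# put in a bash alias, the second is the client session over it:
#   $(dh_tunnel_cmd 3307 mydbhostname.dhsubdomain.dreamhosters.com shelluser mydomain.com) &
#   $(mysql_via_tunnel_cmd 3307 dbuser)
dh_tunnel_cmd 3307 mydbhostname.dhsubdomain.dreamhosters.com shelluser mydomain.com
mysql_via_tunnel_cmd 3307 dbuser
```

The SSH destination is the ordinary shell host and user, not the MySQL host; only the third element of `-L` names the database server, and it is resolved on the remote side after the SSH session is up, which is why the working value in post #5 is the DreamHost-side MySQL host name.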