Secure phpMyAdmin install with Fail2ban

First, let’s change the address used to access phpMyAdmin. By default, it’s ser.ver.ip/phpmyadmin, which is the first thing every scanner tries.

I’ve copied the original phpMyAdmin Apache config file so I can customize it as I want and still have the original one in case mine is broken: sudo cp /etc/phpmyadmin/apache.conf /etc/phpmyadmin/apache-custom.conf

At the top of the custom file, change the third line, Alias /phpmyadmin /usr/share/phpmyadmin, to something else, like Alias /phpthisismine /usr/share/phpmyadmin

Now, I don’t know how your Apache is set up to pick up the phpMyAdmin configuration file. On my server, it wasn’t added automatically, so I’ve added it myself in /etc/apache2/apache2.conf. At the bottom, just add Include /etc/phpmyadmin/apache-custom.conf.

Now, in order to deal with those stupid bots if they ever find the URL, it would be nice to have fail2ban take care of those f*ckers. The problem is, phpMyAdmin doesn’t log failed login attempts (bummer!).

Well actually, this is what I found:

phpMyAdmin uses php’s apache_note function to make this work. AFAIK this function is only available in mod_php mode. This will not work with mod_fcgi & co.

And I’m using php-fpm, so I need to modify phpMyAdmin to log failed attempts. Let’s edit /usr/share/phpmyadmin/libraries/plugins/auth/AuthenticationCookie.class.php (I know, that’s bad, but what can I do?). Keep in mind that a package upgrade will overwrite this file, so the change has to be redone after updates.

Find the authFails() function and inside, right after the last header() call, add error_log('phpmyadmin: authentification failed'); (keep the string exactly as written, since the fail2ban filter has to match it).


Hell yeah.

Now let’s set up fail2ban. Create a file /etc/fail2ban/filter.d/apache-phpmyadmin.conf and put the filter definition inside.

Now edit your local fail2ban configuration file (mine is /etc/fail2ban/jail.local) and add the jail entry.

Reload fail2ban with sudo service fail2ban reload and you’re all set!
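The filter contents and the jail entry did not survive in the captured post, so here is an added example (mine, not the author’s) of the failregex such a filter would use, expanded the way fail2ban expands <HOST> and run against a constructed error.log excerpt. It assumes the error_log() line ends up in Apache’s error.log in mod_proxy_fcgi’s “[client ip:port] PHP message: …” format and that the jail points logpath at that file; the <HOST> pattern is a simplified version of fail2ban’s own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed filter, in the form /etc/fail2ban/filter.d/apache-phpmyadmin.conf would take;
# the message text is the one the post adds to authFails() via error_log().
FILTER_CONF = r"""[Definition]
failregex = ^.*\[client <HOST>(?::\d+)?\].*phpmyadmin: authentification failed
ignoreregex =
"""
# Assumption: a simplified form of the pattern fail2ban substitutes for <HOST>.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Apache error.log timestamp, e.g. [Sun Feb 14 10:00:01.000000 2016]
STAMP_RE = re.compile(r"^\[(\w{3} \w{3} \d\d \d\d:\d\d:\d\d\.\d+ \d{4})\]")
# Constructed error.log excerpt (assumed mod_proxy_fcgi format); 203.0.113.5 fails three times.
SAMPLE_LOG = """\
[Sun Feb 14 10:00:01.000000 2016] [proxy_fcgi:error] [pid 1234] [client 203.0.113.5:50123] PHP message: phpmyadmin: authentification failed
[Sun Feb 14 10:00:02.000000 2016] [proxy_fcgi:error] [pid 1234] [client 203.0.113.5:50124] PHP message: phpmyadmin: authentification failed
[Sun Feb 14 10:00:03.000000 2016] [proxy_fcgi:error] [pid 1234] [client 198.51.100.7:40001] PHP message: phpmyadmin: authentification failed
[Sun Feb 14 10:00:04.000000 2016] [proxy_fcgi:error] [pid 1234] [client 203.0.113.5:50125] PHP message: phpmyadmin: authentification failed
[Sun Feb 14 10:00:05.000000 2016] [core:notice] [pid 1000] AH00094: Command line: '/usr/sbin/apache2'
"""

def compile_failregex(conf):
    """Take every failregex line of the [Definition] section and expand <HOST>."""
    return [re.compile(line.split("=", 1)[1].strip().replace("<HOST>", HOST_RE))
            for line in conf.splitlines() if line.startswith("failregex")]

def failures_by_host(log_lines, patterns):
    """Map each host to the timestamps of its lines matching any failregex."""
    hits = defaultdict(list)
    for line in log_lines:
        stamp = STAMP_RE.match(line)
        m = next(filter(None, (p.search(line) for p in patterns)), None)
        if m and stamp:
            hits[m.group("host")].append(
                datetime.strptime(stamp.group(1), "%a %b %d %H:%M:%S.%f %Y"))
    return hits

def hosts_to_ban(log_lines, patterns, maxretry=3, findtime=600):
    """fail2ban's rule: maxretry matching lines within findtime seconds earns a ban."""
    banned = set()
    for host, stamps in failures_by_host(log_lines, patterns).items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= timedelta(seconds=findtime):
                banned.add(host)
                break
    return banned

if __name__ == "__main__":
    print(sorted(hosts_to_ban(SAMPLE_LOG.splitlines(), compile_failregex(FILTER_CONF))))
```

On a real box the equivalent check is fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-phpmyadmin.conf, which tells you whether your filter matches anything before you enable the jail.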

Sources (source 1, source 2, source 3).

Published by

Louwii

Web developer, geek, car enthusiast, photographer, DIYer, video gamer... I like many things, maybe too many?
