Block /phpmyadmin for none DirectAdmin logged-in users

nservices

Verified User
Joined
Dec 11, 2008
Messages
293
Hi,
Is it possible to add some script / check to the /phpmyadmin URL that allows access only if the client is already logged in to the DirectAdmin panel?

So, if a hacker has the DB access but not the DA access, they still can't log in.

Regards,

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,159
Location
GMT +7.00
Hello,

By default you log into DirectAdmin as a user, and its name is not the same as the MySQL user which you use to connect to your DB. I mean, if you log into DirectAdmin as bob, by default you are not allowed to connect to MySQL as bob; you need another user, let's say bob_db1, to connect to your DB, for example with the same name bob_db1. Thus, to authorize in DirectAdmin and in phpMyAdmin, different usernames are used. So there cannot be one form for authentication without changes on DirectAdmin's side, so the Signon authentication mode cannot be used here. Please, anybody, correct me if I'm wrong here.

Thus, to achieve the desired result, requests to phpMyAdmin might need to be proxied via DirectAdmin, or you need to check and validate cookies created by DirectAdmin in phpMyAdmin. But you will still need to authenticate in phpMyAdmin using a valid MySQL user.

Another issue is that some of us may share access to phpMyAdmin with members of a team, and if you need to give a developer access to phpMyAdmin, you might not want him/her to access DirectAdmin.

Please anyone share your thoughts.

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,989
Random idea, create:
Code:
/usr/local/directadmin/scripts/custom/all_post.sh
with code
Code:
#!/bin/sh
# Rebuild phpMyAdmin's .htaccess so that only IPs holding a live DirectAdmin
# session are allowed in (Apache 2.2 "order/deny/allow" syntax).
HTA=/var/www/html/phpMyAdmin/.htaccess
echo -n > $HTA
echo '<Limit GET POST>' >> $HTA
echo ' order deny,allow' >> $HTA
echo ' deny from all' >> $HTA

# Every session file carries an "ip=<addr>" line. grep prefixes the file name
# ("da_sess_xxx:ip=1.2.3.4"), so cutting at the first "=" leaves just the address.
# stderr is silenced so an empty sessions directory does not spam the log.
for ip in `grep ^ip= /usr/local/directadmin/data/sessions/da_sess_* 2>/dev/null | cut -d= -f2`; do
{
 echo "allow from $ip" >> $HTA
};
done;

echo '</Limit>' >> $HTA
echo '<Limit PUT DELETE>' >> $HTA
echo '       order deny,allow' >> $HTA
echo '       deny from all' >> $HTA
echo '</Limit>' >> $HTA

exit 0;
It's not the most disk-efficient, but it would keep the .htaccess updated with only the IPs listed in the sessions.

Just keep in mind that "demo" counts in that list, so just be sure not to allow demo logins if you use this method, or tweak it a bit more to only count IPs that do not have demo in their session file.

John
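A variant of the idea above that also applies the demo caveat, as an added example (not DirectAdmin's script and not John's): it skips any session file containing the string "demo", de-duplicates the addresses, and swaps the finished file into place so Apache never reads a half-written .htaccess. It assumes, as the thread does, that each session file has an ip= line; the substring "demo" as the demo marker and passing the sessions directory as an argument are assumptions.

```shell
#!/bin/sh
# Added example, not DirectAdmin's own script: rebuild phpMyAdmin's .htaccess
# from live DirectAdmin sessions, leaving out demo logins.
# Assumptions: each session file has an "ip=<addr>" line (as in the thread),
# and a demo session is recognisable by the substring "demo" in its file.

# build_htaccess SESSION_DIR OUTFILE
build_htaccess() {
    sess_dir=$1
    out=$2
    tmp="$out.tmp.$$"
    {
        echo '<Limit GET POST>'
        echo ' order deny,allow'
        echo ' deny from all'
        for f in "$sess_dir"/da_sess_*; do
            [ -f "$f" ] || continue         # no sessions at all: the glob stays literal
            grep -q demo "$f" && continue   # demo sessions get no allow line
            grep '^ip=' "$f" | cut -d= -f2
        done | sort -u | while read -r ip; do
            # Only emit something shaped like an IPv4/IPv6 address.
            case $ip in
                ''|*[!0-9a-fA-F.:]*) continue ;;
            esac
            echo " allow from $ip"
        done
        echo '</Limit>'
        echo '<Limit PUT DELETE>'
        echo ' order deny,allow'
        echo ' deny from all'
        echo '</Limit>'
    } > "$tmp" && mv "$tmp" "$out"   # atomic swap: readers see old or new, never partial
}

# allowed_ips HTACCESS: print the allowed addresses, one per line (for checking)
allowed_ips() {
    sed -n 's/^ *allow from //p' "$1"
}

# Usage on a DirectAdmin box (e.g. from all_post.sh):
#   build_htaccess /usr/local/directadmin/data/sessions /var/www/html/phpMyAdmin/.htaccess
```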