Setting PHPMyAdmin on another port than port 80

[ACPanda]

Hi,

I am new to DirectAdmin, just converted form trial license after trying,

I have a question regarding the PHPMyadmin:

They are many hackers scanning for phpmyadmin, pma, etc in the logs, everyday.
It will be easy for the hacker to hack in sooner or later.

The best way is to use firewall to allow certain port for phpmyadmin like how we allow Directadmin port 2222.
In that case we can allow only the Directadmin users access from their office IP address with the firewall.

Question: How can I set the phpmyadmin to listen on another port, eg. port 2223?
or better, to be shared with DirectAdmin port 2222 since, all the users will need to access port 2222
to get into DirectAdmin anyway. Perhaps under the DirectAdmin subfolder.

I tried to find my way in DirectAdmin folders, but it seems different from XAMPP which i am more familiar and perhaps also the need to do something in custombuild, so more details to find the file and instructions would be helpful.

Securing phpmyadmin should also be a part of DirectAdmin installation Guide, i think, since this is the very first thing we need to secure.

Thanks.

ACP

 

[wattie]

PHPMyAdmin is a PHP application which is a scripting language - not a standalone software. Therefore it depends on Apache (and the PHP-FPM compiler). It will run on whatever port Apache runs.

What you can eventually do is the following:

1. Run Apache on both port 80 and another port - say 6127 for example.
2. Set .htaccess file in the phpmyadmin folder with which you check the PORT and throw 403 Forbidden if it is 80.

The last will be something like

RewriteEngine on 
RewriteCond  %{SERVER_PORT} !^80$
RewriteRule .* / [F]

Please note that this will cause you problems inside DirectAdmin - all it's links will continue to be defaulting to the http port 80. Therefore they will not work - if you wish to access phpmyadmin, you have to do it manually, not through link in DA. So you have to teach your customers to go to http://domain.tld:6127/phpmyadmin. It will not be very comfortable for sure.

 

[ACPanda]

Thank you so much for your suggestion, it sounds logical for me and that's what i think i want to do.

I see many different http.conf files at different folders, in XAMPP, we will just go to the extra folders and look for vhost file.
could you point me to which file to edit for:

> 1. Run Apache on both port 80 and another port - say 6127 for example.

ACP

PHPMyAdmin is a PHP application which is a scripting language - not a standalone software. Therefore it depends on Apache (and the PHP-FPM compiler). It will run on whatever port Apache runs.

What you can eventually do is the following:

1. Run Apache on both port 80 and another port - say 6127 for example.
2. Set .htaccess file in the phpmyadmin folder with which you check the PORT and throw 403 Forbidden if it is 80.

The last will be something like

RewriteEngine on 
RewriteCond  %{SERVER_PORT} !^80$
RewriteRule .* / [F]

Please note that this will cause you problems inside DirectAdmin - all it's links will continue to be defaulting to the http port 80. Therefore they will not work - if you wish to access phpmyadmin, you have to do it manually, not through link in DA. So you have to teach your customers to go to http://domain.tld:6127/phpmyadmin. It will not be very comfortable for sure.

 

[wattie]

It should be in /etc/httpd/conf/httpd.conf

I never done it but I think you must add "Listen 6127" on the line after the default "Listen 80".

You may also need to add the port to the vhosts (not sure but most probably). There are two config files to possibly look in:

/etc/httpd/conf/ips.conf
/etc/httpd/conf/extra/httpd-vhosts.conf

 

[ACPanda]

Hi,

Thanks, i have successfully done that based on your suggestions. Here's sharing the details steps for those who need to do the same.


1. /etc/httpd/conf/httpd.conf => i added this after Listen 80:

Listen 80
#for allowing phpMySQ to listen on port 6127L. More settings also at httpd-vhost.conf 
[B]Listen 6127[/B]

2. /etc/httpd/conf/extra/httpd-vhosts.conf => i duplicated the existing SSL (port 443) section and changed the port number to 6127:

<VirtualHost my_server_ip:6127>
    ServerAdmin webmaster@localhost
    UserDir public_html
    DocumentRoot /var/www/html/phpmyadmin
    ServerName localhost
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    CustomLog /var/log/httpd/homedir.log homedir
    CustomLog /var/log/httpd/access_log combined
    ErrorLog /var/log/httpd/error_log

    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/server.ca
    
    <IfModule !mod_ruid2.c>
        SuexecUserGroup webapps webapps
    </IfModule>
</VirtualHost>

3. htaccess (place the file in /var/www/html/phpMyAdmin-4.9.0.1-all-languages):

# For restricting the phpmyadmin port access
# Access URL: https://x.x.x:6127/pma/index.php or https://x.x.x.x:6127/phpmyadmin/index.php 

RewriteEngine on 
# Disallow 80 or 443
#RewriteCond  %{SERVER_PORT} ^80$ [OR]
#RewriteCond  %{SERVER_PORT} ^443$ 

# Only allow 6127
RewriteCond  %{SERVER_PORT} !^6127$

# forbidden
RewriteRule .* / [F]

4. Check firewall allows port 6127.

Note: There is nothing required to be done for /etc/httpd/conf/ips.conf

ACP

 

[wattie]

I am glad that I helped here

Important notice: anytime you upgrade apache or something related from Custombuild, it will do ./build rewrite_confs and this will effectively overwrite anything you did to the conf files. So check out the help pages how to add these changes permanent.

 

[ACPanda]

Hi wattie,

Thanks a lot and good to know, that custombuild stuff in advanced, which i think i will definitely hit that issue without your hint.

Lastly, a final modified .htaccess to still use the original DirectAdmin phpmyadmin link:

# Auto direct to https://domain.tld:6127/pma/index.php 

RewriteEngine on 

# Condition: disallow 80 or 443
# RewriteCond  %{SERVER_PORT} ^80$ [OR]
# RewriteCond  %{SERVER_PORT} ^443$ 

# Condition: Only allow 6127
RewriteCond  %{SERVER_PORT} !^2223$

# Rule 1: shows forbidden and die
# RewriteRule .* / [F]

# Condition redirect from: http://domain.tld/pma 
#                                     https://domain.tld/pma 
#                              To: https://domain.tld:6127/pma 

# Rule 2 : Redirect to port 6127 when user click the menu link
RewriteRule .* https://domain.tld:6127/pma [R=301,L]

# Note: Remember to open firewall for 6127

I am glad that I helped here

Important notice: anytime you upgrade apache or something related from Custombuild, it will do ./build rewrite_confs and this will effectively overwrite anything you did to the conf files. So check out the help pages how to add these changes permanent.