PHPMyAdmin – MySQL administration page

The main admin page for MySQL is phpMyAdmin. It is secured through a local firewall of sorts in the form of the phpmyadmin.conf file. There are explicit “allow” and “deny” statements for IPs here. I was a firewall guy for many years and this is actually a great security method. Nice and simple. KISS!

Anyway, because of some limitations in Drupal regarding aggregated news items, I need to have access to the SQL DB itself. I could do this via SQL statements from the command line, but for what I need to do I need to see the tables and prefer a nice GUI. And phpMyAdmin is a pretty nice GUI. Since I have my Drupal servers (S, Q and Prod) secured via SSL, there is no issue with changing the security from deny to allow for any host other than localhost.

<Directory /usr/share/phpMyAdmin/>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        <RequireAny>
            Require ip 127.0.0.1
            Require ip ::1
        </RequireAny>
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        # Deny from All
        Allow from All
        Allow from 127.0.0.1
        Allow from ::1
    </IfModule>
</Directory>

This reflects the change that I made. Look at the # in front of the deny statement and the addition of the allow all statement. That’s all you need. BUT, make sure to have SSL enabled to protect your MySQL password.
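
A narrower variant of the same file, added here as an example and not the author's configuration: it keeps the deny-by-default rule, allows one admin network in addition to localhost, and refuses non-SSL requests at the directory level. The 203.0.113.0/24 network is a placeholder assumption; because Apache 2.4 evaluates only the mod_authz_core block and Apache 2.2 only the other one, the allowed addresses are listed in both.

```apache
# Added example, not the original phpmyadmin.conf.
# 203.0.113.0/24 is a placeholder for the network you administer from.
<Directory /usr/share/phpMyAdmin/>
    # Reject any request that did not arrive over SSL, so the MySQL
    # password is never sent over port 80. This is deliberately not wrapped
    # in <IfModule mod_ssl.c>: if mod_ssl is missing, Apache refuses to
    # start instead of silently serving the page without the check.
    SSLRequireSSL

    <IfModule mod_authz_core.c>
        # Apache 2.4: access is granted if any one of these matches
        <RequireAny>
            Require ip 127.0.0.1
            Require ip ::1
            Require ip 203.0.113.0/24
        </RequireAny>
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: deny everything first, then allow the listed sources
        Order Deny,Allow
        Deny from All
        Allow from 127.0.0.1
        Allow from ::1
        Allow from 203.0.113.0/24
    </IfModule>
</Directory>
```

Running `apachectl configtest` before reloading catches syntax errors in the edited file.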

SSL, Linux and you

Today I am going to place an SSL cert on my quality site and then, following change management BPs, my prod site.

I’ve worked with SSL for years in the corporate environment, and it is relatively easy to do, and simpler than a lot of people realize. You don’t need to spend four figures with VeriSign to leverage SSL. SSL can be free, and the only trade-off is that you’ll need to install the cert in your local store (not hard to do at all) so that your browser will recognize and trust it, or just deal with a message that the cert may not be valid because it doesn’t “chain” in the local store.

Here’s one good link:

http://slacksite.com/apache/webserver.php

http://wiki.centos.org/HowTos/Https – this is applicable to CentOS, which is what I am using in qual/prod

If you want to see all the certs in your local store, you can do it with the Certificates snap-in for the MMC on your Windows box. I won’t go into all the steps, but if someone has questions, post and I’ll help.

The bottom line is, use SSL. You don’t want to use a user name and password field over port 80. That is just inviting trouble. And even the cheap certs like DigiCert are fine. With VeriSign, you’re paying for a cert that will be recognized by as many browsers worldwide as possible. And you’re paying for their customer service, which is really good. If your site will be local to the US, buy a cheap cert and use it.