Solutions to the unsafe phpmyadmin directory: 1. Modify the phpMyAdmin directory name; 2. Add user authentication to the phpMyAdmin directory; 3. Add host-based access control
Solution to the unsafe phpmyadmin directory:
1. Modify the phpMyAdmin directory name:
Do not modify the directory name, it is easy for others to gain insight into the directory name, causing security risks. For example, assuming the domain name of a Linux host is: Client Validation, then without changing the directory name, enter: Client Validation in the address bar and you will enter the phpMyAdmin management program. Therefore, if you rename the phpMyAdmin directory to a directory that is not easy for others to know, such as mynameadmin, then when you manage your own database, you only need to type: Client Validation to manage the database through the browser. (Note: The phpMyAdmin directory name will still be used below. If the directory name has been changed, just rename phpMyAdmin to the new directory name.)
2. Add user authentication to the phpMyAdmin directory:
This is a commonly used method when many websites require user verification. In this way, when the user browses and enters the directory for the first time, a prompt window will appear, prompting the user to enter the user name and password for verification. This is done by using The standard mod_auth
module of Apache Server is implemented. The specific operation method is as follows:
1. Edit the Apache Server configuration file with VI and make sure that the following two sentences are not commented in the file. If these two sentences If there is a "#" symbol before the words, remove the "#" symbol.
DocumentRoot /data/web/apache/public/htdocs AccessFileName . htaccess AllOerride All
2. The passwd program creates a user file:
htpasswd - c /data/web/apache/secrects/.htpasswd 88998
Among them, -c
indicates the option to tell htpasswd that you want to generate a new user file. /data/web/apache/secrects/
is the directory where you want to store the .htpasswd
file. The file name is .htpasswd
, 88998
It is the user name used during verification. After typing the above command, the system prompts you to enter the password. This password is the password needed for verification. The password is encrypted in the .htpasswd file. Now use more to view the /data/web/apache/secrects/.htpasswd file. You can see that there is a line of username and a string of encrypted passwords.
3. Create the .htaccess
file:
Use a text editor to create the .htaccess file in the directory phpMyAdmin (if it has been renamed, it will be the new directory name), Add the following statement to the file:
AuthName "用户验证" AuthType Basic AuthUserFile /data/web/apache/public/htdocs/phpMyAdmin/.htpasswd require user 88998
After saving the operations, go to the phpMyAdmin directory and a verification window will be prompted. Enter the username and password you just created with the htpasswd command. Enter this directory.
3. Add host-based access control:
After modifying the directory name and adding an access verification mechanism, it should be said that the current phpMyAdmin is very safe. , but since the phpMyAdmin directory is generally only used by database administrators, in order to prevent others from knowing the directory name and verification password, you can also add the following host-based access control. Host-based access is achieved by verifying the user's machine IP, that is, only Only IPs that meet the conditions can query the directory, otherwise access is denied.
Modify.htaccess
The file is as follows:
AuthName "用户验证" AuthType Basic AuthUserFile /data/web/apache/public/htdocs/phpMyAdmin/.htpasswdrequire user 88998 order deny,allow deny from all allow from 202.100.222.80
Three host-based access control instructions are added here. The value of the first order instruction is a list separated by a comma. This The list indicates which command has higher priority. The second command deny defines the hosts that cannot access the directory. The third command allow defines the hosts that can access the directory. In this way, the directory except the IP address 202.100.222.80 Except for the machine that can access this directory, no one else can access it. Readers can use this address as the user database administrator IP.
Summary: By combining the above three points, the security of the phpMyAdmin directory can be well ensured. It will be difficult for non-database administrators to read data through the phpMyAdmin program. What we are talking about here is for the phpMyAdmin directory. If you need to add access restrictions to other directories, you can also follow this method.
Related tutorial recommendations: phpmyadmin
The above is the detailed content of What should I do if the phpmyadmin directory is not secure?. For more information, please follow other related articles on the PHP Chinese website!