How to Install and Secure phpMyAdmin in CentOS / RHEL 8?

PhpMyAdmin is an open-source web-based graphical tool written in PHP to manage MySQL or MariaDB database. In this post, I will show you how to install and secure phpMyAdmin on a CentOS 8 / RHEL 8 server.

Why use phpMyAdmin?

Through this web interface, you can perform all the typical operations like managing databases, tables, columns, relations, indexes, users, permissions, etc, while also able to execute any SQL statement directly.

PhpMyAdmin has well-maintained documentation with support for 72 languages (including both Right-to-left and Left-to-right languages).

Apart from all the basic functions like managing databases, tables, columns, relations etc. phpMyadmin also offers a wide range of features to the administrators.

Features of phpMyAdmin:

• Intuitive and user-friendly web interface.
• Browse and drop databases and tables.
• Create, copy, drop, rename and alter databases.
• Create, copy, drop, rename and alter tables.
• Alter fields and indexes.
• Perform database and table maintenance.
• Execute, edit or bookmark any SQL statement.
• Execute multiple queries.
• Manage user-account and privileges.
• Import data from CSV and SQL.
• Export data to various formats: CSV, SQL, XML, PDF, Spreadsheet, Word.
• Administer multiple servers.
• Search globally in a database or a subset of it.
• Creating graphics of database layouts in various formats.
• Transform stored data into any format using a set of predefined functions. (for example, displaying BLOB-data as image or download-link)
• And many other great features.

Pre-Requisites to install phpMyAdmin on CentOS 8 / RHEL 8

• LAMP Stack installed and running on CentOS 8 or RHEL 8

Check the following post, if you have not setup LAMP stack yet.

How to Install LAMP stack in CentOS 8 / RHEL 8?

• You will need root Access or sudo privileges to follow this post.

• Basic Linux Knowledge.

Install phpMyAdmin on CentOS 8 / RHEL 8

Before we proceed to install phpMyAdmin on CentOS / RHEL, it is recommended to update software packages.

sudo dnf update

1. Let start the installation process by downloading the latest version of PhpMyAdmin from its official site phpmyadmin.net using the wget command:

wget https://files.phpmyadmin.net/phpMyAdmin/5.0.2/phpMyAdmin-5.0.2-all-languages.zip

As of writing this post, the latest version of PhpMyAdmin is 5.0.2. You can go to phpmyadmin.net to get the latest version available.

2. Extract the zip file you just downloaded using unzip command.

unzip phpMyAdmin-5.0.2-all-languages.zip

3. Move the extracted files to /usr/share/phpmyadmin directory.

sudo mv phpMyAdmin-5.0.2-all-languages /usr/share/phpmyadmin

4. Change directory to /usr/share/phpmyadmin

cd /usr/share/phpmyadmin

5. Rename the sample configuration file to config.inc.php

sudo mv config.sample.inc.php config.inc.php

6. Open the config.inc.php using any text editor of your choice. I am using Nano command line text editor.

sudo nano config.inc.php

Find the line that states:

$cfg['blowfish_secret'] = ' ';

Now, you have to create a password that is 32 chars long. Either type 32 random characters or use the following command:

date +%s | sha256sum | base64 | head -c 32 ; echo

This above command will generate a 32 chars long random text, which you can use for cookie auth in phpmyadmin.

$cfg['blowfish_secret']= 'password_here';

Replace password_here with the password you created.

Save and exit the file. (In Nano editor use Ctrl+o to save and Ctrl+x to exit Nano editor.)

7. Import the create_tables.sql using the following command:

sudo mysql < /usr/share/phpmyadmin/sql/create_tables.sql -u root -p

8. Create a tmp directory under /usr/share/phpmyadmin

mkdir /usr/share/phpmyadmin/tmp

9. Change the ownership of the /usr/share/phpmyadmin directory to “apache” user.

sudo chown -R apache:apache /usr/share/phpmyadmin

Also, give necessary permission to tmp directory we created before:

sudo chmod 777 /usr/share/phpmyadmin/tmp

Configure Apache for PhpMyAdmin

1. Create a new phpmyadmin configuration file for Apache.

sudo nano /etc/httpd/conf.d/phpmyadmin.conf

2. Add the following lines to the file.

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin/>
   AddDefaultCharset UTF-8
   <IfModule mod_authz_core.c>
     # Apache 2.4 
     <RequireAny>
      Require all granted
     </RequireAny>
    </IfModule>
    <IfModule !mod_authz_core.c>
      # Apache 2.2
      Order Deny,Allow
      Deny from All
      Allow from 127.0.0.1
      Allow from ::1
    </IfModule>
</Directory>

<Directory /usr/share/phpmyadmin/setup/>
   <IfModule mod_authz_core.c>
     # Apache 2.4
     <RequireAny>
       Require all granted
     </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 127.0.0.1
     Allow from ::1
   </IfModule>
</Directory>

3. Save and Exit the file and restart httpd service for the changes to take effect.

sudo systemctl restart httpd

4. Check httpd service status.

sudo systemctl status httpd

Configure SELinux and Firewall

SELinux Stands for Security-Enhanced Linux. It is a set of kernel modifications that improve security.

Let’s configure SELinux to avoid security policies interfering with phpmyadmin.

1. Install the necessary software package.

sudo dnf install policycoreutils-python-utils

2. Run the following commands to configure SELinux for phpmyadmin directories.

sudo semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/phpmyadmin/'

sudo semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/phpmyadmin/tmp(/.*)?"

sudo restorecon -Rv '/usr/share/phpmyadmin/'

Let’s also configure firewall rules to avoid any interruptions.

1. Add new firewall rules for http and https, by running the command:

sudo firewall-cmd --permanent --zone=public --add-service=http

sudo firewall-cmd --permanent --zone=public --add-service=https

2. Reload the firewall for the changes to take effect.

sudo firewall-cmd --reload

Access phpMyAdmin from sub-directory

You can access phpMyAdmin from sub-directory by default.

Type “phpmyadmin” preceding with your server’s IP address or domain name in your web browser to access phpMyAdmin.

http://server-ip-address-or-domain-name/phpmyadmin

Configure VirtualHost for PhpMyAdmin

If you want to run phpmyadmin from a sub-domain, then follow the below procedure to create a virtual host for PhpMyAdmin.

1. Open the phpmyadmin.conf that you created when configuring apache for phpmyadmin.

sudo nano /etc/httpd/conf.d/phpmyadmin.conf

2. Add the following lines to the beginning of the file.

<VirtualHost *:80>
ServerName pma.example.com
DocumentRoot /usr/share/phpmyadmin
ErrorLog /var/log/httpd/pma-error.log
CustomLog /var/log/httpd/pma-access.log combined

Replace example.com with your domain name.

3. Add closing virtualhost tag to the end of the file.

</VirtualHost>

4. Run the following command to check for syntax errors.

httpd -t

The above command should return “Syntax OK”.

5. Restart httpd service.

sudo systemctl restart httpd

Don’t forget to configure DNS records for the subdomain to work. DNS propagation may take up to 24 hrs.

Go to your newly created subdom­­­­ain to access phpmyadmin.

http://subdomain.domain-name

Secure PhpMyAdmin on CentOS 8 / RHEL 8

PhpMyAdmin is always a target for hackers as it manages the database of a server, so if you are managing database remotely or over the internet, then it’s highly recommended to secure phpMyAdmin after installing it on CentOS / RHEL server.

Disable Root Login for PhpMyAdmin

If any unauthorized person managed to get root access, he/she will have access to every database on the server.

It will be a good security measure to create different users to manage different databases on the server.

To disable root access via phpmyadmin follow the steps:

1. Open the config.inc.php file.

sudo nano /usr/share/phpmyadmin/config.inc.php

2. Make sure these lines are in that file and “AllowRoot” is set to false. If not then add these lines:

/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowRoot'] = false;

Save and Close the file.

2. Restart httpd service

sudo systemctl restart httpd

Now, try logging in using the root account of the database from phpMyAdmin interface.

You’ll get access denied.

Now, to create users to manage database:

3. Login to MySQL root via terminal and create a different user for each database.

mysql -u root -p

CREATE USER 'rahul'@'localhost' IDENTIFIED BY 'secretpassword';

GRANT ALL PRIVILEGES ON websiteone.* to 'rahul'@'localhost';

Replace “rahul”, “secretpassword” and “websiteone” with your username, password and database name respectively.

Check if the new user can access the database by logging into PHPMyAdmin interface.

Create different users for different databases and use them to manage the database remotely.

Allow from Specific IP

It would be a great idea to allow the phpMyAdmin interface from a specific IP address.

To allow from specific IP follow the steps:

1. Open the phpmyadmin.conf for editing.

sudo nano /etc/httpd/conf.d/phpmyadmin.conf

2. Find all the lines that state:

Require all granted

3. Replace with

Require ip specific_ip_address
Require ip 127.0.0.1
Require ip ::1

Replace “specific_ip_address” with an actual IP address you want to allow.

4. Save and close the file and restart httpd service.

sudo systemctl restart httpd

Password Protect PhpMyAdmin Interface

Only allow authorized users to access the phpMyAdmin interface using authentication. You can block unauthorized users even from accessing PHPMyAdmin web-page or subdomain.

To add password protection to the phpmyadmin page, follow the steps below.

1. Create a directory in a secure location. I am creating a directory named phpmyAdmin in /etc.

sudo mkdir /etc/phpmyadmin

2. Use “htpasswd” command to create a username and password for authentication when accessing the password-protected page (phpMyAdmin page in this case) and store the generated file in /etc/phpmyadmin directory.

sudo htpasswd -c /etc/phpmyadmin/.htpasswd rahul

Replace “rahul” with your desired username. If you want to add additional users, then run the command again without -c and with a different username:

sudo htpasswd /etc/phpmyadmin/.htpasswd seconduser

-c creates a new htpasswd file.

Only use -c when you are running htpasswd command for the first time otherwise it will overwrite the existing htpasswd file.

3. Edit the phpmyadmin.conf file to only allow authorised users to access phpMyAdmin page.

sudo nano /etc/httpd/conf.d/phpmyadmin.conf

Add the following lines below – “AddDefaultCharset UTF-8”

AllowOverride None
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user

4. Save and close the file and restart the httpd service for the changes to take effect.

sudo systemctl restart httpd

Test Everything

Finally, test if everything is working correctly by going to phpMyAdmin web interface.

If you have enabled the password authentication then you should see an authentication dialog for accessing the interface. This means the password protection we enabled previously is working.

After providing the correct authentication details, you will be able to access the phpMyAdmin interface.

If you have allowed phpMyAdmin from specific IP address, then try to access phpMyAdmin from any other IP other than allowed IP to check if the IP restriction is working properly.

Conclusion

That’s it! You have successfully installed and secured phpMyAdmin on CentOS 8/ RHEL 8. Now, login to phpMyAdmin and enjoy managing database from the web.