PhpMySQLadmin

Michael · January 8, 2019, 9:22pm

I am working on a project for a friend… isn’t that how all good stories start

He isn’t hugely technical and doesn’t have a fixed IP at home. The project he is building uses a mysql database, normally I would say mysqlworkbench firewalled with IP tables or a VPN to the server.

However, this could be a use case for PhpMySQLadmin. How secure is it if exposed to the internet, is there away to make it internet safe? It used to be that hosting providers used it so is it that bad?

Any alternatives?

Ballers unite!
Thanks

Razza · January 8, 2019, 10:03pm

I haven’t used phpMyAdmin for sometime, I cant remember it causing any security issues as to be able to access or change any data on the databases you would need to know a mysql user/pass anyway.

Andrei · January 8, 2019, 11:32pm

I wouldn’t keep it exposed directly to the Internet.

You could use something like: Access | Zero Trust Network Access

doghouch · January 9, 2019, 12:12am

This. Slap on HTTP Basic Auth and you should be good

Daniel · January 9, 2019, 7:15pm

I replied to this yesterday, but my comment seems to have gone missing. Hmm.

I have a VPN (using Tinc) between my servers, my desktop PC, and my laptop. For ‘internal’ / ‘private’ tools like phpMyAdmin, I usually make them accessible only over the VPN. You could use ZeroTier if you want something that’s easy to configure. It works well even if all PCs on your VPN have dynamic IPs. There’s a thread about it here: Zerotier - Great VPN App

phpmyAdmin is quite secure, but you don’t want to have to deal with people trying to brute force the password. You could install something like fail2ban and block people that try to brute force it, but I feel safer restricting it to the VPN only.

Wolveix · January 9, 2019, 7:17pm

Daniel · January 9, 2019, 7:18pm

Thanks! I must have missed that post.

mrclown · January 12, 2019, 11:29am

Instead of phpmyadmin, I would suggest adminer (1 page php file only, https://www.adminer.org/). You can kill it or configure/secure somewhere anytime too.

lucast · January 16, 2019, 4:15pm

You can setup recaptcha to phpmyadmin.

Btw, usually I prefeer https://www.heidisql.com
I really believe that you just need a strong password.
8 letters + numbers is almost impossible to brute force.

crotaphiticus · January 16, 2019, 4:52pm

Someone that it’s into security told me about some “services” that can precisely do that.
I imagine they have some farms with hash cat.
I’ve just seen some farms with 8x 1080ti s.

lucast · January 17, 2019, 12:12am

Is not like mining crypto, is completely different in this case.
No way to do many attempts with a internet connection, even trying in the same DC.
You need ~90 years to brute force a password, 1000 attempts per seconds in a 36^8(8 lettes+numbers) combination.
Its ridiculous, most of “brute force” in internet are just bad passwords like 12345.