Phpmysqladmin


#1

I am working on a project for a friend… isn’t that how all good stories start

He isn’t hugely technical and doesn’t have a fixed IP at home. The project he is building uses a mysql database, normally I would say mysqlworkbench firewalled with IP tables or a VPN to the server.

However, this could be a use case for php mysql admin. How secure is it if exposed to the internet, is there away to make it internet safe? It used to be that hosting providers used it so is it that bad?

Any alternatives?

Ballers unite!
Thanks


#2

I haven’t used phpMyAdmin for sometime, I cant remember it causing any security issues as to be able to access or change any data on the databases you would need to know a mysql user/pass anyway.


#3

I wouldn’t keep it exposed directly to the Internet.

You could use something like: https://www.cloudflare.com/products/cloudflare-access/


#4

This. Slap on HTTP Basic Auth and you should be good :slight_smile:


#5

I replied to this yesterday, but my comment seems to have gone missing. Hmm.

I have a VPN (using Tinc) between my servers, my desktop PC, and my laptop. For ‘internal’ / ‘private’ tools like phpMyAdmin, I usually make them accessible only over the VPN. You could use ZeroTier if you want something that’s easy to configure. It works well even if all PCs on your VPN have dynamic IPs. There’s a thread about it here: Zerotier - Great VPN App

phpmyAdmin is quite secure, but you don’t want to have to deal with people trying to brute force the password. You could install something like fail2ban and block people that try to brute force it, but I feel safer restricting it to the VPN only.


#6

#7

Thanks! I must have missed that post.


#8

Like others have started here I’d argue that PHPMyAdmin is relatively safe and there should be no major security problems as long as you keep it up to date.

Though that to be said, you could put it behind basic http auth and make it even more secure.


#9

Instead of phpmyadmin, I would suggest adminer (1 page php file only, https://www.adminer.org/). You can kill it or configure/secure somewhere anytime too.


#10

You can setup recaptcha to phpmyadmin.

Btw, usually I prefeer https://www.heidisql.com
I really believe that you just need a strong password.
8 letters + numbers is almost impossible to brute force.


#11

Someone that it’s into security told me about some “services” that can precisely do that.
I imagine they have some farms with hash cat.
I’ve just seen some farms with 8x 1080ti s.


#12

Is not like mining crypto, is completely different in this case.
No way to do many attempts with a internet connection, even trying in the same DC.
You need ~90 years to brute force a password, 1000 attempts per seconds in a 36^8(8 lettes+numbers) combination.
Its ridiculous, most of “brute force” in internet are just bad passwords like 12345.