
Lock PMA to preapproved IPs

Comments

5 comments

  • SamuelM
    Hello @GoWilkes. Assuming you are using the version of phpMyAdmin that is provided by cPanel, cPHulk can be used to protect it. You can in fact specify IP ranges for cPHulk and not just single IP addresses. You would need to use CIDR notation to add IP ranges to cPHulk's whitelist or blacklist. For example, 192.168.1.0/24 represents IP addresses 192.168.1.1 through 192.168.1.254. For more documentation on whitelisting IP addresses in cPHulk please see this article:
    0
  • GoWilkes
    But that would be server-wide, right? Not for the one site? That complicates things, I wouldn't know the IP ranges for every client... especially those that use a mobile device. My own site is different, I can restrict it tightly and understand, but a client wouldn't be the same.
    0
  • SamuelM
    Yes, that is correct, the cPHulk whitelist applies server-wide. Note that phpMyAdmin access is restricted to port 2083 and is tied to the cPanel username and password. If you suspect that there is unauthorized access to phpMyAdmin, I recommend you reset the affected cPanel user's password.
    0
  • GoWilkes
    I did change all of my passwords, but the next day they were right back in there! I know they don't have root access because I DO get an email for that, but somehow they're getting into PMA. I found that they were adding an Adsense script to everything, trying to divert my Adsense earnings to their account! I reported it to Adsense, so they'll probably do something in the next year or so :-/ I'm assuming there's no built-in way to restrict it, so I wrote my own .htaccess that seems to be working. Posted here for future readers:

        RewriteCond %{REQUEST_URI} /(?:phpMyAdmin|cpanel|frontend)/ [NC,OR]
        RewriteCond %{SERVER_PORT} ^2083$ [OR]
        RewriteCond %{REQUEST_URI} /(?:whm|configserver)/ [NC,OR]
        RewriteCond %{SERVER_PORT} ^2087$
        # where "123.45.x.x" represents my pre-approved IP
        RewriteCond %{REMOTE_ADDR} !^123\.45\.
        RewriteRule ^ - [F]
    0
  • cPanelChris
    Hello @GoWilkes, I am not aware of any built-in method for restricting phpMyAdmin access specifically. Thank you for providing your solution. Regarding the repeated unauthorized access to phpMyAdmin, you may want to contact a security professional or system administrator to look into this further. One possibility that occurs to me is that the email account associated with the cPanel account has been compromised and is being used to perform password resets. cPanel does not provide security or general system administration services, but we do have a listing of system administrators
    0
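
Added example, not part of any post in this thread: a small audit that applies the CIDR allowlist idea discussed above to access-log lines, listing phpMyAdmin requests that came from outside the pre-approved ranges. The ranges, the username, the sample log lines and the assumption that the log uses common/combined log format are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: pre-approved ranges in CIDR notation (placeholder values).
APPROVED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.7/32")]

# Assumption: common/combined log format, i.e.
# client-ip ident user [timestamp] "METHOD path protocol" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)'
)
PMA_RE = re.compile(r"/phpMyAdmin/", re.IGNORECASE)


def is_approved(ip_text):
    """True if ip_text parses as an IP address inside an approved range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field: treat as not approved
    return any(ip in net for net in APPROVED)


def unapproved_pma_hits(lines):
    """Count phpMyAdmin requests per (ip, user) from outside the allowlist."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not PMA_RE.search(m.group("path")):
            continue  # malformed line or not a phpMyAdmin request
        if not is_approved(m.group("ip")):
            hits[(m.group("ip"), m.group("user"))] += 1
    return hits


# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    '192.168.1.20 - exampleuser [10/Jan/2024:09:15:02 -0500] "GET /cpsess0000000000/3rdparty/phpMyAdmin/index.php HTTP/1.1" 200 0',
    '198.51.100.23 - exampleuser [10/Jan/2024:03:41:10 -0500] "POST /cpsess0000000000/3rdparty/phpMyAdmin/index.php HTTP/1.1" 200 0',
    '198.51.100.23 - exampleuser [10/Jan/2024:03:41:55 -0500] "GET /cpsess0000000000/3rdparty/phpmyadmin/sql.php HTTP/1.1" 200 0',
    '198.51.100.99 - exampleuser [10/Jan/2024:03:50:00 -0500] "GET /cpsess0000000000/frontend/index.html HTTP/1.1" 200 0',
    "not a log line",
]

if __name__ == "__main__":
    for (ip, user), count in unapproved_pma_hits(SAMPLE_LOG).most_common():
        print(f"{ip} as {user}: {count} phpMyAdmin request(s) outside the allowlist")
```

The per-user count also shows which cPanel account the unapproved requests authenticated as, which is the account whose password and contact email should be reviewed first.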
