- Brief description about MySQL
- How to install MySQL on Linux (Ubuntu)
- Create a demo database and a user
- Install phpMyAdmin and configuration in
- Restrict phpMyAdmin access to users
Brief description about MySQL
Database plays a major role in any application whether web or mobile. So it is one of the main tasks to secure our database.
There are many databases in the market today like, Oracle, MySQL, MongoDB etc.
In this article we are going to talk about MySQL.
MySQL is the world’s most popular open-source database. It has become the leading database choice for web-based applications, used by high-profile web properties including Facebook, Twitter, YouTube, Yahoo! and many more.
We can access the database via terminal, but the terminal is always not comfortable to work with. Specially if we have a lots of data.
To access the database developers often use 2 of the most popular choice
- MySQL Workbench, which is a desktop application
- phpMyAdmin is a web application.
How to install MySQL on Linux (Ubuntu)
Here we will run a few commands as super user to install packages. So make sure you have the rights to run
sudo apt install apache2
Here we need to install a few packages. As phpMyAdmin is a PHP application we need to install PHP with two of its extensions and one Apache plugin
sudo apt install php php-mbstring php-mysql libapache2-mod-php
After installing these packages, we need to restart the Apache server
sudo systemctl restart apache2
To verify if PHP has been installed and running on the server. Please create a php file in
/var/www/html the directory with
<?php phpinfo(); ?> in it. And try to access the file from your browser.
It should show a PHP info page.
sudo apt install mysql-server
RECOMMENDED: After installing the server, run
mysql_secure_installation. It is a MySQL plugin that ensures, to have a strong password for the users. This step is not covered in this article. But you can read about it here.
As you are a super user, you will be able to login to MySQL shell using
After login to the shell its time to create a user and assign all privileges.
CREATE USER 'demo'@'localhost' IDENTIFIED BY 'nKsKCvyVBhba';
Now lets give all privileges to this user. (In a production application you should give only the required permissions)
GRANT ALL PRIVILEGES ON *.* TO 'demo'@'localhost';
After running this command you should be able to login with these credentials
mysql -u demo -p
and enter the password
sudo apt install phpmyadmin
After installation of phpMyAdmin you need to add the Apache configuration file of phpMyAdmin to the main apache.conf. So open the apache.conf using
And at the end of the file append the path of phpMyAdmin apache.conf file, which is
After adding this line restart apache. And access your IP or domain with phpmyadmin url.
You should see the phpMyAdmin login page.
Here you can login with the user credentials we created a few minutes back.
Now, anyone can access your phpMyAdmin URL and hackers can do brute force attacks on this page. They will try to log in with every default credential they have in their database.
The first step you can take to prevent hackers to access the login page is not use the default url which is phpmyadmin. Currently, my phpMyAdmin looks like this
After making the changes my phpMyAdmin looks like this, look at the URL.
You can set the url anything you want. So if you have changed the url with a string only you know. Hackers won’t even find the login page. So you have prevented almost 70% of the attack.
But how did we do this. Let me tell you.
We need to open the apache2.conf file in /etc/phpmyadmin directory with the following command
There you will see on the third line
Alias /phpmyadmin /usr/share/phpmyadmin
Here instead of
/phpmyadmin you can write any string you want. After making the changes restart the apache server. Now you can access the page from the browser.
Securing phpMyAdmin one step further
After accessing the site you can easily log in with the MySQL users credentials. But now we will add another layer of security to even showing the login page. Let’s see how it looks
Using this method, the user will be asked to give username and password to view the login page of phpMyAdmin
So how did we achive this
Here we have used Authentication method of Apache. You can read about it here.
Goto /etc/phpmyadmin and run the following command
sudo htpasswd -c filename admin
admin is the username and hit enter and enter your password
You can keep this file anywhere on the system.
Next goto /usr/share/phpmyadmin
And create a .htaccess file and put these configs
AuthType Basic AuthName "Restricted Data" AuthUserFile /etc/phpmyadmin/filename Require valid-user
And close the file, then you shold see the basic authentication popup.