phpMyAdmin does not, by default, do any checking of client IPs unless you configure it to do so. Therefore, anyone in the world can attempt to log in to your MySQL server via phpMyAdmin and brute-force their way in.
This is not an ideal situation: a database holds a lot of important information (passwords, usernames, emails, maybe even credit card details), and allowing any host to attempt a login is just asking for trouble…
If you only have a few users then this should be easy, but the approach can be adapted for more complex setups (say, if you want users to log in elsewhere to update their IP before they can log in to phpMyAdmin).
Now, I have a dynamic IP, so IP access control is only going to work until my IP changes, and by default phpMyAdmin does not allow you to specify a hostname in the AllowDeny directive of your configuration.
So, my router dynamically updates a hostname that points at my home IP. I can connect to my home network via VPN whenever I need to administer any of my services that are protected by a hostname/IP check, and phpMyAdmin is one service I want to protect this way.
The workaround for this is simple, but you’ll need a domain name, and one you can dynamically update (these are free if you don’t have your own domain name, try No-IP).
- First of all, ensure your IP is updating dynamically on whatever hostname you’ve specified, if it isn’t – fix that first.
- Open up config.inc.php in your phpMyAdmin directory and add the following section (after the line that says $i++):
```php
$cfg['Servers'][$i]['AllowDeny'] = array(
    'order' => 'explicit',
    'rules' => array(
        0 => 'allow % from 127.0.0.1/32',
        1 => 'allow % from ' . gethostbyname('host1.site.com') . '/32',
    ),
);
```
- For each of the hosts you wish to give access to, simply add an extra line, like so:
```php
        2 => 'allow % from ' . gethostbyname('host2.site.com') . '/32',
        3 => 'allow % from ' . gethostbyname('host3.site.com') . '/32',
        4 => 'allow % from ' . gethostbyname('host4.site.com') . '/32',
```
- Save the file and attempt to connect; if you’ve done it all correctly it should log in. To test the deny side, try logging in from somewhere else or connect to a VPN with a different exit IP.
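One caveat with the snippet above: PHP's gethostbyname() returns the hostname unchanged when the lookup fails, which silently yields a rule like 'allow % from host1.site.com/32' and locks that user out. The following is an added example, not code from the original post, that builds the same rules from a list of hostnames while validating each resolved address; the hostnames are placeholders and buildAllowRules() is a helper name chosen here.

```php
<?php
// Added example: build phpMyAdmin AllowDeny rules from dynamic-DNS hostnames.
// Drop this into config.inc.php after the line that says $i++.
// Note that the lookup runs on every request, so access now also depends on
// the DNS record being correct and the DNS account being kept secure.

/**
 * Return an array of 'allow % from <ip>/32' rules for the given hostnames,
 * always including the static addresses (localhost by default).
 * Hostnames that do not resolve to an IPv4 address are skipped and logged
 * instead of producing a bogus rule.
 */
function buildAllowRules(array $hostnames, array $staticIps = ['127.0.0.1']): array
{
    $rules = [];
    foreach ($staticIps as $ip) {
        $rules[] = 'allow % from ' . $ip . '/32';
    }
    foreach ($hostnames as $host) {
        $ip = gethostbyname($host);
        // gethostbyname() hands back the name itself on failure, so only
        // accept a genuine IPv4 address.
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            error_log("phpMyAdmin AllowDeny: could not resolve {$host}, skipping");
            continue;
        }
        $rules[] = 'allow % from ' . $ip . '/32';
    }
    return $rules;
}

// 'explicit' order: only hosts matched by an allow rule get in.
$cfg['Servers'][$i]['AllowDeny'] = array(
    'order' => 'explicit',
    'rules' => buildAllowRules([
        'host1.site.com', // placeholder dynamic-DNS names, replace with your own
        'host2.site.com',
    ]),
);
```

If a hostname stops resolving you will see the skipped entry in the PHP error log rather than an unexplained "Access denied" from phpMyAdmin.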