We already know how to install phpMyAdmin with LAMP stack on Ubuntu 20.04. Today, let us see how to install phpMyAdmin with LEMP stack on Ubuntu 20.04 LTS edition. We will then discuss a few security practices that help secure phpMyAdmin from common threats. First, make sure you have set up the LEMP stack on Ubuntu 20.04 as described in the following link.
After installing LEMP stack, install and secure phpMyAdmin as described in the following sections.
Install phpMyAdmin With LEMP Stack On Ubuntu 20.04 LTS
Run the following command to install phpMyAdmin from the Terminal:
$ sudo apt install phpmyadmin
In the next window, you will be prompted to select the web server that should be automatically configured to run phpMyAdmin. As you can see in the below screenshot, Nginx is not available in the web server list; only Apache and lighttpd are listed. So do not select any web server and just leave it blank. Choose OK and hit ENTER to continue:
phpMyAdmin requires a database installed and configured before it can be used. You can do this with dbconfig-common.
Choose Yes to configure database for phpmyadmin with dbconfig-common:
You need to provide a password for phpmyadmin to register with the MySQL database server. If password is not given, a random password will be generated.
Enter a strong password and hit ENTER to continue:
Re-enter password:
As of writing this guide, when I tried to set the password for phpmyadmin, the installer threw the following error:
An error occurred while installing the database:
mysql said: ERROR 1819 (HY000) at line 1: Your password does not satisfy the current policy requirements.
Your options are:
 * abort - Causes the operation to fail; you will need to downgrade, reinstall, reconfigure this package, or otherwise manually intervene to continue using it. This will usually also impact your ability to install other packages until the installation failure is resolved.
 * retry - Prompts once more with all the configuration questions (including ones you may have missed due to the debconf priority setting) and makes another attempt at performing the operation.
 * retry (skip questions) - Immediately attempts the operation again, skipping all questions. This is normally useful only if you have solved the underlying problem since the time the error occurred.
 * ignore - Continues the operation ignoring dbconfig-common errors. This will usually leave this package without a functional database.
This error occurs because we have enabled the VALIDATE PASSWORD component as described under the section titled "2.2 Change authentication method for MySQL root user" in the LEMP stack installation guide attached above.
To fix this issue, you need to temporarily disable the Validate Password component and re-enable it after setting the password for phpmyadmin. Click OK to close the above error message and choose "abort" to cancel the phpmyadmin installation.
Now log in to the MySQL prompt by running the following command:
$ mysql -u root -p
From the mysql prompt, run the following command to disable the Validate Password component:
mysql> UNINSTALL COMPONENT "file://component_validate_password";
Please note that the above command only disables the component; it does not remove it from the system, so you can enable it again later. Then type "exit" to leave the MySQL prompt.
mysql> exit
Now try installing phpmyadmin again using command:
$ sudo apt install phpmyadmin
Choose "Yes" and hit ENTER to configure database for phpmyadmin with dbconfig-common. This time phpmyadmin installation will work without any issues.
Once phpmyadmin is installed, re-enable the Validate Password component. To do so, log in to your MySQL prompt:
$ mysql -u root -p
From the mysql prompt, run the following command to re-enable the Validate Password component:
mysql> INSTALL COMPONENT "file://component_validate_password";
Type exit to quit from mysql prompt.
mysql> exit
Now create a symbolic link to configure Nginx web server to run phpmyadmin using command:
$ sudo ln -s /usr/share/phpmyadmin/ /var/www/html/phpmyadmin
This command will create a symlink named "phpmyadmin" under Nginx root directory. This symlink actually points to the /usr/share/phpmyadmin directory, where the actual files are stored.
Done! We have successfully installed PhpMyAdmin with LEMP stack.
Access phpMyAdmin Dashboard
Open your web browser and navigate to "http://IP-Address/phpmyadmin" from the address bar.
You should see the phpmyadmin login page. Enter the database user and its password:
You will be greeted with the phpMyAdmin dashboard.
From here, you can create, delete and manage databases.
Create dedicated user to access phpMyAdmin dashboard
Once phpMyAdmin is installed, a database user named 'phpmyadmin' will be automatically created with the administrative password you set during the installation. You can log in to the phpMyAdmin dashboard using the 'phpmyadmin' user or the mysql root user as shown above. However, it is recommended to create a dedicated user to manage databases via the phpMyAdmin web interface.
To do so, log in to the mysql shell using command:
$ mysql -u root -p
Enter your mysql root password. You will now be in mysql shell.
Enter the following command to create a new dedicated user for phpmyadmin:
mysql> CREATE USER 'phpmyadminuser'@'localhost' IDENTIFIED BY 'Password123#@!';
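Here, phpmyadminuser is the new user for accessing the phpMyAdmin dashboard, and its password is Password123#@!. Replace these values with your own.
Next, give the appropriate privileges to 'phpmyadminuser' using the command below. Note that ALL PRIVILEGES ON *.* WITH GRANT OPTION gives this account the same global privileges as root; if it only needs to manage particular databases, grant privileges on those databases instead: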
mysql> GRANT ALL PRIVILEGES ON *.* TO 'phpmyadminuser'@'localhost' WITH GRANT OPTION;
Finally exit from mysql shell:
mysql> exit
We have now created a dedicated user for managing the databases via the phpMyAdmin web interface. Let us go ahead and access the phpMyAdmin dashboard.
Open a web browser and navigate to "http://IP-Address/phpmyadmin". Enter the newly created database user and its password. Congratulations! You have logged in to the phpMyAdmin web dashboard with a dedicated user.
Secure phpMyAdmin
This section provides a few tips to secure the phpMyAdmin installation. Please note that the following steps alone cannot make phpMyAdmin 100% secure. However, they will at least slow down any attempt to break into your phpMyAdmin dashboard.
Disable MySQL root login to phpmyadmin dashboard
Allowing the mysql root user to access the phpMyAdmin dashboard is not safe, especially when managing databases over a network. This is why we created a dedicated user in the previous section. Since we already have a dedicated user, we can safely disable mysql root login to the phpMyAdmin dashboard to reduce the attack surface.
Generally, phpmyadmin is installed under /usr/share/phpmyadmin/ directory and its configuration files are stored in /etc/phpmyadmin directory.
Edit phpmyadmin config file:
$ sudo nano /etc/phpmyadmin/config.inc.php
Add/modify the following parameters:
[...]
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowRoot'] = FALSE;
[...]
Save and close the file.
Restart Nginx web server using command:
$ sudo systemctl restart nginx
Now try to log in to phpmyadmin as root user. You will get the Access denied error message:
Change phpmyadmin web interface URL
Probing the default /phpmyadmin URL is the most common tactic bots use to find phpMyAdmin installations. You can counter this by changing the URL to something hard to guess. Changing the phpMyAdmin URL keeps bots and automated scripts that scan for well-known URLs from finding the login page and launching brute-force attacks against it.
Remember we created a symbolic link called "phpmyadmin" under Nginx root directory?
$ ls -l /var/www/html/
total 8
-rw-r--r-- 1 root root 612 Jun 2 07:15 index.nginx-debian.html
-rw-r--r-- 1 root root 20 Jun 2 07:35 info.php
lrwxrwxrwx 1 root root 22 Jun 2 08:14 phpmyadmin -> /usr/share/phpmyadmin/
Here, phpmyadmin is the symlink that points to /usr/share/phpmyadmin directory.
We are going to change the symlink name using command:
$ sudo mv /var/www/html/phpmyadmin /var/www/html/ostechnix
Make sure the name contains random characters and is very difficult to guess.
From now on, whenever someone tries to access the phpMyAdmin page by navigating to the http://IP-Address/phpmyadmin URL, they will get the following error message:
This is because we changed the URL. The new URL to phpMyAdmin is http://IP-Address/ostechnix.
Password-protect phpMyAdmin Login page
We can add an extra layer of security by restricting access to the phpMyAdmin login page with the basic HTTP authentication method. That is, we enable password protection for the phpMyAdmin login page, so users have to enter an additional username/password before reaching the actual phpMyAdmin login page.
First, we need to generate a password file using the htpasswd utility. The htpasswd utility is part of the apache2-utils package. So let us install it using command:
$ sudo apt install apache2-utils
Now, create a password file (the password is stored hashed) with command:
$ sudo htpasswd -c /etc/nginx/.htpasswd ostechnix
Replace "ostechnix" with a username of your choice. Enter a strong password twice to generate the password file.
To view the contents of the newly generated file, use the "cat" command like below:
$ cat /etc/nginx/.htpasswd
You will see an output like below:
ostechnix:$apr1$Us9YABHL$CMPDIuHaOB2lK/DVIzA2C/
Next, we need to mention the path of the above password file in our Nginx default configuration file. If you followed our LEMP installation tutorial attached above, the default Nginx configuration should be /etc/nginx/sites-available/default.
Edit the default Nginx config file:
$ sudo nano /etc/nginx/sites-available/default
Add the following lines, under the "location" block:
[...]
location /ostechnix {
    auth_basic "Restricted Zone";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
[...]
Remember we have changed phpMyAdmin URL (http://IP-Address/ostechnix) in the previous step? That's why I have mentioned the block name as "ostechnix" in the above block. Replace it with your own. Save and close the file.
Check the Nginx configuration file for any syntax errors using command:
$ sudo nginx -t
Sample output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
If you don’t see any errors, restart the nginx service for the changes to take effect.
$ sudo systemctl restart nginx
Now try to access your phpMyAdmin URL from your browser. You will be prompted to enter a username and password:
Enter the username and password that you created earlier using the "htpasswd" utility. You will then be taken to the actual phpMyAdmin login page, where you can enter the database user and its password to log in to the phpMyAdmin web dashboard.
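One caveat with the location block used in this section, shown as an added example that is not part of the original article: Nginx prefers a matching regex location over a plain prefix location, so if the server block also contains the usual "location ~ \.php$" handler (assumed here, along with the PHP 7.4 FPM socket path), requests for .php files under /ostechnix never reach the auth_basic directive. The corrected block uses "^~" and a nested PHP handler so that the password prompt covers the PHP pages as well.

```nginx
# Added example, not from the original article.
# Assumed to exist already in the server block (typical LEMP PHP handler):
#
#   location ~ \.php$ {
#       include snippets/fastcgi-php.conf;
#       fastcgi_pass unix:/run/php/php7.4-fpm.sock;   # assumed socket path
#   }
#
# Weak form: /ostechnix/index.php matches the regex location above, which
# takes precedence over this prefix location and has no auth_basic.
#
#   location /ostechnix {
#       auth_basic "Restricted Zone";
#       auth_basic_user_file /etc/nginx/.htpasswd;
#   }

# Corrected form: "^~" makes Nginx skip regex locations for this prefix,
# and the nested PHP handler inherits auth_basic from the enclosing block.
location ^~ /ostechnix {
    auth_basic "Restricted Zone";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # Use the same fastcgi_pass value as your server-wide PHP handler.
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}
```

After restarting Nginx, a request for http://IP-Address/ostechnix/index.php sent without credentials should return 401 Unauthorized.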
3 comments
In every article on every linux/tech website, everyone ALWAYS uses the LAMP/LEMP stack. Why does everyone think/believe/whatever that MySQL or its stepchild Maria are the “go to” holier than holy DBs? How about some love for Postgres?
I really don’t know. I guess LAMP and LEMP are most commonly used stacks by many VPS providers. By the way, I will make a guide for PostgreSQL, MariaDB and other popular databases in future.
Thanks for sharing.