How To Restrict phpMyAdmin By IP Address

phpMyAdmin is a great, easy-to-use web admin interface for your MySQL databases. The one downside is that it can be a security threat. Many bots on the internet go looking for phpMyAdmin installed on web servers and then run automated attacks.

If you have logwatch installed, you may often see many failed attempts.





Example of phpMyAdmin attempts - Secure your phpmyadmin install by IP address



To add an extra layer of security, you can prevent anyone from accessing phpMyAdmin except from the IP addresses you define. We will be setting this up on an Ubuntu 11.04 Server.


Before we begin, we will need to know the IP address that you will be using to connect to phpMyAdmin. If the server you are going to be accessing is hosted or on another network you can use to find your external address. If your server is only being accessed from your internal network, you can use the following MixedUpEric articles on how to find your internal IP address.

How To Find Your IP Address On A Windows System

How To Find Your IP Address On A Linux System


Login to your server at the console or using SSH to connect to it remotely.

The file we will be editing is /etc/apache2/conf.d/phpmyadmin.conf. In this example I am going to use the command-line text editor nano to keep things simple. If you prefer to use another text editor like vim or emacs, feel free to do so.

sudo nano /etc/apache2/conf.d/phpmyadmin.conf



Edit /etc/apache2/conf.d/phpmyadmin.conf file with nano text editor



Enter your password



Enter your password so you can edit phpmyadmin.conf



Add the following code.

Note: Remove the "#" from the front of the third line and replace ENTER.YOUR.IP.ADDRESS with the IP address you wish to allow.


Order Allow,Deny
#Allow from ENTER.YOUR.IP.ADDRESS

For example, if I wanted to allow the IP address it would look like the following.

Add the IP addresses you wish to allow access to phpmyadmin

Save your changes by hitting CTRL + X to exit.

Enter Y to save changes.



In Nano Text editor hit CTRL + X to exit


Make sure the file name is /etc/apache2/conf.d/phpmyadmin.conf and hit enter to overwrite it. 



Confirm the name is correct and not a temp file. Then hit enter - File: /etc/apache2/conf.d/phpmyadmin.conf



Now let's restart Apache.

sudo /etc/init.d/apache2 restart



Restart apache with the following command /etc/init.d/apache2 restart



Now test it out. You can always remove or comment out your IP address to make sure it is blocked and then add it back in.


Here is an example if I try and access phpmyadmin from an IP address that is not added.



Example of being denied to phpmyadmin because IP address has not been added to the phpmyadmin.conf file



If the IP address has been added the user should see the login page. 



If the IP address was added to the allow list the user should see the login page for phpmyadmin
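
To check an allow list before restarting Apache, here is an added example (not from the original post) that models Apache 2.2-style `Order Allow,Deny` evaluation: a client is let in only if an active `Allow from` line matches, and a line still commented out with "#" is ignored. It assumes IPv4 specs only (full IP, partial IP, CIDR) and no `Deny from` lines; the sample config and addresses are constructed.

```python
import ipaddress

# Constructed sample: the article's snippet with example addresses filled in.
SAMPLE_CONF = """\
Order Allow,Deny
#Allow from ENTER.YOUR.IP.ADDRESS
Allow from 203.0.113.10
Allow from 192.168.1
Allow from 10.20.0.0/16
"""

def parse_allow_specs(conf_text):
    """Return the host specs from active (uncommented) 'Allow from' lines."""
    specs = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comment lines have no effect
        words = line.split()
        if len(words) >= 3 and [w.lower() for w in words[:2]] == ["allow", "from"]:
            specs.extend(words[2:])
    return specs

def spec_to_network(spec):
    """Convert a full IP, partial IP (e.g. 192.168.1) or CIDR spec to a network."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if len(octets) < 4:  # a partial IPv4 address covers the whole subnet
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    return ipaddress.ip_network(spec)  # single host (/32)

def is_allowed(conf_text, client_ip):
    """Order Allow,Deny with no Deny lines: allowed only if an Allow spec matches."""
    client = ipaddress.ip_address(client_ip)
    for spec in parse_allow_specs(conf_text):
        if spec.lower() == "all":
            return True
        try:
            if client in spec_to_network(spec):
                return True
        except ValueError:
            continue  # hostnames and env= specs are outside this sketch
    return False  # default for Order Allow,Deny is to deny

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "192.168.1.77", "10.20.5.5"):
        print(ip, "allowed" if is_allowed(SAMPLE_CONF, ip) else "denied")
```

If every `Allow from` line is still commented out, `is_allowed` returns False for all clients, which is the lockout you would see after forgetting to remove the "#".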



If you are looking for another layer of security for your web server check out OSSEC.
