# running phpMyAdmin on a secret port number



## beesatmsu (Apr 27, 2010)

It works fine when I specify a port number for phpMyAdmin to run on (say 8888), but the "problem" is that all my other virtual hosts on the same machine respond to that port number.

In other words, http://server1.com:888 and http://server10.com:888 all point to the phpMyAdmin page, which defeats the purpose of the secret port number, since now you have 10 hosts responding to the port...

I tried "listen myphp.xxx.com:8888", and it does not help -- other hosts still respond to 8888.

The only way I can do it is to waste another IP and specify (listen 1.2.3.4:888), with all the other virtual hosts using a different IP...

There should be a way to make it so that only myphpadmin.xxx.com:888 responds correctly?


----------



## rhyous (Apr 28, 2010)

Well, yes, this is due to the fact that Apache does not really care which URL you hit as much as the IP address.  You are either open on port 888 for your IP address or you are not.

Apache only sends URLs somewhere different if you have a virtual host specified.  So if you configure a separate virtual host for those pages, you could create a simple page for each site on port 888 that redirects them back to the regular port 80 version of the site.

There is always a default site though.  If DNS returns an IP address for a site, and no virtual host is configured, the default page for that IP is displayed.

I guess if you have control over your DNS you could configure DNS entries for those other URLs that are invalid.


----------
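
rhyous's explanation is the key point: `Listen` binds a socket to an IP address and port (a hostname given to `Listen` is only resolved to an address to bind, which is why `Listen myphp.xxx.com:8888` changes nothing), and Apache then chooses among the virtual hosts declared for that IP:port by the request's Host header, with the first one declared acting as the default for everything that does not match. So the secret hostname can be made to work on a shared IP by giving the extra port a default virtual host that refuses every request. The configuration below is an added example by the editor, not from any poster in this thread; it assumes Apache 2.2 with mod_authz_host, and the hostnames, port and paths are placeholders.

```apache
# Added example (not from the thread). Apache 2.2 syntax; hostnames, port and
# paths are placeholders.
Listen 8888
NameVirtualHost *:8888

# The first <VirtualHost> for *:8888 is the default: it answers every Host
# header that matches no later ServerName, so make it refuse everything.
<VirtualHost *:8888>
    ServerName default.invalid
    DocumentRoot /usr/local/www/empty
    <Directory /usr/local/www/empty>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# Only requests whose Host header is myphpadmin.xxx.com reach phpMyAdmin.
<VirtualHost *:8888>
    ServerName myphpadmin.xxx.com
    DocumentRoot /usr/local/www/phpMyAdmin
    <Directory /usr/local/www/phpMyAdmin>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# Check from another machine, using the server's real IP in place of 1.2.3.4:
#   curl -sI -H 'Host: server1.com'        http://1.2.3.4:8888/   -> HTTP/1.1 403
#   curl -sI -H 'Host: myphpadmin.xxx.com' http://1.2.3.4:8888/   -> HTTP/1.1 200
```

The check is also the caveat: anyone who scans the IP and sends the right Host header gets in, so, as SirDice says below, the port and hostname are not a secret worth relying on; they only reduce noise in front of real authentication.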



## anomie (Apr 28, 2010)

@beesatmsu: Instead of playing with port numbers, I would recommend that you alias your phpMyAdmin app to, e.g., /padmin. And then require HTTP digest authentication for /padmin. It'll act as an extra / outer layer of security.


----------



## beesatmsu (Apr 29, 2010)

rhyous, thanks for explaining it.

anomie, thanks. I will investigate that.  It is just that phpMyAdmin can so easily wipe out a table that I was scared.


----------



## SirDice (Apr 29, 2010)

Your changed port will not be 'secret' for very long. Never rely on security through obscurity.


----------



## beesatmsu (Apr 29, 2010)

Thanks to SirDice... I found out what digest authentication is about, but not about /padmin. Is there a link somewhere?


----------



## anomie (Apr 30, 2010)

beesatmsu said:

> about /padmin, is there a link somewhere?



The /padmin alias was an arbitrary, example name I chose. 

Assuming you're running Apache web server, check out the Alias directive. Next, see Directory and (possibly) Location.


----------



## beesatmsu (Apr 30, 2010)

anomie, thanks.

I of course did not use phpmyadmin; instead I used xxx.mydomain.com, but I still do not want someone to guess it. So right now it is xxx.mydomain.com:yyyy. Maybe I can limit it to a few IPs accessing this URL.

Are there things one can do to phpMyAdmin, or other protected directories in general, to limit how many times one can fail at a login and then time out (much like here on this forum; once I tried 3 times and had to wait for 15 min)?


----------



## anomie (Apr 30, 2010)

OK, so you put it in a VirtualHost container. I'd recommend forcing it to go over SSL as well, even if you need to create a self-signed cert to do the job. (That is my opinion.)

You can protect your alias (or virtualhost, in your case) with HTTP digest authentication. Any users that want to access phpMyAdmin will need to know the "biguser/EXCELLENT%.%pass" credentials. Once they're through that, they are presented with the phpMyAdmin login page, where you've enabled phpMyAdmin's cookie authentication. Of course, they'll need valid MySQL credentials to log in there. 

To answer your question: I don't know about an automatic lockout mechanism after n failed logins off the top of my head. Use strong passwords, and monitor your logs.


----------
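
Putting anomie's layered advice together (the `Alias` to an arbitrary path, HTTP digest authentication on that directory, SSL forced for the whole host, phpMyAdmin's own cookie authentication behind it) plus beesatmsu's idea of limiting access to a few IPs, the following is one complete Apache 2.2 configuration. It is an added example by the editor, not configuration posted in the thread; module names are real, but the hostname, realm, user name, paths and the 192.0.2.0/24 allow list are placeholders.

```apache
# Added example (not from the thread). Assumes Apache 2.2 with mod_alias,
# mod_auth_digest, mod_authz_host and mod_ssl loaded; hostname, realm, user,
# paths and the allowed network are placeholders.

# Create the digest password file once (the realm must equal AuthName below):
#   htdigest -c /usr/local/etc/apache22/padmin.digest "phpMyAdmin outer" biguser

# Plain HTTP never serves phpMyAdmin; it only sends the client to https.
<VirtualHost *:80>
    ServerName xxx.mydomain.com
    Redirect permanent / https://xxx.mydomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName xxx.mydomain.com
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/apache22/ssl/xxx.mydomain.com.crt
    SSLCertificateKeyFile /usr/local/etc/apache22/ssl/xxx.mydomain.com.key

    # Outer layer: /padmin is an arbitrary name mapped onto the app directory.
    Alias /padmin /usr/local/www/phpMyAdmin
    <Directory /usr/local/www/phpMyAdmin>
        AuthType Digest
        AuthName "phpMyAdmin outer"
        AuthDigestProvider file
        AuthUserFile /usr/local/etc/apache22/padmin.digest
        Require valid-user

        # Source-address restriction on top of the password; with
        # "Satisfy all" a client must pass both checks.
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
        Satisfy all
    </Directory>
</VirtualHost>

# Inner layer, in phpMyAdmin's own config.inc.php (PHP, shown here as a comment):
#   $cfg['blowfish_secret'] = '<random string>';      # required for cookie auth
#   $cfg['Servers'][$i]['auth_type'] = 'cookie';       # MySQL credentials asked per session
```

Check the layers one at a time with curl from an allowed and a non-allowed address: `curl -sI http://xxx.mydomain.com/padmin/` should answer 301 to https, `curl -skI https://xxx.mydomain.com/padmin/` should answer 401 with a `WWW-Authenticate: Digest` header, and only `curl -sk --digest -u biguser https://xxx.mydomain.com/padmin/` from inside 192.0.2.0/24 should reach the phpMyAdmin login page.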
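
On beesatmsu's lockout question and anomie's answer to "monitor your logs": Apache 2.2 has no built-in failed-login counter, but every rejected digest attempt is logged as a 401 in the access log, so the brute forcing can at least be seen and the offending addresses blocked by hand or by a firewall rule. The script below is an added example by the editor, not from the thread; it reads a combined-format access log on stdin and reports clients with at least N 401 responses under the protected path. The log lines in it are constructed sample data, not real traffic.

```sh
#!/bin/sh
# Added example (not from the thread): report clients that keep failing HTTP
# authentication on the protected path, from an Apache combined-format
# access log read on stdin. Threshold, path and the sample lines are placeholders.

# failed_auth_report THRESHOLD PREFIX  <  access_log
# Prints "count ip" for each client with at least THRESHOLD responses of
# status 401 on request paths starting with PREFIX, highest count first.
failed_auth_report() {
    threshold="${1:-5}"
    prefix="${2:-/padmin}"
    awk -v thr="$threshold" -v pre="$prefix" '
        # combined format: ip ident user [time zone] "METHOD path proto" status bytes ...
        # so $1 is the client address, $7 the request path and $9 the status.
        $9 == 401 && index($7, pre) == 1 { n[$1]++ }
        END {
            for (ip in n)
                if (n[ip] >= thr) printf "%d %s\n", n[ip], ip
        }
    ' | sort -rn
}

# Constructed sample log (not real traffic): one client hammering /padmin,
# one legitimate user who mistyped once, one 401 on an unrelated path.
failed_auth_report 5 /padmin <<'EOF'
198.51.100.7 - - [30/Apr/2010:10:00:01 +0000] "GET /padmin/ HTTP/1.1" 401 481 "-" "curl/7.19"
198.51.100.7 - - [30/Apr/2010:10:00:02 +0000] "GET /padmin/ HTTP/1.1" 401 481 "-" "curl/7.19"
198.51.100.7 - - [30/Apr/2010:10:00:03 +0000] "GET /padmin/ HTTP/1.1" 401 481 "-" "curl/7.19"
198.51.100.7 - - [30/Apr/2010:10:00:04 +0000] "GET /padmin/ HTTP/1.1" 401 481 "-" "curl/7.19"
198.51.100.7 - - [30/Apr/2010:10:00:05 +0000] "GET /padmin/ HTTP/1.1" 401 481 "-" "curl/7.19"
192.0.2.10 - - [30/Apr/2010:10:01:00 +0000] "GET /padmin/ HTTP/1.1" 401 481 "-" "Mozilla/5.0"
192.0.2.10 - biguser [30/Apr/2010:10:01:05 +0000] "GET /padmin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Apr/2010:10:02:00 +0000] "GET /index.html HTTP/1.1" 401 481 "-" "curl/7.19"
EOF
```

Against the sample data this prints only `5 198.51.100.7`; the legitimate user's single mistake and the 401 outside `/padmin` are ignored. A cron job running it over the last rotation of the log (or `tail` of the live file) and feeding the addresses into a firewall table is the closest thing to the forum-style lockout beesatmsu asked for that Apache alone offers, with the caveat that a ban keyed on source address also locks out anyone sharing that address.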

