On Aug 21, 2009, at 5:47 PM, "Gregory P. Ennis" PoMec@PoMec.Net wrote:
On Fri, Aug 21, 2009 at 5:31 PM, Ray Van Dolsonrayvd@bludgeon.org wrote:
Nope, but you can take steps to prevent (or make it more difficult) for people that shouldn't be accessing it from accessing it.
Apache allow from, etc... basic authentication, make sure you're using HTTPS and selinux.
Along these lines (following up here, though it's mostly to the OP), you may also want to look at your php.ini for some hardening as well. The default php.ini ships with allow_url_fopen enabled, which tells php to treat remote files like they're local. In some cases this is needed, but I really consider it a huge security hole, and if disabling doesn't break your website, I would suggest you do so.
Jim,
Great suggestion. Thank you!!!!!
You weren't the only one who had phpmyadmin used to exploit their server.
There was a thread not too long back of another who's server was hacked through some phpmyadmin script injection exploit.
For everyone who reads this:
Do Not run phpmyadmin on a forward facing server!
It is for behind the firewall only! And even then to restricted users over SSL protected by password.
-Ross