Still using phpMyAdmin? Let me extend my condolences. Here are two ways to protect Adminer by IP address on Nginx.

So what is Adminer? The official website words it better than we can: "Replace phpMyAdmin with Adminer and you will get a tidier user interface, better support for MySQL features, higher performance and more security...database management in a single PHP file."

This single file can be downloaded from the project website. To install it, simply drop it inside any web-accessible folder. In our case that is the public web directory served by nginx.

For the well seasoned, Adminer's built-in plugin extensions such as login-sqlite, login-table and others can provide equal or better security than the recommendations that follow. Further, proper security is not monolithic; it's best applied in layers that both overlap and are redundant. Security should be applied like a dense titanium onion, not a shield.

Adminer's greatest security feature is the ability to store a hashed password in your database, above and beyond the SQL database password. For a non-root user, or for a user who does not have the MariaDB permissions to create one, requiring that special password might be problematic. There is also the consideration that even a hashed password would be better stored outside a database that is accessible through the browser, which is the whole point of Adminer.

Firstly, you had better be using HTTPS and a certificate from Let's Encrypt to access Adminer, regardless of which plugin you use or don't use. If not, go get that done and then come back here. Sending passwords from a browser without encryption is a middleman's wet dream.

Then again, IPs can be spoofed right?

An IP can be spoofed in a number of ways, including tools from Kali Linux, through the router, inside an operating system like TAILS, with a VPN, and other methods we're sure commentators will educate us about. Truth be told, our black hat experience is well...classified!

Most moderate spoof attacks are blind spoofing, which requires the brute-force, strong-arm processing and DDoS methods your average script kiddies enjoy. Severe spoofing is called non-blind (= you're toast already) and relies on access to the physical network gained by some earlier means (email phishing, USB insertion, etc.). If you are being explicitly targeted for non-blind spoofs, brighter days are behind you my friend. I hope you disabled root and are using some kind of YubiKey-type device...?

To finally answer the question, in really oversimplified terms: any person with the ability to [blind] spoof your IP address can send requests, try to get (hopefully encrypted) packets, or try to initiate commands to and fro. It's like someone knocking on your locked front door, but they never have your hand to turn the key they supposedly possess.

Back to the Adminer IP whitelist tutorial!

The first and more robust method to protect the adminer.php file by IP is directly in your nginx configuration. For the uninitiated, this file resides in the /etc/nginx/sites-available/ folder on Ubuntu. It might be called default or be named after your domain or company. The rule would look something like the following:

# DENY ADMINER ACCESS EXCEPT SPECIAL
# allow/deny match the address of the TCP peer nginx sees. Behind a reverse proxy
# or CDN that peer is the proxy, so set_real_ip_from/real_ip_header
# (ngx_http_realip_module) must be configured first or the rule is meaningless.
location = /adminer.php {
    # SOME INTERNAL IP ADDRESSES (placeholders from the RFC 5737 documentation ranges)
    allow 192.0.2.10;
    allow 192.0.2.11;
    # ALTERNATIVE OFF-SITE IP ADDRESS
    allow 203.0.113.7;
    # NO ONE ELSE
    deny all;

    # NGINX RULES IF YOUR BROWSER DOWNLOADS BARE .PHP INSTEAD OF PROCESSING THEM
    try_files $uri $uri/ /index.php?$args;
    # the socket path must match the PHP-FPM version installed on the server
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}


The first two IP addresses are within your network. The third IP address should be an off-network location in case the primaries are unexpectedly changed or some other act of god stops them from functioning properly. The deny rule is self-explanatory.

The second section of the snippet is the magic juice that nginx needs to serve your adminer.php file. You may find you do not need the second section because your nginx file is already well crafted to serve raw php files rather than sending them as downloads in the browser.

So what if you can't access the nginx configuration file locations, don't have sudo privileges on the server to reload the nginx service with sudo service nginx restart or you are locked down to the public web directory?

More PHP to the rescue!

First, create a new PHP file named adminerIPwhitelist.php (or whatever matches your adminer.php name) containing the following:

<?php
/* BLOCK ALL BY IP */
// Placeholder addresses from the RFC 5737 documentation ranges; use your own.
$whitelist = array('192.0.2.10', '192.0.2.11', '203.0.113.7');
if (in_array($_SERVER['REMOTE_ADDR'], $whitelist, true)) {
    // Action for allowed IP Addresses: fall through and let adminer.php run
} else {
    // Action for all other IP Addresses: answer 403 and stop before Adminer loads
    http_response_code(403);
    echo '<p>You are not authorized to access this resource.</p>
<p>Your identifying information has been reported to MX Toolbox blacklist(s).</p>';
    echo "<p>IP Address: " . $_SERVER['REMOTE_ADDR'] . "</p>";
    exit;
}

Second, within your adminer.php file, enter this bit of code at the top, right below the <?php tag: require_once('adminerIPwhitelist.php'); You can fire up the Tor Browser to simulate a foreign visitor from outside your network and test your PHP. You will be confronted with the "not authorized" warning the script prints.


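A CIDR-aware version of that include, added here as an example (it is not the page's own script and not part of Adminer), assuming 64-bit PHP 7.1 or later and IPv4 clients; the file name adminerIPwhitelist.php follows the tutorial and the ranges are placeholders from the RFC 5737 documentation networks. It goes beyond the exact-match list above by accepting whole ranges and by honouring X-Forwarded-For only when the direct peer is a configured reverse proxy, since REMOTE_ADDR is the only value the server itself vouches for.

```php
<?php
// adminerIPwhitelist.php, CIDR-aware version (added example, not the page's
// script or Adminer's). Assumes 64-bit PHP 7.1+ and IPv4 clients.
declare(strict_types=1);

/** True when IPv4 $ip lies inside $cidr, given as "a.b.c.d" or "a.b.c.d/n". */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;                       // malformed input never matches
    }
    $mask = -1 << (32 - (int) $bits);       // 64-bit int keeps high bits set
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** True when $ip matches any whitelist entry. */
function ip_allowed(string $ip, array $whitelist): bool
{
    foreach ($whitelist as $entry) {
        if (ip_in_cidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is the only address the web server vouches for. X-Forwarded-For
// is honoured only when the direct peer is a trusted proxy; anyone can send it.
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && ip_allowed($remote, $trustedProxies)) {
        $hops = array_map('trim', explode(',', $xff));
        return (string) end($hops);         // the hop that proxy appended
    }
    return $remote;
}

// Placeholders from the RFC 5737 documentation ranges; substitute your own.
$whitelist      = ['192.0.2.0/24', '198.51.100.25', '203.0.113.7'];
$trustedProxies = [];                       // e.g. ['10.0.0.0/8'] behind a proxy
if (!ip_allowed(client_ip($_SERVER, $trustedProxies), $whitelist)) {
    http_response_code(403);
    exit('<p>You are not authorized to access this resource.</p>');
}
```

Leave $trustedProxies empty unless a reverse proxy really sits in front of nginx; with it empty the header is ignored entirely and only the socket peer address counts.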
You can use the nginx location block snippet to IP protect most any file served to a browser and the inline php operation to protect most any other file that is capable of executing php.

This will allow you to better protect your database administrative login by restricting it to your allowed IP range only. You should still use Adminer's hashed password approach as well. The next step could be to limit adminer access to a particular port. A further step would be to integrate something like Fail2ban to immediately block visits not in your IP whitelists. Better still would be to incorporate 2FA through the use of a mobile application like FreeOTP, etc.

gripfastistech.com gives back to the community, seeking to help others for free with battle-tested tips, tricks and tutorials like this one. If we give away our expertise for free, imagine what we can do for you as one of our clients! Contact us to know more, and be sure to subscribe to our blog through our RSS feed here.

About the Writer
Author: Chris Lessley
A server admin, dev ops warrior and website designer since 2002, Chris is a lover of all things Linux and open-source! Each blog topic has been tested by fire in the real world and shared with the hope to help others. Need more help? Hire me! Chris' other interests include fine art and the humanities in the classical tradition and can be found writing for our friends over at gripfastart.works. If you like this content, kindly consider donating to keep this website free to all, without ads.

