How to protect a directory on your Apache server

Posted on September 21, 2008 Categories: Search

Written by: Jan

Jan is an eccentric Slovakian SEO wizard. When he's not researching search, optimising sites, building inbound links, or working on content creation, he's a part-time professor, teaching PHP to his students at university.

Today I checked my server’s log files and found an attempt to access phpMyAdmin, so I decided to take steps to protect that directory. phpMyAdmin uses password protection to ensure that only authorized users can enter the area, but it’s an ordinary protection based upon HTML forms. So, to stop sending requests, I protected the directory itself. So let’s go quickly through what you should do when you want to protect a directory:

0) Log in via SSH (type “ssh IP_ADDRESS -l USERNAME”, where IP_ADDRESS is the IP address of your server and USERNAME is your login), and enter your password. You will probably also need to log in as root, so type “su” and enter the root password.

1) Find Apache’s httpd.conf, because this is the file you need to modify. If you’re a newbie, you may find this command very useful:

find / -name httpd.conf

It does what it says on the tin: it tries to find the file named httpd.conf on your server (the “/” is where the search starts; use another path if you know where to look).

2) When you know the path (say it’s /etc/httpd/conf), type this command:

cd /etc/httpd/conf

Once again, if your server’s installation is structured differently, you must use another path.

3) Now modify the file httpd.conf. Before you do so, back up the existing file. So type these two commands:

cp httpd.conf httpd.conf.old
nano httpd.conf

4) When you’re done, you should see the content of the httpd.conf file on your screen. Find this part of the source code:

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

The word “None” is bold because it means that options such as password-protected directories are not allowed. Feel free to replace that “None” with “All” or “AuthConfig”. “All” simply allows you to enable other features in the future, so I recommend it. That takes care of the default setting for .htaccess files. Scroll down and you should find something like:

AllowOverride None

Once again, modify that line to:

AllowOverride All

That is everything that needs changing in httpd.conf. Press CTRL-X and you should be asked to confirm the filename and overwrite. Type “y” or “yes” and press ENTER.

5) Now change the current directory to the directory you want to protect. Say that you want to do the same thing as I did, and that phpMyAdmin is installed in /usr/share/phpMyAdmin. So type this:

cd /usr/share/phpMyAdmin

If you want to protect another directory, simply use another path according to your server’s configuration and structure of directories. Now, the very important part. Type:

nano .htaccess

If the .htaccess file already exists, you must add/modify a few lines. But let’s assume that the file doesn’t exist, so add this piece of code here:

AuthName "Password restricted area"
AuthType Basic
AuthUserFile /usr/share/phpMyAdmin/.htpasswd
Require valid-user

Please note that the text in bold has to be modified for your setup. In any event, you have to specify the directory where the .htpasswd file is stored. It doesn’t necessarily have to exist at the moment.

If you already see an .htaccess file in the directory which you want to protect, make sure that the above-mentioned lines are not declared more than once.

When you’re done, press CTRL X and confirm the filename.

6) Now let’s create passwords and users. Type this:

htpasswd -cmb .htpasswd USER PASSWORD

Again, the bold text must be modified by you. USER is your username and PASSWORD is the password for the user. Just to be sure, after typing the above-mentioned command, type this:

nano .htpasswd

This should display some content. If it doesn’t, something went wrong.

7) Now, let’s test if the password protection really works. Type the URL into your browser. If you’re not asked for a password and login, you must restart httpd. This can be done easily by typing:

/etc/rc.d/init.d/httpd restart

If necessary, use find / -name httpd in order to find the httpd file.

After restart, the desired directory should be password protected.
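
A check you can run once the steps above are done, added here as an example and not part of the original post: it audits the .htaccess and .htpasswd pair from steps 5 and 6 for the mistakes this setup is prone to (curly quotes pasted from a web page, directives declared more than once, a relative AuthUserFile, an empty or malformed password file). The names audit_protected_dir and make_sample are hypothetical, and the sample password hash is a constructed placeholder.

```shell
#!/bin/sh
# audit_protected_dir DIR: check the .htaccess/.htpasswd pair from steps 5-6.
# Hypothetical helper (not an Apache tool); returns the number of problems.
audit_protected_dir() {
    ht="$1/.htaccess"; problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }
    [ -f "$ht" ] || { fail "no .htaccess in $1"; return "$problems"; }
    # Typographic quotes pasted from a web page are not valid config quoting.
    if grep -q -e '“' -e '”' "$ht"; then
        fail "curly quotes in $ht, use plain double quotes"
    fi
    # Each directive from step 5 must be declared exactly once.
    for d in AuthName AuthType AuthUserFile Require; do
        n=$(grep -ci "^[[:space:]]*$d[[:space:]]" "$ht" || true)
        [ "$n" -eq 1 ] || fail "$d declared $n times in $ht, expected 1"
    done
    # A relative AuthUserFile is resolved against ServerRoot, not this directory.
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    case $pw in
        /*) ;;
        "") return "$problems" ;;
        *)  fail "AuthUserFile '$pw' is not an absolute path"; return "$problems" ;;
    esac
    # Step 6 check: every line is user:hash, hash in apr1 (-m) or bcrypt form.
    if [ ! -s "$pw" ]; then
        fail "$pw is missing or empty"
    elif grep -Eqv '^[^:]+:\$(apr1|2y)\$' "$pw"; then
        fail "$pw has a line that is not user:hash in apr1 or bcrypt form"
    fi
    return "$problems"
}

# Constructed sample input: the step-5 .htaccess plus a password file whose
# hash is a made-up placeholder, written into directory $1.
make_sample() {
    printf '%s\n' 'AuthName "Password restricted area"' 'AuthType Basic' \
        "AuthUserFile $1/.htpasswd" 'Require valid-user' > "$1/.htaccess"
    printf '%s\n' 'jan:$apr1$SAMPLE00$constructedPlaceholderHash' > "$1/.htpasswd"
}

tmp=$(mktemp -d) && make_sample "$tmp" && audit_protected_dir "$tmp" \
    && echo "OK: sample in $tmp passes"
```

On the server, run it as audit_protected_dir /usr/share/phpMyAdmin (or whichever directory you protected). Once it reports no problems, an unauthenticated request to the protected URL should be answered with HTTP status 401.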
