Secure phpMyAdmin- Setup HTTPS (SSL Certificates)

Secure phpMyAdmin series;
1-What is PLEASE_READ_XMG Ransomware
2-Update phpMyAdmin.
3-Change phpMyadmin Default Login Path.
4-Authentication Gateway for phpMyAdmin (Upcoming).
5-Install HTTPS (SSL Certificates) to Secure phpMyAdmin login.
6-Change MariaDB Default Port (Upcoming).
6-Clean PLEASE_READ.WARNING (Upcoming).

if you don’t want to expose your credentials, sniff the HTTP traffic between a client machine and the server to detect login using the database root user’s credentials. To begin sniffing traffic, we typed the following commands and press Enter:

# yum install tcpdump tcpdump port http -l -A | egrep -i

# ‘pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ‘ –line-buffered -B20

It will take some time to display if the username and password have been sent over the wire in plain text format.To avoid this, let’s secure the login page with a certificate.  To do this, install mod_ssl package on CentOS based distributions.

# yum install mod_ssl

Create a directory to store the key and certificate:

# mkdir /etc/apache2/ssl    [On Debian/Ubuntu based systems]
# mkdir /etc/httpd/ssl      [On CentOS based systems]

Create the key and certificate:

----------- On Debian/Ubuntu based systems ----------- 
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

----------- On CentOS based systems ----------- 
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt

Sample Output;

........................+++
.....................................................+++
writing new private key to '/etc/httpd/ssl/apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Punjab
Locality Name (eg, city) [Default City]:Lahore
Organization Name (eg, company) [Default Company Ltd]:Lambdasols
Organizational Unit Name (eg, section) []:Operations
Common Name (eg, your name or your server's hostname) []:srv1-host
Email Address []:admin@XXXXXXXXX.com

Next, verify key and certificate.

# cd /etc/apache2/ssl/   [On Debian/Ubuntu based systems]
# cd /etc/httpd/ssl/     [On CentOS based systems]
# ls -l

total 8
-rw-r--r--. 1 root root 1424 Sep  7 15:19 apache.crt
-rw-r--r--. 1 root root 1704 Sep  7 15:19 apache.key

In Debian/Ubuntu, make sure that Apache is listening on port 443 for the default site 
(/etc/apache2/sites-available/000-default.conf) and add the 3 SSL-related lines inside the VirtualHost declaration:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

n CentOS based distributions, tell Apache to listen on port 443 and look for the Listen directive in /etc/httpd/conf/httpd.conf and add the above lines below it.

SSLEngine on SSLCertificateFile /etc/httpd/ssl/apache.crt SSLCertificateKeyFile /etc/httpd/ssl/apache.key

Save changes, load the SSL Apache module on Debian/Ubuntu distributions (in CentOS this is loaded automatically when you installed mod_ssl earlier):

# a2enmod ssl

Force phpmyadmin to use SSL, make sure the following line is present in /etc/phpmyadmin/config.inc.php or /etc/phpMyAdmin/config.inc.php file:

$cfg['ForceSSL'] = true;

and restart the web server:

# systemctl restart apache2   [On Debian/Ubuntu based systems]
# systemctl restart httpd     [On Debian/Ubuntu based systems]

Next, launch your web browser and type https://<ip address>/phpMyAdmin(learn how to change PhpMyAdmin login URL)

Important: Please note that it is only saying that the connection is not secure because we are using a self-signed certificate. Click on Advanced and confirm the security exception. After confirming the security exception, and before login in, let’s start sniffing HTTP and HTTPS traffic:

# tcpdump port http or port https -l -A | egrep -i ‘pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ‘ –line-buffered -B20

Then login using the same credentials as earlier. The traffic sniffer will only capture gibberish at best: