An earlier version of this tutorial was written by Brennan Bearnes.
该教程的早期版本由Brennan Bearnes编写 。
介绍 (Introduction)
While many users need the functionality of a database management system like MySQL, they may not feel comfortable interacting with the system solely from the MySQL prompt.
尽管许多用户需要像MySQL这样的数据库管理系统的功能,但他们可能不满意仅从MySQL提示符与系统进行交互。
phpMyAdmin was created so that users can interact with MySQL through a web interface. In this guide, we’ll discuss how to install and secure phpMyAdmin so that you can safely use it to manage your databases on an Ubuntu 18.04 system.
创建了phpMyAdmin ,以便用户可以通过Web界面与MySQL进行交互。 在本指南中,我们将讨论如何安装和保护phpMyAdmin,以便您可以安全地使用它来管理Ubuntu 18.04系统上的数据库。
先决条件 (Prerequisites)
Before you get started with this guide, you need to have some basic steps completed.
在开始使用本指南之前,您需要完成一些基本步骤。
First, we’ll assume that your server has a non-root user with sudo privileges, as well as a firewall configured with ufw, as described in the initial server setup guide for Ubuntu 18.04.
首先,我们假定您的服务器具有一个具有sudo特权的非root用户,以及一个配置了ufw的防火墙,如Ubuntu 18.04初始服务器设置指南中所述。
We’re also going to assume that you’ve completed a LAMP (Linux, Apache, MySQL, and PHP) installation on your Ubuntu 18.04 server. If this is not completed yet, you can follow this guide on installing a LAMP stack on Ubuntu 18.04.
我们还将假设您已经在Ubuntu 18.04服务器上完成了LAMP(Linux,Apache,MySQL和PHP)安装。 如果尚未完成,则可以按照本指南在Ubuntu 18.04上安装LAMP堆栈 。
Finally, there are important security considerations when using software like phpMyAdmin, since it:
最后,使用诸如phpMyAdmin之类的软件时,需要考虑一些重要的安全性考虑,因为它:
- Communicates directly with your MySQL installation 与您MySQL安装直接通信
- Handles authentication using MySQL credentials 使用MySQL凭证处理身份验证
- Executes and returns results for arbitrary SQL queries 执行并返回任意SQL查询的结果
For these reasons, and because it is a widely-deployed PHP application which is frequently targeted for attack, you should never run phpMyAdmin on remote systems over a plain HTTP connection. If you do not have an existing domain configured with an SSL/TLS certificate, you can follow this guide on securing Apache with Let’s Encrypt on Ubuntu 18.04. This will require you to register a domain name, create DNS records for your server, and set up an Apache Virtual Host.
由于这些原因,并且由于它是经常被攻击的广泛使用PHP应用程序,因此您永远不要通过纯HTTP连接在远程系统上运行phpMyAdmin。 如果您没有使用SSL / TLS证书配置的现有域,则可以按照本指南在Ubuntu 18.04上使用Let's Encrypt来保护Apache 。 这将要求您注册一个域名 , 为您的服务器创建DNS记录 ,并设置一个Apache虚拟主机 。
Once you are finished with these steps, you’re ready to get started with this guide.
完成这些步骤后,即可开始使用本指南。
第1步-安装phpMyAdmin (Step 1 — Installing phpMyAdmin)
To get started, we will install phpMyAdmin from the default Ubuntu repositories.
首先,我们将从默认的Ubuntu存储库中安装phpMyAdmin。
This is done by updating your server’s package index and then using the apt packaging system to pull down the files and install them on your system:
这是通过更新服务器的软件包索引,然后使用apt打包系统来拉下文件并将它们安装在系统上来完成的:
- sudo apt update sudo apt更新
- sudo apt install phpmyadmin php-mbstring php-gettext 须藤apt install phpmyadmin php-mbstring php-gettext
This will ask you a few questions in order to configure your installation correctly.
这将问您几个问题,以便正确配置您的安装。
Warning: When the prompt appears, “apache2” is highlighted, but not selected. If you do not hit SPACE to select Apache, the installer will not move the necessary files during installation. Hit SPACE, TAB, and then ENTER to select Apache.
警告:出现提示时,“Apache2的”突出显示,但未被选中。 如果未按SPACE键选择Apache,则安装程序将在安装过程中不移动必要的文件。 点击SPACE , TAB ,然后按ENTER选择Apache。
For the server selection, choose
apache2对于服务器选择,选择
apache2Select
Yeswhen asked whether to usedbconfig-commonto set up the database当询问是否使用
dbconfig-common设置数据库时,选择“Yes- You will then be asked to choose and confirm a MySQL application password for phpMyAdmin 然后将要求您选择并确认phpMyAdminMySQL应用程序密码。
The installation process adds the phpMyAdmin Apache configuration file into the /etc/apache2/conf-enabled/ directory, where it is read automatically. The only thing you need to do is explicitly enable the mbstring PHP extension, which you can do by typing:
安装过程将phpMyAdmin Apache配置文件添加到/etc/apache2/conf-enabled/目录中,在该目录中将自动读取该文件。 您唯一需要做的就是显式启用mbstring PHP扩展,您可以通过键入以下内容进行操作:
- sudo phpenmod mbstring 须藤phpenmod mbstring
Afterwards, restart Apache for your changes to be recognized:
之后,重新启动Apache以使您的更改被识别:
- sudo systemctl restart apache2 sudo systemctl重新启动apache2
phpMyAdmin is now installed and configured. However, before you can log in and begin interacting with your MySQL databases, you will need to ensure that your MySQL users have the privileges required for interacting with the program.
phpMyAdmin现在已安装并配置。 但是,在登录并开始与MySQL数据库进行交互之前,需要确保MySQL用户具有与程序进行交互所需的特权。
第2步-调整用户身份验证和特权 (Step 2 — Adjusting User Authentication and Privileges)
When you installed phpMyAdmin onto your server, it automatically created a database user called phpmyadmin which performs certain underlying processes for the program. Rather than logging in as this user with the administrative password you set during installation, it’s recommended that you log in as either your root MySQL user or as a user dedicated to managing databases through the phpMyAdmin interface.
将phpMyAdmin安装到服务器上后,它将自动创建一个名为phpmyadmin的数据库用户,该用户将对该程序执行某些基础过程。 建议不要以root用户MySQL或专用于通过phpMyAdmin界面管理数据库的用户身份登录,而不是使用在安装过程中设置的管理密码以此用户身份登录。
为MySQL根帐户配置密码访问 (Configuring Password Access for the MySQL Root Account)
In Ubuntu systems running MySQL 5.7 (and later versions), the root MySQL user is set to authenticate using the auth_socket plugin by default rather than with a password. This allows for some greater security and usability in many cases, but it can also complicate things when you need to allow an external program — like phpMyAdmin — to access the user.
在运行MySQL 5.7(及更高版本)的Ubuntu系统中,默认情况下,MySQL 根用户设置为使用auth_socket插件而不是使用密码进行身份验证。 在许多情况下,这可以提高安全性和可用性,但是当您需要允许外部程序(例如phpMyAdmin)访问用户时,也会使事情复杂化。
In order to log in to phpMyAdmin as your root MySQL user, you will need to switch its authentication method from auth_socket to mysql_native_password if you haven’t already done so. To do this, open up the MySQL prompt from your terminal:
为了以root用户MySQL身份登录phpMyAdmin,您需要将其身份验证方法从auth_socket到mysql_native_password如果尚未这样做)。 为此,请从终端打开MySQL提示符:
- sudo mysql 须藤MySQL
Next, check which authentication method each of your MySQL user accounts use with the following command:
接下来,使用以下命令检查每个MySQL用户帐户使用的身份验证方法:
- SELECT user,authentication_string,plugin,host FROM mysql.user; 选择用户,authentication_string,插件,主机from mysql.user;
Output
+------------------+-------------------------------------------+-----------------------+-----------+
| user | authentication_string | plugin | host |
+------------------+-------------------------------------------+-----------------------+-----------+
| root | | auth_socket | localhost |
| mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password | localhost |
| debian-sys-maint | *8486437DE5F65ADC4A4B001CA591363B64746D4C | mysql_native_password | localhost |
| phpmyadmin | *5FD2B7524254B7F81B32873B1EA6D681503A5CA9 | mysql_native_password | localhost |
+------------------+-------------------------------------------+-----------------------+-----------+
5 rows in set (0.00 sec)
In this example, you can see that the root user does in fact authenticate using the auth_socket plugin. To configure the root account to authenticate with a password, run the following ALTER USER command. Be sure to change password to a strong password of your choosing:
在此示例中,您可以看到root用户实际上使用auth_socket插件进行了身份验证。 要将根帐户配置为使用密码进行身份验证,请运行以下ALTER USER命令。 确保将password更改为您选择的强密码:
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';
ALTER USER'root'@'localhost'由mysql_native_password标识为' password ';
Then, run FLUSH PRIVILEGES which tells the server to reload the grant tables and put your new changes into effect:
然后,运行FLUSH PRIVILEGES ,告诉服务器重新加载授权表并使新更改生效:
- FLUSH PRIVILEGES; 冲洗特权;
Check the authentication methods employed by each of your users again to confirm that root no longer authenticates using the auth_socket plugin:
再次检查每个用户使用的身份验证方法,以确认root不再使用auth_socket插件进行身份验证:
- SELECT user,authentication_string,plugin,host FROM mysql.user; 选择用户,authentication_string,插件,主机from mysql.user;
Output
+------------------+-------------------------------------------+-----------------------+-----------+
| user | authentication_string | plugin | host |
+------------------+-------------------------------------------+-----------------------+-----------+
| root | *DE06E242B88EFB1FE4B5083587C260BACB2A6158 | mysql_native_password | localhost |
| mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password | localhost |
| debian-sys-maint | *8486437DE5F65ADC4A4B001CA591363B64746D4C | mysql_native_password | localhost |
| phpmyadmin | *5FD2B7524254B7F81B32873B1EA6D681503A5CA9 | mysql_native_password | localhost |
+------------------+-------------------------------------------+-----------------------+-----------+
5 rows in set (0.00 sec)
You can see from this output that the root user will authenticate using a password. You can now log in to the phpMyAdmin interface as your root user with the password you’ve set for it here.
您可以从此输出中看到root用户将使用密码进行身份验证。 现在,您可以使用您在此处设置的密码以root用户身份登录phpMyAdmin界面。
为专用MySQL用户配置密码访问 (Configuring Password Access for a Dedicated MySQL User)
Alternatively, some may find that it better suits their workflow to connect to phpMyAdmin with a dedicated user. To do this, open up the MySQL shell once again:
另外,有些人可能会发现它更适合他们的工作流程,以便与专用用户连接到phpMyAdmin。 为此,请再次打开MySQL Shell:
- sudo mysql 须藤MySQL
Note: If you have password authentication enabled, as described in the previous section, you will need to use a different command to access the MySQL shell. The following will run your MySQL client with regular user privileges, and you will only gain administrator privileges within the database by authenticating:
注意:如果已启用密码验证,如上一节所述,则需要使用其他命令来访问MySQL Shell。 以下内容将以常规用户权限运行您MySQL客户端,并且您将仅通过身份验证在数据库内获得管理员权限:
- mysql -u root -p mysql -u root -p
From there, create a new user and give it a strong password:
从那里,创建一个新用户并为其设置一个强密码:
CREATE USER 'sammy'@'localhost' IDENTIFIED BY 'password';
创建用户' sammy '@'localhost'由' password '标识;
Then, grant your new user appropriate privileges. For example, you could grant the user privileges to all tables within the database, as well as the power to add, change, and remove user privileges, with this command:
然后,授予您的新用户适当的特权。 例如,您可以使用以下命令向数据库内的所有表授予用户特权,以及添加,更改和删除用户特权的能力:
GRANT ALL PRIVILEGES ON *.* TO 'sammy'@'localhost' WITH GRANT OPTION;
将所有特权授予*。*到' sammy '@'localhost'并带有格randint选项;
Following that, exit the MySQL shell:
之后,退出MySQL Shell:
- exit 出口
You can now access the web interface by visiting your server’s domain name or public IP address followed by /phpmyadmin:
现在,您可以通过访问服务器的域名或公共IP地址(后跟/phpmyadmin来访问Web界面:
http://your_domain_or_IP/phpmyadminLog in to the interface, either as root or with the new username and password you just configured.
以root用户身份或使用刚配置的新用户名和密码登录到界面。
When you log in, you’ll see the user interface, which will look something like this:
登录时,您将看到用户界面,该界面类似于以下内容:
Now that you’re able to connect and interact with phpMyAdmin, all that’s left to do is harden your systems security to protect it from attackers.
现在您可以连接phpMyAdmin并与之交互,剩下要做的就是增强系统安全性,以保护其免受攻击者的侵害。
步骤3 —保护您的phpMyAdmin实例 (Step 3 — Securing Your phpMyAdmin Instance)
Because of its ubiquity, phpMyAdmin is a popular target for attackers, and you should take extra care to prevent unauthorized access. One of the easiest ways of doing this is to place a gateway in front of the entire application by using Apache’s built-in .htaccess authentication and authorization functionalities.
由于phpMyAdmin无处不在,因此它是攻击者的首选目标,因此应格外小心,以防止未经授权的访问。 最简单的方法之一是使用Apache内置的.htaccess身份验证和授权功能将网关放置在整个应用程序的前面。
To do this, you must first enable the use of .htaccess file overrides by editing your Apache configuration file.
为此,必须首先通过编辑Apache配置文件来启用.htaccess文件覆盖。
Edit the linked file that has been placed in your Apache configuration directory:
编辑已放置在Apache配置目录中的链接文件:
- sudo nano /etc/apache2/conf-available/phpmyadmin.conf 须藤纳米/etc/apache2/conf-available/phpmyadmin.conf
Add an AllowOverride All directive within the <Directory /usr/share/phpmyadmin> section of the configuration file, like this:
在配置文件的<Directory /usr/share/phpmyadmin>部分中添加AllowOverride All指令,如下所示:
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
AllowOverride All
. . .When you have added this line, save and close the file.
添加此行后,保存并关闭文件。
To implement the changes you made, restart Apache:
要实现您所做的更改,请重新启动Apache:
- sudo systemctl restart apache2 sudo systemctl重新启动apache2
Now that you have enabled .htaccess use for your application, you need to create one to actually implement some security.
既然已经为应用程序启用了.htaccess使用,则需要创建一个以实际实现某种安全性。
In order for this to be successful, the file must be created within the application directory. You can create the necessary file and open it in your text editor with root privileges by typing:
为了使此操作成功,必须在应用程序目录中创建文件。 您可以创建必需的文件,并通过输入以下内容以root用户权限在文本编辑器中将其打开:
- sudo nano /usr/share/phpmyadmin/.htaccess 须藤纳米/usr/share/phpmyadmin/.htaccess
Within this file, enter the following information:
在此文件中,输入以下信息:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-userHere is what each of these lines mean:
这些行的含义如下:
AuthType Basic: This line specifies the authentication type that you are implementing. This type will implement password authentication using a password file.AuthType Basic:此行指定要实现的身份验证类型。 此类型将使用密码文件实现密码验证。AuthName: This sets the message for the authentication dialog box. You should keep this generic so that unauthorized users won’t gain any information about what is being protected.AuthName:设置身份验证对话框的消息。 您应该保留此通用名称,以便未经授权的用户不会获得任何有关受保护内容的信息。AuthUserFile: This sets the location of the password file that will be used for authentication. This should be outside of the directories that are being served. We will create this file shortly.AuthUserFile:这将设置用于身份验证的密码文件的位置。 这应该在正在提供的目录之外。 我们将很快创建此文件。Require valid-user: This specifies that only authenticated users should be given access to this resource. This is what actually stops unauthorized users from entering.Require valid-user:这指定仅应向经过身份验证的用户授予对此资源的访问权限。 这实际上是阻止未经授权的用户进入的原因。
When you are finished, save and close the file.
完成后,保存并关闭文件。
The location that you selected for your password file was /etc/phpmyadmin/.htpasswd. You can now create this file and pass it an initial user with the htpasswd utility:
您为密码文件选择的位置是/etc/phpmyadmin/.htpasswd 。 现在,您可以创建此文件,并使用htpasswd实用程序将其传递给初始用户:
sudo htpasswd -c /etc/phpmyadmin/.htpasswd username
须藤htpasswd -c /etc/phpmyadmin/.htpasswd 用户名
You will be prompted to select and confirm a password for the user you are creating. Afterwards, the file is created with the hashed password that you entered.
系统将提示您选择并确认要创建的用户的密码。 然后,使用您输入的哈希密码创建文件。
If you want to enter an additional user, you need to do so without the -c flag, like this:
如果要输入其他用户,则需要不带 -c标志,例如:
sudo htpasswd /etc/phpmyadmin/.htpasswd additionaluser
须藤htpasswd的/etc/phpmyadmin/.htpasswd additionaluser
Now, when you access your phpMyAdmin subdirectory, you will be prompted for the additional account name and password that you just configured:
现在,当您访问phpMyAdmin子目录时,将提示您输入刚刚配置的其他帐户名和密码:
https://domain_name_or_IP/phpmyadminAfter entering the Apache authentication, you’ll be taken to the regular phpMyAdmin authentication page to enter your MySQL credentials. This setup adds an additional layer of security, which is desireable since phpMyAdmin has suffered from vulnerabilities in the past.
输入Apache身份验证后,将带您到常规phpMyAdmin身份验证页面输入MySQL凭据。 此设置增加了一层额外的安全性,这是可取的,因为phpMyAdmin过去曾遭受漏洞的困扰。
结论 (Conclusion)
You should now have phpMyAdmin configured and ready to use on your Ubuntu 18.04 server. Using this interface, you can easily create databases, users, tables, etc., and perform the usual operations like deleting and modifying structures and data.
现在,您应该已经配置了phpMyAdmin,并且可以在Ubuntu 18.04服务器上使用了。 使用此界面,您可以轻松创建数据库,用户,表等,并执行常规操作,如删除和修改结构及数据。
1989
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
