Hi stackoverflow community,
I have some doubts about how to manage the users in phpMyAdmin. I am starting a project, but I see multiple users with ALL PRIVILEGES.
Should I choose one user, set my password, and then delete the other ones?
Can having multiple users with ALL PRIVILEGES and without any password be a security problem?
What is the difference between the root users? And servers 127.0.0.1, ::1 and localhost?
I leave here an image to be more specific and show graphically what I mean.
http://i.imgur.com/w2Ga8XS.jpg
http://i.stack.imgur.com/hVFW7.jpg
I would appreciate detailed and understandable answers.
Thank you in advance.
MySQL allows you to restrict permissions to a username, host pair. This means that the user only has the permissions when they log in from the specified host. Typically you restrict MySQL admin permissions only if the user is on the local machine (ie: the one that is running MySQL). The local machine can be called localhost, 127.0.0.0, or, in IPv6, ::1. So you only have one root user. They will only be given admin privileges when they log in from the local host. You shouldn't delete any of them. You should set the password on the ::1 line (I don't know why it's not set).
I would like to allow external access to one of my MySQL databases; however, I would like to restrict it to access from 1 IP only. Is there any way to do so:
only apply the setting to 1 database
only allow access to that database from a specific IP
My server is Ubuntu 16.
Thank you!
A MySQL user can be created for a specific origin address:
CREATE USER bob@'202.1.1.3' IDENTIFIED BY 'very very secure password';
GRANT ALL ON db.* TO bob@'202.1.1.3';
Provided no other GRANTS are given to db, then the bob user from '202.1.1.2' is the only allowed user.
It's generally more secure to give SSH tunnel access, or access on a non-standard port, however. Publicly accessible database servers will have their authentication brute forced.
I'm able to log in to phpMyAdmin with a root user and other users, even though I have restricted login to localhost. How can I fix this problem and restrict access to only one specified user remotely? Every other user account shouldn't be accessible remotely, especially root.
phpMyAdmin user accounts
As @Matt Clark points out, the MySQL user privileges consider the connection between MySQL and the web server. In order to restrict users from connecting to phpMyAdmin, you'll have to either configure your webserver to be more restrictive or use some of the protections included with phpMyAdmin.
Luuk mentioned that the AllowRoot directive can allow you to restrict root from connecting, but you might want to look at the allow/deny rules instead (or in addition): https://docs.phpmyadmin.net/en/latest/config.html#cfg_Servers_AllowDeny_rules. These go in your phpMyAdmin configuration file, config.inc.php, in the server-specific section. If you don't already have a config.inc.php file, you can create one in the same directory as the main phpMyAdmin installation, with this content, then put any additional directives at the end.
<?php
$i=0;
$i++;
If you'll always connect from the same IP address or range, something like this might be to your liking, adjusted of course for the proper username and addresses:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('allow jan from 192.168.74.[0-255]');
Or, to allow access from any IP address,
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('allow jan from any');
By the way, as two other common security measures, phpMyAdmin also has support for two-factor authentication and can log failed login attempts such that a tool like fail2ban can be used.
I have just reset my root password after a long struggle. I see there are three root users in phpmyadmin. Should I delete two roots and keep only one or I need all the three?
(I am afraid of keeping three roots and changing the root password, may not allow me to enter phpmyadmin again due to multiple root ambiguity. I just wonder how three root users have been created. isn't that localhost and the local IP 127.0.0.1 refer to same local server/system? )
Thanks in Advance for any help,
First of all, there is no such thing as phpmyadmin users. These users are defined in mysql. Phpmyadmin only manages mysql databases.
As @urfusion has pointed out, in mysql a user is made up of a username and a host name part in the form of 'user_name'@'host_name'. Host name refers to the computer from which the connection is made. If 2 user accounts have the same username, but different host names, then those are not the same users, even though their access rights might be the same.
The complication in mysql is that a computer may be identified through its name (e.g. mycomputer) or its IP address (e.g. 1.1.1.1), depending on whether mysql is able to resolve the IP address of the host or not. This is why mysql comes with a 'root'@'localhost' and a 'root'@'127.0.0.1', just to make sure that you can connect initially regardless of whether IP address resolution works or not.
If the host name is left blank or contains '%', it means that with that user id you can connect from any machine. This is the 3rd default root user in mysql.
If you do not want to connect to your mysql database from a different computer as root, then you can remove the 'root'@'%' account. This depends on your operational environment. If php (webserver) runs on the same computer where mysql is, then phpmyadmin requires a user account with localhost or 127.0.0.1 hostname only.
However, I would leave the 'root'@'localhost' and the 'root'@'127.0.0.1' intact just in case IP address resolution does not work. I would also make sure that their access rights are exactly the same (by default they are).
Phpmyadmin (actually MySQL) users are identified by a pair of username and hostname. 127.0.0.1, ::1, and localhost all allow you access from your local machine. Without them, you would not be able to connect.
So I don't recommend that you delete the other users.
Please check users for more information.
delete root user
How do I prevent WAN access to a particular database in SQLyog? I am able to grant full access to particular DBs, but not able to prevent them. I have a Web APP that runs on an internal server and accesses MySQL on the same server. I have created a SQL user with my workstation's IP, but I am receiving access denied from dbconnect when I run the APP from my workstation.
Thanks,
Tony Cripps
MySQL does not allow connections from anything other than what you've specified. If you want to disallow access from a particular IP or network, then that means that you've already gone and granted access to them.
Review the CREATE USER syntax, particularly the section on specifying hostnames.
Review the user accounts that you've already created:
SELECT user, host, password FROM mysql.user;
And then re-create them as necessary.
Other than that, if you want to completely disallow WAN access then you should be looking at your firewall settings, not MySQL.
I am developing an app with MySQL. I have MySQL (XAMPP) running on my PC. All works fine, but now I want to let other users from our network log in, and I found out that when I change the user property "localhost" to % (any computer) I get access denied even with my own account.
So, in short, every time I change "localhost" to "%" (any computer) I get "access denied". When I switch back to localhost I can log in easily.
What is wrong please?
Thank you
In MySQL, user@localhost and user@% are two completely different and unrelated users. You need to grant access to your data (and, if applicable, set a password) for user@% in addition to granting access for user@localhost. One does not also provide the other.
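
How the server picks one account row for an incoming connection, as an added example (not code from any of the answers above) that illustrates both the 'root'@'localhost' versus 'root'@'127.0.0.1' explanation and the user@localhost versus user@% answer. It is a simplified Python model of MySQL's documented rule (most-specific host first, first matching row wins); the account table, the addresses and the function names are constructed for illustration.

```python
import re

# Constructed account table (user, host), resembling a default local install.
ACCOUNTS = [
    ("root", "%"), ("root", "localhost"), ("root", "127.0.0.1"),
    ("root", "::1"), ("", "localhost"), ("app", "%"),
]

def host_regex(pattern):
    # Host patterns use the LIKE wildcards: % (any run of chars), _ (one char).
    parts = (".*" if c == "%" else "." if c == "_" else re.escape(c)
             for c in pattern)
    return re.compile("".join(parts), re.IGNORECASE)

def host_rank(pattern):
    # Simplified specificity: literal name/IP < wildcard pattern < bare '%' or ''.
    if pattern in ("", "%"):
        return 2
    return 1 if ("%" in pattern or "_" in pattern) else 0

def select_account(accounts, user, ip, hostname=None):
    """Return the (user, host) row a TCP client is matched to, or None.

    hostname is the name the server resolved for ip; None models failed or
    disabled name resolution.
    """
    client_ids = [ip] + ([hostname] if hostname else [])
    # Most-specific host first; within a rank, named users before anonymous ''.
    ordered = sorted(accounts, key=lambda a: (host_rank(a[1]), a[0] == ""))
    for acct_user, acct_host in ordered:
        host_ok = acct_host == "" or any(
            host_regex(acct_host).fullmatch(c) for c in client_ids)
        if host_ok and acct_user in ("", user):
            return (acct_user, acct_host)
    return None

if __name__ == "__main__":
    cases = [("root", "127.0.0.1", None), ("root", "::1", None),
             ("root", "203.0.113.7", None), ("app", "127.0.0.1", "localhost"),
             ("app", "192.168.1.20", None)]
    for user, ip, name in cases:
        print(user, ip, name, "->", select_account(ACCOUNTS, user, ip, name))
```

A client matched to the anonymous ''@'localhost' row is authenticated as that account, so the password set for 'app'@'%' is never consulted, which is one way a local login ends in "access denied" after the host is changed to %. Dropping 'root'@'%' from the table leaves a remote root connection with no matching row at all.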