First, let’s change the address used to access phpMyAdmin. By default, it’s ser.ver.ip/phpmyadmin.
I’ve copied the original phpMyAdmin Apache config file so I can customize it as I want and still have the original one in case mine is broken:
sudo cp /etc/phpmyadmin/apache.conf /etc/phpmyadmin/apache-custom.conf
At the top of the custom file, change line 3, Alias /phpmyadmin /usr/share/phpmyadmin, to something else, like Alias /phpthisismine /usr/share/phpmyadmin
Now, I don’t know how your Apache is set up to pick up the phpMyAdmin configuration file. On my server, it wasn’t added automatically, so I’ve added it myself in /etc/apache2/apache2.conf. At the bottom, just add Include /etc/phpmyadmin/apache-custom.conf.
Now, in order to deal with those stupid bots, if they ever find the URL, it would be nice to have fail2ban take care of those f*ckers. The problem is, phpMyAdmin doesn’t log any failed login attempt (bummer !).
Well actually, this is what I found:
phpMyAdmin uses php’s apache_note function to make this work. AFAIK this function is only available in mod_php mode. This will not work with mod_fcgi & co.
And I’m using php-fpm so I need to modify phpMyAdmin to log failed attempts. Let’s edit /usr/share/phpmyadmin/libraries/plugins/auth/AuthenticationCookie.class.php (I know, that’s bad, but what can I do ?).
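Find the authFails() function and inside, right after the last header() call, add
error_log('phpmyadmin: authentification failed');
Keep the message text exactly as written, since the fail2ban filter matches on it. The file belongs to the phpMyAdmin package, so an upgrade will overwrite the edit and it has to be reapplied.
A failed login then shows up in the Apache error log like this:
[Wed Jan 18 06:56:33.915985 2017] [:error] [pid 12423:tid 140093452912384] [client 220.127.116.11:64335] FastCGI: server "/usr/lib/cgi-bin/php" stderr: PHP message: phpmyadmin: authentification failed, referer: http://18.104.22.168/phpthisismine/index.php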
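Now let’s set up fail2ban. Create a file /etc/fail2ban/filter.d/apache-phpmyadmin.conf and place this inside:
[Definition]
failregex = .*\[client <HOST>:[0-9]+\] .*phpmyadmin: authentification failed.*
The .* after the client field lets the pattern skip the FastCGI: server ... PHP message: prefix that appears in the log line above.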
Now edit your local fail2ban configuration file (mine is /etc/fail2ban/jail.local) and add a jail. The section name is your choice; apache-phpmyadmin is used here:
[apache-phpmyadmin]
enabled = true
filter = apache-phpmyadmin
port = http,https
logpath = %(apache_error_log)s
Reload fail2ban with sudo service fail2ban reload and you’re all set!
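Before relying on the jail, it is worth checking that the failregex really matches the FastCGI-wrapped log line. The following is an added example, not code from the original post: it approximates fail2ban's matching in Python (the `<HOST>` tag is simplified to IPv4, and the log lines are constructed from the format shown above with documentation-range addresses) and compares a pattern that expects the message directly after the client field with one that tolerates the FastCGI prefix.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real
# expansion also covers IPv6 and hostnames). This is an assumption.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Apache 2.4 error-log timestamp, which fail2ban removes before matching.
TIMESTAMP = re.compile(r"^\[\w{3} \w{3} +\d+ [\d:.]+ \d{4}\] ")

def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST))

def offenders(lines, failregex, maxretry=3):
    """Return {ip: hits} for clients with at least maxretry matching lines."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.search(TIMESTAMP.sub("", line))
        if m:
            hits[m.group("host")] += 1
    return {ip: n for ip, n in hits.items() if n >= maxretry}

# Pattern that expects the message right after the client field (mod_php style).
STRICT = r".*\[client <HOST>:[0-9]+\] phpmyadmin: authentification failed.*"
# Pattern that tolerates the 'FastCGI: ... PHP message:' prefix.
TOLERANT = r".*\[client <HOST>:[0-9]+\] .*phpmyadmin: authentification failed.*"

# Constructed sample log, modelled on the error-log line format shown above.
FCGI = ('[Wed Jan 18 06:56:%02d.915985 2017] [:error] [pid 12423:tid 140093452912384] '
        '[client %s:64335] FastCGI: server "/usr/lib/cgi-bin/php" stderr: '
        'PHP message: phpmyadmin: authentification failed, '
        'referer: http://203.0.113.10/phpthisismine/index.php')
SAMPLE_LOG = [FCGI % (s, "198.51.100.7") for s in (31, 33, 35)]
SAMPLE_LOG.append(FCGI % (40, "192.0.2.44"))
SAMPLE_LOG.append('[Wed Jan 18 06:57:01.000001 2017] [:error] [pid 1:tid 2] '
                  '[client 192.0.2.44:50000] File does not exist: /var/www/html/favicon.ico')

if __name__ == "__main__":
    print("strict  :", offenders(SAMPLE_LOG, STRICT))
    print("tolerant:", offenders(SAMPLE_LOG, TOLERANT))
```

On the server itself, fail2ban-regex <logfile> /etc/fail2ban/filter.d/apache-phpmyadmin.conf runs the real filter against the real log and reports how many lines matched.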