Sunday, August 23, 2009

Beware of phpMyAdmin

If you ever end up working on a web site hosted by a hosting service, you will probably get stuck with phpMyAdmin as the means of remotely administering the site. The following thread, again from the CentOS mailing list, gives a good discussion of why this isn't a good setup:

http://article.gmane.org/gmane.linux.centos.general/81345

There is also a discussion of some of the alternatives, but the bottom line is that there aren't any really good alternatives. The best is to get secure shell (ssh) access and then do your admin work from the command line, but there are quite a few people who are intimidated by the command line. SIGH.

Cheers,
Dave

3 comments:

  1. Dave,
    The author says he has neither ftp nor telnet active. Do you have any idea how this file could have been downloaded?
    I have recently been working with ssh, using SSH Tectia to set up a sftp script. I relied heavily on their support (we had to buy it) and then bought an O'Reilly book SSH, the Secure Shell, The Definitive Guide. Have you ever heard of this book?
    When you say use the command line for the admin work, is it possible to do the web site maintenance from the command line of SSH?

  2. From the log fragment the author posted it looks like it was an HTTP get. This was at the bottom of his original post:

    P.S. I found the following entry in my error_log of /var/log/httpd/ :

    [Sun Aug 16 04:26:19 2009] [info] Server built: Jul 14 2009 06:02:39
    --00:21:14-- http://code.go.ro/paypal.com.tar
    Resolving code.go.ro... 81.196.20.134
    Connecting to code.go.ro|81.196.20.134|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 645120 (630K) [application/x-tar]
    Saving to: `paypal.com.tar'

    You can definitely do site admin work from an ssh command line. ssh gives you a full login shell. The only problem is that a lot of people don't like the command line.

    Cheers,
    Dave

  3. Dave, looks like you're right with the http get function, hence the port :80 on the end of the IP address. This is a lack of understanding of the admin of this website. When starting a service or installing something on your web server you need to make sure it's completely patched and configured correctly and all defaults have been changed. Ideally the admin should install and patch on a test server, then transfer the entire package over to the web server. I think the general practice is to put your database behind a firewall, not on an outward-facing webserver. Probably a good discussion for class.

    Brian

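The fragment quoted in comment 2 has the shape of wget's console output rather than Apache's own bracketed entries; that output lands in error_log when a process started by the web server runs wget, because the process's stderr is written there. The following is an added example, not part of the original post or its comments, that scans an error_log for such transcripts and pulls out the URL, peer address, status and saved file name. The function and pattern names are assumptions of this example.

```python
import re

# Apache's own entries begin with a bracketed timestamp.
APACHE_ENTRY = re.compile(r"^\[\w{3} \w{3} +\d{1,2} [\d:.]+ \d{4}\]")
# Line shapes of wget console output, as seen in the quoted fragment.
# The optional date covers newer wget builds that print it.
WGET_START = re.compile(r"^--(?:\d{4}-\d{2}-\d{2} )?\d{2}:\d{2}:\d{2}--\s+(\S+)")
WGET_CONNECT = re.compile(r"^Connecting to [^|]+\|([^|]+)\|:(\d+)")
WGET_STATUS = re.compile(r"^HTTP request sent, awaiting response\.\.\. (\d{3})")
WGET_SAVE = re.compile(r"^Saving to: (.+)$")
QUOTES = "`'\"\u2018\u2019"

# Sample input: the error_log fragment quoted in comment 2 above.
SAMPLE = """\
[Sun Aug 16 04:26:19 2009] [info] Server built: Jul 14 2009 06:02:39
--00:21:14-- http://code.go.ro/paypal.com.tar
Resolving code.go.ro... 81.196.20.134
Connecting to code.go.ro|81.196.20.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 645120 (630K) [application/x-tar]
Saving to: `paypal.com.tar'
"""


def find_downloads(lines):
    """Return one dict per wget transcript found among non-Apache lines."""
    found, cur = [], None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or APACHE_ENTRY.match(line):
            continue  # blank line or a genuine Apache entry
        if m := WGET_START.match(line):
            cur = {"line": n, "url": m.group(1), "ip": None,
                   "port": None, "status": None, "saved_as": None}
            found.append(cur)
        elif cur is None:
            continue  # stray stderr text outside any transcript
        elif m := WGET_CONNECT.match(line):
            cur["ip"], cur["port"] = m.group(1), int(m.group(2))
        elif m := WGET_STATUS.match(line):
            cur["status"] = int(m.group(1))
        elif m := WGET_SAVE.match(line):
            cur["saved_as"] = m.group(1).strip(QUOTES)
    return found


if __name__ == "__main__":
    for hit in find_downloads(SAMPLE.splitlines()):
        print(hit)
```

Any hit means a process running under the web server account fetched a file, so the saved file name and the requests logged around that time in access_log are the next things to examine.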
