If you're seeing repeated requests for paths like /php-myadmin/, /myadmin/, or /mysql/ in your server logs, you're experiencing automated scanning attempts that target common PHP administration tools. These aren't targeted attacks but rather opportunistic scans from botnets searching for vulnerable installations.
Simple IP blocking proves ineffective because:
- Attackers use distributed botnets with thousands of IPs
- Cloud hosting providers recycle IP addresses
- Basic firewall rules can't keep up with the volume
1. Web Server Configuration (Apache Example)
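<DirectoryMatch "(phpMyAdmin|myadmin|mysql)">
    # DirectoryMatch tests filesystem paths, so this restricts a real install to localhost.
    # Apache 2.4 syntax; Apache 2.2 used Order Deny,Allow / Deny from all / Allow from 127.0.0.1.
    Require ip 127.0.0.1
</DirectoryMatch>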
2. Nginx Protection
location ~* ^/(phpMyAdmin|myadmin|mysql|dbadmin) {
    deny all;
    return 444; # Close connection without response
}
Implement request throttling for suspicious patterns:
# iptables example
iptables -I INPUT -p tcp --dport 80 -m string --string "GET /phpMyAdmin" \
    --algo bm -m recent --set --name httpbad --rsource
iptables -I INPUT -p tcp --dport 80 -m string --string "GET /phpMyAdmin" \
    --algo bm -m recent --update --seconds 60 --hitcount 5 \
    --name httpbad --rsource -j DROP
If using Cloudflare, create a firewall rule:
# Cloudflare Firewall Rules language
(http.request.uri.path contains "phpMyAdmin" or
http.request.uri.path contains "myadmin" or
http.request.uri.path contains "mysql") and
not ip.src in {192.0.2.1 198.51.100.1}
→ Block
Automate blocking with Fail2Ban:
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/access.log
maxretry = 2
With corresponding filter:
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*/(phpMyAdmin|myadmin|mysql|adminer).* HTTP.*"
ignoreregex =
For dedicated servers, change the default SSH port:
# /etc/ssh/sshd_config
Port 2222
Remember to update firewall rules accordingly.
Track blocked attempts with:
# Count blocked requests in nginx
awk '{print $7}' /var/log/nginx/access.log | grep -E "(phpMyAdmin|myadmin)" | wc -l
# View blocked IPs in iptables
iptables -L -n -v --line-numbers | grep DROP
Every day, web servers worldwide receive countless automated requests probing for phpMyAdmin installations: /phpmyadmin/, /pma/, /admin/, and hundreds of variations. These aren't targeted attacks but automated bots scanning the entire internet. While they rarely succeed against properly configured servers, they create significant noise in logs and consume resources.
Attempting to block individual IPs is futile because:
- Attackers use botnets with constantly rotating IPs
- New scanners come online daily
- Legitimate IPs might get caught in the crossfire
For Apache users, modify your .htaccess file:
# Block common phpMyAdmin paths
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/(phpmyadmin|myadmin|mysql|dbadmin|pma|admin) [NC]
RewriteRule ^.*$ - [F,L]
For more comprehensive protection:
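# Block with a regex pattern: the optional "php" and "my" prefixes cover
# phpmyadmin, myadmin and admin; [NC] already makes the match case-insensitive.
# This also matches /admin, so drop that case if your application uses the path.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/((php)?(my)?admin|mysql) [NC]
RewriteRule ^.*$ - [F,L]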
In your Nginx server block:
location ~* ^/(phpmyadmin|myadmin|mysql|admin) {
    deny all;
    return 403;
}
Or use a more sophisticated pattern:
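# ~* is already case-insensitive; the optional "php" and "my" prefixes cover
# phpmyadmin, myadmin and admin (adjust if your application uses /admin).
location ~* ^/((php)?(my)?admin|mysql) {
    deny all;
    return 444; # Close connection without response
}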
Install Fail2Ban and create a custom filter:
# /etc/fail2ban/filter.d/phpmyadmin.conf
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*/(phpmyadmin|myadmin|mysql|pma).*HTTP.*"
ignoreregex =
Then create a jail:
# /etc/fail2ban/jail.local
[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/nginx/access.log
maxretry = 1
bantime = 86400
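With maxretry = 1 and a one-day ban, a single wrong match locks out a real visitor, so it is worth checking the failregex against sample log lines before enabling the jail. The script below is an added example, not part of the original page: it runs both failregex lines from this page, plus a hypothetical "tightened" variant, over constructed nginx log lines. It assumes a simplified stand-in for fail2ban's <HOST> tag and that patterns are applied case-sensitively unless (?i) is given.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> tag, enough for offline tests.
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

FILTERS = {
    # The two failregex lines as given on this page.
    "nginx-badbots": r'^<HOST> -.*"(GET|POST).*/(phpMyAdmin|myadmin|mysql|adminer).* HTTP.*"',
    "phpmyadmin": r'^<HOST> -.*"(GET|POST).*/(phpmyadmin|myadmin|mysql|pma).*HTTP.*"',
    # Hypothetical tightened variant: case-insensitive names, anchored to the
    # first path segment of the request line.
    "tightened": r'^<HOST> - \S+ \[[^\]]+\] "(?:GET|POST|HEAD) '
                 r'/(?i:phpmyadmin|myadmin|mysql|pma|adminer)(?=[/? ])[^"]* HTTP/[0-9.]+"',
}

# Constructed nginx "combined" log lines; IPs are from documentation ranges.
TS = "[10/Oct/2024:13:55:36 +0000]"
SAMPLES = [  # (line, should this client be banned?)
    (f'203.0.113.7 - - {TS} "GET /phpmyadmin/index.php HTTP/1.1" 404 153 "-" "-"', True),
    (f'203.0.113.8 - - {TS} "GET /phpMyAdmin/ HTTP/1.1" 444 0 "-" "-"', True),
    (f'203.0.113.9 - - {TS} "POST /pma/index.php HTTP/1.1" 404 153 "-" "-"', True),
    (f'198.51.100.20 - - {TS} "GET /blog/mysql-backup-tips HTTP/1.1" 200 5120 "-" "Mozilla/5.0"', False),
    (f'198.51.100.21 - - {TS} "GET /contact HTTP/1.1" 200 300 "-" "Mozilla/5.0"', False),
]

def compile_filter(name):
    """Expand <HOST> and compile case-sensitively, as Python's re does by default."""
    return re.compile(FILTERS[name].replace("<HOST>", HOST))

def audit(name):
    """Return (missed scanner IPs, wrongly banned IPs) for one filter."""
    rx = compile_filter(name)
    missed, wrong = [], []
    for line, is_probe in SAMPLES:
        m = rx.search(line)
        if is_probe and not m:
            missed.append(line.split()[0])
        elif m and not is_probe:
            wrong.append(m.group("host"))
    return missed, wrong

if __name__ == "__main__":
    for name in FILTERS:
        missed, wrong = audit(name)
        print(f"{name:14} missed={missed} false_positives={wrong}")
```

On a live system, fail2ban-regex run against the real access log and filter file performs the same check with fail2ban's own <HOST> expansion.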
If using Cloudflare, create a firewall rule:
(http.request.uri.path contains "phpmyadmin" or
http.request.uri.path contains "myadmin" or
http.request.uri.path contains "mysql" or
http.request.uri.path contains "/pma/" or
http.request.uri.path contains "/dbadmin")
Set the action to "Block" or "JS Challenge".
Set up log monitoring to track blocked attempts:
# Grep pattern for Apache
grep -E "/(phpmyadmin|myadmin|mysql)" /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -nr
# For Nginx
grep -E "/(phpmyadmin|myadmin|mysql)" /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -nr
This helps identify the most persistent attackers for potential further action.