Firewall vs. custom PHP to protect sensitive dirs

All,

I have subdirs on one of my sites where I keep sensitive info for downloading purposes (for instance, solutions for clients), and the other day I saw an authorized page render come through. These subdirs are currently PW protected using a GoDaddy cPanel tool, but everyone knows that hosting companies know nothing about anything. They are pushing the concept of a firewall to get rid of this activity, and they say it will filter IPs so certain countries or regions can be blocked out. And of course, it is a paid-for service. But I know good and well I can do it for free using other methods. Heck, I could write a simple query and only allow IP addresses from the client’s country and city if I wanted to. Just not render anything to the page unless it is them.

I got this knowledge from @astonecipher a long time ago: https://www.devdungeon.com/content/http-basic-authentication-php#toc-2

Either that, or this one: https://cwiki.apache.org/confluence/display/HTTPD/PasswordBasicAuth

My question is: will this keep unauthorized people out for sure? And how much risk is there? Obviously I can’t have proprietary info in a subdir, available for client downloading in the form of a ZIP, if bots or other large companies are running automation specifically for the purpose of spying, in a desperate attempt to find out what others are up to and copy them to keep their profits going, if nothing else works.

Can someone shed some light on this? I can do a few workarounds, as I’ve done it for decades, but that takes too much time. Thanks. See the image below and subsequent links for the occurrence that got around GoDaddy’s canned software security:

TIME WARNER CABLE IP ADDRESSES that accessed the page:
https://www.ip-tracker.org/locator/ip-lookup.php?ip=67.246.76.48

https://www.ip-tracker.org/locator/ip-lookup.php?ip=cpe-24-59-255-122.twcny.res.rr.com

Security is subjective; it kinda depends on how dangerous you personally view a breach. From what you’ve said these auth methods should be good enough, AS LONG AS YOU ALSO USE SSL. If you don’t then the username and password will be sent “in the clear” and attackers may be able to read them.

I believe you. Thanks for the response. But I assume by saying “these auth methods” you are referring to the 2 links I posted that cover HTTP basic authentication, one given to me by @astonecipher?

Thanks.

That’s right. Just make sure your website is delivered over HTTPS; do not allow access to the page using standard HTTP.

Should I even be worried about that, or is that even my job to check, if I already have an SSL cert applied to the site anyway?

Having an SSL cert just means people can access your site using HTTPS, but you may find that http://www.yoursite.com still works. It’s up to the server configuration to make sure that people must use HTTPS.
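One way to implement the two things this thread turns on, refusing Basic auth over plain HTTP and then gating the download behind a password check in PHP, as an added example that is not code from the original posts or from the linked articles (the private directory path, the credential array and the `file` query parameter are assumptions):

```php
<?php
// Added example. Assumptions: the ZIPs live OUTSIDE the web root, credentials are
// stored as password_hash() output, and PHP runs as an Apache module so that
// PHP_AUTH_USER / PHP_AUTH_PW are populated (under CGI/FastCGI the Authorization
// header has to be forwarded to PHP by a rewrite rule first).
declare(strict_types=1);

const PRIVATE_DIR = '/home/user/private/solutions';   // hypothetical path
const REALM       = 'Client downloads';

// Hypothetical credential store: username => password_hash('...', PASSWORD_DEFAULT)
$users = [
    'clientA' => '$2y$10$PLACEHOLDER_REPLACE_WITH_REAL_HASH',
];

// 1. Never accept Basic credentials over plain HTTP: they would travel in the clear.
//    This is a second layer behind the .htaccess redirect mentioned in the thread.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// 2. Challenge when no (or wrong) credentials were sent; log failures for review.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === '' || !isset($users[$user]) || !password_verify($pass, $users[$user])) {
    error_log(sprintf('auth failure user=%s ip=%s', $user, $_SERVER['REMOTE_ADDR'] ?? '?'));
    header('WWW-Authenticate: Basic realm="' . REALM . '", charset="UTF-8"');
    http_response_code(401);
    exit('Authentication required');
}

// 3. Serve only a plain filename from the private directory; realpath() plus the
//    prefix check stops "../" from escaping PRIVATE_DIR.
$name = basename($_GET['file'] ?? '');
$base = realpath(PRIVATE_DIR);
$path = $name === '' ? false : realpath(PRIVATE_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}
error_log(sprintf('download user=%s ip=%s file=%s', $user, $_SERVER['REMOTE_ADDR'] ?? '?', $name));
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Because the ZIPs sit outside the document root, nothing is served unless this script runs, so a hosting-panel misconfiguration cannot expose the directory listing by itself.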

That is not an issue, skawid, because all of the redirect XML-oriented code is in the .htaccess files. I have tested every possibility, and all of the possibilities automatically re-route to: https://www.domain.com.

That’s what you were referring to, right?

That’s right. It sounds like you’ve covered all the bases.

Yeah, I think pretty much. I mean, every time I call a corporation I have to tell the level 1, 2, and 3 agents that they are not privy to the knowledge that is necessary to answer my questions. Some like hearing that and comply with putting me through, some don’t. Some literally will ask me 50 million questions because they think they know it all, and are ticked off that they are not smart enough to get promoted. LOL. Oh well! =) Thanks for the help. This issue is now closed.
