0

I am currently building a simple CMS, and I would like to isolate it as much as possible. The application itself will have a PHP login function, however I was thinking of adding one more layer of security utilising Apache's built-in security.

How secure is it to isolate a PHP directory on a server using the integrated Apache password check? The general logic is that Apache security should be pretty tough to crack.

Thanks!

mrmut
  • So you are saying you don't trust your own authentication code? – PeeHaa Jun 30 '14 at 16:20
  • Let's see... I am learning PHP for a month now, and I am making a CMS to go live.--Of course I don't trust my code! :) Being a sysadmin for quite a while taught me that one should never be too certain about any technology, however well it _looked_ implemented. **Heartbleed** recently taught us a lesson or two, so I am trying to future-proof my code the best I can with my limited knowledge. – mrmut Jun 30 '14 at 21:12
  • Heartbleed is not really a case of "wow that looks really well implemented" :P – PeeHaa Jun 30 '14 at 22:37
  • Yes, yes, but what if they had built in another layer of security? Even a trivial additional layer of protection could prevent the breach. – mrmut Jul 01 '14 at 07:18

1 Answer

-1

I understand your concerns about your code in progress. It is better to work on localhost until you reach a point where you are certain of your code, but here is what you can do:

  1. Password-protect your folder (can be sniffed).
  2. Limit your folder access by IP (can be faked).
  3. Make this PHP script run as a separate user with access rights only for this folder, so even if you have a security breach it won't impact your server or other scripts running on it.
  4. Make sure you are using a database user that has permissions only for your test database.
  5. Create a fake domain, put a record in your hosts file and make your script accessible only from this domain (for example: app.staging.lo).

All this combined will be secure enough to keep you out of trouble.
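A concrete form of steps 1, 2 and 5 above, added here as an example and not part of the original answer: an Apache 2.4 virtual host bound to the staging name from step 5, with HTTP Basic authentication (step 1) and an IP allow-list (step 2) on the admin directory. It assumes mod_ssl, mod_auth_basic, mod_authz_core and mod_alias are loaded; the paths, certificate files, realm name and `192.0.2.0/24` range are placeholders to replace with your own.

```apacheconf
# Added example for the steps listed in the answer (not from the original post).
#
# Step 5: the name only resolves on machines whose hosts file carries a line
# such as "127.0.0.1 app.staging.lo"; requests for any other host name land
# on Apache's default virtual host, never on this one.

# Plain HTTP: redirect everything to HTTPS before any credentials are sent.
# Basic auth only base64-encodes the password, so the "can be sniffed" caveat
# in step 1 applies to every request that is not encrypted.
<VirtualHost *:80>
    ServerName app.staging.lo
    Redirect permanent / https://app.staging.lo/
</VirtualHost>

<VirtualHost *:443>
    ServerName app.staging.lo
    # placeholder document root
    DocumentRoot /var/www/cms

    SSLEngine on
    # placeholder certificate and key
    SSLCertificateFile    /etc/ssl/certs/app.staging.lo.pem
    SSLCertificateKeyFile /etc/ssl/private/app.staging.lo.key

    <Directory /var/www/cms/admin>
        # Step 1: HTTP Basic auth. Keep the password file outside DocumentRoot
        # and create it with bcrypt hashes (Apache 2.4 htpasswd):
        #   htpasswd -B -c /etc/apache2/cms.htpasswd admin
        AuthType Basic
        AuthName "CMS admin"
        AuthUserFile /etc/apache2/cms.htpasswd

        # Step 2: IP allow-list (placeholder range). RequireAll means a request
        # must present a valid user AND come from a permitted address.
        <RequireAll>
            Require valid-user
            Require ip 192.0.2.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
```

Two things to keep in mind when reading this: Apache does not accept a comment on the same line as a directive, so every comment above sits on its own line; and the Basic auth layer does nothing to slow down repeated guesses from an address inside the allow-list, so the PHP login behind it still needs its own handling of failed attempts.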

Predte4a
  • Thanks; I will be able to play with several of these. Ideas 2, 3 and 4 are not available to me due to host limitations (cloud service, limited settings). As there will be only one user, I was thinking about locking *any* login process for a period of 10 minutes after 5 tries. That, combined with your precautions, might be enough, I suppose. I guess I am most concerned about automated brute-force attacks. - THANKS! – mrmut Jun 30 '14 at 16:52