I need the best way to access a web server to upload/modify a PHP script. The website contains very sensitive information; gaining unauthorized access to this server and modifying files would lead to an extremely large financial loss.

I guess the best way would be to lock SFTP access to a specific IP / IP range using firewall rules. But since my IP changes every few days, this option isn't viable. Which method would you recommend?

Is SFTP open to any IP better than, let's say, cPanel using 2FA?

schroeder
user1324762
  • A side note: if "gaining unauthorized access to this server and modifying files would lead to an extremely huge financial loss", may I suggest using a language / ecosystem with a better reputation for security than PHP? It is *possible* to write secure PHP code, but a lot of people don't bother / don't know how, and the language + its standard libraries do you zero favors here. I don't know the statistics on how many PHP servers are breached through their deployment vector vs. through the application itself, but I expect the latter to be quite large, possibly the vast majority. – CBHacking Feb 20 '22 at 22:21
  • Do you really think that PHP itself is more of a security risk? I would say it is about the code itself and not the language. – user1324762 Feb 21 '22 at 12:30
  • There are a few language design choices in PHP that I think are not conducive to security - perhaps the most notable being its extremely loose typing, for which `strict_types` is an incomplete patch - but also both the standard library (full of functions that will do anything - including returning any one of many different values - rather than throw an exception) and the developer ecosystem show a concerning lack of concern for security. Like I said, you *CAN* write secure code in PHP, just like you can in C or Perl, but I recommend against all of those for a highly secure system. – CBHacking Feb 22 '22 at 04:01

1 Answer

I would recommend ssh (sftp) with 2FA such as Google Authenticator. I would also insert AllowUsers username into sshd_config to limit login to the sole user(s) that need access. You may also consider running ssh on a different port which will cut down on an enormous amount of dumb scans trying to log into your server.

I believe these precautions are equal or superior to cPanel with 2FA.

gowenfawr
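To make the answer above concrete, here is an added example (written for this page, not taken from the answer or from any project) showing what the recommended sshd setup looks like as configuration: a typical distro-style "before" fragment next to a hardened fragment with a non-default port, AllowUsers, key + TOTP via pam_google_authenticator, and an SFTP-only chroot, plus a small POSIX-sh check that flags the weak settings. The user name "deploy", the port 2222, and the jail directory /srv/www are assumptions chosen for the example, not values from the question.

```shell
#!/bin/sh
# Added example, not the answer's own code. Assumed names: user "deploy",
# port 2222, jail /srv/www, TOTP module pam_google_authenticator.so.

# Constructed "before" fragment: roughly what a stock sshd_config permits.
WEAK_SSHD_CONFIG='
Port 22
PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
'

# Constructed "after" fragment: the answer's recommendations made concrete.
# First factor = SSH key, second factor = TOTP prompt delivered through PAM.
HARDENED_SSHD_CONFIG='
Port 2222
AllowUsers deploy
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
Subsystem sftp internal-sftp
Match User deploy
    ChrootDirectory /srv/www
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
'

# Matching stanza for /etc/pam.d/sshd. The "nullok" option is deliberately
# omitted: with it, a user who has not enrolled a TOTP secret could skip the
# second factor. If the distro file pulls in a password stack (for example
# "@include common-auth" on Debian), remove it: the key is the first factor.
PAM_SSHD_STANZA='
auth required pam_google_authenticator.so
'

# Effective value of a keyword: first occurrence wins, as sshd itself does,
# and keywords are matched case-insensitively.
sshd_value() {
  printf '%s\n' "$2" | awk -v k="$1" 'tolower($1)==tolower(k){print $2; exit}'
}

# Audit a config text. Prints one line per failed check and returns the
# number of failures, so 0 means "matches the hardened profile".
audit_sshd_config() {
  fails=0
  [ "$(sshd_value PasswordAuthentication "$1")" = "no" ] ||
    { echo "FAIL: PasswordAuthentication should be no"; fails=$((fails+1)); }
  [ "$(sshd_value KbdInteractiveAuthentication "$1")" = "yes" ] ||
    { echo "FAIL: KbdInteractiveAuthentication should be yes (needed for the PAM TOTP prompt)"; fails=$((fails+1)); }
  case "$(sshd_value AuthenticationMethods "$1")" in
    *publickey*keyboard-interactive*|*keyboard-interactive*publickey*) ;;
    *) echo "FAIL: AuthenticationMethods should require publickey AND keyboard-interactive"; fails=$((fails+1)) ;;
  esac
  [ -n "$(sshd_value AllowUsers "$1")" ] ||
    { echo "FAIL: AllowUsers not set; every local account can try to log in"; fails=$((fails+1)); }
  return $fails
}

# Usage: audit both fragments; the exit status is the failure count.
echo "== stock-style config =="
audit_sshd_config "$WEAK_SSHD_CONFIG" || echo "$? problem(s) found"
echo "== hardened config =="
audit_sshd_config "$HARDENED_SSHD_CONFIG" && echo "ok"
```

The port change only reduces scanner noise in the logs; the controls that actually keep an attacker out are PasswordAuthentication no, the AuthenticationMethods line requiring both factors, and the AllowUsers restriction. After editing the real files, validate with sshd -t and keep an existing session open until a fresh login with key plus TOTP has been confirmed.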