Someone contacted me after their Linux, Apache2, MySQL, PHP website experienced a phishing attack. I logged onto their server, added a firewall, deleted all phishing files, and I set file_uploads = Off in the /etc/php/8.1/apache2/php.ini file.

The website has a lot of pages that allow you to upload files. Is there a way for me to allow users from just one or two specific IP addresses to still use these pages to upload content? I read that I can't use if(<valid ip address>) ini_set('file_uploads', 'On'); in the latest versions of PHP. Are there other approaches for me to consider?
Background
From what I can tell, the reason their site got attacked was because they have a lot of HTML forms that allow you to upload attachments. There is no form validation or content sanitization at all. This explains why I saw files like danger.zip and unzip.php on the server, where danger.zip contains a bunch of viruses and phishing material and unzip.php is a webpage that performs the operation unzip(danger.zip);.
OK, this is my current solution. I'm not going to press Accept on my own answer until enough people tell me ways to improve it. Or maybe someone can give a better answer.
Assume the following:

- 1.1.1.1 is the IP address of a Content Admin who wants to work with the CMS on the website.
- 2.2.2.2 is the IP address of the server hosting the website and the CMS.
- https://my-application.com is the website the public sees. No one can upload files because file_uploads = Off in the /etc/php/8.1/apache2/php.ini file. This website is served out of the directory /var/www/my-application on the server with IP 2.2.2.2.
- https://supersecretwebsite.com is a URL that a developer and the Content Admin have agreed upon to keep as a secret URL that no one should know about.

Step 1 - On the server 2.2.2.2, I create a file called /etc/apache2/sites-available/supersecretwebsite.com.conf with the following contents:
<VirtualHost *:443>
    ServerName supersecretwebsite.com
    # The production website is also hosted out of this DocumentRoot
    DocumentRoot /var/www/my-application
    # ... other options ...
    # allow file upload just for this vhost
    # (php_admin_* directives only take effect with mod_php, not php-fpm)
    php_admin_flag file_uploads On
    <Location />
        # only the content admin's IP address can visit this website
        # (Apache 2.4 syntax; Order/Deny/Allow is the 2.2 form and needs mod_access_compat)
        Require ip 1.1.1.1
    </Location>
</VirtualHost>
Then I run the command a2ensite supersecretwebsite.com.conf && systemctl restart apache2.
Step 2 - The Content Admin must go to his Windows laptop and open up the file C:\Windows\System32\drivers\etc\hosts and add the entry 2.2.2.2 supersecretwebsite.com.
Step 3 - The Content Admin can upload files while visiting https://supersecretwebsite.com but not when visiting https://my-application.com.