Support

From a technical point of view, this is the only way to access this one particular .php file over a browser. It does not affect the security of anything else. It only allows access to that file.

However, if you ask me for a security advice I am a bit weary of what I read in your ticket.

I need to know more about what that script does. If it accepts unauthenticated, unvalidated input and dumps it into your .htaccess you have a massive security hole. Basing your security on an attacker not guessing a filename is very much like hoping that thieves won't enter your unlocked back door because they can't see it from the street.

I actually downloaded the file from the link you posted. We have disabled upload of ZIP files with executable code on our server.

You do not need to access this file over the web. You can trigger it periodically using CRON on your server. Since CRON runs from a command line context you do not need to make an exception in your .htaccess since that is only used for web access.

"Safe" is a relative term. On the face of it, what it does is not outright dangerous. However I have some concerns.

When the blacklist is being fetched there is no SSL certificate validity check. This could allow a man in the middle attack. I'm personally not comfortable with that but I do understand that the chances for that happening are very slim (it'd require a targetted attack by an advanced adversary).

The code to replace stuff in the .htaccess is a bit optimistic. If your .htaccess doesn't follow the format it expects it will start overwriting stuff like there's no tomorrow. I practice defensive coding so I cringed a lot when I saw this script.

Finally, this script reads stuff from a remote URL and replaces stuff in your .htaccess file. Even assuming that it reads safe data and the replacement works great it does consume a bit of resources and does make blocking I/O operations on a file required to load any page or static resource of your site. If an adversary figures out the URL to that file they can call it hundreds of times, bringing your site down (DoS). The irony is that by doing that they are also overwriting the .htaccess so even if they only use a single IP address to attack you you can't easily block them (by blacklisting their IP in the .htaccess, since it's overwritten!). You'd have to delete the script and then block the attacker in the .htaccess.

On top of that, I also understand how these attacks work, how IPs can be spoofed or recycled, therefore why blacklisting IPs is useless except as something you should do temporarily when you are detecting active attacks against your site.

So, would I install that script? No. I can see no real benefit and a few potential problems.