Denial of Service on an Apache server

Submitted by Bryan on

Last week was a very frustrating time for me. For whatever reason, an unusual number of botnets decided to zero in on my Drupal site and created what I call an unintentional Denial of Service attack (DoS). The attack was actually from spambots looking for script vulnerabilities found mainly in older versions of e107 and WordPress. Since the targets of these spambots were non-Drupal pages, my Drupal site responded by delivering an unusually large number of "page not found" and "access denied" error pages. Eventually, these requests from a multitude of IPs were too many for my server to handle, and for all intents and purposes the botnet attack caused a distributed denial of service that prevented me and my users from accessing the site.

These types of attacks on Drupal sites are nothing new and have been observed and discussed at great length at Drupal.org. However, my search at Drupal.org as well as Google didn't really find a solution that completely addressed my problem. Trying to prevent a DDoS attack isn't easy to begin with, and at first the answers eluded me.

I originally looked to Drupal for the solution to my problems. While I've used Mollom for months, Mollom is designed to fight off comment spam, while the bots attacking my site were looking for script vulnerabilities that didn't exist. So with Mollom being the wrong tool to fight off this kind of attack, I decided to take a look at the Drupal contributed module Bad Behavior. Bad Behavior is a set of PHP scripts that prevents spambots from accessing your site: it analyzes their actual HTTP requests, compares them to profiles of known spambots, blocks matching requests, and logs the attempts. I actually installed an "unofficial" version of the Bad Behavior module which packages the Bad Behavior 2.1 scripts and utilizes services from Project Honey Pot.

As I had already suspected, looking to Drupal to solve this botnet attack wasn't the answer. Pretty much all Bad Behavior did for me was take the time Drupal was spending delivering "page not found" error pages and use it to deliver "access denied" error pages instead. My Drupal site is likely safer with the Bad Behavior module installed, but it was the wrong tool to keep the botnets from overtaxing Drupal on my server. Ideally, you would prevent the attacks from ever reaching your server by looking at such things as the firewall, router, and switches. However, since I didn't have access to the hardware, I decided it was time to look at my Apache configuration.
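Before touching the Apache configuration it helps to confirm from the access log that the load really is what the post describes: many client IPs requesting paths that belong to e107 or WordPress rather than Drupal, and the server answering each with a 404 or 403. The script below is an added example, not code from the post or from the Bad Behavior module; it parses Apache "combined" format lines and reports the offending IPs and the share of requests that were error pages. The log lines and the probe path prefixes are constructed for the example.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefixes that exist on e107/WordPress but never on a Drupal site (assumed list, extend as needed)
PROBE_PATHS = ("/e107_", "/wp-", "/xmlrpc.php")

# Constructed sample log: one scanner hitting several probe paths, one single probe, one real visitor
SAMPLE_LOG = """\
198.51.100.7 - - [12/Oct/2009:10:00:01 -0500] "GET /e107_files/index.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Oct/2009:10:00:02 -0500] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Oct/2009:10:00:02 -0500] "GET /xmlrpc.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Oct/2009:10:00:03 -0500] "GET /wp-content/plugins/x.php HTTP/1.1" 403 312 "-" "-"
192.0.2.44 - - [12/Oct/2009:10:00:04 -0500] "GET /node/12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Oct/2009:10:00:05 -0500] "GET /about HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def analyze(lines, min_errors=3):
    """Count error responses to probe paths per IP and the share of all requests that were errors."""
    per_ip, total, errors = Counter(), 0, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not access-log records
        total += 1
        if rec["status"] in (403, 404):
            errors += 1
            if rec["path"].startswith(PROBE_PATHS):
                per_ip[rec["ip"]] += 1
    offenders = sorted(ip for ip, n in per_ip.items() if n >= min_errors)
    return {"per_ip": dict(per_ip), "offenders": offenders,
            "error_share": errors / total if total else 0.0, "total": total}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print(f"{report['error_share']:.0%} of {report['total']} requests were error pages")
    print("IPs repeatedly probing non-Drupal paths:", report["offenders"])
```

On a real server, feed it the access log (e.g. the last few thousand lines) rather than SAMPLE_LOG; a high error share together with a long offender list is the signature the post describes, and the offender list is what you would hand to a firewall or Apache deny rule.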

Learn to set up, maintain and secure a Small Office Server using Linux Email

Submitted by jasminet on

Packt is pleased to announce Linux Email, a new book that covers everything that users need to know in order to set up their own Linux server. Written by professional Linux administrators, this book is a simple step-by-step guide to setting up a Linux email server using the most popular free Open Source tools such as PostFix, ProcMail, SpamAssassin, ClamAV, and others.

Linux is a free and open source software collaboration whereby typically all the underlying source code can be used, freely modified, and redistributed, both commercially and non-commercially, by anyone under the terms of the GNU GPL. Linux is predominantly known for its use in servers, although it can be installed on a wide variety of computer hardware ranging from embedded devices, mobile phones and even some watches to supercomputers.

Linux Email helps users overcome the complexities involved in getting started with Linux. They can create mail filters, sort their incoming mail into separate folders, pre-process their mail, start any programs upon mail arrival and selectively forward certain incoming mail automatically to someone using Procmail.

Serving a home for my Drupal site

Submitted by Bryan on

We lasted nine months. That's right, for nine months we hosted our Drupal site with a shared hosting account. Last January, I knew we were taking a gamble, but the monthly cost savings for hosting the site was just too tempting. In the end though, CMS Report was too busy and exceeded the shared hosting provider's CPU usage policy.

So, during the past few days I've been busy moving the site onto a Virtual Private/Dedicated Server. This time, I'm going with GoDaddy, but as far as self-managed VPS/VDS goes there are a lot of good companies you can go with. Although I can do Web server administration in my sleep, I think I'm going to miss having someone else doing the server management for me. I know there are better hosting options for professional Drupal sites, but I don't think I'm in need of a high-end hosting plan for this amateur site of mine.

One of the common mistakes website owners make is not recognizing the growth of their site. We all try to do things as cheap as possible and often fail to recognize the increasing size of our content management system or the increasing popularity of our site. In the Fall of 2007 I made this mistake. The hosting provider locked access to my site and I spent a stressful week getting my database from the hosting company and placed onto a new server.

Future of Intranet is on the Internet

Submitted by CMS Report on

Internet Evolution: "What’s more, the traditional intranet approach is collapsing under the pressure for information that must be available both inside and outside the organization. Sales information that customers should see is copied and enhanced with additional information behind the firewall for sales employees. Guess what happens when the information needs to be updated? Yeah, often only the version on one side of the wall gets the changes.

The firewall is starting to look rather antiquated."

Turning the iPhone into a Moodle Server

Submitted by Bryan on

Lots of people do interesting things once they've jailbroken their iPhone. Dan Poltawski is no exception: he tries to turn his once client-only device into a Moodle server.

Having ended up with a spare iPhone from a recent upgrade I decided to try jail-breaking the old one and see what software was out there away from the restrictions of the app store. I discovered that lighttpd, php and sqlite were all available from the software repositories for download - these three combined are enough to run a Moodle server. So out the window went cleaning my flat and sensible tasks - I had to make my phone into a Moodle server!

Once you start reading the article you will find that his first attempt at installing and using Moodle on his iPhone wasn't that successful. Still, Moodle on the iPhone is an interesting concept. To say the least, the concept is much more interesting than the YouTube video he provides of his experience. Dan, couldn't you at least have added some background music or some audio of you swearing at your iPhone?

Switching Servers

Submitted by Bryan on

CMS Report is switching servers this weekend and making some DNS changes.  In other words, we may be down for a few hours on Saturday or Sunday.  If we run into problems, we can switch back to our original server.

Update: Bulk of the transfer was completed by 10 PM CST.  I will need to do some fine tuning here and there though.  More later...


Plone Professional Development Book

Submitted by Bryan on

Last October, Packt Publishing sent me one of their latest books on the Plone CMS, Professional Plone Development. This is a book I had been saving for review until I had a chance to install and use Plone myself. Plone is one of those CMSs that I've really wanted to learn more about by installing it on the server myself. Unfortunately, too many things on my "I want" list have had to compete with my "I need" list, and I never got around to installing Plone. With no Plone on the server, I unfortunately never got around to reviewing the Plone book written by Martin Aspeli either.

This book is aimed at "developers who want to build content-centric web applications leveraging Plone’s proven user interface and flexible infrastructure". Given the fact that I haven't installed Plone myself, I can't honestly give a thumbs-up or thumbs-down on the book. However, what I can do is talk a little about the book and let you decide for yourself if this book is worthy of your hard earned money.

Oh, it is so cold!

Submitted by Bryan on
Low Temperatures for January 20, 2008

This has been a very cold week in the Dakotas. Sunday morning the temperature dropped to around -14 degrees Fahrenheit (that's around -26 degrees Celsius). These are real temperatures and not wind chill.

Needless to say, I am not spending a whole lot of time outside this month. However, these cold temperatures are very geek friendly. I am spending my time at the computer and getting some very needed things done.

Some of the items I have been working on that may be of interest to you:

  1. I am starting to make some decisions on where I want to take CMS Report from here. I'm considering going more "professional" with the site. The changes I would like to make may involve some willingness on my part to partner with someone who has similar interests and more experience in these matters.

Corporate Social Networking Stalls?

Submitted by Bryan on

Yes, another challenge for those of us that work in the IT department! Just what we wanted, right? We're spending all this time reworking the corporate Intranet so everyone can collaborate better. What happens when we're done and no one shows up?

It could be tempting to conclude that because your employees enjoy keeping a personal blog or spending time with contacts on social networking sites like Facebook and LinkedIn, that they would want to participate in an internal corporate version of those sites. But don't be so sure.

A new study has found that the phenomenon of social networking and collaboration does not yet have a natural extension behind the enterprise firewall.

Can't we just get a break?

Seriously though, I'm curious how your office Intranet is doing. Have you recently added collaboration and social networking tools to your server? If so, how well is the improved server working for you? What recommendations do you have for others to follow? Inquiring minds want to know!

Optimizing Xoops, its modules and your server

Submitted by Bryan on

Recently posted at XOOPS.org was a how-to for optimizing XOOPS on your server.

Optimizing Xoops, its modules and your server - Sometimes, people say that Xoops is rather slow, and it can be true, but there are ways to improve things.

Instant Zero is in charge of maintaining some websites using Xoops, so we decided to share our knowledge in this domain with you, and we hope that you will find it useful.

In this article, in 5 points, you are going to see what you can do for your site.

The tips given discuss how to make tweaks to your server, XOOPS, the database, files used, and the CSS to help optimize your XOOPS site. As usual, some of these same techniques can be applied to more than just one content management system.

Victor Kane: VPS! Getting Drupal up and running on a linode

Submitted by Bryan on

Honestly, I'm not trying to put so much focus on Drupal when you consider CMSReport.com is a site that is supposed to put focus on at least 29 other content management systems. It's just that there is so much coming out from the Drupal community that it is hard to ignore. The latest is Victor Kane's experience with setting up a virtual private server (VPS) for the Drupal CMS.

Well, after realizing the limitations of shared hosting for Drupal development, I decided to go with the big boys and use a dedicated server or VPS solution, at least for development. So I can make a multisite install for the docs and I can make subdomains for each development site.

So after perusing various options, I decided for linode. After checking out the various plans, I decided on the Linode 300, and got 50% more disk space by paying for a year.

The good news for non-Drupal users is that the VPS how-to can easily be applied to other CMS applications. Check out the complete story.

Server Administration and Goodbye PHP 4

Submitted by Bryan on

Yesterday, I upgraded the PHP version on my server from 5.2.4 to 5.2.5. PHP 5.2.5 brings improved "stability of the PHP 5.2.x branch with over 60 bug fixes, several of which are security related". I also reintroduced eAccelerator back onto the server. I stopped using eAccelerator last spring, not so much because I had any real issues with it, but because I spent the summer months hosting my sites on the cheap.

This time, when I compiled the new version of PHP 5.2 onto my server, I also made the decision to not load the latest version of PHP 4. Although most of the Web applications I run on the server are PHP 5 compatible, I've always made sure I also had access to a version of PHP 4. The time has finally come though where I really don't have a need or desire to host a content management system that is only PHP 4 compatible.

Donncha: What time is it WordPress?

Submitted by Bryan on

A nice reminder from Donncha...

Daylight Saving Time (DST) kicked in this morning in Ireland, the UK and many other parts of the world when the clocks went back 1 hour. The US is next week from what I remember. If your server is using UTC time, check Options->General, the “Times in the weblog should differ by” textbox in your blog and adjust accordingly!

Complete Story

CMSReport.com's server performing well

Submitted by Bryan on

Last weekend, both Linux Today and Linux.com provided links and excerpts to an article I posted here at CMS Report. You can see some of the stats on my newly quantified site at quantcast.com. While those managing large sites shouldn't be too impressed with those numbers, I'm personally pleased with the current level of traffic this little ol' site of mine is seeing. I'm not only "wowed" by the number of people visiting my site to read the posts, but I'm also grateful for the opportunity to learn from those of you that leave some quality comments for all to consider.

More importantly, this past weekend's traffic bump was the first real test I had for CMSReport.com since it's been hosted on the new VPS.  I've done very little tweaking of the VPS, so I'm looking forward to seeing how much I'll be able to improve the server's performance once I find some free time.  Either way, it is very doubtful that CMSReport.com would have stayed up under the previous shared hosting plan.  The VPS gives me a lot of room for growth...oh yea!
