System Administration

Denial of Service on an Apache server

Last week was a very frustrating time for me. For whatever reason, an unusually number of botnets decided to zero in on my Drupal site and created what I call an unintentional  Denial of Service attack (DOS). The attack was actually from spambots looking looking for script vulnerabilities found mainly in older versions of e107 and WordPress. Since the target of these spambots were non-Drupal pages, my Drupal site responded by delivering an unusually large number of "page not found" and "access denied" error pages. Eventually, these requests from a multitude of IPs were too many for my server to handle and for all intents and purposes the botnet attack caused a distributed denial of service that prevented me and my users from accessing the site.

These type of attacks on Drupal sites and numerous other content management systems are nothing new. However, my search at Drupal.org as well as Google didn't really find a solution that completely addressed my problem. Trying to prevent a DDoS attack isn't easy to begin with and at first the answers alluded me.

I originally looked at Drupal for the solution to my problems. While I've used Mollom for months, Mollom is designed to fight off comment spam while the bots attacking my sight were looking for script vulnerabilities that didn't exist. So with Mollom being the wrong tool to fight off this kind of attack, I decided to take a look at the Drupal contributed model Bad Behavior. Bad Behavior is a set of PHP scripts which prevents spambots from accessing your site by analyzing their actual HTTP requests and comparing them to profiles from known spambots then blocks such access and logs their attempts. I actually installed an "unofficial" version of the Bad Behavior module which packages the Bad Behavior 2.1 scripts and utilizes services from Project Honey Pot.

As I had already suspected, looking for Drupal to solve this botnet attack wasn't the answer. Pretty much all Bad Behavior did for me was to take the time Drupal was spending delivering "page not found" error pages and use it to deliver "access denied" error pages. My Drupal site is likely safer with the Bad Behavior module installed, but it was the wrong tool to help me reduce the botnets from overtaxing Drupal running on my server. Ideally, you would like to prevent the attacks ever reaching your server by taking a look at such things as the firewall, router, and switches. However, since I didn't have access to the hardware, I decided it was time to look at my Apache configuration.

Mollom Stats from CMS Report

After two years of spam protection by Mollom people are beginning to proudly show off their ham/spam stats. Davy Van Den Bremt over at Drupal coder writes:

If you're happy about Mollom, just shout it out on Twitter, Facebook, your blog, ... by putting up a screenshot of your stats and saying how many spam has been caught by Mollom. You can find the stats of your site on your Mollom account. If you're using Drupal, you can find them under Administer > Reports > Mollom Statistics.

If you're using Twitter, use the hashtag #mollomstats. I'm looking forward see how much crap content Mollom has spared us from.

ocPortal and Bitnami team together for easy CMS installation

Two providers of integrated solutions: ocPortal, an open-source Content Management System, and Bitnami, which makes "stacks" for easy installation of web applications, have partnered to release a "stack" for ocPortal 4.1.10. Jointly developed/tested by both companies, users of almost any background can now easily download and run ocPortal on the "big three" operating systems, Windows, Linux, and Mac.

Drive your own website

I've never agreed and disagreed so much with one article as this one from The Sydney Morning Herald, Drive your own website.

I agree...

I hate being held to ransom. And I'm sure you do, too. But that's the scenario you're creating when you hand over your website to a web designer or developer and relinquish control over when and how you can change your content...

...That's why I think it's vital for small-business owners to use their own content management systems (CMS). My recommendation is to initially use a designer to create the overall look but after that you at least want to be able to change the text on your website whenever you want.

I disagree...

If you are planning to use a free CMS, such as Wordpress, Drupal or Joomla, expect a steep learning curve and a lot of time poring through forums and blogs trying to figure out how to insert that picture just the way you want.

On the other hand, monthly subscription-based models can offer more flexibility. While you might baulk at being tied to a monthly subscription, the benefit is this is usually accompanied by technical support - so you can call or email for help

The fact of the matter is whether you're going to be using a CMS that is propriety, open source, or subscription based...there is always a learning curve involved.  The advice I often give to those looking for a CMS is to look at which CMS meet the requirements then worry about the licensing along with the how/where the site will be hosted. The fact is that if the CMS doesn't meet your requirements...no subscription-based model for that CMS is going to meet your needs.  Also, if you think Wordpress has a steep learning curve...you likely haven't done your homework on Web content management systems.  Just my opinion...

Drupal on a Budget II

I have never had good luck hosting my Drupal sites on shared hosting plans.  My last venture into budget hosting was a disaster with the hosting company locking me out of my own account due to too many requests to the remote database.  The truth is that I've only been happy with running my personal Drupal sites on virtual private servers (VPS).  However, I'm having a difficult time justifying my yearly costs of using a VPS to host my sites.

Moving onto Acquia Drupal

Acquia logoLast year I was one of the beta testers for Acquia's Drupal distribution and the Acquia Network.  I was evaluating Acquia's products and services for a potential intranet project at work.  For this particular project, unfortunately, it looks as if Acquia or Drupal wasn't the right solution.  Our regional folks wanted a solution similar to Microsoft's Sharepoint that is more integrated with Microsoft Office and heavily featured in document management.  That's alright though because there are a number of smaller intranet projects at work where Drupal is the perfect solution and a lot of

Something bad going on with PHP-Fusion

Yesterday, PHP-Fusion announced that someone had hacked into their site and changed the download link for PHP-Fusion Version 7.

Hello all,

We had an issue a few days ago where a malicious person gained
access to our site as a super administrator via a weak account/gained
password. They apparently changed the download link of PHP-Fusion
version 7 to spendspace and it was packaged as a .rar file.

If you downloaded one of these files, please reinstall your entire site using a fresh copy from SourceForge.

While this isn't a good thing, it is a positive that PHP-Fusion disclosed the possibility that the link led to a version of PHP-Fusion that may have been maliciously changed.  I can recall a number of other projects (open source and propriety) that have found their source code made vulnerable by someone intruding into their servers.  What is always important to customers in these cases is disclosure and transparency.  So far, PHP-Fusion seems to be doing the right thing.

However, as of this Thursday morning...it looks like PHP-Fusion's hosting company has suspended their account. At the time of this writing, there is no words given as to the reasons for the suspension.  I suspect the suspension is likely to be security related.  Perhaps, we'll see an announcement at SourceForge on the status of PHP-Fusion if their home site doesn't come back online soon.