Show Notes for AlternaGeek Episode 5

AlternaGeek.com Podcast, Episode 5 for July 10, 2007
Featuring Linuxchic, Code Ninja and TechMonkey.

Apache mod_security – http://www.modsecurity.org

mod_security is a Web Application Firewall built as an Apache module. It provides real-time monitoring and attack detection: it inspects HTTP requests and can identify and stop attacks before a request reaches your web applications. mod_security is configured using rules. A core set of rules is included that identifies common web exploits like:

  • SQL Injection
  • Cross Site Scripting
  • Spam Comments

mod_security rules are configured with the appropriate “action” for the rule. The action types that are provided are:

  • deny – deny the request
  • allow – stop rule processing and allow the request
  • status:nnn – respond with HTTP status nnn
  • redirect:url – redirect the request to the absolute URL url
  • exec:cmd – execute a script cmd
  • log – log the request to the error log
  • nolog – do not log the request
  • pass – ignore the current rule match and go to the next rule
  • pause:nnn – stall the request for nnn milliseconds. Be very careful with this action; one Apache instance will be busy stalling the request. You could actually help the attackers in creating a denial of service attack.
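As an added example that is not from the episode notes, here is a small ModSecurity 2.x rule set that uses the actions listed above; the rule ids, the request patterns, the host address, the redirect URL and the script path are all assumptions.

```apache
# Added example (not from the show notes). Rule ids, patterns, addresses and
# paths below are assumptions, not values from the episode.
SecRuleEngine On
SecRequestBodyAccess On

# allow: let the monitoring host through and stop rule processing for it.
SecRule REMOTE_ADDR "^10\.0\.0\.5$" "phase:1,id:1001,allow,nolog"

# deny + status + log: a crude SQL injection signature in any request argument
# is refused with a 403 and written to the error log.
SecRule ARGS "(?i:union\s+select|;\s*drop\s+table)" \
    "phase:2,id:1002,t:urlDecode,deny,status:403,log,msg:'SQL injection attempt'"

# redirect: a script tag in an argument sends the client to a static page.
SecRule ARGS "(?i:<script)" \
    "phase:2,id:1003,t:urlDecode,t:htmlEntityDecode,log,redirect:http://www.example.com/blocked.html"

# pass + log: a comment body stuffed with links is only logged, so the blog's
# own spam filter still sees it.
SecRule ARGS:comment "(https?://.*){5,}" \
    "phase:2,id:1004,pass,log,msg:'possible comment spam'"

# exec: run a notification script when an empty User-Agent is blocked.
SecRule REQUEST_HEADERS:User-Agent "^$" \
    "phase:1,id:1005,deny,status:400,log,exec:/usr/local/bin/notify-admin.sh"
```

The pause action is deliberately left out: as the notes say, it ties up an Apache worker per stalled request, so a flood of matching requests costs the server more than the attacker.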

Selecting A Web Hosting Provider

There are a lot of details to consider when selecting a web hosting provider. Everyone’s needs are different, as is their knowledge of technology. Some things to consider:

  • Type of site – Personal/Commercial/Other
  • Platform – Windows or Linux
  • Managed or Unmanaged
  • VPS or dedicated or shared

It is important to research possible hosting providers. A good starting point is Web Hosting Reviews at http://whreviews.com. This site provides good articles on what to look for in a hosting provider and what things to be cautious about. There are articles covering topics such as:

  • Presales questions
  • Unlimited bandwidth
  • Uptime guarantees
  • Overselling
  • Server load
  • Windows vs. Linux
  • Shared hosting

There are also very helpful sites where hosting company customers can participate in discussions of the various hosting providers and their individual experiences. Two such helpful sites are WebHostingTalk and HostHideout.

WordPress Plugins

Akismet: A preinstalled plugin (you will need to insert an API key and activate it) that checks comments and trackbacks for spam against the Akismet web service.

Challenge: Restricts comment spam by throwing the commenter a challenge. The default challenge is an addition-and-multiplication math question. The challenge and the answer can also be user-defined; they can be anything, including PHP-evaluatable expressions.

Referrer Bouncer: A plugin to bounce back referrer spam attempts; requires no upfront configuration and no mod_rewrite. It is like the strong, silent bouncer at your favorite club. Tested on WordPress 1.5.x and 2.0; it should work with earlier versions too.

Comment Timeout: A plugin that allows you to selectively close comments on your blog to help reduce spam. There are three ways in which it can do this:

  1. It lets you close comments on old entries that do not have an ongoing, active discussion.
  2. It examines your spam queue and your Bad Behavior logs to let you close comments and trackbacks across the board to troublesome IP addresses.
  3. It allows you to reject comments that contain too many hyperlinks, or links in BBCode format.

ImgProtectr: A plugin that will take any text you pass to the imgProtectr() template tag and put an image containing the specified text in its place. This is primarily intended for use in templates where you would have an email address displayed.

WP-Hardened-Trackback: Hardened Trackback generates single-use, expiring trackback URLs with . Whenever someone tries to send a trackback without a valid key, it will be ignored.

Very useful Linux shell commands you might not be familiar with
  • man
  • wc
  • file
  • tac
  • apropos
  • which
  • tail
  • du
  • wtf
  • locate
