stoneage

  1. Are there any plans to support CloudFlare reverse proxy service? I have been using it a few days and it gives good service: - blocks unwanted web traffic - bandwidth is down by almost 50% The only issue I have is my logs. CloudFlare routes my traffic and handles DNS. In my logs all traffic now appears to come from CloudFlare. Some AWstats statistics are now uninformative. The fix is to install their mod_cloudflare program which will restore the original IPs to logs. And hopefully 'repair' AWstats statistics. - The issue and the fix are explained on their website: http://www.cloudflar.../wiki/Log_Files Is it possible to have mod_cloudflare installed on my server (Danuta)?
  2. Thanks for the larger picture. I just removed the IP block - it is in my interests that Googlebot is active on my site. Will monitor the bandwidth it uses though.
  3. For me it was just over 200 MB on Feb 9th before I blocked Googlebot IP. On two previous months it was around 50 MB for the whole month. Before that it topped 20 MB at most if I recall it correctly - did not have many changes on my site content though at that time. Considering it is around 200 megs for you I feel much less alarmed. It is possible that Googlebot just crawls slightly deeper (better?) and this is causing the increase. I believe a better robots.txt may fix this issue. My current file denies only admin folder for robots and allows all other. I might try a different approach: allow robots to some folders and deny all other for them.
  4. Thanks for bringing this issue up. I thought it was happening only on my site. On Feb 8th and 9th I noticed the number of visits jump from 5 to 680. My CMS showed the number of pageviews increased from 500 to 5500. This used a LOT of bandwidth (and processing power I guess): 82% of all traffic was generated by this one IP gone wild. On Feb 9th I had to block the IP: xxx.249.66.107. I checked it and it is a Google IP. This is their NetRange: 66.249.64.0 - 66.249.95.255. I do not know if it is possible to forge an IP. I noticed this issue just a few days after we received the two e-mails that we should keep our scripts updated. The servers were under increasing pressure, and AwStats stats pages did not autoupdate. I wonder if these two issues were related. On my server. Or on wider scale. Anyway, by blocking this one "Googlebot" IP I managed to cut down 82% bandwidth which was not generated by normal site visitors. The issue was solved. The issue has not repeated itself. As a permanent solution, will have to use robots.txt to limit its access.
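An added example (not part of the post above, and not code from Google or TCH): one way to check a suspected "Googlebot" address like the one described in post 4, by measuring each client's share of response bytes in an access log, testing it against the NetRange quoted in the post, and confirming it with forward-confirmed reverse DNS, the check Google documents for its crawlers. The log lines, addresses, dates and the injected `reverse_dns`/`forward_dns` resolver callables are constructed assumptions so the code runs offline.

```python
import ipaddress
import re
from collections import Counter

# NetRange quoted in the post: 66.249.64.0 - 66.249.95.255
GOOGLE_NETS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("66.249.64.0"), ipaddress.ip_address("66.249.95.255")))

# client IP ... "request" status bytes  (Apache combined log format)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} (\d+|-)')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = '''\
66.249.66.1 - - [09/Feb/2011:10:00:01 +0000] "GET /node/1 HTTP/1.1" 200 41000 "-" "Googlebot/2.1"
66.249.66.1 - - [09/Feb/2011:10:00:02 +0000] "GET /node/2 HTTP/1.1" 200 41000 "-" "Googlebot/2.1"
198.51.100.20 - - [09/Feb/2011:10:00:05 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2011:10:00:09 +0000] "GET /admin HTTP/1.1" 403 - "-" "Googlebot/2.1"
198.51.100.21 - - [09/Feb/2011:10:00:11 +0000] "GET /about HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
'''

def in_google_range(ip):
    """True if ip lies inside the NetRange quoted in the post."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GOOGLE_NETS)

def bandwidth_share(log_text):
    """Return {ip: fraction of total response bytes} for parseable lines."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            totals[m.group(1)] += 0 if m.group(2) == "-" else int(m.group(2))
    grand = sum(totals.values()) or 1
    return {ip: n / grand for ip, n in totals.items()}

def is_verified_googlebot(ip, reverse_dns, forward_dns):
    """Forward-confirmed reverse DNS. The resolvers are injected callables
    (an assumption of this example) so the check can run without a network."""
    host = reverse_dns(ip)
    if not host or not host.endswith((".googlebot.com", ".google.com")):
        return False
    return ip in forward_dns(host)  # the name must resolve back to the same IP

if __name__ == "__main__":
    for ip, share in sorted(bandwidth_share(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} {share:6.1%} in NetRange: {in_google_range(ip)}")
```

A User-Agent string alone proves nothing: in the sample, 203.0.113.7 claims to be Googlebot but is outside the range and would fail the DNS check.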
  5. Drupal is on my short list for a new CMS. I have never used PHP-Nuke and hope I never will. I will have to strengthen my admin.php files. Thanks Ayman for this tip. This is a good one.
  6. I want to stay at TCH. I like it here because 1) TCH puts so much emphasis on security and good service. 2) TCH is reasonable. If a customer has a problem he/she is explained the issue and ample advice is given on how to proceed in solving the issue. My problem is that I cannot satisfy the requirement of having _always the very latest official_ version of any script. This is how I try to deal with security: I try to choose the most secure script to start with. Some developers put more emphasis on security than others. Some forks are based on improved security. And some new scripts are built with security in mind from step one. They might not be the most popular ones - this increases security too. I do not use the scripts provided with cPanel. I personally believe that when PHP-Nuke is included then security is not at the highest level. It has an awful security record. It is very popular and thus included. - I do not want to spend days fixing a hacked site just because it is supported by cPanel. I hope I am not penalized for trying to use more secure 3rd party scripts. I make some standard security enhancements to scripts. If the script is non-standard then some standard exploits may not apply. A hacker can find easier ones to attack. I modify some meta tags and other identifiers within the confines of copyright. Many exploits apply to a given version of a script. The hacker may find the targets with a careful Google search phrase. My sites cannot be found in such a standard way. It is not 100% safe but I hope to avoid the first wave of random attacks with new exploits. To gain a few extra days to patch the script is just what I need. - A site based on cPanel included script is really visible and thus vulnerable. ---- Because of the many security and nonsecurity related modifications I find it hard to update scripts immediately. It is in my interests to update but to avoid excessive workload I may occasionally have to step over an update. 
- There is no such thing as 100% security in internet. Eventually one of my sites will fall victim - but I am doing my best to postpone it as much as I can. There are many ways to take security seriously. Having the most up to date version of the script is just one of them. What I outlined above is another. And there are others still. - If I got it right, the second TCH email (on need to update 3rd party scripts) may allow for this diversity. Some of us may not have the luxury of instant updates. Then we need something else instead. Any general security tips you are willing to share?
  7. Many Thanks silica, Thumbs Up The %40 trick works! - Works without a subdomain as well: Ftp user: child@myserver.com pass: password domain: myserver.com ftp://child%40myserver.com:password@ftp.myserver.com I knew I could count on tch. Very pleased to get over this problem. Again: Rock Sign
  8. Thanks Don, Got half way there! I can access the folder (/public_html/pictures/) using my default username and password as you suggested. This works: ftp://user:password@domain.ext/public_html/pictures/ The problem remains how to access that particular folder (or subdomain if set up) using an additional ftp account I created with Cpanel. This is quote from Cpanel "FTP Account Maintenance" "When logging into the ftp server please use the username exactly as it appears below. If the username includes a "@", make sure to include it when logging in. Example: Use "john@doe.org" and not "john". " My new ftp account: "child@myserver.com" and the folder this account has access to: "(/pictures)" Ftp user: child@myserver.com pass: password domain: myserver.com This does not work: ftp://child@myserver.com:password@ftp.mys..._html/pictures/ ftp://child@myserver.com:password@ftp.myserver.com The query may not leave IE browser (5.5) before it pops-up an error. Maybe there is an alternative way to express the ftp username in Cpanel or a way to wrap it? I came over this problem some time ago and hit the brick wall with it. It would be so nice to have a button to push to upload some pictures to the correct folder. I want to have this button on a protected page. Logging in twice is not my idea of user friendly IF. Rock Sign Thumbs Up P.S., Sorry for a confusion. I never got so far as to set up a sub-domain and try this on it. I hit the wall earlier. It's the @ within the ftp-username.
  9. Hi, I have a similar problem, different flavor: I have created a subdomain: child.myserver.com. Then I created a new ftp account. Cpanel gave the username as child@myserver.com. When I use SmartFtp everything works fine. My problem: I want to use integrated IE browser ftp. On a protected page I want to put a direct link to browser ftp. I guess this is the way to write the address: ftp://user:password@ftp.myserver.com - Tested: This works for NON sub domains. For subdomain the address becomes ftp://child@myserver.com:password@ftp.myserver.com There is simply one "@" too many. It does not work. Is there a workaround? (I tried replacing @ for & #64 and for its UTF equivalent in several ways but it did not help)
  10. Hi schmuck, You made very interesting questions. Not able to help much. However this is what I've learned: Just over a year ago I made a site using postnuke. Then I followed the integration of phpBB2 into postnuke - surprisingly difficult task: how to sync the time! From that experience: 1) It could be possible. Someone has to write the integrating code though. Some changes have to be made either to the Gallery or to the phpBB2 code (unless you go 3) route below). Take a look at phpBB2 mod pages - someone could have done it already. One must be careful from which program to erase the 'proprietary' login routine. Postnuke and phpBB2: phpBB2 was modified but some argued it should have been done the other way around. And look at OSsuite.org: they integrated fast developing osCommerce into a 'static' Nola (noguska.com) package. OSsuite was outdated when it came out... General point: In my opinion this is a big problem with opensource programs. They are great alone but integration is a pain. One needs to be able to do PHP. I recall there is/ (was?) a general attempt somewhere to make the datatables of different programs 'work together'. Does anyone know where it was? 2) Have no experience with MT. Postnuke is good at integrating. And it is a bit heavy - I hear on heavy use sites it needs serious horsepower. Security system is extremely flexible (e.g., you can lock out a specific article from a specific user) but -many say- difficult at first sight. 3) Logging into a website: Yes it is possible. However it might be a bit intimidating. It might be a good idea to have some content available to all. A kind of tour of the premises. Beyond that you could have a whole website protected by one login script. There are tons of them at hotscript.com. Also look at aMember on TCH help pages. Easy way? If each application lets the user to choose his/her password (and username) then you could ask your customers to register once for each application. 
Present this to the customer as a security measure. If everything is private they might buy it. - The benefit of this is easy program update. As no changes have been made to the code it can be updated with minimum of effort. In the long run this becomes more and more important.
  11. For complex forms I opted for nms-FormMail. It is a drop-in replacement for original FormMail by Matt. This is why: - it seems secure enough. Written with security in mind. Used by many ISPs. - well maintained. Last update less than a month ago. - it is backward compatible with the original FormMail. It retains all form formatting. This saves a LOT of time. - good documentation. Both readme and examples docs. - available in easy and expert (modular package) downloads. For added security I renamed the file from FormMail.pl to piggy.pl - works great. Could this be secure enough for TCH?
  12. Many thanks for your script surefire! I had used sort and print_config fields in my forms. I will have to do some form rewriting as this script (or DodoMail) does not support those fields. Any word on the FormMail fix from cPanel? Is it good? - I might wait for it a day and save myself a lot of work.
  13. Had this problem a while ago. Could not find an answer. Found several interesting opinions and attempts in here: