Monthly Archives: October 2014

WordPress Comment Spam

2014-Oct-06

Not only are bots trying to beat on sshd, but they were also annoying me with comment spam.

 

Only 4 attempts per hour to talk to sshd so far.  That will pick up.

$ uptime && iptables -vnL | grep tcp\ dpt\:22
11:29:15 up 18:45,  1 user,  load average: 0.00, 0.01, 0.05
74  3456 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

 

Inspired by http://mywifequitherjob.com/how-to-prevent-comment-spam-from-crashing-your-wordpress-blog-and-taking-down-your-server/, I installed the Cookies for Comments WordPress plugin and made one tweak to my lighttpd.conf

$HTTP["url"] =~ "^/wp-comments-post.php.*$" {
	$HTTP["cookie"] !~ ".*f88ca0021aa9ade19e8258a9d4637c66.*" {
		url.access-deny = ( "" )
	}
}
$HTTP["url"] =~ "^/wp-login.php.*$" {
	$HTTP["cookie"] !~ ".*f88ca0021aa9ade19e8258a9d4637c66.*" {
		url.access-deny = ( "" )
	}
}
$HTTP["url"] =~ "^/xmlrpc.php.*$" {
                url.access-deny = ( "" )
}

That’s the real cookie value for this site, this is what it’s for if you see it in the cookies list,  and you can see where it shows up in the source code of this page.  Bonus points when, after seeing some log entries for some of these,  I realized it would also work for simple brute-force login robots as well.  Scope creep as a feature!

If you are trying to GET/POST the comments .php file,  AND you don’t have this cookie value set,  then go straight to 403 Forbidden.  Do not load php and jam up system resources, do not try to show a nice error message.

Will now go open up comments the way I wanted to originally and wait and see if this means problem solved or at least significantly reduced.

Future development,  if it becomes more of a problem:   Fail2ban, perhaps working an iptables tarpit.

Migrating WordPress blog to a new VPS

2014-Oct-06

Lesson learned:  stay away from service providers who try to be everything.

If the service provider thinks that being a domain name registrar, DNS host, web host, and email hosting are all one and the same “hosting” – R U N   A W A Y.   If you don’t – then you deserve everything you get, with interest.  Including the extra advertising popup you are forced to step past in order to actually get into your account control panels.

The experiment to try a blog at a hosting company only lasted 4 months.

In the end, it took one SSL certificate to do them in.   Their automation broke because they don’t host email for my domain,  and some really bizarre ideas came up after their customer support discovered that they also didn’t host my DNS.    Part of the extra confusion is my responsibility.  I have a tendency to tell tech support people too much,  and they have a tendency to focus intently on a detail that is most likely irrelevant to the issue at hand.

When compared to the hosted solution and the amount of effort I spent trying to communicate with customer service –   it turns out I can spend less effort and, actually, also less dollars to manage my own VPS.  While the initial set up effort is much higher,  the ongoing maintenance effort is less and much more satisfying than dealing with confused support and still getting nowhere.

Anybody with a bit of whois-fu can dig up that the new provider is RamNode,  well reviewed at http://lowendbox.com/.   I even get much better latency from home to Seattle than Boston.

It’s much much too early to form an opinion about them because nothing’s gone wrong yet.

 

 

Migrating WordPress to a VPS

Get the VPS going

Continue reading