Tag Archives: Apache

Recent Web Hosting Vulnerabilities

If you have a spare moment to go through your control panels and check your up-to-date status, here are some recent warnings you might want to check against:

Serious Vulnerability Warning For Parallels Plesk Issued – traxarmstrong.com
From traxarmstrong.com – End of April 2013

There is a serious bug in Plesk Panel, one of the most widely used hosting control panel solutions, that contains multiple privilege escalation vulnerabilities…

The linked post lists the specific versions that put you at risk of this security vulnerability. You are NOT at risk if your Apache web server runs PHP, Perl, Python, etc. via FastCGI or CGI.

Lesson Re-learned: Backups !

From accuweaver.com – 1 week ago

I just shot my blog in the foot, or more accurately, I didn’t follow IT 101 and back things up before making a change. I had moved my site to be completely WordPress based a while ago…

Rob Weaver goes on to explain his own experience of how he came to rely on a faultless Plesk auto-installation. And while I couldn’t help but chuckle, I’ve also been there. He’s currently rebuilding his site from a lucky idea: downloading the HTML files generated by his WP Cache plugin.

Not too long ago I made a similar mistake of failing to save website backups… I rebuilt pages from the Google Cache HTML files, and recent pages that were not indexed were (and I’m not sure how lucky this is) rebuilt from scraper site copies. Yes! Those SEO fraudsters and mimics had decided my writing had enough value to be indiscriminately copied!


Hackers Increasingly Target Shared Web Hosting Servers for Use in Mass Phishing Attacks

From www.cio.com – End of April 2013

Nearly half of phishing attacks seen during the second half of 2012 involved the use of hacked shared hosting servers, APWG report says.

Mass phishing attacks are also dubbed “whaling”. They tend to rely on auto-installations of PHP databases, where the username or database label is numerically generated – and therefore more predictable for patient hacker attacks.

If you’re on a shared web hosting plan, it might be a good idea every now and again to go into phpMyAdmin and change the password, or even the database name, to make these combinations harder to predict.


by – Juliana

How to Set Up Python CGI & Care for a Pet Python


Snakes can be scary, and pythons are one of the deadliest. This article should help you stay safe when approaching the Python CGI program in your hosting package. The following information should help you keep Python happy and well-fed so you can use it to your advantage – to understand why Python itself is such a popular language, configure it properly, and avoid any potential frustrations. I will also give you advice on how to properly care for your pet python, in case you are on the wrong website.

For this article, I referenced several resources from around the web, including “Python CGI Programming” from w3resource, “Five Minutes to a Python CGI” from Gnosis Software, “Writing Portable CGI,” and “Python CGI Programming” (same title as above, different article) from tutorialspoint.

Care of your python #1: Always make sure that your python has plenty of water. Contrary to popular belief, pythons do not enjoy coffee, unless it has 2% milk and two spoonfuls of sugar. Pythons do not like to have to ask twice to get their coffee just the way they like it. Also, your python likes to dunk a chocolate biscotti into its coffee.

Python is Awesome

Gnosis Software’s David Mertz, PhD, is a huge fan of Python. Python is free, and it’s sophisticated. According to Mertz, Python “combines a clear language with powerful (but optional) object-oriented semantics.” Python beats Perl, he says, because it is easier to understand and support. What really sets Python apart, in my analysis of Mertz’s thoughts, is its brevity. Brevity is crucial to coding because it greatly increases efficiency – shortening the distance between a concept and its virtual representation.

Care of your python #2: Never let your python go hungry. Yes, it enjoys chocolate biscotti – but you can’t just feed it that all day. It likes vegetables, especially salads featuring artichoke hearts. Spare yourself the misery of handing your python a carefully prepared salad and hearing it hiss, “Where are the hearts?”

CGI – What’s Not to Love? A Couple Things.

CGI can bog down a server. For this reason, it has often been badmouthed. CGI, however, should not be counted out: it’s a fast tool for developers (at the level of the actual construction of the code) and it offers portability of scripts between servers. However, note two downsides and how they can be overcome:

1.) Difficulty with portability

You should be able to move CGI from one server to another without too much difficulty. However, when you are developing the script, it is wise to pay attention to any requirements you’re making related to configuration.  Take a dynamic approach rather than an absolute one. It’s a similar attitude to the trend toward responsive design: the less you are dependent on one particular environment, the less “tied” you are to that type of server. You don’t want a certain server or OS to have a stranglehold on your network. Dynamic paths will allow your script to be more adaptive: wherever it is, it’s always easy to move.

2.) Slow train coming down the line

Speed can become a problem with CGI. That’s a fair complaint, but there are simple solutions out there to expedite the processing time. FastCGI is a simple solution to speed things up. You can look for other alternatives as well – there are plenty out there. You can even write your own with the CGIHTTPServer module within Python. Don’t get into the speed-up software unless it’s needed. It does complicate the process, but sometimes it’s desirable. It’s good to know it’s there if you need it.
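To make the portability advice concrete, here is a small Python 3 CGI script, written for this page as an added example (it is not code from the cited w3resource, Gnosis or tutorialspoint articles). It takes everything it needs from the CGI environment the web server sets (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH, stdin) instead of hard-coded paths, so the same file runs unchanged under Apache, IIS or lighttpd; it uses only urllib.parse and html from the standard library, because the old cgi module is deprecated; it caps the request body it will read; and it HTML-escapes every value it reflects, which is where a naive CGI script normally leaks into cross-site scripting. The 64 KiB body limit and the field name "name" are assumptions of the example.

```python
#!/usr/bin/env python3
"""Minimal portable Python CGI script (added example, not from the articles cited above)."""
import html
import io
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024  # assumption: a small form never needs more than 64 KiB


def parse_request(environ, stdin):
    """Collect GET and POST form fields from the CGI environment (RFC 3875 variable names).

    `environ` is a mapping like os.environ, `stdin` a binary stream (sys.stdin.buffer).
    """
    fields = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        ctype = environ.get("CONTENT_TYPE", "")
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = 0  # malformed header: read nothing rather than block on stdin
        if ctype.startswith("application/x-www-form-urlencoded") and 0 < length <= MAX_BODY:
            body = stdin.read(length)
            if isinstance(body, bytes):
                body = body.decode("utf-8", "replace")
            for key, values in parse_qs(body, keep_blank_values=True).items():
                fields.setdefault(key, []).extend(values)
    return fields


def render_page(fields):
    """Build the HTML body; every user-supplied key and value is escaped before it is reflected."""
    name = fields.get("name", ["stranger"])[0]  # "name" is an assumed form field
    rows = "".join(
        "<li>{}: {}</li>".format(html.escape(key), html.escape(", ".join(values)))
        for key, values in sorted(fields.items())
    )
    return ("<!DOCTYPE html><html><body><h1>Hello, {}</h1><ul>{}</ul></body></html>"
            .format(html.escape(name), rows))


def build_response(environ, stdin):
    """Return (header_lines, body) for a CGI response, using the CGI 'Status:' header form."""
    body = render_page(parse_request(environ, stdin))
    headers = [
        "Status: 200 OK",
        "Content-Type: text/html; charset=utf-8",
        "Content-Length: {}".format(len(body.encode("utf-8"))),
    ]
    return headers, body


def main():
    """Entry point when the web server executes this file as a CGI program."""
    headers, body = build_response(os.environ, sys.stdin.buffer)
    out = sys.stdout.buffer
    out.write(("\r\n".join(headers) + "\r\n\r\n").encode("utf-8"))
    out.write(body.encode("utf-8"))
    out.flush()


if __name__ == "__main__":
    main()
```

Drop the file into whichever directory your server maps to CGI (see the Apache, IIS and lighttpd sections below), make it executable on Unix, and request it with `?name=...`; the server-specific part of the setup stays entirely in the server configuration, not in the script.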

Care of your python #3: OK, so your python has food and beverages now. You know what it also likes? Shoulder massages. Did you know that pythons have shoulders? Well, that’s just the thing – they don’t. Nonetheless, your python will never be happy unless you locate its shoulders and massage them. Good luck.

Configuration for Python CGI – Apache

Let’s look at basic configuration of Python for a number of different servers. We will start with Apache.

Let’s look at a few different ways to configure an Apache server.

Using ScriptAlias:

ScriptAlias can be used to designate a directory so that Apache knows all of its files are CGI scripts. According to w3resource, your line will look something like this within the httpd.conf file:

ScriptAlias /cgi-bin/ /usr/local/apache2/cgi-bin/

If you want your CGI files within Apache’s default directory, search that file for ScriptAlias and remove the number sign (#) that comments out each of those lines.

Creating a different directory:

Using something other than a default directory to run CGI scripts involves the following:

<Directory /somedir>
Options +ExecCGI
</Directory>

  • “somedir” should specify the directory you want to use.
  • You also want to let the server know what specific file extensions you are referencing, with a snippet such as this (which designates .cgi and .pl files):

AddHandler cgi-script .cgi .pl

Specifying a user directory:

The following code will allow you to access CGI from a user’s directory. It tells the server that anything that has a .cgi extension should run as CGI:

<Directory /home/*/public_html>

Options +ExecCGI

AddHandler cgi-script .cgi

</Directory>

Utilizing .htaccess:

You can also use the .htaccess file for CGI scripts if you would like. The following snippet will work for that:

Options +ExecCGI

AddHandler cgi-script cgi pl

To let the system know you want any of the files within any directory to run as CGI scripts, use the below:

Options +ExecCGI

SetHandler cgi-script

Care of your python #4: One thing pythons don’t often talk about in public is their almost fetishistic obsession with international news, finance, and style. You can’t often find a python who isn’t reading deeply into her newspaper of choice. Frequently, said python will be staring intently at a picture of a model, wondering what she has that the python doesn’t. Moral of the story: Get your python news-media, and get it frequently.

Configuration for Python CGI – Internet Information Services (IIS)

You will need to have a Python interpreter installed on your Windows system in order for the below to work. The following details are specific to Windows 7 but should be similar on other Microsoft systems.

Within the Taskbar, go to Control Panel > Programs > Turn Windows features on or off. Note that there is often a delay at this point. Once the window opens, look for Internet Information Services > Application Development Features > CGI. Check the CGI box, and then click OK. Again, it will take a moment for the installation to complete.

Go to the Start menu, and run “inetmgr.” Within that window, look at the panel on the left. Right-click Default Web Site, and left-click Add Application. Click ‘OK’ and wait till the features are installed. Under Alias, type a name (such as MyPetPython). Under Physical Path, direct the server to wherever it is that Python is located. Click OK.

Return to Default Web Site (left panel). Look for Internet Information Services > Handler Mappings > CGI-exe. Right-click it, and left-click Add Script Map. Type *.py for the request path. Under Executable, give the application’s path. Sample: C:\Python27\Python.exe %s %s. Click OK. Now any Python files can be kept in your MyPetPython folder, accessible by your IIS server.

Care of your python #5: Many people are overprotective of their pythons. They keep the python under lock and key, never allowing it to come out and interact with the larger world. Pythons love playing cards, shopping for accessories and unmentionables, knocking on doors in support of libertarian political efforts, and generally being involved in the big picture. Don’t try to stop a python from giving its part to society and engaging in the larger human/snake effort.

Configuration for Python CGI – Lighttpd

To run CGI on Lighttpd by default, the following code should be used:

$HTTP["url"] =~ "^/cgi-bin/" {
    cgi.assign = ( "" => "" )
}

This snippet is what you should use if you want to run CGI in the directory of a user:

$HTTP["url"] =~ "^(/~[^/]+)?/cgi-bin/" {
    cgi.assign = ( "" => "" )
}

Care of your python #6: Sending a python to extended education or to make its way abroad is difficult for us as guardians. We want the python to stay here with us, help us in our old age, and take over the family business. We want to be near the python as it dotes over its grandchildren and perhaps eats them. We don’t want it to go away to technical school to learn how to make it in the shipping and packing industry or to move to France and become part of an international organic farming and artistic compound. Again, though, don’t be overprotective. You must let the python roam free.

Configuration for Python CGI – nginx (“engine x”)

Nginx, unlike all those servers listed above, will not execute a program such as CGI without an intermediary. Python instead must be run on an nginx machine via uWSGI or FCGI. Here is information on the latter.

Care of your python #7: Your python, bottom line, wants to know at all times that you love it and will never needlessly allow it to suffer. When your python gets out its guitar and starts to play its songs about what’s wrong with society, nod and smile only to let it know that you appreciate the effort. Don’t allow the python to think the music is enjoyable unless it really is. The python needs to learn what its skills are, not just be told it’s great at stuff. Some people aren’t Bob Dylan, and I don’t know of one snake that is.

Summary & Conclusion

Hopefully that gives you a sense of why Python CGI is so widely used. You should be able to configure it on your server, provided you have one of the ones listed above (otherwise, consult the documentation for your particular server). You should also be able to create scripts that are easier to port to another server when needed and speed up the server when it becomes excessively slow. Finally, you should now have a sense of how to properly care for your pet python. Did you know it also eats mice? Not cool, I know. Don’t judge it though. That’s point #8.

by Kent Roberts and Richard Norwood

Tips to Save Bandwidth

Save the rainforests, and save your bandwidth – bandwidth, if you don’t know, is the amount of data that can run through your server at one time. Hosting companies will typically limit the amount of bandwidth you can use, and being careful means your site can keep operating as quickly as possible for anyone who visits it, including polar bears.

Bandwidth Usage

If your site loads more easily, that means you can process more browser requests at the same time and that you are generally conserving. No reason to run servers too hard and burn up energy – plus, obviously, it costs you money and slows down the speed at which your site loads.

For this piece I used information from a Jean-Baptiste Jung article for Cats who Code and an anonymous piece from Calomel.org.

Bonus bandwidth-saving tip: stop looking at the site yourself. You’re just using up your bandwidth. Also carefully vet people before allowing them to visit your site. Put up a pop-up on your landing page: “Are you sure you want to use up my bandwidth?” with “Yes, I’m Selfish,” and, “No, I’m a Good Person” buttons.

Tip 1: CSS Rather than Images

All the popular browsers are now able to pull up the complexities of graphics built with CSS, and CSS will use much less bandwidth than an image file will.

Some older browsers can’t view CSS graphics accurately. You can use the below piece of code to enable viewing for users of Internet Explorer 6. You’re forwarding them to an alternate stylesheet so that people who haven’t updated their software since August 27, 2001, can view your website just like everyone else. I still use IE6 myself. What’s all the hoopla about these new browsers and new versions? Twelve years later, I’m still sold. It’s called loyalty.

<!--[if IE 6]>
<link href="ieonly.css" rel="stylesheet" />
<![endif]-->

Tip 2: Compress Your Data

You want all the information on your site to be as tightly composed as possible. Data compression involves using code with fewer bits/bytes. (For the uninitiated, there are typically 8 bits in 1 byte, similarly as with letters and words. The functionality is similar to words too – to increase efficiency and memory by transferring data in small groups.) You can save up to 80% of bandwidth by compressing. You can also save up to 80% of room in your house by compressing your belongings.

Your server will typically have a module to allow for compression. For example, with lighttpd and Apache, the module is mod_compress (also a demand you can make to a “mod” individual to make themselves smaller and more manageable).  Newer releases of Apache version 2 also have a mod_deflate module (a very cruel thing to demand of a “mod”) that allows you to compress specified file types. You can compress CSS and HTML up to 90%. Do not compress the jpg’s though: they are already compressed.

Any page that you compress using mod_compress – and the reason this command is particularly useful – will be saved on the server. It compresses once and keeps the file for repeated use when it receives an additional request from another user.

Compression, unlike teaching emotionally-disturbed children how to steal from their parents without getting caught, has a downside. The server must package the data, meaning that encrypting and decrypting must take place locally. Your energy use on your server will still be affected then in CPU – but it’s not substantial. It doesn’t take more than a few seconds to compress a typical website. (A human being usually takes 7 to 12 minutes to compress, by comparison.)

Tip 3: Optimize Images

OK, so you’ve implemented CSS wherever you can. You still have some images though, because hey, everyone needs to see pictures of your custom dining sets (frankly, much less important than most custom dining set shops realize).

Optimize the images. Photoshop contains a “Save for Web” feature. This option reduces the size as much as it can without significantly losing quality. It’s like a brain without all the meat and blood – like a robot image size decider without a hormonal imbalance.

You can also use a free online service to reduce your image size. Here’s one called Smush It, per Jean-Baptiste. Here, as well, is a plugin for WordPress, if you use that (automatically “smushes” everything you upload). Men, here’s a good pickup line: “Baby, I want to make you an Internet star, but first I need to smush you … repeatedly.”

Tip 4: Caching & the Expires Header

Consider caching when you design your site. The way to control caching is via the Expires HTTP header. The header lets browsers know how long the content is valid, after which it re-accesses the server to check if the object has updated. OCD browsers, though, will keep checking and rechecking the server regardless whether it makes any logical sense or how many times you tell them they’re not helping.

Caching means that the data is stored locally on the site visitor’s machine. What this process allows is less reliance on your server to repeatedly deliver the same material. You not only minimize bandwidth usage with caching. You also greatly increase page load times, which is popular among people who aren’t using the Internet to develop patience so that they no longer need to use the stress ball their court-appointed physician demanded they use during probation until “marked progress” was evident.

Elements of the page that can be given longer expiration periods include logos, headers, and navigation bars.  Other parts of pages that change frequently should be given shorter expirations. Ranch salad dressing should be refreshed any time you have out-of-town company.

You can set expire times typically in three different ways: absolute, last access, or last modification. Absolute is a specified time without additional parameters, whereas access relates to when the data was most recently viewed by the user, and modification refers to when the server most recently updated the content.

The below code contains a sample directive for use on Apache servers. It tells browsers that content is valid for 2 hours after it was fetched, after which they will ask the server for it again, which makes sense in a case where you know that certain data will update at that interval.

# Expires mod
ExpiresActive On
ExpiresDefault "access plus 2 hours"
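The Expires header is an absolute timestamp, so "access plus 2 hours" only works out to two hours if the browser compares it with the Date header the same server sent. The following Python 3 functions, added here as an example rather than taken from the Cats who Code or Calomel articles, reproduce what a cache does with such a response: compute the freshness lifetime (Cache-Control max-age takes precedence over Expires, and an unparseable Expires counts as already stale) and decide whether a stored copy can still be served without going back to the server. The header values are constructed for the example; `expires_header` assumes the server's Date equals the access time.

```python
"""Cache freshness from Expires / Cache-Control headers (added example, not from the article)."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


def http_date(moment):
    """Format an aware datetime as an HTTP date (RFC 7231 IMF-fixdate, always GMT)."""
    return format_datetime(moment.astimezone(timezone.utc), usegmt=True)


def expires_header(access_time, hours):
    """Value a server emits for `ExpiresDefault "access plus N hours"`.

    Assumption of the example: the response's Date header equals `access_time`.
    """
    return http_date(access_time + timedelta(hours=hours))


def freshness_lifetime(headers):
    """Seconds a response may be served from cache.

    Cache-Control max-age wins over Expires; Expires is only meaningful relative to
    the Date header; a malformed Expires (e.g. "0") means the copy is already stale.
    """
    for directive in headers.get("Cache-Control", "").split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    if "Expires" in headers and "Date" in headers:
        try:
            expires = parsedate_to_datetime(headers["Expires"])
            date = parsedate_to_datetime(headers["Date"])
        except (TypeError, ValueError):
            return 0
        return max(0, int((expires - date).total_seconds()))
    return 0


def is_fresh(headers, fetched_at, now):
    """True if a copy fetched at `fetched_at` can still be served at `now` unrevalidated."""
    age = (now - fetched_at).total_seconds()
    return 0 <= age < freshness_lifetime(headers)


if __name__ == "__main__":
    t0 = datetime(2013, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed fetch time
    sample = {"Date": http_date(t0), "Expires": expires_header(t0, 2)}
    print(sample)
    print("fresh after 1h:", is_fresh(sample, t0, t0 + timedelta(hours=1)))
    print("fresh after 3h:", is_fresh(sample, t0, t0 + timedelta(hours=3)))
```

Running the module prints the constructed header pair and shows the copy being fresh at one hour and stale at three; feeding it real response headers from your own site is a quick way to confirm that mod_expires is producing the lifetime you intended.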

Tip 5: Prevention of Bandwidth Theft

It’s good to be generous with your bandwidth, which is why you should freely allow hotlinking on your site. A hotlink is when a person refers to your page and loads an image or other content located on your server to present on their own site. In other words, it means they are using your server to load elements of their own webpage.

The way to fight this is to create an image that says, “Don’t Steal My Image” or “Free Hotlinking Image – Please Post to Your Social Media.” You could either store it on your server or on a free image hosting site (the latter would be better because then they aren’t accessing the image even the first time it’s used).

Once you have created the image, save this code to your .htaccess file (updated with your own stuff of course – specifically, be sure to change “yourdomain.com” to “cutepicturesofkittens.xxx”).

RewriteEngine on
# Requests that carry no Referer (direct visits, privacy tools) are allowed through
RewriteCond %{HTTP_REFERER} !^$
# Your own sites: dots are escaped and the host must end here, so a referer such as
# yourdomain.com.example does not pass the check
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain2\.com(/|$) [NC]
# Never rewrite the replacement image itself, or the redirect loops when it lives on this server
RewriteCond %{REQUEST_URI} !/yourimage\.gif$
RewriteRule \.(jpg|jpeg|png|gif)$ http://yourserver.com/yourimage.gif [NC,R,L]
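Referer checks are easy to get subtly wrong in regex form, so here is the same decision written out in Python 3 as an added example (not part of the article or of Calomel's rules) that you can run against sample requests before trusting the .htaccess version. It mirrors the rule order above: non-image paths and requests without a Referer are served, Referer hostnames are parsed with urllib.parse and compared exactly against an allow list (so yourdomain.com.example is rejected), an unparseable Referer counts as foreign, and the replacement image is always served so the redirect cannot loop. The hostnames and the image path are the article's placeholders.

```python
"""Referer-based hotlink decision mirroring the .htaccess rules (added example)."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"yourdomain.com", "yourdomain2.com"}   # placeholders from the article
PROTECTED_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")
REPLACEMENT_IMAGE = "/yourimage.gif"                    # placeholder: the "don't hotlink" image


def referer_host(referer):
    """Lower-cased hostname of an http(s) Referer URL, or None if it cannot be parsed."""
    parts = urlsplit(referer)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def is_allowed_host(host):
    """Exact match against the allow list, tolerating an optional leading www."""
    if host.startswith("www."):
        host = host[4:]
    return host in ALLOWED_HOSTS


def hotlink_decision(path, referer):
    """Return 'serve' or 'redirect' for a request, in the same order as the RewriteConds."""
    path_l = path.lower()
    if not path_l.endswith(PROTECTED_SUFFIXES):
        return "serve"                      # RewriteRule only covers image extensions
    if path_l.endswith(REPLACEMENT_IMAGE):
        return "serve"                      # loop guard: never redirect the replacement
    if not referer:
        return "serve"                      # first RewriteCond: empty Referer passes
    host = referer_host(referer)
    if host is not None and is_allowed_host(host):
        return "serve"                      # own sites pass
    return "redirect"                       # everything else gets the replacement image


if __name__ == "__main__":
    # Constructed sample requests: (path, Referer header)
    samples = [
        ("/img/photo.JPG", ""),
        ("/img/photo.jpg", "https://www.yourdomain.com/gallery"),
        ("/img/photo.jpg", "http://other.example/blog"),
        ("/img/photo.jpg", "http://yourdomain.com.other.example/"),
        ("/yourimage.gif", "http://other.example/blog"),
        ("/page.html", "http://other.example/blog"),
    ]
    for path, ref in samples:
        print(f"{path!r:24} referer={ref!r:45} -> {hotlink_decision(path, ref)}")
```

Keep in mind that the Referer header is set by the client, so this only deters casual hotlinking; a site that strips or forges the header will still fetch your images, which is why the article suggests hosting the replacement image elsewhere and watching your bandwidth numbers rather than relying on the rule alone.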

Tip 6: Minimize Connections by Users

Each object on the page represents a different connection. If you minimize your number of objects per page, your server will not be bombarded by requests every time someone accesses the site. For this reason, you probably just want to have some text in the middle of the page and that’s it. No media. In fact, you may not want to have anything on the site at all. Say to your customers, “There’s nothing on our website, because I respect your time.”

Number of connections doesn’t just apply to your own content. It also applies to advertising. If the server related to the advertising is not as fast as your site is, it will slow everything down. Typically, pages will load on a browser in order as they appear in the HTML file. Placing a bunch of ads at the top of your site will make your site itself look slow to whoever is viewing it. If ads are slow, consider placing a pop-up on your site that says, “Please wait while these guys I know try to sell you some stuff.”

Tip 7: For Huge Files, Use a Third Party

Obviously huge files take up a lot of bandwidth. No need to have those files on your server. A service like Dropbox can be used to host images that you’d rather move off your own server. Dropbox is a system built for large files, so it’s a great option when you don’t want to overload your own.

Examples of good files to host on Dropbox are all your customers’ personal information in unencrypted form in a file named “Highly Sensitive Information of Rich People.” You also may want to use Dropbox for your “Huge Amount of Uncompressed Nonsense” file.

Tip 8: Eyes Out for Bots

Bots like to look at your data as frequently as possible. If you do not want certain pages to be indexed, place them in the robots.txt file. You can keep the Google bot that looks for images from scanning yours, for example.

Your modified date/time is listed for each page, which is typically the last time you updated it. This information goes out to the bots as well as humans. The bot won’t recheck a page if it sees the page is unchanged. If you want bots to take another look, change HTML files to reflect the current time. The bots are awaiting your instructions. They are here to please you. All they ask is that you give them everything you have, except your heart. They will come later for your heart.
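Both halves of this tip can be checked offline with the standard library. The Python 3 code below is an added example for this page (not from the article): it parses a constructed robots.txt with urllib.robotparser to confirm that the Google image crawler is kept out of /images/ while other bots are not, and it implements the modified-time behaviour described above as a conditional GET, returning 304 Not Modified when the crawler's If-Modified-Since is not older than the page's last change and 200 otherwise. The crawler names, paths and timestamps are constructed for the example. One caveat worth keeping in mind: robots.txt is advisory and publicly readable, so it should list pages you simply do not want indexed, never paths you are counting on to stay hidden.

```python
"""robots.txt rules and conditional GETs for crawlers (added example, not from the article)."""
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: keep the Google image crawler out of /images/, keep every bot out of /drafts/
ROBOTS_TXT = """\
User-agent: Googlebot-Image
Disallow: /images/

User-agent: *
Disallow: /drafts/
"""


def load_robots(text):
    """Parse robots.txt text with the standard-library parser (no network access needed)."""
    parser = RobotFileParser()
    parser.parse(text.splitlines())
    return parser


def may_crawl(parser, user_agent, path):
    """Whether `user_agent` is permitted to fetch `path` under the parsed rules.

    Note the robots.txt semantics: a bot obeys only the first group naming it, so
    Googlebot-Image is governed by its own group and not by the '*' group.
    """
    return parser.can_fetch(user_agent, path)


def conditional_status(last_modified, if_modified_since):
    """HTTP status for a conditional GET: 304 if the page has not changed since the
    timestamp the crawler sent, 200 (with a full body) otherwise or if the header is bad."""
    if not if_modified_since:
        return 200
    try:
        since = parsedate_to_datetime(if_modified_since)
    except (TypeError, ValueError):
        return 200
    if since.tzinfo is None:
        since = since.replace(tzinfo=timezone.utc)
    return 304 if last_modified <= since else 200


def http_date(moment):
    """Format an aware datetime the way a Last-Modified header carries it."""
    return format_datetime(moment.astimezone(timezone.utc), usegmt=True)


if __name__ == "__main__":
    rules = load_robots(ROBOTS_TXT)
    for agent, path in [("Googlebot-Image", "/images/logo.png"),
                        ("Bingbot", "/images/logo.png"),
                        ("Bingbot", "/drafts/post.html")]:
        print(f"{agent:16} {path:20} allowed={may_crawl(rules, agent, path)}")
    changed = datetime(2013, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed last change
    print("unchanged page ->", conditional_status(changed, http_date(changed)))
    print("edited page    ->", conditional_status(changed, "Wed, 01 May 2013 11:00:00 GMT"))
```

The 304 path is what actually saves bandwidth with well-behaved bots: the response carries no body, so a page that has not changed costs a few hundred bytes per visit instead of the full HTML.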

Conclusion

Hopefully a few of those tips will be useful for you. Save that bandwidth. Make yourself sleek and efficient. Smush everyone and everything in your path, including the bots.

by Kent Roberts and Richard Norwood