How to disable WordPress in a single query.

This is just a quickie I hijacked off another web site, but it came in really handy since a client couldn’t access their WordPress admin panel and we don’t really support it. Just log in via SSH or phpMyAdmin and run the query that follows:

UPDATE wp_options SET option_value = '' WHERE option_name = 'active_plugins';

*BOOM* no more WP plugins. Then if you’re troubleshooting it go through and reactivate till it breaks again. If not tell em they are on their own.

If you are doing this via SSH you will need to go into the MySQL shell. That can usually be done by typing “mysql” or “mysql -u username -p” and entering the password for the user. If you need this you can grab it from wp-config. After that you need to select the db to use. You do that by going:

mysql> use dbname_here;

This will put you into the appropriate db. Then you run the query above. This is of course assuming you’re using the default naming scheme (the wp_ prefix) for the tables. If you are not, wp_options needs to be changed to just “options” or schema_options as necessary. If you don’t know what your schema is you can do:

mysql> show tables;
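The lookup described above (database name and table prefix from wp-config, then the query with the right table name), as an added example that is not part of the original post. The helper names, the constructed sample config and the `active_plugins_backup` option name are assumptions; the generated statements also keep a copy of the plugin list before clearing it.

```python
import re

# Constructed sample of the relevant wp-config.php lines (not from a real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'client_blog' );
define( 'DB_USER', 'client_wp' );
// define( 'DB_NAME', 'old_blog' );
$table_prefix = 'site1_';
"""

DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](DB_NAME|DB_USER)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""", re.M)
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]""", re.M)


def parse_wp_config(text):
    """Return DB_NAME, DB_USER and the table prefix; lines starting with // or # are skipped."""
    found = dict(DEFINE_RE.findall(text))
    match = PREFIX_RE.search(text)
    found["table_prefix"] = match.group(1) if match else "wp_"
    return found


def plugin_disable_sql(db_name, prefix):
    """Build the statements to paste into the mysql shell for this install."""
    # Identifiers cannot be bound as parameters, so accept only plain names.
    if not re.fullmatch(r"[A-Za-z0-9_]+", db_name):
        raise ValueError(f"unexpected database name: {db_name!r}")
    if not re.fullmatch(r"[A-Za-z0-9_]*", prefix):
        raise ValueError(f"unexpected table prefix: {prefix!r}")
    table = f"`{prefix}options`"
    return [
        f"USE `{db_name}`;",
        # Copy the current list first; 'active_plugins_backup' is a made-up name.
        # option_name is unique, so a second run fails here and keeps the first copy.
        f"INSERT INTO {table} (option_name, option_value, autoload) "
        f"SELECT 'active_plugins_backup', option_value, 'no' FROM {table} "
        f"WHERE option_name = 'active_plugins';",
        f"UPDATE {table} SET option_value = '' WHERE option_name = 'active_plugins';",
    ]


if __name__ == "__main__":
    cfg = parse_wp_config(SAMPLE_WP_CONFIG)
    print("\n".join(plugin_disable_sql(cfg["DB_NAME"], cfg["table_prefix"])))
```

To put the original plugin list back later, copy the option_value of the backup row into the active_plugins row.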

Mod_limitipconn

I have had a few clients with chronic security issues on machines; DoSes are by far the most common attack. A DoS is easy enough for anyone of average (or below average, up for debate) intelligence to carry out. A few zombie machines and some basic software and all of a sudden you can take down a decently massive web site.

There are a few caveats to mod_limitipconn, the biggest being if you run a site with a very large number of images. Images are loaded last on a page, and they are all loaded at once. This is a perilous position because mod_limitipconn can cause dead images if it is not set up properly, which is why you have to tune it. In general there is no cPanel integration, so you’re going to be doing this by hand. For you people out there with other panels, your mileage may vary.

First thing is installing it. This is a relatively simple process; be sure you have APXS installed so you can do this. Download the software from http://dominia.org/djao/limitipconn2.html and install it using their commands. You can also probably get packages from a place like Dag if that’s your thing. Certain distros such as Debian also come with a ready-to-rock version. After we get it installed, we need to go into httpd.conf and make some alterations.

# ExtendedStatus On is required by the module; NoIPLimit takes MIME types
ExtendedStatus On
MaxConnPerIP 10
NoIPLimit image/*

There are a few things to note here. For people that have static content on their systems, you would set an instance of “images” for each static content directory that you were using. This includes things like JavaScript, CSS, and conventional images. The reason for this is that, if you are using mod_limitipconn for system hardening, an attacker will usually not target an image. This can happen, but it’s also not as “profitable” as a DoS using a page, because you don’t pull the images and other content on the page (increasing bandwidth usage), and static content tends to be super efficient compared to PHP or other server-side scripting, so it tends to be far more robust.

You can also do other cool tricks such as format based setting of the connection limits.

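<Location /subdirectory_here>
    # local per-directory settings here
    MaxConnPerIP 1
    # OnlyIPLimit takes MIME types: only these count toward the limit
    OnlyIPLimit audio/mpeg video
</Location>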

By putting this in with the main configuration above, you can set up additional subdirectories and limit connections based on media type. This can slow a leecher down significantly because they can’t pull everything at once.

Since we have the basics covered, just a few words on tuning the configuration. The biggest thing you need to do is view the sites you use this on. Sites with mod_limitipconn can exhibit erratic behavior if an initial setup is done but left untuned. This can include random broken images and other content not showing up. There are two things we are concerned with when tuning: the first is that as much static content as possible is set to very loose or no limitations, the second is that you get the base connections as low as sanely possible. If you can get it around 5, that would likely be the most pages someone would “sanely” load of a typical site without having issues. The other thing is that if you have embedded pages in your site you will have to increase this number significantly. Just go slowly, and when the page fully loads add say 10-20% to that amount. If you get reports of broken content it would likely be safe to up this number some at that point to “dial in” that perfect configuration.
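One way to put a number on that tuning step, as an added example that is not from the original post or the mod_limitipconn project: measure the peak number of simultaneous non-static requests per client in the access log and add the 10-20% headroom. It assumes the log is in common log format with %D (request time in microseconds) appended and that static content can be recognised by file extension; the log lines are constructed.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines: common log format with %D (microseconds) appended.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 1200000
203.0.113.7 - - [12/Mar/2024:10:00:00 +0000] "GET /frame/news.php HTTP/1.1" 200 2048 1500000
203.0.113.7 - - [12/Mar/2024:10:00:00 +0000] "GET /img/logo.png HTTP/1.1" 200 900 200000
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /frame/ads.php HTTP/1.1" 200 1024 700000
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "GET /contact.php HTTP/1.1" 200 3000 300000
198.51.100.9 - - [12/Mar/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 800000
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+ (\d+)$')
# Assumption: these extensions stand in for the content exempted from the limit.
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".ico", ".css", ".js")


def peak_connections(log_text):
    """Return {ip: peak number of simultaneous non-static requests}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, path, usec = m.groups()
        if path.split("?")[0].lower().endswith(STATIC_EXT):
            continue  # static content is assumed to be exempt from the limit
        # %t has one-second resolution, so the result is an approximation.
        start = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        events[ip].append((start, 1))
        events[ip].append((start + int(usec) / 1e6, -1))
    peaks = {}
    for ip, evs in events.items():
        current = peak = 0
        for _, delta in sorted(evs):  # an end at time t sorts before a start at t
            current += delta
            peak = max(peak, current)
        peaks[ip] = peak
    return peaks


def suggested_limit(peaks, headroom=0.20):
    """Highest per-client peak plus headroom, rounded up, as a MaxConnPerIP candidate."""
    return math.ceil(max(peaks.values(), default=0) * (1 + headroom))


if __name__ == "__main__":
    print(suggested_limit(peak_connections(SAMPLE_LOG)))
```

Run it over a log slice of known-good browsing, since traffic from an attack in progress would inflate the peak.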

Dealing with time consuming customers

It’s not daily but I do have to deal with customers that feel as if I should be doing nothing but slaving over them and their web projects. Today one of my newer customers, 2 months now, asked me to set up a store and update a few pages on his website for him. Went ahead and invoiced the work, got it paid and started the procedure. Turns out his entire site is a Frontpage mess and a total headache of scattered unclosed tags. Trying to figure which tags went to what was an absolute nightmare. One of these moments actually,

Anyway, this customer also wanted us to post some ads from CJ.com on his site, no idea where he wanted them or how he wanted them placed, just throw them on there. Well he calls up after we make the changes saying how terrible they look and how he didn’t want them on certain pages, see the irony yet?

Just another one of those days dealing with people who truly have no idea what they want. I won’t even mention how the e-commerce store went over, apparently credit card processing is something magical..