OneDayBlogSilence

Posted by Nessa | Posted on April 24, 2007

I received a note from a friend that on April 30th, participating blogs are supposed to do a blank post with nothing but a single graphic, as a way of honoring the people who were shot at VA Tech earlier. I’m not usually one to bathe in tragedy after it happens, but since I have a lot of friends and former colleagues from ECPI that go there, it doesn’t seem to be a bad idea.


http://www.onedayblogsilence.com/OneDayBlogSilence.com.html

Suhosin Will Make your PHP Hard

Posted by Nessa | Posted on April 20, 2007

I noticed a vague mention of Suhosin on a PHP blog that I read on occasion and I decided to give it a whirl to see if it’s as sexy as it sounds. So far my server hasn’t crashed, so I’m willing to recommend it to anyone who’s interested in hardening their PHP. Ok, sorry. I really can’t say that without chuckling. Yes, welcome back to third grade.

If you check out the developer’s site you should pretty much get the idea of what it does, but basically it closes some of the security holes that we see with PHP all the time. Not to say that it will make your php 4.3/MySQL3/globals on/port 22 open server any more secure, but if you’re running any of the latest stable security releases you might be somewhat interested.

I’m currently running PHP 5.2.1, which is the latest release of PHP5 at the time of this writing. You can essentially install this on any PHP4+ server that you have root SSH access to. I opted to install the DSO, as I absolutely hate recompiling PHP. Installing Suhosin as a dynamic shared module will not require you to recompile anything, and is therefore the preferred method for lazy people.

Note: I’m using the latest (and only) release at the time of my writing, but head over to the download page to see if there is anything newer:

http://www.hardened-php.net/suhosin/download.html


cd /usr/src
wget http://www.hardened-php.net/suhosin/_media/suhosin-0.9.20.tgz
tar -xvzf suhosin-0.9.20.tgz
cd suhosin-0.9.20

Now to install:

phpize
./configure
make
make install

It should return a line something like this:

Installing shared extensions: /usr/local/lib/php/extensions/no-debug-non-zts-20060613/

Now, all you have to do is add this line to your php.ini and restart Apache. Of course, the path should be what the installation output gave you:


[Suhosin]
extension="/usr/local/lib/php/extensions/no-debug-non-zts-20060613/suhosin.so"

Note: If you are running eAccelerator, this should be above the eAccelerator configuration.

When you load up your phpinfo file you should see the module loaded near the Zend section. Everything should be fine as-is, but if you’re one of those people who has to reconfigure everything, knock yourself out.

Optimizing PHP, Revisited.

Posted by Nessa | Posted on April 16, 2007

I wrote an article a while back on PHP optimization, but it was pretty lacking in most aspects, probably because I’m a lazy poster. I’ve revisited that article and reposted to hopefully have it be a little more helpful on the area.

Timing Your PHP Scripts

Posted by Nessa | Posted on April 15, 2007

This was just a little code addon that I put together as part of a tutorial I wrote on a friend’s site (and copied on mine) about PHP optimization. Added to a page on your site, it will calculate how much time it took for a page or script to execute using PHP’s microtime() function. I only added this to my main page, but you can easily create a plugin or include file to show the generation time of all your pages.

First, add this code to the very beginning of your PHP file:

<?php
// microtime() returns "msec sec" as a string; add both parts to get a float timestamp.
$stime = microtime();
$sarray = explode(" ", $stime);
$stime = $sarray[1] + $sarray[0];
?>

Now, add this to the very end:

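<?php
// Take a second timestamp and subtract the start time captured at the top of the file.
$etime = microtime();
$earray = explode(" ", $etime);
$etime = $earray[1] + $earray[0];
$ttime = $etime - $stime;
$ttime = round($ttime,3); // round to milliseconds
echo "This page loaded in $ttime seconds.";
?>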

That was easy, wasn’t it? You should now see a little line at the bottom of your page that shows how long it took to execute. There is an example on the bottom of my home page.

13 Sexiest WordPress Plugins

Posted by Nessa | Posted on April 13, 2007

I decided to post a list of the WordPress plugins that I’ve found to be the most useful, a majority of which I use on my own site.
To see a list of plugins to avoid, see my other post.

Keep People from Jacking your Images

Posted by Nessa | Posted on March 19, 2007

I get this question a lot, so I figured I’d post it here. For those of you who don’t have the convenience of a cPanel-based system, you can block image hotlinking in your .htaccess. Image hotlinking is basically when someone uses an image from your website on their site, but has your site in the <img src..> tags (instead of their own site) so the image loads remotely, and therefore sucks up your bandwidth and resources.

Load up the .htaccess file in your website root (public_html or www folder, usually) and add these lines anywhere in the file:


RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://v-nessa.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://v-nessa.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://v-nessa.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://v-nessa.net$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.v-nessa.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.v-nessa.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.v-nessa.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.v-nessa.net$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ http://v-nessa.net [R,NC]

I’m using my two sites, v-nessa.net and its parked domain, v-nessa.com. These are sites that I want to allow to display my images. Please note that with Apache, w’s and https matter. So if you have hotlink protection set for yourwebsite.com and someone accesses your site via https://yourwebsite.com or www.yourwebsite.com, they will not be able to see the images unless you allow them as a referrer. Same goes with your subdomains.
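
An added example, not from the original post, that models how the Referer conditions above decide whether an image is served, including the https, subdomain and empty-Referer cases. The function name hotlink_decision, the sample Referer values and the consolidated WIDE_PATTERN are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: models the negated, AND-ed RewriteCond chain shown above.
# [NC] is modelled with grep -i. Only the Referer check is modelled, not the
# image-extension match in the RewriteRule.

# The eight patterns, copied from the .htaccess on this page.
PAGE_PATTERNS='^http://v-nessa.com/.*$
^http://v-nessa.com$
^http://v-nessa.net/.*$
^http://v-nessa.net$
^http://www.v-nessa.com/.*$
^http://www.v-nessa.com$
^http://www.v-nessa.net/.*$
^http://www.v-nessa.net$'

# Assumption, not from the page: one consolidated pattern that also accepts
# https and subdomains, with the dots escaped so they match only a dot.
WIDE_PATTERN='^https?://([a-z0-9-]+\.)*v-nessa\.(com|net)(/.*)?$'

# hotlink_decision PATTERNS REFERER -> prints "serve" or "redirect".
# The RewriteRule fires (redirect) only when the Referer matches no pattern.
hotlink_decision() {
    while IFS= read -r pattern; do
        if printf '%s\n' "$2" | grep -Eiq -- "$pattern"; then
            echo serve
            return 0
        fi
    done <<EOF
$1
EOF
    echo redirect
}

# Constructed Referer values; the last one is an absent (empty) Referer,
# which matches no pattern and is therefore redirected as well.
for ref in 'http://www.v-nessa.com/blog/' 'https://v-nessa.net/' \
           'http://gallery.v-nessa.net/pics' 'http://example.org/forum' ''; do
    printf '%-33s page=%-8s wide=%s\n' "[$ref]" \
        "$(hotlink_decision "$PAGE_PATTERNS" "$ref")" \
        "$(hotlink_decision "$WIDE_PATTERN" "$ref")"
done
```

Used as a RewriteCond, the consolidated pattern would replace the eight lines with a single negated condition carrying the same [NC] flag.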

My Puppy’s Cuter than Yours

Posted by Nessa | Posted on March 18, 2007

For anyone who hasn’t met the newest addition to the Vasilé family, I’d like to introduce you to Capone. He’s a purebred pitbull currently at 12 weeks, 25 lbs. His vet estimated that based on his genes he’s probably going to reach about 80-90 lbs by the time he’s a year old. Yes, that means that my puppy is going to be beast, and he’s probably going to make your puppy his bitch. I’m already working on digging a hole in my backyard to dispose of all the contingent body parts he’s probably going to bring home.

Click on the pic for the full image. You can see more pictures of my sexy-ass puppy in my Gallery.

Preventing DOS Attacks with mod_evasive

Posted by Nessa | Posted on March 18, 2007

I recently had to deal with a guy whose VPS was constantly being hit by the same IPs over and over until the server crapped out and refused to do anything…it was royally a pain in the ass because I literally had about 10 seconds between starting up the server and having it crash again. Needless to say that those 10 seconds were spent stopping Apache to give me enough time to do a netstat -n and block the assholes who were flooding the server. I then decided to install mod_evasive, which is a simple Apache module that monitors the amount of connections from one IP and blocks any that reach a set limit. Here’s how you do it via SSH:


wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -xvzf mod_evasive_1.10.1.tar.gz
cd mod_evasive_1.10.1
/usr/local/apache/bin/apxs -cia mod_evasive.c

Once the module is compiled, restart Apache and add this to your httpd.conf:


<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 50
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

DOSHashTableSize – Size of the hash table. The greater this setting, the more memory is required, but the faster the lookups.

DOSPageCount – Max number of requests for the same page within the ‘DOSPageInterval’ interval.

DOSSiteCount – Max number of requests for a given site within the ‘DOSSiteInterval’ interval.

DOSPageInterval – Interval for the ‘DOSPageCount’ threshold, in seconds.

DOSSiteInterval – Interval for the ‘DOSSiteCount’ threshold, in seconds.

DOSBlockingPeriod – Blocking period in seconds if any of the thresholds are met. The user will receive a 403 (Forbidden) when blocked, and the timer will be reset each time the site gets hit when the user is still blocked.
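
The thresholds above, replayed over a constructed request log as an added example (not part of the original post and not mod_evasive's own code). The log format, the function names replay_evasive and sample_log, and the counting rules are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a simplified model of the thresholds described above, not
# mod_evasive's own algorithm. Input lines: "<epoch-seconds> <ip> <uri>".
# Assumptions: a counter restarts once its interval has elapsed, and a client
# is blocked when a counter exceeds its limit inside the interval.

# replay_evasive PAGE_COUNT SITE_COUNT PAGE_INTERVAL SITE_INTERVAL BLOCK_PERIOD
# Prints one line per blocked client: "<ip> <403 responses> <blocked-until>".
replay_evasive() {
    awk -v pc="$1" -v sc="$2" -v pint="$3" -v sint="$4" -v bp="$5" '
    # Count a hit for key, restarting the counter when its window has expired.
    function bump(key, now, interval) {
        if (!(key in start) || now - start[key] >= interval) {
            start[key] = now; hits[key] = 0
        }
        return ++hits[key]
    }
    {
        t = $1; ip = $2; uri = $3
        if ((ip in blocked_until) && t < blocked_until[ip]) {
            # Still blocked: another 403, and the blocking timer restarts.
            denied[ip]++
            blocked_until[ip] = t + bp
            next
        }
        page = bump(ip SUBSEP uri, t, pint)
        site = bump(ip, t, sint)
        if (page > pc || site > sc) {
            denied[ip]++
            blocked_until[ip] = t + bp
        }
    }
    END { for (ip in denied) print ip, denied[ip], blocked_until[ip] }
    ' | sort
}

# Constructed sample log: 192.0.2.10 requests one page 8 times within two
# seconds and returns at t=1500 and t=2200; 198.51.100.7 browses three pages.
sample_log() {
    for t in 1000 1000 1000 1000 1001 1001 1001 1001 1500 2200; do
        echo "$t 192.0.2.10 /index.php"
    done
    printf '%s\n' '1000 198.51.100.7 /' '1001 198.51.100.7 /about.php' \
        '1003 198.51.100.7 /contact.php'
}

# Replay with the values from the httpd.conf block above.
sample_log | sort -n | replay_evasive 6 50 2 2 600
```

The visitor browsing three pages never appears in the output, while the request at t=1500 from the blocked client pushes its blocking timer out to 2100, so the request at t=2200 is served again.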

A good supplementary script to mod_evasive is ddos, which will send you an email whenever an IP is blocked for too many connections. It also works as a backup in case Apache gets too hammered with connections. All you have to do is:


wget http://www.inetbase.com/scripts/ddos/install.sh
perl install.sh

Now you just edit /usr/local/ddos/ddos.conf .

How to Install PHP6

Posted by Nessa | Posted on February 26, 2007

This was a little experiment gone somewhat wrong, when I tried to upgrade my VPS to PHP6. I swear it worked, but I should have known that nothing supports it — WordPress just crapped out a bunch of errors. On a higher note though, it seems to be hella secure as you can no longer use magic quotes or globals, otherwise Apache will fail. So if you really want to be on the bleeding edge, here’s how you install PHP6:

I didn’t really need to install a whole bunch of stuff, but depending on how your webserver is already set up you may need to install extra dependencies, but this will become obvious during the compile.

1) Make sure your autoconf version is up to date with version 2.13 or higher:

autoconf -V

2) Install ICU…you can find your version here.

wget ftp://ftp.software.ibm.com/software/globalization/icu/3.6/icu4c-3_6-src.tgz
tar -xzvf icu4c-3_6-src.tgz
cd icu*/source
mkdir /usr/local/icu
./configure --prefix=/usr/local/icu && make && make install

3) Git yur PHP! You can find the latest dev release of PHP6 at http://snaps.php.net/. Your wget and tar targets will be different, as the development version changes frequently.

wget http://snaps.php.net/php6.0-200702230530.tar.gz
tar -xvzf php6.0-200702230530.tar.gz
cd php6.0-200702230530
./buildconf

This will build the configuration and let you know if something is missing. Once this is complete, run the configure script…I’ve put the mandatory stuff in there, but you’ll also want to include any PHP modules that you need. You may find it easier to copy this from a phpinfo file, minus the quotes.

./configure --with-apxs=/usr/local/apache/bin/apxs --prefix=/usr/local/ --with-icu-dir=/usr/local/icu

You’ll probably get build errors, which is usually due to 1) a particular module no longer being supported or 2) PHP cannot find that module’s files on the server. In this case you’ll want to see which module the configure command stops at, then either leave it out or make sure the module is compatible with the correct location specification in the configure command. For instance, I have Ming installed and this is the directive in my configure command:

--with-ming=../ming-0.2

Once you have a good build, you can install your PHP:

make && make install

4) Configure Apache

Usually the PHP installation with the --with-apxs switch will add the necessary entries to your httpd.conf, but if not you will need to comment out the loaders for php4/php5 and add the one for php6:

LoadModule php6_module libexec/libphp6.so
AddModule mod_php6.c

Then restart Apache:

/etc/init.d/httpd restart (or whatever command you use to restart Apache)

Now…twenty bucks says that there is now something on the server that doesn’t work, which will be obvious with the Apache restart you just did. You’ll want to check your error logs for the obvious problems, then correct the issues in your php.ini and other files it mentions. The most common issue is with the magic quotes gpc and register globals.

If you have any third-party extensions like Zend, IonCube, or eAccelerator, you’ll need to re-install those as well.

There you have it…you now have PHP6 installed on your server…and now your apps don’t work! You can admire your work next time you try to load your site.

Be sure to make a pretty phpinfo() file to check the installation.

<?php phpinfo() ?>


How to Make a Sexy Tag Cloud with PHP and MySQL

Posted by Nessa | Posted on February 12, 2007

Well it seems that everyone has one, and I’d have to admit that a tag cloud is a good way to spice up your site a little bit. I first thought of this when setting up a friend’s site… he wasn’t using a CMS like WordPress or anything that I could find a quick tag cloud plugin for, so I figured I could probably just make my own. Well, I did and now I shall share it.

This tutorial will show you how to set up a simple tag cloud using PHP and MySQL, with a little bit of Ajax effects.
Before we get started, take a quick look at the sample cloud.