askapache

Thanks beernews.. nice.

I’ve been working on a completely improved version on/off for about a month with the specific goal of finally ending all the little errors that can crop up when dealing with .htaccess.

To that effect I am succeeding marvelously, first I’ve converted the plugin to a class (4+5 compat), I’ve replaced my error_handling with WordPress’s WP_Error class, and the coolest change is the new tests I’ve added.

To make a long story short, I downloaded each major release of the apache httpd source code starting at version 1.3.0 and finishing with version 2.2.10, I then compiled each version and built a HTTPD from source for all 64 versions.

Then I went through each version and determined the compatible modules for that version, and I’m pretty confident that I was also able to find each and every directive allowed by the compatible modules for that version (including core directives).

Basically I can now test a server using a variety of methods and determine almost 100% accurately what version of Apache (down to the API) is running, what modules (and versions) are enabled, and each and every directive that is allowed or disallowed for that version.

So this is so awesome because now we can enable all sorts of additional security features.

Other big changes are:

• Completely hands-off updates, so that updating the plugin keeps all your settings.
• making each SID module have its own configuration and options (like protecting individual files, individual request, and custom exploit strings).
• Advanced ErrorDocument usage and handling (like tracking repeat offenders and suggesting they be blocked, emailing admin with custom info, etc..)
• Multi User/Group password Control

And this time I am developing the plugin using a plethora of wordpress installations and configurations, to make sure that it will work regardless of a custom siteurl, blogid, etc..

Release will come before 2009.. I have some vacations to take and business to finish first.

<?php

add_action( 'admin_menu', 'aa_pro_setup_options' );

function aa_pro_setup_options(){
  $page=add_options_page( 'AskApache Pro', 'askapache-pro', 'AA Pro', 'askapache-pro', 8, basename(__FILE__), 'aa_pro_main' );
  add_action( 'admin_head-'. $page, 'aa_pro_admin_header' );
}

function aa_pro_admin_header(){
  echo '<p>Only ran when on the plugin page!</p>';
}

?>

This works perfectly for the askapache plugins.. took me awhile to find how to do it though.. enjoy!

I’ve released an updated version: 4.6.5 which will hopefully work 100% for ya!

Maybe I’ll just become the worlds greatest spammer.. it’d take all of about an hour to accomplish that.. much easier than writing this plugin.

SPAMMER CHALLENGE: *come at me with your best* (but if you hack my server and get me in hot-water with my host I’m coming after you… spam/exploits only, no DOS or heavy net-use.)

Guess what! I’ve made alot more improvements (this refactoring will never end) to the plugin.. Many are based on improvements to the WordPress Core Files, which I am constantly examining and learning from..

If you’ve seen the version 4.6 debugging options, you probably won’t believe the 4.7 debugging options. I spent the most time implementing even MORE debugging options so that in the future you can find problems much easier… even if you don’t know a thing about syslog, php error logging, etc.. Of course all that was done to try and figure out what was causing all of you posters problems.. and I think I am getting close to a 100% mysterious error free plugin! Which is the main goal and a huge step on the way to the ultimate goal of this plugin.

I am still working on the user/group management code, so that probably won’t be in the upcoming 4.7 release. But one thing I will tell you is the new version will have the best .htaccess anti-spam code for WP (maybe anything) ever seen on the net. (without using mod_security).. It’s not incredibly complex or lengthy, the rules are just very specific and very tight. I’m good at finding security vulnerabilities, this is the same thing only backwards.

I’ve been logging the entire HTTP request for every comment/trackback/pingback made to my blog for about 6 months (it took forever to find out how to log the entire request like this… I’m saying even the entire POST body.. just like having wireshark installed on the server!)

Then I would manually go through them about once a week (using a lot of linux shell scripting) and detail the subtle differences between spam and a real comment, and try different things.

So my blog kills thousands of would-be-spam connections every day to my blog (i actively try to recruit new spammers to study their technique), literally shuts down the TCP connection and wastes 0 bandwidth or CPU that a programming language like PHP used by akismet would waste (basically loading the whole wordpress program for each spam receieved)..

So I’m hesitant to publish this info, but then again, these spammers are so stupid that I’m not sure they can even read. What do you think?

Look for the update to come out sometime this month..

I always just start with the tightest security, and then slowly ease up until it works.

So I like to start out at 400, then the server usually won’t work so I go to 600, etc..

Mostly .htaccess files are chmod 644 and .htpasswd files can be 640, but every OS is different. And folder I like 750.

just remove the text inbetween # BEGIN AskApache and # END Askapache in the 2 files it modifies.. .htaccess and possibly /wp-admin/.htaccess

BTW, I should probably mention that most of the modules installed in the plugin currently were mostly just cut-and-pasted from my personal .htaccess files. I’ve been recording and researching various spam using honeypots for the last couple of weeks specifically to find anti-spam and also anti-automated web exploit requests.

And I’ve added support for HTTP Digest password authentication like that used by the OpenID systems. Theres a lot planned and a lot to do cuz this really does help the net.