I have coded a quick primer on CHMOD and usage for SmartFTP.
As it uses image files I wanted to post it here, but the quality of the images was lacking. I have instead posted it here.
www.mp3q.net/smartFTP/
Enjoy, a more detailed one can be written if you want me to cover more than just the CHMOD command.
Steve
Hi Steve,
Thanks for the very informative articles.
In one of the articles you mention "robots.txt" to reduce bandwidth usage. Could you elaborate on that?
Thanks, fos....
Robots.txt is what controls the bots that search engines use to crawl your site. These are also known as spiders. There are good bots and bad bots. The good ones will follow robots.txt and adhere to it, the bad ones ignore it. What you want to know is what is causing the most bandwidth usage? Is it a script? Is it a forum?
In general setting up robots.txt will help you with most issues dealing with high bandwidth loads.
Forums should use a robots.txt and disallow the /user folder so user profiles are not attempted, and also /images so the images stored on a site are ignored if there are many of them, and if they are large.
Creating a basic robots.txt file is a relatively simple process. Open Notepad and do the following. Every robots.txt file contains two fields: a “User-agent” line and a “Disallow” line. The User-Agent line tells the robot or spider that you are instructing, and the “Disallow” line provides the list of items that cannot be indexed.
Here are two examples. The first allows robots to index everything while the other prohibits robots from indexing anything:
User-agent: *
Disallow:
Or
User-agent: *
Disallow: /
Now this can be set to allow one robot to search one part of the site and skip another, just replace the * with the robot's name.
Check out Slashdot’s robots.txt file for a great example. http://slashdot.org/robots.txt
The following example disallows certain directories and all files contained within those directories.
User-agent: *
Disallow: /images/
Disallow: /banners/
Disallow: /Forms/
Disallow: /Dictionary/
Disallow: /_borders/
Disallow: /_movies/
Disallow: /_overlay/
Disallow: /_private/
Disallow: /_themes/
Please note that you must use robots.txt in the top level of your website. Meaning public_html/ or www/
If you want to use it several levels down, make a new robots.txt and place it in the sub-level and direct traffic from there.
If you want me to get more in-depth let me know and fire away with any questions.
HTH
Steve
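An added example, not part of the original post: the forum rules described above (/user/ and /images/ disallowed for every robot) checked with Python's standard robots.txt parser, plus a group for a named robot. "ExampleBot", "SomeOtherBot" and the sample paths are constructed for illustration. It also shows that a robot with its own group follows only that group, so the * rules no longer apply to it.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: the forum rules from the post plus a group for a
# hypothetical crawler named "ExampleBot".
ROBOTS_TXT = """\
User-agent: *
Disallow: /user/
Disallow: /images/

User-agent: ExampleBot
Disallow: /forum/
"""

def allowed(robots_txt, agent, path):
    """Return True if a crawler that honours robots.txt may fetch path."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, path)

def report(robots_txt, agents, paths):
    """Map each (agent, path) pair to the parser's allow/deny decision."""
    return {(a, p): allowed(robots_txt, a, p) for a in agents for p in paths}

if __name__ == "__main__":
    table = report(ROBOTS_TXT, ["SomeOtherBot", "ExampleBot"],
                   ["/index.php", "/user/42", "/images/banner.png", "/forum/topic1"])
    for (agent, path), ok in table.items():
        print(f"{agent:13} {path:20} {'allow' if ok else 'deny'}")
```

To keep ExampleBot out of /user/ and /images/ as well, those Disallow lines have to be repeated inside its own group.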
re: robots.txt
That was a great explanation, thanks!!!!
Very Welcome
Steve, can you perhaps provide some links for good hosts that you know of? I have had to change servers so much in the last two years I am exhausting myself. I keep getting hosts that either don't know what they are doing, or insist that there is nothing wrong.
My current Server GISOL's mysql server goes down all the time, and half the time stuff I upload doesn't show up for HOURS. They insist that it's my imagination, but it's not. I was trying to install the new 3.0 beta to help test it out and stuff like I did with 2.0 and I can't even get it to install on this server at all.
Current Version: 3.4.2
PHP 4
Mods: Challenges, Recommendations, Storyend, Display Word, Beta Reader, Bad Reviewer
The best provider that I've found is SurpassHosting.com. At first, they sucked a little, but in the past year and a half, they have gotten SO much better and I've been with a ton of providers in my 6 years of web design. Their prices are really low and offer a lot of bandwidth.
if they ask for a referrer put kismetology.net 🙂
http://www.trackbunnies.org
http://blog.trackbunnies.org/
http://karah-leighhancock.avonrepresentative.com/
I recommend dreamhost, but I suggest that you take a look at http://findmyhost.com/
Yes find my host might help but that is one of the pages I talked about on my site. Most of the recommended hosts, and the ones no matter what you search for will appear because they paid, and not because of rating etc.
Keep that in mind. As for a host, I'm a little impartial as I am a host myself, so I can't really recommend one over another because *snicker* I compete with them. However dreamhost is known for decent uptime and service, within reason, and last I checked aplus was good, also depending on what you need.
HTH
Steve
The best provider that I've found is SurpassHosting.com. At first, they sucked a little, but in the past year and a half, they have gotten SO much better and I've been with a ton of providers in my 6 years of web design. Their prices are really low and offer a lot of bandwidth.
if they ask for a referrer put kismetology.net 🙂
🙂
http://webhostingtalk.com/showthread.php?t=476308&highlight=Surpass
While I do not trust most at WHT some of the older members know their stuff, and the users who are just customers, and not sellers, or owners of hosting businesses, have nothing to hide when they talk about a company, even I when I got into an argument over stupid things was hit badly on WHT a long time ago.
You have a good deal with them, and that is awesome, so I wanted to show other thoughts both good and bad, the reason for quoting you isn't a jab, it is a reference.
Steve
So..... Someone thought it cute and thought to use some php commands, and exploit a known PHP error called global.
What is global? It’s known as php_register_globals or register_globals. It is really technical to explain, but most hosting providers set this to OFF by default. If your host left it on then you need to make sure your script is protected against such violations of the php scripting language.
What I am about to outline are some methods and steps you can use as a webmaster or webmistress of an efiction website. These will help you from being flagged by Google searches and protect you from giving a would-be attacker information they can use to exploit all of your hard work.
First I want to tell you some of what I tell you to do requires code work, and IS NOT EASY. I will explain how to do certain things, but if you get confused, I offer two options. Email me (NO PMs) steved3[at]mp3q[dot]net and ask for some help or I can be hired as a security consultant and help you, fees will vary as will services, but we can cover that if needed.
Ok first let’s run with an example. There is an exploit, and it affects any general efiction site. If I wanted to attack such a site, how would I find them? I will show you something few ppl know, I will use Google, but I will not simply type in a search term of “fiction site” or “Efiction”.
I am going to search for this:
inurl:efiction
What do I get? 23,600 results. What does it display for me? Every website indexed by Google with efiction in its URL. So sites like www.somedomain.com/efiction/ are located easily and are open to me peeking at how it’s designed and run.
So think about our example, I know the exploit and how to use it and thanks to that search I now have a simple base of sites to start attacking and testing the flaw with.
What if, your efiction site doesn’t use a URL(web address) with efiction in it? What if it is just fiction? What if it is stories? What about archive? Perhaps fanfiction? My point here is those terms are known, and exploitable. I simply edit my original search, and those sites will appear.
Also remember that using the cache feature of Google allows for the same function, and sites are listed this way too.
Back to our example. Using the search I posted, I got nothing, no information, no access. So I'm stuck right? No not really. Let's list sites that are using efiction, but don’t use the name in their URL.
intext:powered by efiction
Once again I get a site listing, showing each site in Google’s index that has the words powered by efiction on the webpage.
I won’t get into more detail, by now you see my point. Using common terms and ideas, someone with some time on their hands can and will search, and play.
So what do you do? What can you do?
These following options can and will help.
The first and foremost thing is to always patch your script each release. Patch and patch again. You have to keep current, not only to fix bugs, but also security releases.
Stop using the default efiction folder name for your install. I know life is simple this way, but don’t do it. Name the folder to something else. Tag the folder name to your site, or a theme. Do not make it obvious to anyone who sees a link that it is a fiction archive, or related to efiction.
DO NOT list powered by efiction anywhere on your pages, you have permission from the script author to remove it, and it is wise that you do. Giving credit is good, and it does a good job for promotion in the community, however just using the script and telling others in chat rooms, and conversation is just as good to the community, and it lowers everyone’s risk.
Example (names I have personally seen used):
BAD folder names.
/efiction
/fiction
/archive
/stories
/fanfiction
/vault
/story
/adventure
/action
/romance
/comedy
/angst
/fluff
These are all names that if you think about it talk about fiction, or a type of fiction.
GOOD:
www.westwingelite.net/office
www.potternet.com/draco
www.buffybook.org/slayer
See my point here? All of those names are good for the URL as it plays off a theme, and they can also house the efiction information without needing to be named efiction.
While on the topic of folder names. Efiction uses lots of folders, and it is wise that in folders such as these you place a blank INDEX file inside them.
/skins
/skins/*
*Each Skin Folder under the Skins main folder. i.e. Inside the folder for each skin on your site.
/admin
/stories
/docs – if uploaded
/lib
/messages
Those are the main ones. I personally advise you do it in every folder that does not already have an index file inside it.
Speaking of folders. Using obvious names to house data files, like dbconfig.php etc is NOT good. If you must use a name for your folder, make it one that no one will guess, like zup001x4rtyhq and PLEASE DO NOT USE THAT EXAMPLE 🙂
Your config.php file. Another important thing to look at. If you know you're not going to edit it, CHMOD it to 644 until you need it set to 666 then change it back, make an admin edit to the config, and reset it to 644.
Your dbconfig.php is another file to watch and guard. Store it outside your main efiction install.
/home/user/www/efiction/docs/dbconfig.php
That is the initial place for this file. Me personally I use several tricks to fool people into accessing this file. However the real one is well outside my efiction install folder.
/home/yourname/yoursite/yourfiction/
That is where your site is located
/home/yourname/
This is where you can place the db file or
/home/yourname/yoursite/
This location can work as well.
If you email me, I can give you real examples, and ideas, but I will not list them here because I do not want that info public.
You can also switch the places for your config data. Include files and information outside your script using the php include call
<?php include("realdbconfig.php"); ?>
Making hacks to the original source code to Efiction can be done, but it takes some PHP knowledge. Knowing how to read, code, and correct PHP and SQL will help you with making hacks.
Some of these are easy to code, and others are hard.
Hard ones deal with pulling code from several files and linking them. Easy ones like the include command just link an outside file to an internal one.
I will end here; this can go on forever if I let it as there are many ways to cover this topic. If you want I can flesh out sections, just let me know what you want in-depth knowledge on.
Steve
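An added example, not part of the original post: a small audit of an install folder for three of the points above, namely folders with no index file, a config.php or dbconfig.php left group- or world-writable (666 instead of 644), and a dbconfig.php still sitting inside the install. The index file names checked and the sample folder tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

INDEX_NAMES = {"index.html", "index.htm", "index.php"}  # assumed index file names
GUARDED = {"config.php", "dbconfig.php"}                 # files the post says to guard

def audit_install(root):
    """Return (dirs_without_index, loose_configs, dbconfig_inside) for root."""
    no_index, loose, db_inside = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                                  # deterministic walk order
        rel = os.path.relpath(dirpath, root)
        if not INDEX_NAMES & {f.lower() for f in filenames}:
            no_index.append(rel)
        for name in filenames:
            if name.lower() not in GUARDED:
                continue
            shown = os.path.normpath(os.path.join(rel, name))
            mode = stat.S_IMODE(os.stat(os.path.join(dirpath, name)).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):     # 666 trips this, 644 does not
                loose.append((shown, oct(mode)))
            if name.lower() == "dbconfig.php":           # still inside the install tree
                db_inside.append(shown)
    return no_index, loose, db_inside

def add_blank_indexes(root, rel_dirs):
    """Create an empty index.html in each listed directory."""
    for rel in rel_dirs:
        open(os.path.join(root, rel, "index.html"), "a").close()

def build_sample_tree():
    """Constructed sample layout using folder names from the post."""
    root = tempfile.mkdtemp()
    for d in ("admin", "docs", "lib", "skins/default"):
        os.makedirs(os.path.join(root, d))
    for f in ("index.php", "config.php", "admin/index.php", "docs/dbconfig.php"):
        open(os.path.join(root, f), "w").close()
    os.chmod(os.path.join(root, "config.php"), 0o666)       # left writable after an edit
    os.chmod(os.path.join(root, "docs/dbconfig.php"), 0o644)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    no_index, loose, db_inside = audit_install(root)
    print("no index file:", no_index)
    print("loose perms:", loose, "| dbconfig inside install:", db_inside)
    add_blank_indexes(root, no_index)
    print("after fix:", audit_install(root)[0])
```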
This has very good information 🙂
Below are my fanfiction archives and I am working on a third:
http://spyrofanfiction.co.cc/
&
http://storiesunderthemoon.co.cc