Apache Logo

Back in the early days of DDOS attacks this would have been a highly dangerous tool. Thankfully it is very easy to block a basic attack like this, so i don’t see the risk of explaining how to use this method. Apache has a tool built into it that will allow you to send a predefined number of requests to a website in order to see if it can handle the load. Here is what you need to do to benchmark a website using Apache.

Apache has a fantastic benchmark tool that you can use to check the performance of your website. If you are expecting a flood of traffic for some particular reason, it would be good to know if your server is capable of handling such a flood. This tool will give you a good idea on whether the server is going to be able to handle the load of traffic.

The format of the command is very simple. You can run it on any server that is using apache. Since most web servers that run apache, will be using some flavor of Linux, i will give you the linux command line method of performing this. The application is called ApacheBench. It may already be installed, but if it isn’t it should be easy to install it.

Once you have it installed you can run a quick test to see how your server handles it. The format of the request is very simple. The first number is the total number of requests you want to send and the second is the amount of requests you want to send at the same time (concurrently). The concurrent value is the most important as this is the one that is most likely to crash the server if it receives too many requests at once. You can play around with the values as you please.

The following command will send a total of 1000 requests to a single URL by grouping them in sets of 100 requests at a time. Make sure to include the “/” at the end of the website path.

If i run the above command against this website I get the following results.

 

PHP Logo

There are various reasons that you might want to force a website to use SSL. In general, if you have an SSL cert setup for your website, you should probably force all users to https even if the page doesn’t contain sensitive data. In an ideal world, you would do this on the server side of things. Write some rules with the conf file that will force all traffic over https. If you are in a position where you can’t use the server then it is also easy to force SSL with PHP. It is also very easy to do it with pretty much any programming language, but for this example I will use PHP.

And there you have it. It is that simple. If you are using something like Cloudflare it can get a little tricky sometimes depending on how you have cloudflare configured to handle the SSL. For a standard site, this will be a simple way to force the use of SSL.

It is also worth mentioning that you must have an SSL cert configured on your server in order to make this work. If you do not have a site that supports HTTPS then you cannot make this work.

Email

When you have obtained a list of emails from a location that required little to no validation on whether it was a real email, you will be stuck trying to determine if the email address is real or not. You don’t want to risk sending out an email to these users without checking as a regular high bounce rate is a quick way to get your email server blacklisted. There is a 2 step method that you can use to validate if an email address is valid or not. This assumes that you have first filtered out values that are missing an @ symbol and a domain. This guide will show you how to check if an email is valid. For example, how can you tell if john@somesite.com is real or fake?

Step 1

The first thing you will need to do is check if the domain name is valid and has an active mail server/ MX record associated with it. Sometimes an email may have been valid at one stage, but the website has now been shut down. Sending an email to this address wont do anything. By checking to see if the domain name is real you will be able to filter out people who provide stupid domain names that never existed and also filter out emails from valid websites that are not capable of receiving emails.

For the example I am going to use PHP to write the script for this. Many other languages have similar methods that do the same thing, so this should be fairly easy to do with other programming languages. PHP has a function called “getmxrr()”. This function will obtain the MX record for a domain. For those who do not know what this is, a MX record is used in the DNS settings to point to the IP of a domains email server. If one is missing then the domain is not capable of receiving an email and is therefore invalid.

Just because a domain has an MX record, does not mean that the email address is valid. In fact, this makes sending bad emails to this server even more likely to cause you to get blacklisted.

Step 2

This is the most difficult to test while also being the most important. If someone provides an email like asdasd@gmail.com, step 1 will return this as being a valid email address. gmail.com is a valid email domain, but asdasd is likely a non existent user. This step will allow you to determine whether this is a valid inbox or not. Keep in mind that this step requires you to directly contact the email server to essentially ask if the inbox exists. I would suggest you run this from a test machine so you do not run the risk of blacklisting the IP. This many requests in a short period might be considered suspicious.

If you have worked with mail servers in the past, you may be familiar with HELO. This can be used to easily check if a mailbox exists or not. If you send the command and get a positive response you know that this inbox exists. If not you know its fake. I have combined step 1 with step 2 to generate a complete script below that will allow you to check if an email is valid and filter out bad mailboxes.

 

PHP Logo

This setting is up there as one of the most dangerous settings you can have enabled on a web server. It will allow someone to potentially inject a tiny piece of code into your system that could in turn completely compromise your entire server. If you have some bad programming practices in place it could even mean someone could compromise your system without even having to inject code. If you are unsure whether you need this to be enabled the answer is likely NO! Disable it immediately.

What Does Allow URL Include Do?

When you are writing PHP scripts, it is possible to include another script by means of the include or require actions. A super simple example of this would be a crude web page.

This is a fairly common way to use the include and require commands. When you have allow url include enabled it allows you to use a URL as the string inside of the require or include commands. This will make PHP include a remote file directly into the executing script. If you have a script that does something incredibly stupid such as using a dynamic variable from user input as the value for an include, you are opening the door to a world of pain. Even if you are careful, this can still be crazy dangerous, simply because it is not something that any scanning tools would consider dangerous.

Lets just say someone hacks your WordPress website. They pick some random script in the WordPress core and add an include that will include a remote script that some hacker has placed on another location. On your server, it will be a tiny piece of code that doesn’t look scary at all. The script being included is where the damage is done.

Allow URL include is one of those things that has very few uses. When its needed its powerful, but 99% of the time, you could easily work around the need for it. It is highly recommended you disable this directive on your web server.

How To Disable Allow URL Include

You can disable this directive from within the php.ini file on your web server. Open this file and search for a line that contains “allow_url_include". Create or edit this line to read as follows. Make sure there is not a hash character (#) in front of this line or it will not apply. 

 

PHP Logo

When it comes to dangerous PHP functions, allow_url_fopen is one that can be incredibly dangerous, but it is also something that is very useful and in most cases will need to remain enabled if you have written some advanced scripts. A common use for this setting would be with a REST based API. For example, if you want to get an item information from a REST URL, you could use something like the following.

Normally the file_get_contents function is used to get files from the local file system. When allow_url_fopen is enabled, you can use a URL with this function in order to get a remote file as if it were stored on the local web server.

Why Is it Dangerous?

The general answer is, it isn’t all that dangerous. Like any function, it can be dangerous if the code is written carelessly, but in general it shouldnt be a problem. The following example will show how this could become dangerous if used carelessly. Lets say you have a form field that accepts a file path. You then read the contents of this file when the form is submitted. What happens if a URL is entered instead of a file path. This will mean that the URL will be queries and this could open some dangerous doors.

If you do not need this function then I would suggest you disable it immediately. Otherwise, it isn’t too much of a risk to keep it open, just be very very careful how and where it is used. Always validate data when passing the values to powerful functions.

 

PHP Logo

The register_globals is a setting that should always be disabled. The method has been deprecated for some time and as of PHP 5.4 it no longer even exists. If you are running an older version of PHP it should be disabled if you are not using it. The big question here is, how can you tell if you are using it? What does register_globals do?

The register_globals is a directive that will make PHP convert all global variables into actual variables. For example, if you have a html form with a field called “firstname”, when you click submit this will become a global variable. You will be able to acess this variable using $_POST[“firstname”]. IF you have register_globals enabled, PHP will automatically create a variable called $firstname and populate it with the value from the POST. This means you do not need to actually use the global variables, since it’s already been added to a variable.

This is a pretty messy way to write code, so I don’t really see any scenario where anyone will need to use this. It is very simple to work around and its good practice not use it On the security side of things, it could be possible for someone to inject code into your script by adding code to an input field on a form. PHP will then add this code to a variable and could cause all sorts of chaos.

How To Disable Register Globals

The official documentation for this states the following This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

If you are using PHP 5.4.0 or above, then you can ignore this. Your system does not have the option to even enable this, you can be happy that you are safe. http://php.net/manual/en/security.globals.php

If you are using an older version of PHP you can disable the setting by adding or editing the following line in your php.ini file.

 

 

PHP Logo

When looking to buckle down your webserver, expose_php is often something that people suggest you disable. What does expose PHP do and why should it even be disabled? Well it doesn’t really do much, and on its own it really doesn’t do any harm to your server, but it does expose information that a hacker could take advantage of. When expose_php is enabled your server will generate a header called “X-Powered-By”. This header will reveal information about the version of PHP that you are running on your server.

As you can guess, it’s not a setting that gives a hacker access to your system, but if they know what version of PHP you are using, it may be possible for someone to find a vulnerability in your system and gain access. There is no real reason to let the public know this information, so it is best to leave this disabled.

How To Disable Expose PHP

It is very easy to disable this setting. Open up your php.ini file using some text editor. Search the file for “expose_php”, if it exists edit it and if not , add the following line to your ini file.

Save the ini file and restart apache. The setting will now be disabled.

I have read a lot of blog posts about how people are making $100s every day from the amazing ads provided from Propeller Ads. So I decided to give it a go and see what all of the hype about it was. I had intended to write a Propeller Ads review to see how they compared to Adsense, but I think i need to provide a warning as this turned out to be a really harmful experience for the website that I placed them on. Never use propeller ads on your website, it could potentially get your site removed from Google!

As you can see from the featured image in this post, the site that I placed the ads on got this warning and suffered a serious hit in traffic. This was caused by the ads being provided, they were incredibly deceptive ads trying to trick people into clicking them. Thankfully my site didn’t offer any downloads so there was no real danger to users, but this was enough to make me pull it immediately. Here are the ads that were being displayed.

propeller spam ads

propeller spam ads

This was really frustrating as it is not advertising and really hurt the reputation of a site that I tried so hard not to turn into a money site. Plastering adverts everywhere is not what people want to see. Regardless of my opinion, the important thing to take from this is that Google did not like them either. 2 days after putting the ads on the site, I got a report from Google and my site started getting the big red message you can see from the featured image on this post. I logged into my webmaster account to find this message.

Google warning

Google warning

I was lucky that I discovered this quickly and was able to remove all of the ads from the website. I submitted an appeal to Google and within 24 hours the warning was removed and the site went back to normal.

All articles you read about Propeller Ads being good are complete lies and are likely articles that people were paid to write. The bottom line is if you use this ad network you will get removed from Google. If this doesn’t matter then go ahead, but the $0.05 CPM doesn’t make them worth the time.