Made to Order Software Corporation Logo

MO Anti-pounding: Main Page

Summary

Introduction to the MO Anti-pounding module
Requirements
Installation & Uninstallation
Security with this module.
Errors generated by this module.
Copyright (c) 2010-2011 Made to Order Software Corp.

Introduction to the MO Anti-pounding module

The MO Anti-pounding module was created by Made to Order Software Corporation. It prevents your websites from beeing hammered really hard by misbehaving spiders and other such automatic systems.

The module counts the number of times a person accesses your site within a given amount of time. If the amount of time between hits is shorter than the alloted time, the number of hits grows. When the number reaches one of the limits that you setup, then the module blocks any further hits from going to Drupal. This means you do not lose all the database bandwidth that you would otherwise lose.

For instance, a spider that hits a page and right away attempts to read all the pages defined in HREF references, will be banned very quickly by this module. The result are very short & fast pages that are created by this module telling the user that he/she/it was just blocked and will have to wait a certain amount of time (defined in seconds) before they can access your site again. If that user does not wait that amount of time, the number of hits continues to increase even more. Then, at some point, the user gets banned for a long time, by default 12h whole hours.

Once the user stops hitting the site too fast, the counters drop and accessing the site becomes a breeze again. If the user waits for at least as long as the Happy delay, then the counter goes right back to zero. If they wait enough as defined by the last delay and then the normal delay for further accesses, then the ban will be dropped once they followed that procedure for the same number of hits that got them banned.

The module includes many features such as a way to add people in a white list (i.e. administrators so they don't get banned,) and a black list (i.e. known hacker spiders.) You can also change all the default messages presented to the users.

Back to Summary

Requirements

MO Anti-pounding has no direct dependencies. It only uses a few functions available in the core.

It will work under MS-Windows and with any web server that can server Drupal. It does not directly access the database (the settings make use of variables) so all database accesses will work as is.

We reference Apache since we are using that web server and know how to properly setup that software.

Back to Summary

Installation & Uninstallation

o INSTALLATION

The installation of this module is more complex than the usual Drupal module. You have to edit your settings.inc file to add an include and create a folder so cached data can be saved in it. It is also possible to have logs generated, those require you to have a folder where your web server can write to the log file.

  • Extract the tarball under sites/all/modules
  • On your server, feel free to delete the doc sub-folder (it is safe since it is just and only static HTML)
  • Edit your settings.inc and add an include instruction to include the module settings.inc file (see below)
  • In the same folder as your settings.inc file resides, create an mo_anti_pounding folder and make it writable by your web server (chown www-data:www-data mo_anti_pounding on a default Debian installation)
  • Go to admin/build/modules and select MO Anti-poundering
  • Create a log folder if you wish to save logs about people being banned, possibly temporarily
  • Go to admin/settings/mo_anti_pounding to change the default preferences (and verify that your setup is proper.)

The module uses two folders and does not access your database when testing the number of hits and banning users (which is one of the purpose of this module: avoid useless accesses to your database.)

The mo_anti_pounding folder needs to be created. You may use your FTP access or a shell access to your server to create the folder. Then change the owner (and eventually the group) to match your server so that way your server can work on the files in there. If you cannot do that (some server do not allow you to change users on files unless you gain root permission,) then change the permissions to 777.

 # in case you have a multi-site install, cd to the specific site
 # instead of the default site:

 cd .../sites/default
 mkdir mo_anti_pounding

 # The following works under Debian and Ubuntu. Your server name
 # may be something else than www-data (such as httpd or just www)
 # If you are not sure, try the following command:
 #   ps -ef | grep apache
 # The first name is the user name of your server as in:
 #   www-data  5160  3367  0 Jan31 ?  00:00:29 /usr/sbin/apache2 -k start
 # (ignore the entry that says root, that's the first instance of
 # Apache, the controller, not the actual Apache web server)

 sudo chown www-data:www-data mo_anti_pounding

If you want to get logs (strongly suggested) you need to create a folder that your web server can access in write mode. I very strongly suggest that you do not change your existing log folders which are already setup in a secure manner. If you do not have full access to your web server (i.e. you just have a hosting account) then you may use a folder under your mo_anti_pounding folder instead. In that case, consider adding another .htaccess file to completely prevent web users from accessing that folder.

The commands we use to create the log folder are as follow:

 sudo su -
 cd /var/log/apache2
 mkdir mo_anti_pounding
 chown www-data:www-data mo_anti_pounding
 chmod 755 mo_anti_pounding

Then in the MO Anti-pounding settings, we enter:

/var/log/apache2/mo_anti_pounding/mo_anti_pounding.log

Also, you probably want to add that new folder to your logrotate.d/apache2 file:

 # Rotate when file reaches 1Mb
 # Keep 30 files compressed
 /var/log/apache2/mo_anti_pounding/mo_anti_pounding* {
     missingok
     rotate 30
     size 1M
     compress
     delaycompress
 }

o UNINSTALL

To uninstall the module, you should first remove the include of the mo_anti_pounding/settings.inc from your settings.inc file. This is important to prevent the module from continuing to process requests before Drupal finishes up its boot process. This also prevents the module from generating more data in its cache.

Then, go to admin/build/modules, unselect the module and click Save. Since there is no tables created by this module, there is no need to go to the Uninstall screen.

Finally, you can delete the mo_anti_pounding folder, the changes to your .htaccess or other web server configuration, and eventually the logs.

Back to Summary

Security with this module.

Although it is not a security threat, the files created in the mo_anti_pounding folder will be publicly visible unless you add an .htaccess file in that folder (or whatever equivalent for your web server.)

The module includes a file named _htaccess you can use directly (i.e. copy to your mo_anti_pounding cache folder and rename .htaccess)

 # Install in your sites/default/mo_anti_poundering folder
 # Prevent all Apache accesses
 <FilesMatch ".*">
   Order allow,deny
 </FilesMatch>

It is also possible to add a <DirectoryMatch> directive to your main Apache configuration file if you have access to it. For a multi-site installation, it eases the setup to a single location.

Back to Summary

Errors generated by this module.

In normal operation, this module does not generate Drupal errors. Especially since it does not access the database (and we do not want it to do so.)

However, many checks are performed in the settings form to let you know whether the installation was properly done. These appear as usual Drupal errors. Some errors may appear multiple times (meaning that the tests are performed multiple times.) The same errors will also be shown in the Report Status screen.

The tests are as follow:

  • Test that there is an mo_anti_pounding folder
  • Make the sure the web server can write in mo_anti_pounding
  • Check that the settings.inc is included
  • Ensure that the settings.inc is included before the database
  • When validating, check that the log file can be written to

The read-only check is for the entire mo_anti_pounding folder. It is important since the server will have to create sub-folders to save the sessions.

The settings.inc check is done using the mo_anti_pounding_settings_setup_ok() function.

Back to Summary

Copyright (c) 2010-2011 Made to Order Software Corp.

http://www.m2osw.com/mo_anti_pounding contact@m2osw.com

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Back to Summary
Documentation generated by Doxygen on Mon Oct 10 2011 14:30:48