Archive for the 'Security' Category

If you have ever run a blog, forum, or any other interactive site on the internet, then you probably already know about the spam problem. Spammers do not only bug us over e-mail but also through interactive forms, where they post bogus topics, comments or replies whose sole intent is to promote a website or get Google to rank it higher in its search engine.

Stopping automatic registrations is easy enough. You can use a CAPTCHA to make sure the remote user is a human, and confirming that an e-mail address is valid will pretty much ensure that only humans register on your site.

But what about the person who sits at their computer, registers on your site, and submits spam in an input area? It is hard enough to tell whether a person is spamming even when you police your site manually; imagine how a server would try to determine this.

The only sure-fire way I have found of keeping manual spammers out of your forum is a three-step process:

  1. Use a CAPTCHA to ensure the remote user is human
  2. Confirm the e-mail address before allowing the posting of comments/topics
  3. Refuse to post links from users under a certain number of posts

This way, spammers would need to invest quite a lot of time in a forum if they wish to spam it. The general idea is that if spammers need to spend too much time working at one location, they will move on to another site. Some administrators also think that adding a rel="nofollow" attribute to the links of all users who do not have a certain number of posts helps as well, since it denies the spammer the search-engine ranking they are after. However, this still allows the posting of nefarious links.
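As an added example (not code from the original post), here is how the three-step gate and the nofollow idea could be combined in one moderation check for a forum post; the thresholds and function names are constructed for illustration.

```python
import html
import re
from dataclasses import dataclass

# Thresholds are constructed for this example; the post gives no numbers.
MIN_POSTS_FOR_LINKS = 10    # below this, any post containing a link is refused
MIN_POSTS_FOR_FOLLOW = 50   # below this, accepted links carry rel="nofollow"

# Bare URLs in forum text; stops at whitespace, angle brackets and quotes.
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
# A raw anchor tag counts as a link too, so hand-written HTML gets no bypass.
ANCHOR_RE = re.compile(r'<a\b', re.IGNORECASE)


@dataclass
class Decision:
    accepted: bool
    reason: str
    body: str   # the body as it would be stored; empty when refused


def contains_link(body: str) -> bool:
    return bool(URL_RE.search(body) or ANCHOR_RE.search(body))


def moderate_post(body: str, author_post_count: int) -> Decision:
    """Apply the 'no links for new users' rule, then the nofollow rule."""
    if author_post_count < MIN_POSTS_FOR_LINKS and contains_link(body):
        return Decision(False, "links are not allowed until you have "
                        f"{MIN_POSTS_FOR_LINKS} posts", "")

    # Escape first so nothing the user typed is emitted as HTML; the only
    # markup in the stored body is the anchors built below.
    safe = html.escape(body, quote=True)
    rel = ' rel="nofollow"' if author_post_count < MIN_POSTS_FOR_FOLLOW else ""

    def to_anchor(m: re.Match) -> str:
        url = m.group(0)
        return f'<a href="{url}"{rel}>{url}</a>'

    return Decision(True, "ok", URL_RE.sub(to_anchor, safe))
```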

An alternative to the “no link rule” is using a service that checks all posted links against the links spammers have been reported as using. WordPress uses this system in Akismet very successfully. However, in this case you need to rely on a third-party system to filter spam messages. Other blogs rely on plugins to perform these same tasks.

Does anyone have other methods they like to use to defuse spammers?


My preferred server platform is Linux. I have not yet been able to move to a Linux-based system for my daily work, and trust me, I’ve tried a number of times to move to a Fedora or Ubuntu desktop. Windows is still best for productivity and day-to-day tasks, as well as for compatibility with other office workers. However, that brings up the question of how to access resources on a Linux system securely, and easily enough not to take too much time out of your workflow.

I have previously used the free WinSCP to do this. However, much like the FTP clients of yore, you need to transfer the file to your local PC, do the actual editing on your workstation (I prefer PSPad, by the way), and then transfer the file back to the server.

Windows addressed this particular issue by adding mapped drives, which can connect to an FTP source. This is all great, and it works fine, but FTP sends credentials and file contents in the clear, so it is not a secure way to transfer files that may include sensitive information.

Recently a few programs have come out that connect to an SSH server via SFTP and map a drive on your system. The two viable ones I have found are called WebDrive and SftpDrive. Both products offer a secure connection to your SSH server, including a mapped drive letter. Below is a short review of each product:

SftpDrive


SftpDrive is a program that does one thing and does it well: it connects you to your server via SFTP. In my testing the speed was very fast; it even seemed faster than my WinSCP connection. It does not do caching, which in my mind is a good thing, because caching can cause problems with different versions of files moving between your system and the server.

Their support is top notch: contacting them resulted in an immediate e-mail back. They also have some great forums for user interaction, and the owner frequents them as well.

Price: $39, with unlimited upgrades to future versions

Webdrive

The other alternative is WebDrive. This software has a few more bells and whistles, notably:

  • Ability to map WebDAV and FTP in addition to SFTP servers
  • Caches remote directories locally

If you need to map a WebDAV or FTP connection, you can manage this right inside this program. In this regard, the software is a ‘one-stop shop’ for mapping drives on your system.

It can also cache files on your local system. This has both advantages and disadvantages. The advantage, especially on a slower connection, is that when you edit a file on the drive you are actually editing a copy on your local PC, which speeds up the process. The disadvantage is that your server files may not be updated right away, adding a delay between editing a file and having it live on the server. This can cause confusion when dealing with a configuration issue or other problem, and it adds a layer of complexity.

Price: $59.95 with 1 year of upgrades, $79.95 with 2 years of upgrades

Final Verdict
It was a close race, but SftpDrive comes out on top for my needs. Unless your organization needs to keep all mapped drives under the same software, or you are working with a very slow connection, SftpDrive will work fine for you. Also edging it closer to the win are the cheaper price and the ability to receive future upgrades without paying an additional fee. Using this software will increase the overall security of your day-to-day system administration tasks while reducing the time involved.

I would strongly recommend downloading a trial version of each software package to see which one fits your needs!

  • WebDrive - A 20-day demo version
  • SftpDrive - Get a trial 45-day key and download software

Note 1:
If you need an automated backup solution, I strongly recommend SyncBackSE. Using this backup software together with SftpDrive, you can have an automated, safe backup to an offsite location. Not only will your transfers be secure, but SyncBackSE will also encrypt the contents of your backup at the remote location. This is great if you are using a server or other remote service to store your backups: although most services are reputable, I wouldn’t want anyone to have access to my financial or other personal information.

Note 2:
The faster your upload speed to the internet, the better performance you will see on your mapped SFTP drive. Currently the ISP with the best upload speeds for the value in my area (Philadelphia) is Verizon FiOS. Their lowest package offers 5 Mbit/s download and 2 Mbit/s upload. This compares to Comcast, which only offers 384 kbps upload on their basic package.

There appears to be an exploit in the wild that automates the Cacti command execution and SQL injection vulnerability [see Secunia alert 23528]. Via this exploit, any server running an older version of Cacti from before December 28th.

Of course, it’s always best to keep your software up to date. Other tricks to keep your system secure:

  • Do not use default directories. Instead of /cacti/, use /somethingcacti/. This will foil any scripts that scan by server IP and default location (scripts can still find the install via a search engine).
  • Run Apache with mod_security, which will try to catch SQL injection and remote command execution.
  • Mount your temporary directory (usually /tmp) with the noexec flag. This will prevent any script kiddies who manage to exploit a vulnerability from running other programs out of the /tmp directory, which is where PHP usually dumps things.

Let me know if you have any other tips like these!

Here is something that I did not know: DNS servers use TCP port 53 to do zone transfers (AXFR). Make sure to open that port in your firewall if you are allowing zone transfers from your DNS server. Knowing that could have saved me a lot of time :)

So for future reference:
Incoming open ports:
TCP/53
UDP/53

Outgoing open ports:
TCP/53
UDP/53
TCP/1024-65535
UDP/1024-65535


If you are a system administrator of a Linux system, you may find the following log entries familiar:
Sep 15 02:00:30 sol sshd[16364]: Failed password for invalid user test from ::ffff: 61.167.x.x port 53382 ssh2
Sep 15 02:00:30 sol sshd[16365]: Failed password for invalid user test from ::ffff: 61.167.x.x port 53394 ssh2
Sep 15 02:00:30 sol sshd[16366]: Failed password for invalid user test from ::ffff:61.167.x.x port 53396 ssh2
Sep 15 02:00:28 sol sshd[16366]: Invalid user test from ::ffff: 61.167.x.x
Sep 15 02:00:28 sol sshd[16370]: Invalid user test from ::ffff:61.167.x.x

Many, many times over. These are caused by a brute-force attack from the remote host. Most likely this is another compromised machine, checking your machine for easy-to-guess username and password combinations. It could also be someone manually running a password-cracking program against your SSH server. In either case, the remote system really has no business touching your machine. This situation needs an automated solution that blocks the IP from even getting to your machine, and doing it in real time is essential as well.

Enter the free APF + BFD scripts from R-fx Networks. These programs work in conjunction with one another to monitor for brute-force password attempts on your system, then ban the attacking host.

First, install the APF (Advanced Policy Firewall) script [Download]

Then install the BFD (Brute Force Detection) script [Download]

When BFD finds a host that has tried and failed to log in too many times, or has tried too many users who don’t exist on your system, it blocks the host in your firewall and e-mails you a message:

The remote system 61.167.x.x was found to have exceeded acceptable login
failures on somehost.com; there was 63 events to the service sshd. As such the
attacking host has been banned from further accessing this system. For the integrity
of your host you should investigate this event as soon as possible.

Executed ban command:
/etc/apf/apf -d 61.167.x.x {bfd.sshd}

The following are event logs from 61.167.x.x on service sshd (all time stamps are GMT -0400):

Sep 15 02:00:27 sol sshd[16364]: Invalid user test from ::ffff:61.167.x.x
Sep 15 02:00:27 sol sshd[16365]: Invalid user test from ::ffff: 61.167.x.x
Sep 15 02:00:28 sol sshd[16366]: Invalid user test from ::ffff: 61.167.x.x
Sep 15 02:00:28 sol sshd[16370]: Invalid user test from ::ffff:61.167.x.x
Sep 15 02:00:30 sol sshd[16364]: Failed password for invalid user test from ::ffff: 61.167.x.x port 53382 ssh2
Sep 15 02:00:30 sol sshd[16365]: Failed password for invalid user test from ::ffff: 61.167.x.x port 53394 ssh2
Sep 15 02:00:30 sol sshd[16366]: Failed password for invalid user test from ::ffff:61.167.x.x port 53396 ssh2
Sep 15 02:00:31 sol sshd[16370]: Failed password for invalid user test from ::ffff:61.167.x.x port 53412 ssh2
Sep 15 02:00:31 sol sshd[16372]: Invalid user test from ::ffff:61.167.x.x
Sep 15 02:00:32 sol sshd[16373]: Invalid user test from ::ffff: 61.167.x.x

In my experience it works great and is very easy to install!
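The detection BFD performs on the sshd log, written out as an added example that is not BFD's own code: count failure events per source address, strip the ::ffff: IPv4-mapped prefix (with or without the stray space seen in the quoted lines), and build the same APF deny command the e-mail shows. The sample lines, the ban threshold and the documentation addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the ones quoted in the post; the
# attacker address is redacted there, so documentation addresses are used.
SAMPLE_LOG = """\
Sep 15 02:00:27 sol sshd[16364]: Invalid user test from ::ffff:192.0.2.10
Sep 15 02:00:27 sol sshd[16365]: Invalid user test from ::ffff: 192.0.2.10
Sep 15 02:00:30 sol sshd[16364]: Failed password for invalid user test from ::ffff:192.0.2.10 port 53382 ssh2
Sep 15 02:00:30 sol sshd[16365]: Failed password for invalid user test from ::ffff: 192.0.2.10 port 53394 ssh2
Sep 15 02:01:02 sol sshd[16400]: Failed password for root from 198.51.100.7 port 40000 ssh2
Sep 15 02:01:10 sol sshd[16401]: Accepted publickey for david from 203.0.113.5 port 51000 ssh2
"""

# Both event types BFD reacts to: non-existent users and failed passwords.
# The optional ::ffff: prefix (sometimes followed by a space) is skipped so
# the IPv4-mapped and plain forms of one address count as the same host.
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user \S+|Failed password for (?:invalid user )?\S+) "
    r"from (?:::ffff:\s*)?(\d{1,3}(?:\.\d{1,3}){3})"
)


def count_failures(log_text: str) -> Counter:
    """Count sshd failure events per source IP; successful logins are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def ban_commands(hits: Counter, threshold: int = 3) -> list:
    """Return the APF deny command for every host at or over the threshold.

    The threshold is a constructed value, not BFD's default.
    """
    return [f"/etc/apf/apf -d {ip} {{bfd.sshd}}"
            for ip, n in sorted(hits.items()) if n >= threshold]


if __name__ == "__main__":
    for cmd in ban_commands(count_failures(SAMPLE_LOG)):
        print(cmd)
```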

  • Welcome to systemBash, a technology and system administration blog by David Drager. If you enjoy this sort of content, you can subscribe to the RSS using the link to the right.