Difference between revisions of "Gallery notes"
Line 40: | Line 40: | ||
First you have to identify the g_id of the comment. Then you have to delete matching records from g2_Entity, g2_ChildEntity, and g2_Comment. Could also delete the offending user from g2_User. | First you have to identify the g_id of the comment. Then you have to delete matching records from g2_Entity, g2_ChildEntity, and g2_Comment. Could also delete the offending user from g2_User. | ||
− | The following will get rid of most spam. This basically removes any comment with an URL in it. There is an off chance that you might have legitimate comments with URLs. Those will get eliminated too. Too bad! You might want to [[#Backup and Restore Gallery2|backup]] your gallery2 database before you do this. | + | I discovered that almost all spam has URLs in them. I just delete those. The following will get rid of most spam. This basically removes any comment with an URL in it. There is an off chance that you might have legitimate comments with URLs. Those will get eliminated too. Too bad! You might want to [[#Backup and Restore Gallery2|backup]] your gallery2 database before you do this. |
<pre> | <pre> |
Latest revision as of 20:47, 6 February 2008
I use Gallery2 for managing pictures on my web site. It's a target for hacker bots.
I've seen a lot of scripts trying dictionary attacks against Gallery2.
I am the only one that uses my gallery. I make a few changes to make it more secure.
Contents
Make non-essential pages disappear
This gets rid of password recovery. I don't need this and I don't need to leave any potential holes open.
Edit gallery2/.htaccess and add a rule after the #END Url Rewrite section:
# END Url Rewrite section # This disables password recovery. RewriteEngine On RewriteCond %{QUERY_STRING} .*UserRecoverPassword.*$ RewriteRule ^.*$ - [R=404]
Always require the Captcha
Login to your gallery2 as admin user and select "Site Admin". On the left menu you should see "Captcha". Select this and set each of the following options as "High": Login, Guest Comments, Password Items. That will mean that you will always have to enter the Captcha image to login.
Disable Member modules
On the left menu select "Modules". Disable the following modules: "New User Registration", "Members List and Profiles". You don't need those for a single user installation.
Delete Comment Spam from Gallery2
A default install of Gallery2 can attract a lot of comment spam. There are scripts out there that do nothing but find someone's Gallery2 installation and then pump a bunch of spam link into comments.
First you have to identify the g_id of the comment. Then you have to delete matching records from g2_Entity, g2_ChildEntity, and g2_Comment. Could also delete the offending user from g2_User.
I discovered that almost all spam has URLs in them. I just delete those. The following will get rid of most spam. This basically removes any comment with an URL in it. There is an off chance that you might have legitimate comments with URLs. Those will get eliminated too. Too bad! You might want to backup your gallery2 database before you do this.
CREATE TEMPORARY TABLE tmp_g_id SELECT g_id FROM g2_Comment WHERE g_subject LIKE '%http%' OR g_comment LIKE '%http%'; DELETE g2_Entity FROM g2_Entity INNER JOIN tmp_g_id ON g2_Entity.g_id = tmp_g_id.g_id; DELETE g2_ChildEntity FROM g2_ChildEntity INNER JOIN tmp_g_id ON g2_ChildEntity.g_id = tmp_g_id.g_id; DELETE g2_Comment FROM g2_Comment INNER JOIN tmp_g_id ON g2_Comment.g_id = tmp_g_id.g_id; DROP TEMPORARY TABLE tmp_g_id;
Backup and Restore Gallery2
Backup with gzip compression.
mysqldump -u root gallery2 | gzip --rsyncable --best > gallery2.sql.gz
Restore from a gzip compressed dump file.
zcat gallery2.sql.gz | mysql -u root gallery2