Gallery notes

From Noah.org
Jump to: navigation, search


I use Gallery2 for managing pictures on my web site. It's a target for hacker bots. I've seen a lot of scripts trying dictionary attacks against Gallery2.

I am the only one that uses my gallery. I make a few changes to make it more secure.

Make non-essential pages disappear

This gets rid of password recovery. I don't need this and I don't need to leave any potential holes open.

Edit gallery2/.htaccess and add a rule after the #END Url Rewrite section:

# END Url Rewrite section

# This disables password recovery.
RewriteEngine On
RewriteCond %{QUERY_STRING} .*UserRecoverPassword.*$
RewriteRule ^.*$ - [R=404]

Always require the Captcha

Login to your gallery2 as admin user and select "Site Admin". On the left menu you should see "Captcha". Select this and set each of the following options as "High": Login, Guest Comments, Password Items. That will mean that you will always have to enter the Captcha image to login.

Disable Member modules

On the left menu select "Modules". Disable the following modules: "New User Registration", "Members List and Profiles". You don't need those for a single user installation.

Delete Comment Spam from Gallery2

A default install of Gallery2 can attract a lot of comment spam. There are scripts out there that do nothing but find someone's Gallery2 installation and then pump a bunch of spam link into comments.

First you have to identify the g_id of the comment. Then you have to delete matching records from g2_Entity, g2_ChildEntity, and g2_Comment. Could also delete the offending user from g2_User.

I discovered that almost all spam has URLs in them. I just delete those. The following will get rid of most spam. This basically removes any comment with an URL in it. There is an off chance that you might have legitimate comments with URLs. Those will get eliminated too. Too bad! You might want to backup your gallery2 database before you do this.

CREATE TEMPORARY TABLE tmp_g_id
SELECT g_id FROM g2_Comment
WHERE g_subject LIKE '%http%' OR g_comment LIKE '%http%';

DELETE g2_Entity FROM g2_Entity
INNER JOIN tmp_g_id ON g2_Entity.g_id = tmp_g_id.g_id;

DELETE g2_ChildEntity FROM g2_ChildEntity
INNER JOIN tmp_g_id ON g2_ChildEntity.g_id = tmp_g_id.g_id;

DELETE g2_Comment FROM g2_Comment
INNER JOIN tmp_g_id ON g2_Comment.g_id = tmp_g_id.g_id;

DROP TEMPORARY TABLE tmp_g_id;

Backup and Restore Gallery2

Backup with gzip compression.

mysqldump -u root gallery2 | gzip --rsyncable --best > gallery2.sql.gz

Restore from a gzip compressed dump file.

zcat gallery2.sql.gz | mysql -u root gallery2