Jesse Lawson

Jan 27 2015 in sysadmin/
Automatically Block Banned IPs with fail2ban, iptables, and ipset →

In this tutorial, we’ll develop a script that will get all the IP addresses blocked by fail2ban on the ssh chain and then add them to an ipset that will be automatically blocked by iptables. Talk about power traffic management! One of the most frustrating parts about running a web hosting company is the exposure to spam and bad bot traffic. At DashingWP, I often have to scrub through IP logs to determine what traffic is legitimate and what traffic should be blocked outright.

Jan 27 2015 in sysadmin/
How to Build and Install Libcurl →

For many server-side projects that are designed to work with outside resources at the command line level, curl is a tool that I often have to use. This is especially true when I am writing programs in C that are designed to be used specifically with internet resources. In this tutorial, I’ll show you how to compile, build, and install libcurl on your own machine.

Jan 24 2015 in Tutorials/ Sysadmin/
How to Install CouchDB Locally and Enable CORS →

These days I’m doing all my development work on a Chromebook. Since the majority of my projects involve Apache’s CouchDB, I need a local instance up and running. In this tutorial, I’ll walk you through how to install CouchDB from an Ubuntu command line and enable CORS manually (by editing the config file).

Mar 30 2014 in Nginx/ WordPress/ sysadmin/
How to Backup WordPress on a Remote Server (and send it to Amazon S3) →

Let’s talk about backups.

When you are running your own WordPress hosting service, you need to ensure that your sites are backed up nightly. Unfortunately, the more sites you have on your server, the more processing power is required to do these backups, especially if there have been a lot of changes during the day.

The smartest way to proceed with nightly backups, then, is to offload the processing requirements to a separate, dedicated backup server, or just a secondary server that can afford to use a lot of its CPU in zipping, rsyncing, and uploading to the Amazon cloud.

Jan 25 2014 in Sysadmin/
What do malicious log entries look like? →

A good server admin will be scrubbing her logs constantly. Whether you do this automatically or by hand, there is one thing that is a sure sign of malicious behavior: the ol’ “they forgot to delete that file” trick.

Jan 9 2014 in sysadmin/
How to fix "Host key verification failed" error →

If you’ve ever rebuilt a server that you have connected to in the past, chances are you’ve received an error when trying to ssh back into it for the first time since the rebuild. If you’re getting a screen that says “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!”, the workaround is actually quite simple.

Jan 8 2014 in sysadmin/
The Problem with Anti-Spam Plugins →

Installing anti-spam plugins is only the first step to mitigating garbage traffic. If we really want to tackle the issue of spam, we need to approach it from the server’s perspective and thwart garbage requests before they’re served. Is this possible? The short answer is: it depends.

Dec 20 2013 in sysadmin/ WordPress/
WP Engine Hotfix: Preventing Spam and Bad Bot Traffic, Part II →

In Part I of this WP Engine Hotfix, I discussed some of the theory behind WP Engine’s visitor calculations and how end-users of WP Engine could benefit from taking charge of their traffic themselves. In this next part, I’ll discuss ways to log your visitor traffic, scrub that traffic for blacklisted and abusive IPs (as well as employ a nifty contact form honeypot), and completely block access to your site by these harmful bots, scrapers, harvesters, and spammers that jack up your visitor count.

It’s important to note that this tutorial is not WP Engine specific. You can employ these methods on any hosting environment in which you have access to Apache. If you’re on Nginx, I’ll cover how to block unwanted traffic in a different tutorial.

Dec 18 2013 in sysadmin/ WordPress/
WP Engine Hotfix: Preventing Spam and Bad Bot Traffic, Part I →

WP Engine counts traffic from “bad” bots (like harvesters and spam bots) the same way it tracks human visitors. While some people have gone to great lengths to talk about how this has dissatisfied them to the point of leaving WP Engine, steps can be taken to take charge of your website’s defense and disallow these bots from ever making it to your pages. In this article, I discuss how to find out who is really visiting your blog (raw metrics), how to filter out the “bad” bot traffic, and (hopefully) reduce your visits in WP Engine’s algorithm.

Nov 30 2013 in MySQL/ sysadmin/ WordPress/
How to Find and Replace a String in MySQL →

One of the problems with moving your site from one domain to another is that the images in all your posts are still served from the old setup. In order to fix this, you need to run a simple MySQL command that will search through all your posts and replace the old URL with the new one.

Oct 28 2013 in WordPress/ sysadmin/
NGINX + WPMU + Non-WordPress Subdomains →

I’ve been trying to configure a subdomain on a WPMU install that runs on Nginx that is not part of the WPMU network and have run into nothing but problems. In this post, I discuss some of the problems I ran into while trying to set up non-WordPress sub-domains alongside a WPMU sub-domain site and how I got both WP and non-WP sub-domains working and correctly configured in Nginx (hint: I didn’t).

Jan 1 0001 in MySQL/ sysadmin/
Reset MySQL Root Password on Ubuntu →

Do you know why there are so many tutorials online about resetting the MySQL root password? Because so many people are doing it wrong. This is a down-and-dirty, super quick way to reset your root password for MySQL.

Jan 1 0001 in sysadmin/
Three Ways to Increase Security against Bad Bots and Spam →

DashingWP’s servers were under attack today from what appears to be a pretty nasty DDoS attack that originated in China, bounced off of Germany, and then hit really hard from the UK, Portugal, Minnesota (USA), New Jersey (USA), and parts of Utah (USA). In total, there were 26,491 IP addresses that were discovered to be part of the attack, and we’re not entirely sure whether or not it was a roving attack or if something targeted us specifically.

After defeating this problem, I thought about some of the things people could be doing better in order to help prevent their susceptibility to DDoS attacks and spam/bad bots in general. While we’ll never be able to fully prevent a DDoS attack from happening, we can go out of our way to strengthen our infrastructure’s defenses against spammy and malicious bots that lurk out there, and in doing so, lessen the likelihood of irreparable damage if and when we fall victim to a DDoS attack. In this article, I’ll share with you three preventive controls that you should be implementing in order to lessen your vulnerability and harden both your server and your sites.