Tips to make the Guestbook more secure
Configuration script
- DON'T USE THE DEFAULT USERNAME & PASSWORD!
After you have logged in for the first time change the username and password to something else.
- Open the script in a text editor, find the line that reads my $salt="AsGb2E18"; and change it to something else.
This salt is used when the script encrypts its password. Just use 8 letters and numbers, e.g. my $salt="G52E3aT8";
If the script is already installed and running you may have to delete the session.dat file and let the script create a new one,
as your password will no longer work after the salt has been changed.
- This is a no-brainer, but it should be said: don't ever keep backup copies of the script and data files in your HTML folder.
Anything in an HTML folder can be read by anyone.
Guestbook
- If you run more than one guestbook you can share the banlist. Just enter the path to the banlist.txt file in each script.
Remember that you will have to change the entries in both the guestbook (asgbv3.pl) and the configuration script (asconfig.pl).
- Spammers are lazy; if they have to work they are not interested. If you require more fields than just Name and Message,
they might get tired of hitting the back button and typing more stuff in. If they do, they will usually put something
like sdfgtrsdfhdjf, which will get caught by the filter anyway.
- Use the banning feature; this will force the spammers to give up or make them try again with a different IP address.
Again... spammers are lazy.
- Review your banlogs and keep your filter file updated. If a spammer does manage to get through,
be sure to add what the filter could have caught to the filter file. Reviewing other people's spammed
guestbooks and the banlog can help you fine-tune your filter file.
- Keep the settings for MAX WORD LENGTH, MAX REPEATS and MAX LINKS low (15, 4 and 1 are good).
- MIN WORDS should be set to at least 2 and MIN MESSAGE LENGTH to at least 25.
- USE the URL scanning feature. Spammers are getting wise to this script and are trying to post
innocent messages like "nice website" while leaving a link to a porn site.
WARNING: Be sure to use a separate filter file for scanning URLs that contains only the worst words.
The filter checks for words, not context: even MSN.com will fail the scan if "viagra" is in the filter file.
- Unless you really have to DON'T allow images. 'nuff said.
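As an added illustration (not the guestbook's own code), the following Python sketch applies the checks the settings above describe, using the recommended values, and shows why the URL filter file should hold only the worst words. The function names, the reading of MAX REPEATS as a run of the same character, and the sample messages are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Limits:
    """Recommended settings from the tips: 15, 4, 1, 2 and 25."""
    max_word_length: int = 15
    max_repeats: int = 4        # assumed meaning: longest run of one repeated character
    max_links: int = 1
    min_words: int = 2
    min_message_length: int = 25


# Counts http(s):// and www. links in a message.
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


def check_message(message: str, filter_words: list[str], limits: Limits = Limits()) -> list[str]:
    """Return the rules a guestbook post violates; an empty list means it is accepted."""
    reasons = []
    words = message.split()
    if len(words) < limits.min_words:
        reasons.append("too few words")
    if len(message) < limits.min_message_length:
        reasons.append("message too short")
    if any(len(w) > limits.max_word_length for w in words):
        reasons.append("word too long")
    # A character followed by max_repeats more copies exceeds the limit.
    if re.search(r"(.)\1{%d,}" % limits.max_repeats, message):
        reasons.append("character repeated too often")
    if len(URL_RE.findall(message)) > limits.max_links:
        reasons.append("too many links")
    lowered = message.lower()
    hits = [w for w in filter_words if w.lower() in lowered]
    if hits:
        reasons.append("filter words: " + ", ".join(hits))
    return reasons


def scan_linked_page(page_text: str, url_filter_words: list[str]) -> list[str]:
    """Word-only scan of text fetched from a linked page: matches words, not context."""
    lowered = page_text.lower()
    return [w for w in url_filter_words if w.lower() in lowered]


if __name__ == "__main__":
    # Constructed sample posts and a constructed news-page excerpt.
    print(check_message("Nice website!!!!!! see www.example-pills.test and http://example.test/buy viagra", ["viagra"]))
    print(check_message("Really enjoyed the photo gallery, keep it up!", ["viagra"]))
    print(scan_linked_page("Headline: regulators review online viagra sales", ["viagra"]))
```

A legitimate news site mentioning a filtered word is rejected by scan_linked_page, which is exactly the false positive the warning above describes.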
All content and images COPYRIGHT © 2005 by Aubrey Millard