logs and liars

I recently switched arts & ego to be hosted on OpenBSD’s httpd from Apache 2.

One of the interesting consequences of switching is that traffic to arts & ego has apparently collapsed. I was regularly getting hundreds of visitors a day, now I’m getting somewhere in the tens on a good day.

mutilated text

But, actually, this isn’t the traffic collapsing, this is a consequence of filtering out criminal activity. It’s much easier to do that in httpd than Apache, although I’m sure it’s not difficult in the latter, just not so obvious. In httpd, I just specify “no log” for a particular kind of file.

For example, there are no php pages here, it’s a static site, yet the logs are full of attempts to access php. Why php? Where were the links to the imaginary pages coming from? Well, there were no links, at least none from here. The supposéd links are actually criminals intent on stealing control of this site using weaknesses in the php language, or programs that are written in it, so they’re calling up imaginary pages in the hope of finding something real and broken. The criminals’ failed attempts at crime were cluttering things up, which is why I told httpd not to log them. Bingo, the logged traffic dropped by 90%!

It’s clear criminals attempt to this site via php, so it follows that php is relatively easy to hack. This, I already know. For example, the published exploit that forced my hand to move this site from Apache to httpd included a known PHP zero–day, one of many unpatched holes. As necessary as it is to keep software like php fully patched, a webmeister cannot patch against unpatched holes. Furthermore, even if php is perfectly patched, the language appears poorly designed, so that simply writing bad php code opens a site up for other hacks (to be fair, there’s always a trade–off between security and performance in programming languages; a perfectly secure language is usually too slow to use).

Now, this loss of traffic is nasty for the ego; all those ‘fans’ vanishing into the liars’ mist. But it’s really very good indeed: I get a far more accurate picture of the number of people who genuinely come here (hardly any), and I get to ignore many of the criminals. I still have to be concerned about them, of course, but that’s a separate matter: the liars no longer lie to me about the arts & ego visitor numbers.

Now I have a less inaccurate picture, I can finally start to do things to promote the site to see if they have any impact on the numbers.

mutilated text

There are other consequences of the situation.

  • I was already aware that php had a leaky reputation, but I hadn’t realised that it was so awful that the majority of attempts to steal a site from its owners, or at least this site from me, where made via php.
  • I was considering adding a couple of services, mostly for my own use, but I will not do so now because they use php. Next cloud is out (it’s too unstable anyway).
  • I am now clear that the move to OpenBSD’s httpd from Apache was absolutely the right move. I didn’t expect these log consequences at all, but I’m very happy about them, despite the apparent ego squash (bye bye all those criminal fans :-( … ). I was keeping the old server and site ready in case I decided to switch back: I’ve now deleted them.

I should mention the criminals aren’t just attempting to steal arts & ego by hacking the nonexistent php pages. I will add more filtering to remove those other liars’ efforts from the logs, too.

For example, the arts & ego vault contains static versions of old incarnations of the site. Back in 2000 or so, cyberspace, one of the predecessor sites to arts & ego, used asp. Now, because a copy of that site is in the vault, I supposédly have some ‘asp’ files online. In fact, they’re all plain old HTML, as are all the other pages here, but they’ve got the asp extension because that’s what the predecessor used.

The odd thing is that the great majority of asp hack attempts use Chinese script. Now, there is some Chinese on arts & ego, some poems I wrote from a visit to Beijing have Chinese numbering, but they’re openly shtml pages, in a completely different part of the site, and only the subtitles — numbers — are written in Mandarin. I’m pretty sure that’s a bizarre coincidence, and am pretty confused as to why criminals think it’s worth their while attempt to hack turn of the century asp code on a modern non–asp static site. I think I’ll formally change the asp section of the vault to use html file extensions, then use any attempt to hack them as another hint for the firewall.

The main benefit of the log clean up is that it encourages me to start to think about how to promote arts & ego. I’m not willing to buy advertising, I don’t have such a low opinion of my own work that I need to pay propaganda merchants to con strangers about it. Of course, since the big search engines make their money out of advertising, and are regularly fined for abusing their position, I clearly cannot depend on them to direct interested people here. I expect there are other ways to promote the place. It helps that I have no particular urgency to work things out.