So we clearly got spammed in the past day or two; lots of the usual automation posts (hackers have programs that crawl webpages trying to create things like this)...
This makes me worried about our web security. Personal information is stored on our site. I hope credit card info is not (should not be: what company handles our credit card info?).
Anyway, might be time to have chaos "nerd" meet up and figure out some website stuff. I'm an online security professional so this falls right in my wheelhouse, but we'll need someone who knows our code to help me out.
Need some input. Board members, please PM me more information about who we think can help with this and any spec you have (where is this site hosted, how do we handle CC data, who is still active in the club who knows our layout and etc., and also why we dont have captcha enabled...)?
Anyone who reads this: do not put anything about our site config in this chain. Anyone can read it. Please PM me or create a private chain that's not publically accessible.
Thanks guys, I'll do what I can if I can get the input I need.
I saw this and figured that I would brain dump out what we've been doing. First, it's awesome that you'd like to get involved! With my move to Texas it's just been Conrad keeping the digital lights on and I know he would love help!
From the content monitoring perspective, we have three things that we had configured to fight the bots. First, the site is configured with the Mollom content monitoring solution. This combines both server side scoring of messages, source address checking, headers, etc. with a SaaS solution to filter form POSTs. Captcha's on the site are configured through Mollom, so you most likely aren't seeing them as you've not tripped off the content network. Second, we've also configured the built in Drupal spam monitoring, although in general I haven't been very impressed with it. Finally, there is cron job running regularly that modifies iptables rules for source addresses that are generating large volumes of requests. Additionally, although they aren't specifically for spam control, the site also runs through both CloudFlare and mod_security, which doesn't hurt. Sadly, every so often the spammers manage to trip up Mollom, and there is a short period of time where we get spammed. Given the other layers of defense that we have, it doesn't happen very often, but it does happen from time to time.
Additionally, no credit card information is stored on any of our servers, all recurring payments are handled through either PayPal or Stripe through their APIs. When we moved to this site, that was a critical point for us given our backgrounds (I'm also a Security guy) that we didn't want to have to worry about it.
Last couple of questions I think you had, the site is written using Drupal, servers are at Linode, using Apache, Varnish, and Pound. If you want specifics on any of the code, modules, server configs, etc., I agree that a public forum is not the place. At this point I believe StevenLane and ConradFuhram are still thinking of doing another redesign, but as I'm no longer in Chicago I'm not 100% sure on the status, so you might want to ping the two of them to make sure we aren't duplicating any effort.
Otherwise I think it's great that you'd like to get involved as we always need people to help. Please don't hestiate to PM myself, Conrad, Steven, or el presidente Mark with any thoughts, and thanks for getting involved!
Oh... my... god. Why haven't we done this? http://thechive.com/2013/09/17/guys-rig-up-buddies-plumbing-with-beer-wh...
Thanks for getting involved Kris. And thanks to Licas for continuing to be an awesome member, from so far away. Sounds like you have your answers. I am not knowledgable in this field, but please let me know if you need anything else in support of this
check our website: Idiot Video Are you apprehensive a trade in World Wide Web security? If that's what you produce, recognize AS MUCH as you can. SQL and JavaScript are helpful, notwithstanding also act detailed design of OSes, C (or C++ C# etc) and assembled perspective helpful. Don't avoid the various internet scripting humanistic discipline and such love PHP, ASP, comesNET, etc. Keep qualified date. Whenever several great nifty technol com mistaken, dig into the past it.
Oh, the irony...
DOH!
The emperor is not as forgiving as i am
This made my day!
www.singingboysbrewing.com
LMFAO
I could probably also lend a hand. I'm a Linux System Administrator for a domain registrar and webhosting company and I've worked with PHP and HTML quite a bit assisting customers. Granted most of them use Wordpress and not Drupal, I feel like I could help if we needed any custom coding or anything of that nature.
Good looking out BB
Aw jeez.
Jay, you should get in touch with Conrad. I don't think we even need any coding, necessarily: we just need to update the Drupal modules we use, and potentially employ a different captcha technique. We should probably also update Drupal itself, but that will require updates to the custom modules Lucas wrote for things like brewhouse reservations.