Whispers & Screams
And Other Things

Decisions Decisions

Making decisions in life is hard. Its a worry. Its a moment in time where all the comforting possibilities are whittled right down to just a few. Its tempting to think of those as limited to success or failure. Maybe even partial success but its more complicated than that.screen-shot-2014-07-28-at-10-38-59-am-e1406558423571

Ive taken the decision to start businesses, leave businesses, go back to University and even more significant and terrifying decisions in my personal life. To be fair, I think Ive done a good job so far. So far so good.

But how do you know if a decision is the right one? Is there a way to be sure that whatever you pick is the best choice? That it will surpass anything and everything that might have been?

Sorry but Nope.

You can’t know. You’ll never know for sure. You can't examine all of your possible futures and thats just tough.

But, you do know one thing and thats the thing that really matters. No matter how things play out, you will gain from the experience.

That something could be financial, educational, or it could just be a lesson learned. Perhaps a particularly tough one. Its irrelevant, because what you can say for sure is that the results you end up with will never amount to zero.

That decision could end up being just another decision you made in a long string of them. It could also be huge. But the point is you can’t try to quantify it before it has played out. Don’t try to put all the weight of the world in the decision.

A decision is just a single moment in your career. In the scheme of things it really doesn’t matter as long as you’re moving forward. Stop worrying about the things that don’t matter! Trying to figure out whether this is the moment that you “made it” will keep you from moving forward. And it will make it much harder to decide between everything you have going on. Which option will get me my “moment”? Why will it get me “there”?

What’s important is that you decided to do anything at all in the first place.

And what’s likely is that whatever “moment” you’re looking for hasn’t happened yet.

Spend all your time in the in-between space, the time between starting and stopping.

And remember that whatever decision you make, it will get you somewhere.

So go on. Jump. What's the worst that can happen?

Decisions aren’t ever right or wrong.

Your career hasn’t made it or not made it.

The magic is in the jump.

Continue reading
1919 Hits
0 Comments

Set up BIND as a DNS Server on Ubuntu

Introduction

 



DNS is important. The Domain Name Service is perhaps the most overlooked component of routine Internet services. When it becomes compromised or fails, the consequences can be far reaching and even catastrophic. To control DNS is to potentially control everything since modifying DNS services can redirect any user anywhere. It doesnt take a rocket scientist to understand the dramatic consequences of redirecting paypal.com to hackedpaypal.com and have all users innocently punching in their login details for collection in a nasty database somewhere.

DNS is also convenient. Setting your browser to use the bbc.co.uk website wouldnt be quite so easy if you had to refer to it as 212.58.246.104. Using fully qualified domain names (FQDNs), instead of IP addresses, to specify network addresses eases the configuration of services and applications, and increases the maintainability of configuration files.

As I am currently setting up some of my own internal nameservers, I decide to create a guide for my blog. In this post, I will go over how to set up an internal DNS server, using the BIND name server software (BIND9), that can be used by your own private network in the home or business to resolve host names and IP addresses. This provides a central way to manage your own hostnames and IP addresses, which is indispensable when your environment expands to more than a few hosts.

DNS Hosts


We will be setting up the new DNS servers in our office in London serving the technofatty domain. With this assumption, we decide that it makes sense to use a naming scheme that uses "ldn1.technofatty.com" to refer to our private subnet or zone. Therefore, host1's private Fully-Qualified Domain Name (FQDN) will be "pc1.ldn1.technofatty.com". Refer to the following table the relevant details:
Host Role Private FQDN Private IP Address
host1 User PC 1 pc1.ldn1.technofatty.com 192.168.1.101
host2 DVR 1 dvr1.ldn1.technofatty.com 192.168.1.102

Note: Your own setup will be different, but the example names and IP addresses given will be used to demonstrate how to configure a DNS server to provide a functioning internal DNS. You should be able to adapt this setup to your own environment fairly simply by replacing the host names and private IP addresses with your own. It is not necessary to use the region name of the site in your naming scheme, but we use it here to denote that these hosts belong to a particular sites private network. If you have multiple sites, you can set up an internal DNS within each respective site.
 

Our Goal


By the end of this tutorial, we will have a primary DNS server, ns1, as well as a secondary DNS server,ns2, which will operate as a backup.

Here is a table with example names and IP addresses:
Host Role Private FQDN Private IP Address
ns1 Pri DNS Server ns1.ldn1.technofatty.com 192.168.1.1
ns2 Sec DNS Server ns2.ldn1.technofatty.com 192.168.1.2

Let's get started by installing our Primary DNS server, ns1.
 

Install BIND on Primary Server


On both DNS servers, ns1 and ns2, carry out apt-get update
sudo apt-get update

Next install BIND:
sudo apt-get install bind9 bind9utils bind9-doc

IPv4 Mode


Next we need to set BIND to IPv4 mode. On both servers, edit the bind9 startup options file:
sudo nano /etc/default/bind9

Add "-4" to the OPTIONS variable. It should look like the following:
OPTIONS="-4 -u bind"

Save and exit.

OK onwards to configure the primary DNS server.
 

Configure Primary DNS Server


BIND's configuration consists of multiple files, which are included from the main configuration file, named.conf. These filenames begin with "named" because that is the name of the process that BIND runs. We will start with configuring the options file. The default contents of this file are shown below:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

Configure Options File


As you can see from the above, the first file that is included is named.conf.options. On ns1, open the named.conf.options file for editing:
sudo nano /etc/bind/named.conf.options

Above the existing options block, create a new ACL block called "trusted". This is where we will define list of clients that we will allow recursive DNS queries from (i.e. your servers that are in the same datacenter as ns1). Using our example private IP addresses, we will add ns1, ns2, host1, and host2 to our list of trusted clients:
acl "trusted" {
192.168.1.1; # ns1 - can be set to localhost
192.168.1.2; # ns2
192.168.1.101; # pc1
192.168.2.102; # dvr1
};

Having set up the list of trusted DNS clients, we now need to edit the options block. Currently, the start of the block looks like the following:
options {
directory "/var/cache/bind";
...
}

Below the directory directive, add the highlighted configuration lines (and substitute in the proper ns1 IP address) so it looks something like this:
options {
directory "/var/cache/bind";

recursion yes; # enables resursive queries
allow-recursion { trusted; }; # allows recursive queries from "trusted" clients
listen-on { 192.168.1.1; }; # ns1 private IP address - listen on private network only
allow-transfer { none; }; # disable zone transfers by default

forwarders {
8.8.8.8;
8.8.4.4;
};
...
};

Now save and exit named.conf.options. The above configuration specifies that only your own servers (the "trusted" ones) will be able to query your DNS server.

Next, we will configure the local file, to specify our DNS zones.

Configure Local File


On ns1, open the named.conf.local file using nano:
sudo nano /etc/bind/named.conf.local

Apart from some commented lines, the default file will be empty. This is where, we specify our forward and reverse zones.

Add the forward zone with the following lines (substituting the zone name as appropriate):
zone "ldn1.technofatty.com" {
type master;
file "/etc/bind/zones/db.ldn1.technofatty.com"; # zone file path
allow-transfer { 192.168.1.2; }; # ns2 address - secondary
};

Assuming that our private subnet is 192.168.1.0/24, add the reverse zone by with the following lines (note that our reverse zone name starts with "168.192" which is the octet reversal of "192.168"):
zone "168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.168.192"; # 192.168.1.0/24 subnet
allow-transfer { 192.168.1.2; }; # ns2 address - secondary
};

If your servers span more than one subnet but are on the same site, dont forget to specify an additional zone and zone file for each seperate subnet.

Once finished adding all of your required zones, save and exit the named.conf.local file.

Now that our zones are specified in BIND, we need to create the corresponding forward and reverse zone files.

Create Forward Zone File


The forward zone file is where we define DNS records for forward DNS lookups. That is, when the DNS receives a name query, "host1.nyc2.example.com" for example, it will look in the forward zone file to resolve host1's corresponding private IP address.

Let's create the directory where our zone files will reside. According to our named.conf.local configuration, that location should be /etc/bind/zones:
sudo mkdir /etc/bind/zones

It is simplest to base our forward zone file on the sample db.local zone file which is installed by default. Copy it to the proper location with the following commands:
cd /etc/bind/zones
sudo cp ../db.local ./db.ldn1.technofatty.com

Now let's edit our forward zone file:
sudo nano /etc/bind/zones/db.ldn1.technofatty.com

Initially, it will look something like the following:
$TTL    604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost. ; delete this line
@ IN A 127.0.0.1 ; delete this line
@ IN AAAA ::1 ; delete this line

First, you will want to edit the SOA record. Replace the first "localhost" with ns1's FQDN, then replace "root.localhost" with "admin.ldn1.technofatty.com". Also, every time you edit a zone file, you should increment the serial value before you restart the named process--we will increment it to "3". It should look something like this:
@       IN      SOA     ns1.ldn1.technofatty.com. admin.ldn1.technofatty.com. (
3 ; Serial

Now delete the three records at the end of the file (after the SOA record). If you're not sure which lines to delete, they are marked with a "delete this line" comment above.

At the end of the file, add your nameserver records with the following lines (replace the names with your own). Note that the second column specifies that these are "NS" records:
; name servers - NS records
IN NS ns1.ldn1.technofatty.com.
IN NS ns2.ldn1.technofatty.com.

Then add the A records for your hosts that belong in this zone. This includes any server whose name we want to end with ".ldn1.technofatty.com" (substitute the names and private IP addresses). Using our example names and private IP addresses, we will add A records for ns1, ns2, pc1, and dvr1 like so:
; name servers - A records
ns1.ldn1.technofatty.com. IN A 192.168.1.1
ns2.ldn1.technofatty.com. IN A 192.168.1.2

; 192.168.1.0/24 - A records
pc1.ldn1.technofatty.com. IN A 192.168.1.101
dvr1.ldn1.technofatty.com. IN A 192.168.1.102

Save and exit the db.ldn1.technofatty.com file.

Our final example forward zone file looks like the following:
$TTL    604800
@ IN SOA ns1.ldn1.technofatty.com. admin.ldn1.technofatty.com. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; name servers - NS records
IN NS ns1.ldn1.technofatty.com.
IN NS ns2.ldn1.technofatty.com.

; name servers - A records
ns1.ldn1.technofatty.com. IN A 192.168.1.1
ns2.ldn1.technofatty.com. IN A 192.168.1.2

; 192.168.1.0/24 - A records
pc1.ldn1.technofatty.com. IN A 192.168.1.101
dvr1.ldn1.technofatty.com. IN A 192.168.1.102

Next we move on to the reverse zone file(s).

Create Reverse Zone File(s)


Reverse zone file are where we define DNS PTR (pointer) records for reverse DNS lookups. That is, when the DNS receives a query by IP address, "192.168.1.101" for example, it will look in the reverse zone file(s) to resolve the corresponding FQDN, "pc1.ldn1.technofatty.com" in this case.

On ns1, for each reverse zone specified in the named.conf.local file, create a reverse zone file. We will base our reverse zone file(s) on the sample db.127 zone file. Copy it to the proper location with the following commands (substituting the destination filename so it matches your reverse zone definition):
cd /etc/bind/zones
sudo cp ../db.127 ./
db.168.192

Edit the reverse zone file that corresponds to the reverse zone(s) defined in named.conf.local:
sudo nano /etc/bind/zones/db.168.192

Initially, it will look something like the following:
$TTL    604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost. ; delete this line
1.0.0 IN PTR localhost. ; delete this line

In the same manner as the forward zone file, you will want to edit the SOA record and increment the serial value. It should look something like this:
@       IN      SOA     ns1.ldn1.technofatty.com. admin.ldn1.technofatty.com. (
3 ; Serial

Now delete the two records at the end of the file (after the SOA record). If you're not sure which lines to delete, they are marked with a "delete this line" comment above.

At the end of the file, add your nameserver records with the following lines (replace the names with your own). Note that the second column specifies that these are "NS" records:
; name servers - NS records
IN NS ns1.ldn1.technofatty.com.
IN NS ns2.ldn1.technofatty.com.

Then add PTR records for all of your servers whose IP addresses are on the subnet of the zone file that you are editing. In our example, this includes all of our hosts because they are all on the 10.128.0.0/16 subnet. Note that the first column consists of the last two octets of your servers' private IP addresses in reversed order. Be sure to substitute names and private IP addresses to match your servers:
; PTR Records
1.1 IN PTR ns1.ldn1.technofatty.com. ; 192.168.1.1
2.1 IN PTR ns2.ldn1.technofatty.com. ; 192.168.1.2
101.1 IN PTR pc1.ldn1.technofatty.com. ; 192.168.1.101
102.1 IN PTR dvr1.ldn1.technofatty.com. ; 192.168.1.102

Save and exit the reverse zone file (repeat this section if you need to add more reverse zone files).

Our final example reverse zone file looks like the following:
$TTL    604800
@ IN SOA ns1.ldn1.technofatty.com. admin.ldn1.technofatty.com. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL

; name servers - NS records
IN NS ns1.ldn1.technofatty.com.
IN NS ns2.ldn1.technofatty.com.

; PTR Records
1.1 IN PTR ns1.ldn1.technofatty.com. ; 192.168.1.1
2.1 IN PTR ns2.ldn1.technofatty.com. ; 192.168.1.2
101.1 IN PTR pc1.ldn1.technofatty.com. ; 192.168.1.101
102.1 IN PTR dvr1.ldn1.technofatty.com. ; 192.168.1.102


Check BIND Configuration Syntax


Run the following command to check the syntax of the named.conf* files:
sudo named-checkconf

If your named configuration files have no syntax errors, you will return to your shell prompt and see no error messages. If there are problems with your configuration files, review the error messages then re-try named-checkconf .

The named-checkzone command can be used to check the correctness of your zone files. Its first argument specifies a zone name, and the second argument specifies the corresponding zone file, which are both defined in named.conf.local.

For example, to check the "ldn1.technofatty.com" forward zone configuration, run the following command (change the names to match your forward zone and file):
sudo named-checkzone ldn1.technofatty.com db.ldn1.technofatty.com

And to check the "168.192.in-addr.arpa" reverse zone configuration, run the following command (change the numbers to match your reverse zone and file):
sudo named-checkzone 168.192.in-addr.arpa /etc/bind/zones/db.168.192

When all of your configuration and zone files have no errors in them, you should be ready to restart the BIND service.

Restart BIND


Restart BIND:
sudo service bind9 restart

Your primary DNS server is now setup and ready to respond to DNS queries. Let's move on to creating the secondary DNS server.
 

Configure Secondary DNS Server


In most environments, it is a good idea to set up a secondary DNS server that will respond to requests if the primary becomes unavailable. Luckily, the secondary DNS server is much easier to configure.

On ns2, edit the named.conf.options file:
sudo nano /etc/bind/named.conf.options

At the top of the file, add the ACL with the private IP addresses of all of your trusted servers:
acl "trusted" {
192.168.1.1; # ns1 - can be set to localhost
192.168.1.2; # ns2
192.168.1.101; # pc1
192.168.2.102; # dvr1
};

Below the directory directive, add the following lines:
        recursion yes;
allow-recursion { trusted; };
listen-on { 192.168.1.2; }; # ns2 private IP address
allow-transfer { none; }; # disable zone transfers by default

forwarders {
8.8.8.8;
8.8.4.4;
};

Save and exit named.conf.options. This file should look exactly like ns1's named.conf.options file except it should be configured to listen on ns2's private IP address.

Now edit the named.conf.local file:
sudo nano /etc/bind/named.conf.local

Define slave zones that correspond to the master zones on the primary DNS server. Note that the type is "slave", the file does not contain a path, and there is a masters directive which should be set to the primary DNS server's private IP. If you defined multiple reverse zones in the primary DNS server, make sure to add them all here:
zone "ldn1.technofatty.com" {
type slave;
file "db.ldn1.technofatty.com";
masters { 192.168.1.1; }; # ns1 private IP
};

zone "168.192.in-addr.arpa" {
type slave;
file "db.168.192";
masters { 192.168.1.1; }; # ns1 private IP
};

Now save and exit named.conf.local.

Run the following command to check the validity of your configuration files:
sudo named-checkconf

Once that checks out, restart bind
sudo service bind9 restart

Now you have primary and secondary DNS servers for private network name and IP address resolution. Now you must configure your servers to use your private DNS servers.
 

Configure DNS Clients


Before all of your servers in the "trusted" ACL can query your DNS servers, you must configure each of them to use ns1 and ns2 as nameservers. This process varies depending on OS, but for most Linux distributions it involves adding your name servers to the /etc/resolv.conf file.

Ubuntu Clients


On Ubuntu and Debian Linux VPS, you can edit the head file, which is prepended to resolv.conf on boot:
sudo nano /etc/resolvconf/resolv.conf.d/head

Add the following lines to the file (substitute your private domain, and ns1 and ns2 private IP addresses):
search ldn1.technofatty.com     # your private domain
nameserver 192.168.1.1 # ns1 private IP address
nameserver 192.168.1.2 # ns2 private IP address

Now run resolvconf to generate a new resolv.conf file:
sudo resolvconf -u

Your client is now configured to use your DNS servers.

CentOS Clients


On CentOS, RedHat, and Fedora Linux VPS, simply edit the resolv.conf file:
sudo nano /etc/resolv.conf

Then add the following lines to the TOP of the file (substitute your private domain, and ns1 and ns2 private IP addresses):
search ldn1.technofatty.com  # your private domain
nameserver 192.168.1.1 # ns1 private IP address
nameserver 192.168.1.2 # ns2 private IP address

Now save and exit. Your client is now configured to use your DNS servers.

Test Clients


Use nslookup to test if your clients can query your name servers. You should be able to do this on all of the clients that you have configured and are in the "trusted" ACL.

Forward Lookup


For example, we can perform a forward lookup to retrieve the IP address of pc1.ldn1.technofatty.com by running the following command:
nslookup pc1

Querying "pc1" expands to "pc1.ldn1.technofatty.com because the search option is set to your private subdomain, and DNS queries will attempt to look on that subdomain before looking for the host elsewhere. The output of the command above would look like the following:
paula@ns2:~$ nslookup pc1
Server: 192.168.1.1
Address: 192.168.1.1#53

Name: host1.nyc2.example.com
Address: 192.168.1.101

Reverse Lookup


To test the reverse lookup, query the DNS server with pc1's private IP address:
nslookup 192.168.1.101

You should see output that looks like the following:
Server:     192.168.1.1
Address: 192.168.1.1#53

101.1.168.192.in-addr.arpa name = pc1.ldn1.technofatty.com.

If all of the names and IP addresses resolve to the correct values, that means that your zone files are configured properly. If you receive unexpected values, be sure to review the zone files on your primary DNS server (e.g. db.ldn1.technofatty.com and db.168.192).

Congratulations! Your internal DNS servers are now set up properly! Now we will cover maintaining your zone records.

 

Maintaining DNS Records


Now that you have a working internal DNS, you need to maintain your DNS records so they accurately reflect your server environment.

Adding Host to DNS


Whenever you add a host to your environment (in the same datacenter), you will want to add it to DNS. Here is a list of steps that you need to take:

Primary Nameserver



    • Forward zone file: Add an "A" record for the new host, increment the value of "Serial"

    • Reverse zone file: Add a "PTR" record for the new host, increment the value of "Serial"

    • Add your new host's private IP address to the "trusted" ACL (named.conf.options)


Then reload BIND:
sudo service bind9 reload

Secondary Nameserver



    • Add your new host's private IP address to the "trusted" ACL (named.conf.options)


Then reload BIND:
sudo service bind9 reload

Configure New Host to Use Your DNS



    • Configure resolv.conf to use your DNS servers

    • Test using nslookup


Removing Host from DNS


If you remove a host from your environment or want to just take it out of DNS, just remove all the things that were added when you added the server to DNS (i.e. the reverse of the steps above).
 

Conclusion


Now you may refer to your servers' private network interfaces by name, rather than by IP address. This makes configuration of services and applications easier because you no longer have to remember the private IP addresses, and the files will be easier to read and understand. Also, now you can change your configurations to point to a new servers in a single place, your primary DNS server, instead of having to edit a variety of distributed configuration files, which eases maintenance.

Once you have your internal DNS set up, and your configuration files are using private FQDNs to specify network connections, it is critical that your DNS servers are properly maintained. If they both become unavailable, your services and applications that rely on them will cease to function properly. This is why it is recommended to set up your DNS with at least one secondary server, and to maintain working backups of all of them.
Continue reading
61 Hits
0 Comments

OSPF DR and BDR Election

Participating routers in an OSPF network have varying roles to play in ensuring that the processes which route the data around the network maintain a true and accurate picture of the network topology. The two primary roles in this structure are the Designated Router (DR) and the Backup Designated Router (BDR). Their roles, whilst primarily aimed at maintaining network function from a routing perspective, are equally focused on ensuring that network bandwidth used to accomplish this is used judiciously.

An Election


Consider a multi-access environment (such as LAN or MAN), where three or more routers are connected together. If all the routers in the OSPF network had to form adjacencies with every other OSPF router present, forming a fully meshed OSPF adjacency network, the resultant conceptualised routing mesh would be overly chatty flooding Link State Advertisements (LSAs) with each and every other OSPF router. As a direct result, router CPU load and network bandwidth would be consumed wastefully. OSPF is designed to be far more efficient in its use of these resources, and, in order to prevent this from happening, OSPF holds an election process to determine and fill roles named Designated Router (DR) and a Backup Designated Router (BDR) so that the workload of propagating routing information around the network is more effectively managed. Election for the DR and BDR is determined primarily on the Router Priority (which by default is 1) and the Router ID. If the value of the router interface priority is changed to 0, it prevents that router from becoming the DR or the BDR.

Router priority can be adjusted on Cisco routers on a per interface basis. The Router ID however is a 32-bit number that uniquely identifies the router in the Autonomous System. One algorithm for Router ID assignment is to choose the largest or smallest IP address assigned to the router. If a router's OSPF Router ID is changed, the router's OSPF software should be restarted before the new Router ID takes effect. Before restarting in order to change its Router ID, the router should flush its self-originated LSAs from the routing domain or they will persist for up to MaxAge minutes. Cisco uses a method that some other vendors choose to follow, but it is not a requirement. If you have a loopback interface, since that's the most stable interface on your router, that will be used. If there is no loopback interface, the highest IP address on the router is used. If there is more than one loopback then the highest of them is used. In many elections in OSPF, the higher RID wins. this is the logic for choosing higher over lower. It should be noted however that you can manually specify an RID that isn't even a valid ip address such as 224.1.1.1.

Drothers


The DR is the router which receives LSAs and other updates when there is a change in the inter-neighbor communications. These LSAs are sent out by the DROTHERS routers (all non-DR/BDR routers), and consequently, any further updates are propagated by the DR to the rest of the DROTHERS routers. The show ip ospf neighbor command, when executed, indicates the non-DR/BDR routers as DROTHERS. Every network segment in OSPF has a DR and a BDR.

The Process


What actually happens is that whenever there is a change in network routing status, instead of flooding each and every path with LSAs advertising new information about network topology, the update is only sent to the DR. The DR then takes on this job and floods the routers in its network segment with the update. If the DR fails or is not functioning, the BDR takes over. When this happens, the BDR replaces the existing DR as the new Designated Router, and a new BDR is elected.

Continue reading
72 Hits
0 Comments

Skye The Husky

IMG_4387 IMG_4388 IMG_4389 IMG_4393

Continue reading
1362 Hits
0 Comments

The Latest Referrer Spam - Semalt and Buttons For Website

So, you manage some websites, you're a fan of Google analytics or even just use a local server log analyser to view your site stats. If this is you then you cant fail to have noticed that your sites have been getting visits lately from referrer bots called semalt.com and buttons-for-website.com. There are a couple of good reasons why you shouldn't ignore this traffic. In fact you should block it from your site and if you're using an Apache web server, which most people are these days, then I'll show you how to do it for yourself.

The Semalt and Buttons For Website bots dont seem to be harmful to websites per-se however their effect on SEO should not be ignored. If your website is getting 50 or 100 hits per month from these things it will affect your overall clocked bounce rate since these bots is always bounce. This will make it seem as though visitors to your site are not finding the material they were looking for and, to the search engines, may decrease the perceived quality of your site and thereby effect your ranking.

It should be noted that Semalt is not your typical bot. Analysis shows that the company uses a QtWebKit browser engine to avoid detection. Consequently, Semalt bots can execute JavaScript and hold cookies, thereby enabling them to avoid common bot filtering methods (e.g., asking a bot to parse JavaScript). Because of their ability to execute JavaScript, these bots also appears in Google Analytics reports as being “human” traffic.

Recently, substantial evidence revealed that Semalt isn’t running a regular crawler. Instead, to generate bot traffic, the company appears to be using a botnet that is spread around by a malware, hidden in a utility called Soundfrost.

“Botnets sometimes compromise computers whose security defenses have been breached and control conceded to a third party. Each such compromised device, known as a “bot”, is created when a computer is penetrated by software from amalware (malicious software) distribution. The controller of a botnet is able to direct the activities of these compromised computers” – Wikipedia

Their Botnet involves hundreds or thousands of computers and too many IP addresses to be able to effectively bloc the crawler via IP Exclusion in Analytics. To see a list of IP addresses associated with Semalt go to this page. It will return a long list of (at least hundreds) of IP addresses associated with Semalt.

Blocking these sites like you would other crawlers/spiders in your robots.txt file may not be effective either since compliance with directives in the robots.txt file is voluntary and those who are running something Black Hat certainly do not care about complying with the wishes of others.

Buttons For Website seems to be very similar in function (alleged to be a spambot/botnet) except that it uses a different delivery method. In this case the Buttons For Website site simply offers a handy sharing tool for you to install on your website. However, by installing the supplied code, you are potentially creating a way for a person to hijack (zombify) the web browser of visitors to your site.

According to one article I found javascript hijacking can also be used for nefarious purposes. Even though the article is about using javascript to create a botnet through online ads the same principle should work just as well with a permanent installation like sharing buttons.

“Adding arbitrary JavaScript to ads is easy to do and in the experience of the researchers wasn’t checked very closely by the ad network. To make it more convenient to change the malicious script, rather than placing the script itself in the ad, they put in the script source.” – NetworkWorld

Semalt And Buttons For Website Blocking


Since potentially both Semalt and Buttons For Website traffic is going to be coming from a large number of IP addresses (Semalt from infected computers and Buttons For Website from visitors to infected sites) the option of blocking this traffic by IP exclusion in Analytics would not be effective. An alternative, which is what I have used successfully on all of the WordPRess sites that I manage, is to block traffic from semalt.semalt.com and buttons-for-website.com in the .htacces file of each site.

To do this you have to have access to the files in the root directory on your web host that make up your WordPress, Joomla or Drupal site and be using an Apache system (most hosting providers do). If you have never worked with the files in the root directory of your site and/or are not familiar with editing the .htaccess file ask your webmaster to do it for you. If you make a mistake when editing your .htaccess file, the result can make the site completely unavailable.

If you are comfortable with editing your .htaccess file then adding the following code to it should block both Semalt and Buttons For Website traffic to your site.

# block visitors referred from semalt.com
RewriteEngine on
RewriteCond %{HTTP_REFERER} semalt\.com [NC]
RewriteRule .* – [F]
# End semalt block
# block referer spam buttons for website
RewriteEngine On
RewriteCond %{HTTP_REFERER} buttons\-for\-website\.com
RewriteRule ^.* - [F,L]
# End buttons for website block


At Rustyice Solutions we use this method to block Semalt and Buttons For Website traffic on many WordPress, Joomla and Drupal sites that we manage and so far it has resulted in the total elimination of all traffic from these two sites from all of the managed websites. If you do not have a webmaster and are seeing traffic from these sources to your WordPress website we will be happy to help you with the problem. Contact me using the contact form on this site (Click Here) and I will be happy to help for a very small fee.

Continue reading
65 Hits
0 Comments