In the LoadModules section of the config, make sure mod_rewrite is enabled. On Red Hat or CentOS (or most others) it is by default:

In your LoadModules section, make sure that mod_rewrite is enabled. On Red Hat and CentOS, it is by default:

# grep mod_rewrite /etc/httpd/conf/httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so

RewriteEngine on
RewriteCond %{REQUEST_URI} ^/[^\.]+[^/]$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1/ [R=301,L]

Voíla. Bounce Apache, and visit. Make sure you’re cool enough not to type “www.”

/cs

But, I’ve found that the Plesk CP for Plesk 9 doesn’t run on Apache, it runs on Lighttpd. To disable weak ciphers on a Plesk/Red Hat box, edit /etc/sw-cp-server/applications.d/plesk.conf and add this line:

ssl.cipher-list = “TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH”

I don’t know if you can add it just anywhere, but you ought to be able to. Personally, I put it between the “include_shell” and “index-file.names” lines in the conf, line 11. After all that, issue “service psa restart” and you’re good to go.

You can test the setup using this command:

# openssl s_client -connect localhost:8443 -ssl2

Run that from the box itself, either as root or as a regular user. It gave me a “Connection reset by peer” error on SSLv2 connection. This is expected, and means that SSLv2 has been successfully disabled. Go run that scan again.

Also, keep in mind the recent “Plesk broke openssl” (or vice-versa) fiasco.

/cs

• addy@DELETE_THISdomain.com
• mayemail @ mydomain com
• Please contact us for contact information

To me, these seem very creative (except for the last one which was really kind of a joke).

I have found and implemented a solution on my server that seems to work very well for eluding this issue. It’s a little piece of javascript I like to call menc.js.

Here is a look at the code for the foolwrite function:

function foolwrite(a,b,c,d){
var mail;
var linkname;
var link;

mail=a+”@”+b+”.”+c;
linkname=’Contact’
if(d == 0){
document.write(mail);
} else {
link=’<a href=”mailto:’+mail+’”>’+linkname+’</a>’;
document.write(link);
}
}

As you can see, the function takes three arguments, which are the address, the domain, and the tld. From there, it builds a mailto link from the three pieces, and returns the link. You can also change the linkname variable to something custom, such as “webmaster” or ‘<img src=”path/to/file.jpg”>’ or something like that. The cool thing is that the source doesn’t have a scrapable address anymore.

To implement this function, you can either embed it directly, or call it from an external file, as I did, in the same way that you would use any regular javascript. In your code, simply place this line in the place where you would normally put your mailto: link:

foolwrite(“email”,”domain”,”tld”);

Don’t forget to enclose it in <script> tags.

And there you have it! This will prevent any screen-scraping-caused-spam that you may be receiving from your sites, and still allow customers to click and send you mail. This means you don’t have to have any forms that can easily be compromised!

/cs