北美网备份站

Title: About mod_security

Author: 蜻蜓点水    Time: 2017-1-21 21:32
Title: About mod_security
A while ago I was getting 403 errors when saving the front end in DIY mode; every time it was mod_security.

It also happens when saving site ads in the admin panel if they contain certain words.

I saw this here and am pasting it to learn from:

https://www.tipsandtricks-hq.com/apache-mod-security-update-how-to-fix-error-406-or-not-acceptable-issue-259

Apache Mod Security update, How to Fix ‘Error 406’ or ‘Not Acceptable’ issue
Last updated: October 28, 2016
A few weeks ago I started having “Not Acceptable! Error 406” on one of my WordPress sites when trying to save a post or a page. I kept getting the following message when trying to save a post.

Not Acceptable
An appropriate representation of the requested resource /wp-admin/post.php could not be found on this server

I tried many fixes and nothing seemed to help get rid of the issue. So I decided to reinstall WordPress (How to Uninstall and Reinstall WordPress). Even the reinstall didn’t help! Later I found out that the “Not acceptable! Error 406” occurs due to Mod Security updates on the server. So if you are having a similar problem then you can try one of the following methods to fix it.

Solution 1 for Fixing 406 Error

Backup your .htaccess file if you have one in the ‘wp-admin’ directory. Then make a ‘.htaccess’ file with the following content and upload it to the ‘wp-admin’ directory.

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

You can use any text editor such as Notepad to create this file.

You will need to upload this .htaccess file to your server. So if you don’t know how to upload a file to your server then check this tutorial on FTP.

Solution 2 for Fixing 406 Error

This is the solution that worked for me for my WordPress site.

Backup your .htaccess file if you have one in the public_html directory.

Open the .htaccess file with any text editor and observe the lines between the “# BEGIN WordPress” and “# END WordPress” tags. Make sure the lines look somewhat like the following. If not then update the file with the following content and upload it to the ‘public_html’ directory.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Hopefully one of these solutions helps fix your “Not Acceptable” error.

Good luck!
Author: 蜻蜓点水    Time: 2017-1-21 21:33
http://www.bkjia.com/dedecms/362281.html

Recently many friends on the forum have asked for help with this problem, and it has been troubling me too. Thanks to Funkey for the method; the problem is finally solved.

Problem description:

The admin settings page cannot be saved and shows the following 500 error page:

Forbidden
You don't have permission to access /dede/sys_info.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache Server at www.******.com Port 80

The problem generally appears on overseas hosting [hosts on which it has been seen so far: Host1Plus, BlueHost, JustHost, Backy LLC]. Both DedeCMS 5.5 and 5.6 show the error, so it is a hosting problem, not a DedeCMS problem.

Cause:
After checking with several sources, it is clear that most overseas hosts enable mod_security when configuring Apache, i.e. security checking is turned on. If the submitted data contains keywords such as select, %, bin, Apache blocks the request and returns a 403, 404 or 500 error.

Solution:
Since this is a server-level setting, VPS users need to turn off the mod_security2 check (mod_security2.c); shared hosting users need to contact support and ask them to change it.

Procedure:
(Shared hosting users) If the host uses cPanel, choose Submit ticket -> Paid hosting support, tell support that you use DEDE_CMS and ask for mod_security to be set to disabled; after that it works normally.
If your English is not good, you can copy the following sentence directly:
Quote:
I wanna use DEDE_CMS, so please change mod_security2.c settings to disable.

Original source: http://www.bkjia.com/dedecms/362281.html
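Both posts above end with the same blunt fix: switch mod_security off. Before doing that, the Apache error log tells you exactly which rule blocked the save and on which form field, which is enough to exclude that single rule for the admin path and leave the engine on everywhere else. The parser below is an added example, not code from either post or from ModSecurity; the log lines and the rule ids 123456/123457 in it are constructed for the example.

```python
"""Parse mod_security2 'Access denied' lines from the Apache error log.

Added example, not from the posts: the rule id, request variable and URI
in these lines are what you need to exclude one rule for the admin path
instead of turning mod_security off for the whole site.
"""
import re

# Summary part: status code, what matched, and the request variable it hit.
_DENY_RE = re.compile(
    r'ModSecurity: Access denied with code (?P<status>\d+)'
    r'.*?(?:Pattern match|Matched phrase) "(?P<what>.*?)" at (?P<target>\S+?)\.')
# Bracketed metadata such as [id "123456"] or [uri "/dede/sys_info.php"].
_KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample log; rule ids 123456/123457 are placeholders, not real rules.
SAMPLE_LOG = (
    '[Sat Jan 21 21:30:12 2017] [error] [client 203.0.113.5] ModSecurity: '
    'Access denied with code 403 (phase 2). Pattern match "select" at '
    'ARGS:content. [file "/etc/modsecurity/rules.conf"] [line "42"] '
    '[id "123456"] [msg "SQL Injection Attack"] [hostname "www.example.com"] '
    '[uri "/dede/sys_info.php"] [unique_id "constructed-1"]\n'
    '[Sat Jan 21 21:31:40 2017] [error] [client 203.0.113.5] '
    'File does not exist: /var/www/html/favicon.ico\n'
    '[Sat Jan 21 21:32:05 2017] [error] [client 198.51.100.9] ModSecurity: '
    'Access denied with code 403 (phase 2). Matched phrase "bin" at '
    'ARGS:adtext. [file "/etc/modsecurity/rules.conf"] [line "77"] '
    '[id "123457"] [msg "Blacklisted keyword"] [hostname "www.example.com"] '
    '[uri "/admin.php"] [unique_id "constructed-2"]\n'
)


def parse_denials(log_text):
    """One dict per ModSecurity denial; ordinary error_log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = _DENY_RE.search(line)
        if not m:
            continue
        meta = dict(_KV_RE.findall(line))
        events.append({
            'status': int(m.group('status')),
            'matched': m.group('what'),
            'target': m.group('target'),  # e.g. ARGS:content, the POST field
            'rule_id': meta.get('id'),
            'msg': meta.get('msg'),
            'uri': meta.get('uri'),
        })
    return events


def rule_ids_for_path(events, prefix):
    """Rule ids that blocked requests under prefix: the SecRuleRemoveById candidates."""
    return sorted({e['rule_id'] for e in events
                   if e['rule_id'] and (e['uri'] or '').startswith(prefix)})
```

The ids returned by rule_ids_for_path are the ones to exclude with SecRuleRemoveById inside a Location block for the admin path, which keeps the rest of the site protected.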

Author: admin    Time: 2017-1-22 11:46
XSS defence setting
$_config['security']['urlxssdefend'] = true;        // XSS defence for the site's own URLs

CC attack defence
When you find your site under a CC attack, you can also enable CC attack defence in config. It has four defence modes, 1/2/4/8; besides these four you may also combine them. For example, it can be set to 24, which means using both mode 2 and mode 4 at the same time.
$_config['security']['attackevasive'] = 0;          // CC attack defence 1|2|4|8

SQL safety defence
$_config['security']['querysafe']['status'] = 1;        // whether to enable SQL safety checking; can automatically prevent SQL injection attacks
$_config['security']['querysafe']['dfunction']['0'] = 'load_file';
$_config['security']['querysafe']['dfunction']['1'] = 'hex';
$_config['security']['querysafe']['dfunction']['2'] = 'substring';
$_config['security']['querysafe']['dfunction']['3'] = 'if';
$_config['security']['querysafe']['dfunction']['4'] = 'ord';
$_config['security']['querysafe']['dfunction']['5'] = 'char';
$_config['security']['querysafe']['daction']['0'] = 'intooutfile';
$_config['security']['querysafe']['daction']['1'] = 'intodumpfile';
$_config['security']['querysafe']['daction']['2'] = 'unionselect';
$_config['security']['querysafe']['daction']['3'] = '(select';
$_config['security']['querysafe']['daction']['4'] = 'unionall';
$_config['security']['querysafe']['daction']['5'] = 'uniondistinct';
$_config['security']['querysafe']['dnote']['0'] = '/*';
$_config['security']['querysafe']['dnote']['1'] = '*/';
$_config['security']['querysafe']['dnote']['2'] = '#';
$_config['security']['querysafe']['dnote']['3'] = '--';
$_config['security']['querysafe']['dnote']['4'] = '"';
$_config['security']['querysafe']['dlikehex'] = 1;
$_config['security']['querysafe']['afullnote'] = '0';

The above is about SQL safety checking. In the config you only need to set $_config['security']['querysafe']['status'] = 1; 1 means on, 0 means off.

Founder settings
When your site is running in production, it is recommended to set at least one founder; the founder has the highest privileges in the site admin panel.
$_config['admincp']['founder'] = '1';        // Site founder: has the highest privileges in the site admin panel; each site can have one or more founders
                                             // a uid or a username may be used; separate multiple founders with commas ","

Security questions
You can enable security questions here to require administrators to set a security question, which increases the security of the site's admin accounts. Recommended: enabled.
$_config['admincp']['forcesecques'] = 1;     // administrators must set a security question before entering system settings 0=no, 1=yes [secure]

Verify admin panel IP
Verify the administrator's IP for admin panel operations; recommended: enabled.
$_config['admincp']['checkip'] = 1;          // whether admin panel operations verify the administrator's IP, 1=yes [secure], 0=no.
                                             // set to 0 only when the administrator cannot log in to the admin panel.

Whether the admin panel may run MySQL operations
Whether the admin panel may run MySQL operations; recommended: disabled. Once disabled, SQL statements can no longer be run directly from the admin panel.
$_config['admincp']['runquery'] = 0;         // whether to allow running SQL statements from the admin panel 1=yes 0=no [secure]

Admin panel data restore
Regular backups are a good habit. While the site is running, for security it is recommended to disable the admin panel data restore function, and turn it on only when the site actually needs a data restore.
$_config['admincp']['dbimport'] = 0;         // whether to allow restoring forum data from the admin panel 1=yes 0=no [secure]
http://bbs.zb7.com/discuz/dx25/safe/security/security_config.htm
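To make the querysafe lists in the post above concrete, here is an added example (not Discuz's own code) that applies the dfunction / daction / dnote settings to sample queries the way such a filter would, so you can see what is rejected and why. The matching rules it uses (blanking quoted literals first, comparing daction tokens with whitespace removed, counting a dfunction only when it is followed by a parenthesis) are an assumption, not the exact Discuz implementation.

```python
"""Simplified model of the Discuz 'querysafe' SQL check configured above.

Added example, not Discuz's own code: it applies the dfunction / daction /
dnote lists to a query the way such a filter would. The matching rules
(literal blanking, whitespace-free daction match, function name plus
parenthesis) are an assumption, not the exact Discuz implementation.
"""
import re

# Lists copied from $_config['security']['querysafe'] in the post above.
DFUNCTION = ['load_file', 'hex', 'substring', 'if', 'ord', 'char']
DACTION = ['intooutfile', 'intodumpfile', 'unionselect', '(select',
           'unionall', 'uniondistinct']
DNOTE = ['/*', '*/', '#', '--', '"']
DLIKEHEX = True  # dlikehex = 1

# Assumption: single-quoted literals are blanked first, so a value such as
# 'hex' or '--' inside a string does not trip the checks.
_LITERAL_RE = re.compile(r"'(?:[^'\\]|\\.)*'")


def check_query(sql):
    """Return None if the query passes, else 'kind:token' naming the hit."""
    body = _LITERAL_RE.sub("''", sql).lower()
    # 1. comment and quote markers anywhere in the statement
    for note in DNOTE:
        if note in body:
            return 'dnote:' + note
    # 2. dangerous actions, matched with all whitespace removed so that
    #    'UNION   SELECT' or a newline between the words still hits 'unionselect'
    compact = re.sub(r'\s+', '', body)
    for action in DACTION:
        if action in compact:
            return 'daction:' + action
    # 3. dangerous functions only count when actually called: name + '('
    #    so that ifnull(...) is not mistaken for if(...)
    for func in DFUNCTION:
        if re.search(r'\b' + re.escape(func) + r'\s*\(', body):
            return 'dfunction:' + func
    # 4. hex literals behind LIKE (dlikehex)
    if DLIKEHEX and re.search(r'\blike\s+0x[0-9a-f]+', body):
        return 'dlikehex'
    return None
```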
Welcome to 北美网备份站 (http://beimeilife.duckdns.org/) Powered by Discuz! X3.2