North America Net Backup Site (北美网备份站)
Title: About mod_security
Author: 蜻蜓点水  Time: 2017-1-21 21:32
A while ago I was getting 403 errors when saving on the front end and when using DIY; it was mod_security every time.

It also happens when saving site ads in the backend if they contain certain words.

I found this and am pasting it here to learn from:

https://www.tipsandtricks-hq.com/apache-mod-security-update-how-to-fix-error-406-or-not-acceptable-issue-259

Apache Mod Security update, How to Fix ‘Error 406’ or ‘Not Acceptable’ issue
last updated: October 28, 2016

A few weeks ago I started having “Not Acceptable! Error 406” on one of my WordPress sites when trying to save a post or a page. I kept getting the following message when trying to save a post.

Not Acceptable
An appropriate representation of the requested resource /wp-admin/post.php could not be found on this server

I tried many fixes and nothing seemed to help get rid of the issue. So I decided to reinstall WordPress (How to Uninstall and Reinstall WordPress). Even the reinstall didn’t help! Later I found out that the “Not acceptable! Error 406” occurs due to Mod Security updates on the server. So if you are having a similar problem then you can try one of the following methods to fix it.

Solution 1 for Fixing 406 Error

Back up your .htaccess file if you have one in the ‘wp-admin’ directory. Then make a ‘.htaccess’ file with the following content and upload it to the ‘wp-admin’ directory.

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

You can use any text editor such as Notepad to create this file.

You will need to upload this .htaccess file to your server. So if you don’t know how to upload a file to your server then check this tutorial on FTP.

Solution 2 for Fixing 406 Error

This is the solution that worked for me for my WordPress site.

Back up your .htaccess file if you have one in the public_html directory.

Open the .htaccess file with any text editor and observe the lines between the “# BEGIN WordPress” and “# END WordPress” tags. Make sure the lines look somewhat like the following. If not then update the file with the following content and upload it to the ‘public_html’ directory.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Hopefully one of these solutions helps fix your “Not Acceptable” error.

Good luck!
Author: 蜻蜓点水  Time: 2017-1-21 21:33
http://www.bkjia.com/dedecms/362281.html

Recently many people on the forum have been asking for help with this problem, and I have been troubled by it too. Thanks to Funkey's method, the problem is finally solved.

Problem description:

The backend settings page cannot be saved, and the following 500 error page appears:

Forbidden
You don't have permission to access /dede/sys_info.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache Server at www.******.com Port 80

The problem generally appears on overseas hosting [hosts found to have this problem so far: Host1Plus, BlueHost, JustHost, Backy LLC]; DedeCMS 5.5 and 5.6 both show the error, so evidently it is a hosting problem, not a DedeCMS (织梦) problem.

Cause:
After checking with several sources, it is clear that most overseas hosts enable mod_security when configuring Apache, i.e. security checking is turned on; if the submitted data contains keywords such as select, %, or bin, Apache blocks it and returns a 403, 404, or 500 error.

Solution:
Since this is a server-level setting, VPS users need to turn off the mod_security2 check (mod_security2.c), while shared hosting users need to contact customer support to have it changed.

Procedure:
(Shared hosting users) If you have a cPanel, choose Submit ticket, then Paid hosting support, tell support that you use DEDE_CMS and ask them to set mod_security to disabled; after that it works normally.
If your English is not good, you can copy the following sentence directly:

Quote:
I wanna use DEDE_CMS, so please change mod_security2.c settings to disable.

Original source: http://www.bkjia.com/dedecms/362281.html
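Both posts above resolve the false positives by switching ModSecurity off entirely. The added example below (my own Python, not code from either post or from the linked articles) takes the defender's alternative: read the ModSecurity denials from the Apache error log, see which rule IDs fire on the admin URIs the posts mention, and emit a per-URI SecRuleRemoveById exclusion so the rest of the WAF stays active. The log lines are constructed samples in the ModSecurity 2.x error-log format, and the rule IDs, client addresses and unique_ids in them are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ModSecurity 2.x Apache error-log format.
# Rule ids, client addresses and unique_ids are placeholders, not real values.
SAMPLE_LOG = [
    '[Sat Jan 21 21:30:01 2017] [error] [client 203.0.113.5] ModSecurity: Access denied with code 406 (phase 2). '
    'Pattern match "select.*from" at ARGS:content. [id "1000001"] [msg "SQL keyword in body"] [uri "/wp-admin/post.php"] [unique_id "C1"]',
    '[Sat Jan 21 21:30:07 2017] [error] [client 203.0.113.5] ModSecurity: Access denied with code 406 (phase 2). '
    'Pattern match "select.*from" at ARGS:content. [id "1000001"] [msg "SQL keyword in body"] [uri "/wp-admin/post.php"] [unique_id "C2"]',
    '[Sat Jan 21 21:31:00 2017] [notice] caught SIGTERM, shutting down',
    '[Sat Jan 21 21:32:10 2017] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "select.*from" at ARGS:cfg. [id "1000001"] [msg "SQL keyword in body"] [uri "/dede/sys_info.php"] [unique_id "C3"]',
    '[Sat Jan 21 21:32:11 2017] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "%" at ARGS:cfg. [id "1000002"] [msg "Percent sign in body"] [uri "/dede/sys_info.php"] [unique_id "C4"]',
]

DENIAL = re.compile(r'ModSecurity: Access denied with code (\d+)')
FIELD = re.compile(r'\[(?P<key>id|msg|uri) "(?P<val>[^"]*)"\]')

def parse_denials(lines):
    """Return one dict per denial line: {'code', 'id', 'msg', 'uri'}."""
    hits = []
    for line in lines:
        m = DENIAL.search(line)
        if not m:
            continue  # not a ModSecurity denial (e.g. an ordinary Apache notice)
        rec = {"code": int(m.group(1)), "id": "", "msg": "", "uri": ""}
        for f in FIELD.finditer(line):
            rec[f.group("key")] = f.group("val")
        if rec["id"]:
            hits.append(rec)
    return hits

def rules_by_uri(hits):
    """Map each blocked URI to {rule id: number of denials}."""
    table = defaultdict(lambda: defaultdict(int))
    for h in hits:
        table[h["uri"]][h["id"]] += 1
    return {uri: dict(rules) for uri, rules in table.items()}

def exclusion_snippet(uri, rule_ids):
    """Apache config removing only the offending rules for one URI (ModSecurity 2.x
    SecRuleRemoveById), so the engine stays on for every other request."""
    path = uri.replace(".", r"\.")  # escape the dot for the LocationMatch regex
    ids = " ".join(sorted(rule_ids))
    return f'<LocationMatch "^{path}$">\n    SecRuleRemoveById {ids}\n</LocationMatch>'

if __name__ == "__main__":
    for uri, rules in rules_by_uri(parse_denials(SAMPLE_LOG)).items():
        print(exclusion_snippet(uri, rules))
```

Note that Solution 1's SecFilterEngine and SecFilterScanPOST are ModSecurity 1.x directives guarded by <IfModule mod_security.c>, while ModSecurity 2.x identifies itself as mod_security2.c (the name the second post uses), so on a 2.x server that .htaccess block is skipped rather than applied.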
Author: admin  Time: 2017-1-22 11:46

XSS defense setting
$_config['security']['urlxssdefend'] = true; // XSS defense for the site's own URLs

CC attack defense: When your site is found to be under a CC attack, you can also turn on CC attack defense in the config. It has four defense modes, 1/2/4/8; besides these four, combinations are also allowed. For example, it can be set to 24, and 24 means modes 2 and 4 are used together against the attack.
$_config['security']['attackevasive'] = 0; // CC attack defense 1|2|4|8

SQL security defense
$_config['security']['querysafe']['status'] = 1; // whether to enable SQL safety checking, which automatically guards against SQL injection attacks
$_config['security']['querysafe']['dfunction']['0'] = 'load_file';
$_config['security']['querysafe']['dfunction']['1'] = 'hex';
$_config['security']['querysafe']['dfunction']['2'] = 'substring';
$_config['security']['querysafe']['dfunction']['3'] = 'if';
$_config['security']['querysafe']['dfunction']['4'] = 'ord';
$_config['security']['querysafe']['dfunction']['5'] = 'char';
$_config['security']['querysafe']['daction']['0'] = 'intooutfile';
$_config['security']['querysafe']['daction']['1'] = 'intodumpfile';
$_config['security']['querysafe']['daction']['2'] = 'unionselect';
$_config['security']['querysafe']['daction']['3'] = '(select';
$_config['security']['querysafe']['daction']['4'] = 'unionall';
$_config['security']['querysafe']['daction']['5'] = 'uniondistinct';
$_config['security']['querysafe']['dnote']['0'] = '/*';
$_config['security']['querysafe']['dnote']['1'] = '*/';
$_config['security']['querysafe']['dnote']['2'] = '#';
$_config['security']['querysafe']['dnote']['3'] = '--';
$_config['security']['querysafe']['dnote']['4'] = '"';
$_config['security']['querysafe']['dlikehex'] = 1;
$_config['security']['querysafe']['afullnote'] = '0';

The above is the SQL safety check; in the config you only need to set $_config['security']['querysafe']['status'] = 1; where 1 means on and 0 means off.

Founder setting: When your site is running in production, it is recommended to set at least one founder; founders have the highest privileges in the site admin backend.
$_config['admincp']['founder'] = '1'; // site founder: has the highest admin backend privileges; each site may have one or more founders // a uid or a username may be used; separate multiple founders with a comma ","

Security question: Here you can turn on the security question to require administrators to set a security question, which increases the security of the site's admin accounts. Recommended: enable.
$_config['admincp']['forcesecques'] = 1; // administrators must set a security question before entering system settings 0=no, 1=yes [secure]

Verify admin backend IP: Recommended: enable.
$_config['admincp']['checkip'] = 1; // whether admin backend operations verify the administrator's IP, 1=yes [secure], 0=no. // set to 0 only when administrators cannot log in to the backend.

Whether the backend may run MySQL operations: Recommended: disable. Once disabled, SQL statements can no longer be run directly from the backend.
$_config['admincp']['runquery'] = 0; // whether the backend may run SQL statements 1=yes 0=no [secure]

Backend data restore: Regular backups are a good habit. While the site is in operation, for security it is recommended to disable the backend data restore function, and only turn this switch on when your site really needs to restore data.
$_config['admincp']['dbimport'] = 0; // whether the backend may restore forum data 1=yes 0=no [secure]

http://bbs.zb7.com/discuz/dx25/safe/security/security_config.htm
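To make the querysafe lists in the post above concrete, here is an added example (my own Python re-implementation for illustration, not Discuz's PHP) of the kind of blacklist check those entries drive: the query is normalized (quoted literals removed, lowercased, whitespace and other characters outside a small set stripped), which is why the daction tokens are spelled without spaces, and then each list is matched. The normalization rule and the order of the checks are assumptions about how such a filter works, not a claim about Discuz's exact code; the list values are the ones quoted in the post.

```python
import re

# The querysafe lists quoted in the post above (values as given there).
QUERYSAFE = {
    "status": 1,
    "dfunction": ["load_file", "hex", "substring", "if", "ord", "char"],
    "daction": ["intooutfile", "intodumpfile", "unionselect", "(select", "unionall", "uniondistinct"],
    "dnote": ["/*", "*/", "#", "--", '"'],
    "dlikehex": 1,
    "afullnote": "0",
}

def normalize(sql):
    """Drop single-quoted literals, lowercase, and remove every character outside
    [a-z0-9_-()#*/"]. Because whitespace disappears, the blacklist tokens are
    spelled without spaces ('unionselect', 'intooutfile'). Assumed normalization."""
    without_literals = re.sub(r"'.*?'", "", sql, flags=re.S)
    return re.sub(r'[^a-z0-9_\-()#*/"]+', "", without_literals.lower())

def check_query(sql, cfg=QUERYSAFE):
    """Return None if the query passes, otherwise a string naming the first violation."""
    if not cfg["status"]:
        return None  # status=0 switches the whole check off
    clean = normalize(sql)
    if str(cfg["afullnote"]) == "1":
        clean = clean.replace("/**/", "")  # afullnote=1 tolerates empty block comments (assumed)
    for fn in cfg["dfunction"]:  # a name is blocked only as a call, i.e. followed by '('
        if fn + "(" in clean:
            return f"function {fn} not allowed"
    for action in cfg["daction"]:
        if action in clean:
            return f"action {action} not allowed"
    if cfg["dlikehex"] and "like0x" in clean:
        return "hex literal after LIKE not allowed"
    for note in cfg["dnote"]:
        if note in clean:
            return f"comment token {note} not allowed"
    return None

if __name__ == "__main__":
    for q in ("SELECT * FROM pre_forum_post WHERE pid='1'",
              "SELECT 1 UNION SELECT 2,3",
              "SELECT * FROM pre_common_member -- tail"):
        print(q, "->", check_query(q))
```

A keyword filter of this kind is a defense-in-depth layer behind proper escaping and parameterized queries, not a replacement for them.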
Welcome to North America Net Backup Site (http://beimeilife.duckdns.org/) |
Powered by Discuz! X3.2 |