关于mod_security

发表于 2017-1-21 21:32

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。

您需要登录才可以下载或查看，没有帐号？注册

x

前一段发生403在保存前台，DIY时候，都是mod_security

后台保存站点广告，如果含有一定词汇，也会出现。

看到这里有，黏贴学习：

https://www.tipsandtricks-hq.com/apache-mod-security-update-how-to-fix-error-406-or-not-acceptable-issue-259

Apache Mod Security update, How to Fix ‘Error 406’ or ‘Not Acceptable’ issue: ~# L3 z# ~% ^! M
last updated: october 28, 2016
8 T! g' o2 U0 S; m1 R
Few weeks ago I started having “Not Acceptable! Error 406” on one of my WordPress sites when trying to save a post or a page. I kept getting the following message when trying to save a post.
1 g4 J2 g" X. P) s+ t l
( Z( V% C) A+ M# _" ^7 `
Not Acceptable
; j" i( t/ \3 p) ?
An appropriate representation of the requested resource /wp-admin/post.php could not be found on this server
" S' G8 E/ s# r$ n
( E, G6 W2 X7 [& r; G
I tried many fixes and nothing seemed to have helped getting rid of the issue. So I decided to reinstall WordPress (How to Uninstall and Reinstall WordPress). Even the reinstall didn’t help! Later I found out that the “Not acceptable! Error 406” occurs due to Mod Security updates on the server. So if you are having a similar problem then you can try one of the following methods to fix it.
2 I# J3 f/ g% k0 P5 ?
5 @' H7 k2 K. a7 [8 f% r, m
Solution 1 for Fixing 406 Error
" f/ _* _+ I2 _% v' M2 ]
$ A& z) B! y' D6 ~4 I
Backup your .htaccess file if you have one in the ‘wp-admin’ directory. Then make a ‘.htaccess’ file with the following content and upload it to ‘wp-admin’ directory.
3 A- z* ~% M: f L: k
# w0 D0 X% J! \3 T7 D, U
<IfModule mod_security.c>
$ m7 |, U" k( j
SecFilterEngine Off
. S: ^9 P2 K# s* [
SecFilterScanPOST Off0 s! O! W/ d; `( O% u" l
</IfModule>
& o' I V- ~& Y) y: a7 k1 Q1 q
You can use any text editor such as Notepad to create this file., u" Y% o8 @7 }4 b. F7 @6 x
$ M5 R8 q& n" w, ?
You will need to upload this .htaccedss file to your server. So if you don’t know how to upload a file to your server then check this tutorial on FTP.7 j M+ `4 ~; d& w
7 ^+ A; {7 T$ |' T
Solution 2 for Fixing 406 Error5 ]4 T( X2 O9 ?: E
! q' T1 w/ c' q/ b( X" F+ `
This is the solution that worked for me for my WordPress site.
( n- }# `( N9 d
* U6 Z: Z" U; y' j
Backup your .htaccess file if you have one in the public_html directory.2 p, v! D* c) I# e# `( N
. Y4 m: l, ], ^0 K% B _; d
Open the .htaccess file with any text editor and observe the lines between the “# BEGIN WordPress” and “# END WordPress” tags. Make sure the lines look somewhat like the following. If not then update the file with the following content and upload it to the ‘public_html’ directory.
" c" N6 H1 b- K/ h
; A* B" F+ W, f
# BEGIN WordPress
9 n L2 g: I5 @, d4 ~1 E" e+ T3 W
<IfModule mod_rewrite.c>
0 h$ M+ E6 J1 h- |0 ]
RewriteEngine On
0 c' w1 o# j5 n8 K
RewriteBase /$ w- t7 t, h( E+ I* b4 P
RewriteCond %{REQUEST_FILENAME} !-f1 X( k$ ~ u" q
RewriteCond %{REQUEST_FILENAME} !-d2 T' X; t7 t+ w; D8 O! t
RewriteRule . /index.php [L]* d+ z+ [6 _7 \( N
</IfModule>$ D! m5 G" d/ X. l
# END WordPress
, @5 {% p- I! ?( g) P9 o
Hopefully one of these solutions help fix your “Not Acceptable” error.
, l( @, E# O3 H
( M% [! d" s& @& k& i5 ~( u
Good luck!

复制代码

转载请保留当前帖子的链接：https://www.beimeilife.com/thread-41419-1-1.html 谢谢

发表于 2017-1-21 21:33

http://www.bkjia.com/dedecms/362281.html

最近论坛里很多朋友求救，说出现了这个问题，最近我也被这个问题困扰着。多谢Funkey朋友的办法，问题终于解决。

问题说明：

后台设置页面无法保存，出现如下500错误页面：

forbidden
You don't have permission to access /dede/sys_info.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache Server at www.******.com Port 80

问题一般出现在国外主机空间上【目前发现此问题的空间商有：Host1Plus，BlueHost，JustHost，Backy LLC】，dedecms 5.5 和 5.6 都会出现错误，可见是空间的问题，不是织梦的问题。

原因：
经过多方核实，可以确定，大多数的国外主机在配置 Apache 的时候启用了 mod_security ，也就是开启了安全检查，如果提交的信息中包含 select , % , bin 等关键字，Apache 就会禁止，并给出 403，404，500 等错误。

解决方法：
由于这个设置属于服务器级别的配置，如果是VPS用户，需要关闭 mod_security2 的检查（mod_security2.c）；而如果是虚拟空间用户的话需要联系客服协助修改。

操作办法：
（虚拟空间用户）如果是CP面板，选择 Submit ticket——Paid hosting support，告诉客服自己使用 DEDE_CMS，请求将 mod_security 设置为 disabled 即可正常使用。
英语不好的朋友，可以直接复制以下语句：
引用
I wanna use DEDE_CMS,So please change mod_security2.c settings to disable.

原文地址:http://www.bkjia.com/dedecms/362281.html

发表于 2017-1-22 11:46

XSS 防御设置 $_config['security']['urlxssdefend'] = true; // 自身 URL XSS 防御

CC 攻击防御

当你的站点发现被CC攻击时，你也可以在config中打开CC攻击防御,该防御有1/2/4/8四种防御方式，你除了可以配这四种外，还允许组合防御。例如：可以配成24,当配成24代表同时使用2跟4的两种防御攻击

$_config['security']['attackevasive'] = 0; // CC 攻击防御 1|2|4|8

SQL 安全性防御

$_config['security']['querysafe']['status'] = 1; // 是否开启SQL安全检测，可自动预防SQL注入攻击
0 H/ L! X, B7 [
$_config['security']['querysafe']['dfunction']['0'] = 'load_file';
6 q, s; d/ _2 |* ^5 G$ \
$_config['security']['querysafe']['dfunction']['1'] = 'hex';$ W2 w7 _2 M0 N' T- A. B% {
$_config['security']['querysafe']['dfunction']['2'] = 'substring';- @/ A. v# ^8 i6 w
$_config['security']['querysafe']['dfunction']['3'] = 'if';
' g9 j) Y2 X# e) {. X+ T8 n
$_config['security']['querysafe']['dfunction']['4'] = 'ord';+ n; ?( F% q* I3 n1 A/ x3 \" m! O$ Q
$_config['security']['querysafe']['dfunction']['5'] = 'char';
' V- {* q: o3 X6 G# n
$_config['security']['querysafe']['daction']['0'] = 'intooutfile';
8 t& d0 L: ^ y" ^; d$ { [
$_config['security']['querysafe']['daction']['1'] = 'intodumpfile';* ~: H1 B9 f6 H
$_config['security']['querysafe']['daction']['2'] = 'unionselect';! U9 R7 V1 G, m( o
$_config['security']['querysafe']['daction']['3'] = '(select';
4 `; a' l6 `/ E2 z6 a
$_config['security']['querysafe']['daction']['4'] = 'unionall';
3 |" J! H3 Q5 i! z
$_config['security']['querysafe']['daction']['5'] = 'uniondistinct';, V( w$ T) {8 D0 K
$_config['security']['querysafe']['dnote']['0'] = '/*';3 P+ q2 N, ?! h b8 h
$_config['security']['querysafe']['dnote']['1'] = '*/';6 d9 ~/ A6 K6 t' P
$_config['security']['querysafe']['dnote']['2'] = '#';
) R. l4 U5 w( s0 {
$_config['security']['querysafe']['dnote']['3'] = '--';9 p5 t q! G( ~( a
$_config['security']['querysafe']['dnote']['4'] = '"';
& Y, R8 P- ~1 F# Z
$_config['security']['querysafe']['dlikehex'] = 1;
! w$ ]! L% K# w `
$_config['security']['querysafe']['afullnote'] = '0';

复制代码

在上面内容是关于SQL的安全检查，在配置中只需要配置$_config['security']['querysafe']['status'] = 1;就可以，1代表开启/0代表关闭

创始人的设置

创始人的设置，当您的站点在线上运营时，建议至少设置一个创始人，创始人拥有站点管理后台的最高权限。

$_config['admincp']['founder'] = '1'; // 站点创始人：拥有站点管理后台的最高权限，每个站点可以设置 1名或多名创始人 // 可以使用uid，也可以使用用户名；多个创始人之间请使用逗号“,”分开;

安全问答

安全问答，可以在这里开启安全问答来限制管理员必须设置相应的安全问答，来增加该站点的管理帐号的安全性。建议开启

$_config['admincp']['forcesecques'] = 1;// 管理人员必须设置安全提问才能进入系统设置 0=否, 1=是[安全]

验证后台管理IP

验证后台管理IP,建议开启

$_config['admincp']['checkip'] = 1; // 后台管理操作是否验证管理员的 IP, 1=是[安全], 0=否。 //仅在管理员无法登陆后台时设置 0。

后台是否允许执行相关的MySQL操作

后台是否允许执行相关的MySQL操作,建议关闭。关闭后将无法直接在后台执行相关的SQL语句

$_config['admincp']['runquery'] = 0; // 是否允许后台运行 SQL 语句 1=是 0=否[安全]

后台恢复数据

后台恢复数据。定期备份是一个很好的习惯，在站点运营过程中，为了安全建议关闭后台恢复数据的功能，在你的站点确实需要进行数据恢复操作时再将此开关打开

$_config['admincp']['dbimport'] = 0; // 是否允许后台恢复论坛数据 1=是 0=否[安全]

http://bbs.zb7.com/discuz/dx25/safe/security/security_config.htm

关于mod_security

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。

你喜欢看

使用高级回帖 (可批量传图、插入视频等)快速回复

浏览过的版块