Apache2: Unterschied zwischen den Versionen

als Webserver verwenden wir Apache2 mit PHP4, mod_security, mod_deflate und ZendOptimizer

/etc/apache2/mods-avaible/mod-security.conf

<IfModule mod_security.c>

    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # Only allow bytes from this range
    SecFilterForceByteRange 1 255

    # The audit engine works independently and
    # can be turned On of Off on the per-server or
    # on the per-directory basis
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog /var/log/apache2/audit_log

    SecFilterDebugLog /var/log/apache2/modsec_debug_log
    SecFilterDebugLevel 0

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:406"
    # Prevent OS specific keywords
    SecFilter /etc/ password
    SecFilter /bin/ ls

    # Prevent path traversal (..) attacks
    SecFilter "\.\./"

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<( |\n)*script"

    # Prevent XSS atacks (HTML/Javascript injection)
    #SecFilter "<(.|\n)+>"
</IfModule>