Apache2
As our web server we use Apache2 with PHP4 and mod_security.
/etc/apache2/mods-available/mod-security.conf
<IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # Only allow bytes from this range
    SecFilterForceByteRange 1 255

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog /var/log/apache2/audit_log

    SecFilterDebugLog /var/log/apache2/modsec_debug_log
    SecFilterDebugLevel 0

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:406"

    # Prevent OS specific keywords
    SecFilter /etc/passwd
    SecFilter /bin/ls

    # Prevent path traversal (..) attacks
    SecFilter "\.\./"

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<( |\n)*script"

    # Prevent XSS attacks (HTML/Javascript injection)
    SecFilter "<(.|\n)+>"
</IfModule>
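
An added example, not part of the original page and not mod_security's own code: a simplified Python model of the encoding check, the byte-range check and the path traversal and XSS filters above, showing that the strict XSS filter also rejects harmless markup such as `<b>`. The function name `inspect`, the sample requests and the order in which checks run are assumptions; the real engine's normalization differs in detail.

```python
import re
from urllib.parse import unquote_to_bytes

# Filters copied from the SecFilter lines in the configuration above.
FILTERS = [
    ("path traversal", r"\.\./"),
    ("weak XSS", r"<( |\n)*script"),
    ("strict XSS", r"<(.|\n)+>"),
]
# A '%' that is not followed by two hex digits is invalid URL encoding.
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def inspect(uri, body="", strict_xss=True):
    """Return (status, reason) for one request in this simplified model."""
    for part in (uri, body):                      # SecFilterScanPOST On
        if BAD_ESCAPE.search(part):               # SecFilterCheckURLEncoding On
            return 406, "invalid URL encoding"
        decoded = unquote_to_bytes(part.replace("+", " "))
        if any(b < 1 for b in decoded):           # SecFilterForceByteRange 1 255
            return 406, "byte out of range"
        text = decoded.decode("latin-1")
        for name, pattern in FILTERS:
            if name == "strict XSS" and not strict_xss:
                continue                          # model the config without the last filter
            if re.search(pattern, text):
                return 406, name                  # SecFilterDefaultAction status:406
    return 200, "allowed"


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("/index.php?page=news", ""),
    ("/index.php?file=..%2F..%2Fconf", ""),
    ("/index.php?id=1%00", ""),
    ("/index.php?q=100%zz", ""),
    ("/comment.php", "text=%3Cb%3Ehello%3C%2Fb%3E"),
    ("/comment.php", "text=%3C%20script%3Ealert(1)"),
]

if __name__ == "__main__":
    for uri, body in SAMPLES:
        print(uri, body, inspect(uri, body), inspect(uri, body, strict_xss=False))
```

With `strict_xss=False` the comment containing `<b>hello</b>` is allowed while the `< script` payload is still denied, which is the trade-off the two XSS comments in the configuration describe.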