>>> What kind of restriction? Do you mean the root (/) of the
>>> file system, or the root of the web server?
> Yes, I meant the root of file system.
> With /boot I can block access to the /boot dir but I'm not sure
> how can I block the upper (root) dir.
>>> Both are possible. You don't need mod_security, mod_access
>>> (built-in) already supports that with Allow and Deny
> seems not possible.
> how can I block root system dir with deny directive?
# First you block everything
Deny from all
# Then allow what you want
Allow from all
The code above will tell the web server not to serve
files that are not in the /home/www subdirectory (/, /boot, whatever).
If you want a solution to prevent someone from exploiting a
vulnerable script and trick it into serving a file from the
root of the file system: the only real protection is to
chroot the web server or your scripts (if we are talking CGI,
use the safe mode for PHP).
ModSecurity can scan parameters for suspicious strings but it's
not foolproof. It needs something distinctive to act upon. For
example, protecting "/boot" is easy. But the root "/" - not simple.
[ Open source IDS for Web applications ]