From: Timothy Legge <tlegge@ro...> - 2006-09-13 14:03:00
I have implemented mod_security and it works great, it
allowed me to pass a security scan that otherwise
brought down apache.
However, I have one issue that I tried for hours to
The scan of our server showed that .htaccess files
were publicly accessible. However, we have them
correctly denied in httpd.conf and in fact we DO NOT
have any .htaccess files on the server.
Our Apache configuration actually overrides the
default 403 error message and sends the user (and the
scan) a pretty error page. The scan just sees a page
and believes that it is the .htaccess file it asked
I thought I could override the error with:
SecFilter "^\.ht" "log,deny"
However, it looks like my rule is either not getting
triggered or mod_security is telling apache to return
the normal "pretty" error code.
Is there a way to reject this and return the default
1) https connection
2) mod_security as loadable module
3) using the default modsecurity-hardening.conf with
the following changes:
1. Change SecFilterForceByteRange 32 126
2. Change SecFilterDefaultAction
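Added example, not code from Timothy's post or from mod_security: a small Python check that requests /.htaccess with redirect-following disabled and classifies the single response the way a scanner would read it, so you can see whether the finding is a real exposure or a custom error page answered with the wrong status. The URL, the marker directives and the verdict labels are assumptions.

```python
"""Probe a server for the .htaccess symptom described above.

Constructed check: ask for /.htaccess WITHOUT following redirects and
classify the one response. Hostname, marker directives and verdict
labels are assumptions, not anything from the post.
"""
import re
import urllib.error
import urllib.request

# Directives that would only appear in a genuine .htaccess file.
HTACCESS_MARKERS = re.compile(
    r"^\s*(AuthType|AuthUserFile|Require|RewriteRule|Deny from)\b",
    re.IGNORECASE | re.MULTILINE)


def classify(status, headers, body):
    """Verdict for a single, redirect-less HTTP response."""
    if status in (401, 403, 404):
        return "denied"                    # what a scanner should see
    if 300 <= status < 400:
        # Apache answers with a redirect (not a 403) when ErrorDocument
        # names a full URL; a scanner that follows it then sees a 200.
        return "redirect:%s" % headers.get("Location", "?")
    if status == 200 and HTACCESS_MARKERS.search(body):
        return "exposed"                   # real .htaccess content served
    if status == 200:
        return "custom-page-200"           # pretty error page, wrong status
    return "other:%d" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None                        # surface 3xx as HTTPError instead


def probe(url):
    """Fetch url once and return the classify() verdict."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify(resp.status, resp.headers, body)
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        return classify(err.code, err.headers, body)


if __name__ == "__main__":
    # Placeholder host; point this at your own server.
    print(probe("https://www.example.com/.htaccess"))
```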