Thread: [mod-security-users] Restriction to / dir
From: Tkachenko A. [AlexAT] <al...@tk...> - 2003-12-25 10:27:55
Peace be with you,

Is it possible to set restriction to the / dir ?
How?

And how to set both / and without / sections (like SecFilter /boot,
SecFilter /boot/) in this case?

Thank you!..

-----
Regards,
Alex A. Tkachenko

From: Ivan R. <iv...@we...> - 2003-12-30 00:12:02
Tkachenko Alexei [AlexAT] wrote:
>
> Is it possible to set restriction to the / dir ?
> How?

What kind of restriction? Do you mean the root (/) of the
file system, or the root of the web server?

Both are possible. You don't need mod_security, mod_access
(built-in) already supports that with Allow and Deny
directives.

> And how to set both / and without / sections (like SecFilter /boot,
> SecFilter /boot/) in this case?

If I understand what you're asking then this should probably
do it:

    SecFilter "/boot/?"

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

From: Tkachenko A. <al...@tk...> - 2003-12-30 10:22:46
Peace be with you,

>> What kind of restriction? Do you mean the root (/) of the
>> file system, or the root of the web server?

Yes, I meant the root of file system.
With /boot I can block access to the /boot dir but I'm not sure
how can I block the upper (root) dir.

>> Both are possible. You don't need mod_security, mod_access
>> (built-in) already supports that with Allow and Deny
>> directives.

seems not possible.
how can I block root system dir with deny directive?

>> If I understand what you're asking then this should probably
>> do it:
>>
>> SecFilter "/boot/?"

Yes, something like this but I need solution for upper - root dir.
Is it just SecFilter "/" ?

-----
Regards,
Alex A. Tkachenko

From: Ivan R. <iv...@we...> - 2004-01-05 23:11:53
>>> What kind of restriction? Do you mean the root (/) of the
>>> file system, or the root of the web server?
>
>
> Yes, I meant the root of file system.
> With /boot I can block access to the /boot dir but I'm not sure
> how can I block the upper (root) dir.
>
>
>>> Both are possible. You don't need mod_security, mod_access
>>> (built-in) already supports that with Allow and Deny
>>> directives.
>
>
> seems not possible.
> how can I block root system dir with deny directive?

Like this:

    # First you block everything
    <Directory />
        Order Deny,Allow
        Deny from all
    </Directory>

    # Then allow what you want
    <Directory /home/www>
        Order Deny,Allow
        Allow from all
    </Directory>

The code above will tell the web server not to serve files
that are not in the /home/www subdirectory (/, /boot, whatever).

If you want a solution to prevent someone from exploiting a
vulnerable script and tricking it into serving a file from the root
of the file system: the only real protection is to chroot the
web server or your scripts (if we are talking CGI, use the
safe mode for PHP).

ModSecurity can scan parameters for suspicious strings but
it's not foolproof. It needs something distinctive to act upon.
For example, protecting "/boot" is easy. But the root "/" - not
simple.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
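
The point made in the last message, as an added example that is not part of the original thread and is not ModSecurity code: it runs the two filter patterns over constructed parameter values to show why "/" has nothing distinctive to match on, and applies the same deny-all-then-allow-/home/www policy as a path check inside a script. Python's `re` only approximates SecFilter matching, and `filter_hits`, `is_servable` and the sample values are hypothetical names and data.

```python
import posixpath
import re

# Filter from the thread, approximated with Python's re (assumption).
BOOT_FILTER = re.compile(r"/boot/?")
# The bare "root" filter asked about in the thread.
ROOT_FILTER = re.compile(r"/")

# Mirrors the <Directory> policy in the thread: deny everything, allow /home/www.
ALLOWED_ROOT = "/home/www"

# Constructed request parameter values (not captured traffic).
SAMPLE_PARAMS = [
    "docs/manual/index.html",   # benign relative path
    "http://example.com/page",  # benign URL passed as a parameter
    "/boot/grub/menu.lst",      # what the /boot filter is meant to catch
    "2003/12/25",               # benign date
    "report.txt",               # benign, no slash at all
]


def filter_hits(pattern, values):
    """Return the values a SecFilter-style pattern would flag."""
    return [v for v in values if pattern.search(v)]


def is_servable(requested, base=ALLOWED_ROOT):
    """Canonicalise the path a script is about to open and require it under base.

    Lexical check only: on a real file system, resolve symlinks first
    (for example with os.path.realpath) before comparing.
    """
    joined = posixpath.join(base, requested)  # an absolute 'requested' replaces base
    resolved = posixpath.normpath(joined)     # collapses '.', '..' and repeated '/'
    return resolved == base or resolved.startswith(base + "/")


if __name__ == "__main__":
    print("/boot/? flags:", filter_hits(BOOT_FILTER, SAMPLE_PARAMS))
    print("/ flags:      ", filter_hits(ROOT_FILTER, SAMPLE_PARAMS))
    for p in SAMPLE_PARAMS:
        print(f"{p!r:28} servable={is_servable(p)}")
```

The "/" pattern flags four of the five values, three of them benign, while the path check decides on where the canonical path ends up rather than on which characters the parameter contains.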