I just installed the latest mod_security on CentOS, and I noticed the generic attacks conf file blocks the use of awstats. I'd rather not disable this conf, because it's the one I actually care about the most (being a forum-based site). Is there any way to make an exception for awstats.pl? It gives me a: 501 Method Not Implemented. GET to /awstats/awstats.pl not supported. I'm not too concerned with it because I have an IP ban and also password protection on this directory, and it's located on a different IP/domain. I'm pretty much up to date on everything.

Also, can I place directives like SecFilterSelective directly in httpd.conf? I care a lot about security, as my server gets hit a lot, but I don't want measures that will create too many false positives or obstruct my users. Which are the most important rule sets to include with mod_security?

...and while I'm at it, any good ways of preventing DDoS attacks? For instance, limiting max bandwidth and connections per IP (barring images etc.). I can't find any up-to-date and well documented/supported modules that allow this. I'm also afraid of blocking AOL users etc. I've been DoS attacked a couple of times recently. I would also like something for bandwidth because I'm using almost 50 GB a day and don't want to pay through the nose for overages at the end of the month.