Hi to all, I have maybe stupid question, but I'm a little bit confused and would like to hear your suggestions. I've installed mod_security following HowTo http://www.howtoforge.com/apache_mod_security, and the entries I choose are here: Code: <IfModule mod_security.c> # Turn the filtering engine On or Off SecFilterEngine On # Make sure that URL encoding is valid SecFilterCheckURLEncoding On # Unicode encoding check SecFilterCheckUnicodeEncoding Off # Only allow bytes from this range SecFilterForceByteRange 0 255 # Only log suspicious requests SecAuditEngine RelevantOnly # The name of the audit log file SecAuditLog /var/log/apache2/audit_log # Debug level set to a minimum SecFilterDebugLog /var/log/apache2/modsec_debug_log SecFilterDebugLevel 0 # Should mod_security inspect POST payloads SecFilterScanPOST On # Reject requests with status 403 SecFilterDefaultAction "deny,log,status:403" #To prevent more SQL injection attacks, we can add a few other rules SecFilter "delete[[:space:]]+from" SecFilter "insert[[:space:]]+into" SecFilter "select.+from" SecFilter "drop[[:space:]]table" #The following directives help to prevent cross-site scripting attacks: SecFilter "<script" SecFilter "<.+>" #This one is for preventing path traversal attacks: SecFilter "../" SecFilter /bin/sh #This rule requires HTTP_USER_AGENT and HTTP_HOST headers in every request: SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" #mod_security also allows your Apache to pretend it's another web server SecServerSignature "Microsoft-IIS/5.0" SecUploadDir /tmp SecUploadKeepFiles Off # Only accept request encodings we know how to handle # we exclude GET requests from this because some (automated) # clients supply "text/html" as Content-Type SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain SecFilterSelective HTTP_Content-Type \ "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" # Do not accept GET or HEAD requests with bodies SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain SecFilterSelective HTTP_Content-Length "!^$" # Require Content-Length to be provided with # every POST request SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" # Don't accept transfer encodings we know we don't handle SecFilterSelective HTTP_Transfer-Encoding "!^$" </IfModule> And now all the URL's without explicit link to some file (for example www.domain.com) end with Error 403, as this is default action I've selected. But which rule does trigger this action? I'm suspicious at : SecFilter "../"?? And if yes, what is the alternative? Thanks for your toughts!