[WEB SECURITY] apache issue

Ryan Barnett rcbarnett at gmail.com
Tue Jun 7 12:11:01 EDT 2005


Anita,
A few questions for you:
1) Did you verify that you have the mod_access module enabled?  Either
execute "# /usr/local/bin/httpd -l" and search for the module or grep
for "LoadModule" directives in your httpd.conf file if you are using
DSOs.

2) Are you using VirtualHosts?  If so, you will need to apply access
control directives to each VirtualHost container.

3) If you want to use a default "deny" rule directive (meaning
allowing access to only a few individuals), you should switch your
Order directive to this -
Order allow,deny

This directive ordering configures Apache so that if there is no
specific "allow" or "deny" match, then the client will be denied.

Hope this helps.

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC


On 6/7/05, Anita Salerno <anita.salerno at talk21.com> wrote:
> Hello,
> I'm using Apache/2.0.52. I've copied the configuration file of the previous
> Apache version, as I do when upgrading to a new version of Apache (I configure
> only the new httpd.conf manually), and now the problem is that none of the
> security measures work, I'm bypassing all of them (.htaccess and IP list
> specification).
> When I'm desperate, I've configured the access file as follows:
> Order Deny,Allow
> Deny from all
> 
> and I still have access to the web site.
> 
> Any idea ?

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
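
Added example (not part of the original thread and not Apache's own code): a simplified Python model of how mod_access combines Order, Allow and Deny, covering the Deny,Allow rules from the question and the default-deny behaviour of "Order allow,deny" described in the reply. The function names and client addresses are constructed for illustration; only "all", single IPs and CIDR blocks are modelled.

```python
"""Simplified model of Apache 2.0 mod_access Order/Allow/Deny evaluation.

Added illustration, not Apache source code. Only "all", single IPs and
CIDR blocks are modelled; hostnames, partial IPs and env= are left out.
"""
import ipaddress


def _matches(client_ip, specs):
    """True if client_ip matches any 'Allow from' / 'Deny from' spec."""
    addr = ipaddress.ip_address(client_ip)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def access_allowed(order, allow, deny, client_ip):
    """Return True if the client is let through, False if it gets a 403."""
    order = order.replace(" ", "").lower()
    allowed_hit = _matches(client_ip, allow)
    denied_hit = _matches(client_ip, deny)
    if order == "allow,deny":
        # Default deny: Allow is evaluated first, a Deny match overrides it.
        return allowed_hit and not denied_hit
    if order == "deny,allow":
        # Default allow: Deny is evaluated first, an Allow match overrides it.
        return allowed_hit or not denied_hit
    raise ValueError("unsupported Order value: %r" % order)


# Constructed sample clients (documentation address ranges).
ADMIN, STRANGER = "192.0.2.10", "203.0.113.7"
ALLOWLIST = ["192.0.2.0/28"]


def demo():
    return {
        # Rules from the question (Deny,Allow + Deny from all): refused.
        "question_rules": access_allowed("Deny,Allow", [], ["all"], STRANGER),
        # Order allow,deny with one Allow line: default deny plus allowlist.
        "allowlist_admin": access_allowed("allow,deny", ALLOWLIST, [], ADMIN),
        "allowlist_stranger": access_allowed("allow,deny", ALLOWLIST, [], STRANGER),
        # Same Allow line under Deny,Allow with no Deny line: nobody blocked.
        "deny_allow_no_deny": access_allowed("Deny,Allow", ALLOWLIST, [], STRANGER),
    }
```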


