Looks good to me, you could even let go of the attack logs if you don't want them and just filter them out of the normal log.
Questions: Would this also work with error logs? Would this also work with a one-log-for-every-virtualhost setup? Should I put the SetEnvIf lines in a general place, or per virtual host? The <Location /> might interfere with other security-related lines?

I'll give it a try if I have some time.

Jelmer

> #CustomLog /var/log/httpd/access_log combined #<====== line to disable
> #
> # CodeRed and Nimda in separate logfile
> #
> SetEnvIf Request_URI "^/default.ida(.*)$" code_red_attacks attacks
> SetEnvIf Request_URI "root\.exe(.*)$" nimda_attacks attacks
> SetEnvIf Request_URI "cmd\.exe(.*)$" nimda_attacks attacks
>
> CustomLog /var/log/httpd/codered.log common env=code_red_attacks
> CustomLog /var/log/httpd/nimda.log common env=nimda_attacks
> CustomLog /var/log/httpd/access_log common env=!attacks
>
> <Location />
> Order Allow,Deny
> Allow from all
> Deny from env=attacks
> ErrorDocument 403 "
> </Location>

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
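
A sketch of the one-log-per-virtual-host layout asked about above, as an added example that is not part of the original message. The ServerName values, the `*:80` address and the log file names are assumptions; the SetEnvIf patterns follow the quoted configuration, with the dot in `default.ida` escaped.

```apache
# Added example, not from the thread. ServerName values, the *:80 address
# and the log paths are placeholders; use the ones from the existing
# virtual host definitions.

# Server config, outside any <VirtualHost>: the patterns are written once
# and mod_setenvif merges them into every virtual host.
SetEnvIf Request_URI "^/default\.ida" code_red_attacks attacks
SetEnvIf Request_URI "root\.exe"      nimda_attacks    attacks
SetEnvIf Request_URI "cmd\.exe"       nimda_attacks    attacks

<VirtualHost *:80>
    ServerName www.example.com
    # A virtual host that declares its own CustomLog does not write to the
    # server-level access logs, so the filtered log and the attack log are
    # both declared here.
    CustomLog /var/log/httpd/www.example.com-access_log combined env=!attacks
    CustomLog /var/log/httpd/www.example.com-attacks_log common env=attacks
    # ErrorLog takes no env= condition, so it cannot be filtered this way.
    ErrorLog /var/log/httpd/www.example.com-error_log
</VirtualHost>

<VirtualHost *:80>
    ServerName shop.example.com
    # Variant from the first paragraph of the reply: no attack log at all,
    # the worm probes are only filtered out of the normal log.
    CustomLog /var/log/httpd/shop.example.com-access_log combined env=!attacks
    ErrorLog /var/log/httpd/shop.example.com-error_log
</VirtualHost>
```

After a reload, a request for `/default.ida` against the first host should appear only in its attacks log, and against the second host in no access log.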
