If mod_security is installed on a RHEL box, what would be the indication that it is running and installed correctly?
All I have is one line in my http.conf that points to modsec.conf, which is zero bytes long.
xenneo
Nov 16 2005, 01:40 AM
Try to do something that violates the rules you laid out, like in a PHP include:
http://mycoolserver.com/index.php?page=uname -a
That should be banned and should bring you to a 406 Unacceptable page.
SuperBaby
Nov 17 2005, 02:02 PM
If you have a contact form on your website, try sending a message with the word ".htaccess" (with the dot in front). It should give you an error when you click Submit.
I tried both of your suggestions. I created a php file containing:
<?
include ("http://www.mydomain.com/index.php?page=uname -a");
?>
And it loaded the remote page.
Also tried submitting a form using .htaccess as one of the entered lines in the text box, and it processed just fine.
When the firm I hired installed mod_security, it wasn't done right the first time. Now it looks like it may still be screwed up....
After running more tests, it looks like it was running; it just perhaps needs more rules added. I tested it like this:
Type the following in browser:
http://www.mydomain.com/~root/NonExistent.html
... and got 403 Forbidden page. /var/log/httpd/audit_log is logging hack attempts, including the one I just tried.
budway
Nov 25 2005, 07:30 AM
Go easy on each rule, as it will block your server access.... and cause problems.
Always keep an eye on the audit_log when you insert a new rule.
Good luck!
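
The checks discussed in this thread, collected as an added example that is not part of any poster's message: it classifies the included config file (a zero-byte modsec.conf loads without error but filters nothing), tests a probe's HTTP status against the 403/406 responses reported above, and confirms the probe reached the audit log. The function names and the config path are assumptions; the directive names cover both mod_security 1.x (SecFilterEngine, SecFilter) and 2.x (SecRuleEngine, SecRule).

```shell
#!/bin/sh
# Added example: function names and the config path are illustrative, not from the thread.

# Classify a mod_security include file.
# Prints: missing | empty | not-blocking | no-rules | ok
modsec_conf_status() {
    conf="$1"
    [ -f "$conf" ] || { echo missing; return; }
    # A zero-byte include loads without error but configures nothing.
    [ -s "$conf" ] || { echo empty; return; }
    # Engine switch: SecFilterEngine (1.x) or SecRuleEngine (2.x).
    # Off, DetectionOnly or no directive at all means nothing gets blocked.
    # Commented-out lines do not match because of the ^ anchor.
    grep -Eiq '^[[:space:]]*Sec(Filter|Rule)Engine[[:space:]]+(On|DynamicOnly)' "$conf" \
        || { echo not-blocking; return; }
    # At least one rule: SecFilter / SecFilterSelective (1.x) or SecRule (2.x).
    # Rules pulled in through a nested Include are not followed here.
    grep -Eiq '^[[:space:]]*(SecFilter|SecFilterSelective|SecRule)[[:space:]]' "$conf" \
        || { echo no-rules; return; }
    echo ok
}

# Succeeds when the HTTP status is one the thread reports for a blocked request.
probe_blocked() {
    case "$1" in
        403|406) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeeds when the audit log contains the probed path (fixed-string match).
audit_logged() {
    grep -Fq -- "$2" "$1"
}

# Live use on the server (config path is a placeholder; URL and log path are from the thread):
#   modsec_conf_status /path/to/modsec.conf
#   code=$(curl -s -o /dev/null -w '%{http_code}' 'http://www.mydomain.com/~root/NonExistent.html')
#   probe_blocked "$code" && audit_logged /var/log/httpd/audit_log '/~root/NonExistent.html'
```

A result of "ok" together with a blocked probe and a matching audit_log entry is the positive indication the original question asks for; any other combination points at the config file or the rule set.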