<title>Watching Your Logs</title>
- <p>To keep up-to-date with what is actually going on against your server
- you have to check the <a href="../logs.html">Log Files</a>. Even though
- the log files only reports what has already happened, they will give you
- some understanding of what attacks is thrown against the server and
- allow you to check if the necessary level of security is present.</p>
+ <p>To keep up to date with what is actually going on against your
+ server, check the <a href="../logs.html">Log Files</a> regularly.
+ Log files only report what has already happened, but they help you
+ understand what attacks are being attempted and whether your security
+ configuration is effective.</p>
<p>A couple of examples:</p>
- <example>
- grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log <br />
- grep "client denied" error_log | tail -n 10
- </example>
-
- <p>The first example will list the number of attacks trying to exploit the
- <a href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat
- Source.JSP Malformed Request Information Disclosure Vulnerability</a>,
- the second example will list the ten last denied clients, for example:</p>
-
- <example>
- [Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied
- by server configuration: /usr/local/apache/htdocs/.htpasswd
- </example>
+ <highlight language="sh">
+grep -c "\.\.\/" access_log
+grep "client denied" error_log | tail -n 10
+ </highlight>
- <p>As you can see, the log files only report what already has happened, so
- if the client had been able to access the <code>.htpasswd</code> file you
- would have seen something similar to:</p>
+ <p>The first example counts requests that contain path traversal
+ sequences — a common sign of probing for vulnerabilities. The second
+ lists the ten most recent denied clients, for example:</p>
<example>
- foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"
+ [Mon Apr 14 09:42:03.817295 2026] [authz_core:error] [pid 1234:tid 5678]
+ [client 192.168.1.100:54312] AH01630: client denied by server configuration:
+ /usr/local/apache2/htdocs/.env
</example>
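Review bot: The pattern in the added `grep -c "\.\.\/" access_log` line escapes `/`, which is not special in grep's basic regular expressions; POSIX leaves a backslash before an ordinary character undefined, so the escape should go. `grep -c -F "../" access_log` or `grep -c '\.\./' access_log` matches the same text portably. The pattern also counts only the literal `../` form, so a request that sends the sequence percent-encoded (such as `%2e%2e%2f`) is not counted. The added paragraph that describes this as counting "requests that contain path traversal sequences" should say so, or the example should match both forms.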
- <p>in your <a href="../logs.html#accesslog">Access Log</a>. This means
- you probably commented out the following in your server configuration
- file:</p>
+ <p>As you can see, the log files only report what already has happened.
+ If the client had been able to access the <code>.env</code> file, you
+ would instead see a <code>200</code> response in your
+ <a href="../logs.html#accesslog">Access Log</a> — which means your
+ server configuration needs tightening. Make sure you deny access to
+ sensitive files:</p>
<highlight language="config">
-<Files ".ht*">
+<FilesMatch "^\.(?!well-known)">
Require all denied
-</Files>
+</FilesMatch>
</highlight>
</section>
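Review bot: `<FilesMatch "^\.(?!well-known)">` is matched against the file name only, not the path, so the `(?!well-known)` lookahead does not do what it appears to. Files under a `.well-known/` directory do not have names starting with a dot and were never matched by `^\.`, while the lookahead does exempt any file whose own name starts with `.well-known`, including something like `.well-known.bak`. For the same reason this block does not deny files that sit inside a directory whose name begins with a dot, which the sentence "Make sure you deny access to sensitive files" may lead readers to assume. Suggest `<FilesMatch "^\.">` here and, if dot-directories are meant to be covered, a separate `<DirectoryMatch>` rule that carries the `.well-known` exception. Separately, the added paragraph tells the reader to look for a `200` response in the access log, but the sample access log line was removed by this change and nothing replaces it. It also repeats "log files only report what already has happened", which the rewritten opening paragraph already states.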