From: Rich Bowen <rbowen@apache.org>
Date: Tue, 28 Apr 2026 13:19:04 +0000 (+0000)
Subject: Replace an example using an attack from ancient history with something
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8be6f4eabf5d75a84647c67be335e2b0396faa23;p=thirdparty%2Fapache%2Fhttpd.git

Replace an example using an attack from ancient history with something
more timely.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933420 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/misc/security_tips.xml b/docs/manual/misc/security_tips.xml
index 65e31d5005..6e47dc3183 100644
--- a/docs/manual/misc/security_tips.xml
+++ b/docs/manual/misc/security_tips.xml
@@ -404,45 +404,40 @@ UserDir disabled root
 
     <title>Watching Your Logs</title>
 
-    <p>To keep up-to-date with what is actually going on against your server
-    you have to check the <a href="../logs.html">Log Files</a>.  Even though
-    the log files only reports what has already happened, they will give you
-    some understanding of what attacks is thrown against the server and
-    allow you to check if the necessary level of security is present.</p>
+    <p>To keep up to date with what is actually going on against your
+    server, check the <a href="../logs.html">Log Files</a> regularly.
+    Log files only report what has already happened, but they help you
+    understand what attacks are being attempted and whether your security
+    configuration is effective.</p>
 
     <p>A couple of examples:</p>
 
-    <example>
-      grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log <br />
-      grep "client denied" error_log | tail -n 10
-    </example>
-
-    <p>The first example will list the number of attacks trying to exploit the
-    <a href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat
-    Source.JSP Malformed Request Information Disclosure Vulnerability</a>,
-    the second example will list the ten last denied clients, for example:</p>
-
-    <example>
-      [Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied
-      by server configuration: /usr/local/apache/htdocs/.htpasswd
-    </example>
+    <highlight language="sh">
+grep -c "\.\.\/" access_log
+grep "client denied" error_log | tail -n 10
+    </highlight>
 
-    <p>As you can see, the log files only report what already has happened, so
-    if the client had been able to access the <code>.htpasswd</code> file you
-    would have seen something similar to:</p>
+    <p>The first example counts requests that contain path traversal
+    sequences — a common sign of probing for vulnerabilities. The second
+    lists the ten most recent denied clients, for example:</p>
 
     <example>
-      foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"
+      [Mon Apr 14 09:42:03.817295 2026] [authz_core:error] [pid 1234:tid 5678]
+      [client 192.168.1.100:54312] AH01630: client denied by server configuration:
+      /usr/local/apache2/htdocs/.env
     </example>
 
-    <p>in your <a href="../logs.html#accesslog">Access Log</a>. This means
-    you probably commented out the following in your server configuration
-    file:</p>
+    <p>As you can see, the log files only report what already has happened.
+    If the client had been able to access the <code>.env</code> file, you
+    would instead see a <code>200</code> response in your
+    <a href="../logs.html#accesslog">Access Log</a> — which means your
+    server configuration needs tightening. Make sure you deny access to
+    sensitive files:</p>
 
     <highlight language="config">
-&lt;Files ".ht*"&gt;
+&lt;FilesMatch "^\.(?!well-known)"&gt;
     Require all denied
-&lt;/Files&gt;
+&lt;/FilesMatch&gt;
     </highlight>
 
   </section>