Hi. We are using ISPConfig 3.2.8p1 in our company for self-hosted services and have outsourced pentests performed regularly. According to the last 3 pentests, ISPConfig passed almost all tests, kudos to the developers. The thing is, there is one subject that comes up in all tests. The issue is that the following URLs return Apache's page or list the directory contents (screenshots attached):
https://anydomainonispconfig.com/manual/style/
https://anydomainonispconfig.com/manual/style/css/
https://anydomainonispconfig.com/manual/style/scripts/
https://anydomainonispconfig.com/manual/images/
https://anydomainonispconfig.com/manual/style/latex/
Is it possible to disable these pages and Apache's own directory listing?
For blocking directory listings, put
Code:
Options -Indexes +FollowSymLinks
in /etc/apache2/apache2.conf. As far as I'm concerned, blocking Apache from allowing directory listings should be done globally, and should be the default. I guess /manual is now what's used instead of the old /docs path. I had that come up as an issue all the time when trying to get PCI compliance tested. I believe the auto-install (and the manual perfect server install) shows the Apache docs getting installed. Removing / purging the apache2-docs package should clear that.
Actually, we set it in the ISPConfig vhost template incorrectly/insecurely:
Code:
Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
@till any reason not to change this? @Sheshman any other feedback from the pentests?
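The two posts above give the global fix (`Options -Indexes` in apache2.conf) and the per-site template line that re-enables listings. The script below is an added example, not ISPConfig's own code or template: it audits a config fragment for `Options` lines that enable `Indexes`, rewrites them to `-Indexes` while leaving the other options alone, and includes a check for a fetched page body that looks like a mod_autoindex listing. The sample vhost text, its paths and the function names are constructed for the demo; the real ISPConfig template location is not assumed.

```shell
#!/bin/sh
# Added example (not ISPConfig's own code): audit Apache config fragments for
# directory listing enabled via "Options ... Indexes" and emit the hardened
# form. SAMPLE_VHOST and its paths are constructed for this demo.
set -eu

# Constructed sample: one vhost with the insecure Options line from the
# thread, one already hardened, and one using the plain "Indexes" form.
SAMPLE_VHOST=$(cat <<'EOF'
<Directory /var/www/clients/client1/web1/web>
    Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
    AllowOverride All
</Directory>
<Directory /var/www/clients/client1/web2/web>
    Options -Indexes +FollowSymLinks
</Directory>
<Directory /usr/share/doc/apache2-doc/manual>
    Options Indexes FollowSymLinks
</Directory>
EOF
)

# Print every Options line that enables Indexes ("Indexes" or "+Indexes",
# never "-Indexes"), prefixed with its line number. Always exits 0 so it is
# safe under set -e; callers inspect the output.
audit_indexes() {
    grep -nE '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?Indexes([[:space:]]|$)' "$1" || true
}

# Number of offending lines in a file (handy for scripts and CI checks).
count_open_indexes() {
    audit_indexes "$1" | wc -l | tr -d ' '
}

# Rewrite "Indexes"/"+Indexes" to "-Indexes" on Options lines only, keeping
# every other option (FollowSymLinks, MultiViews, ExecCGI, ...) untouched.
harden_indexes() {
    sed -E 's/^([[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+)[+]?Indexes([[:space:]]|$)/\1-Indexes\3/' "$1"
}

# Heuristic check on a fetched page body: mod_autoindex listings carry an
# "Index of /..." title. Returns 0 when the file looks like a listing.
# Typical use (not run here): curl -s "$url" -o body.html; looks_like_listing body.html
looks_like_listing() {
    grep -qi '<title>Index of /' "$1"
}

# Demo run on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_VHOST" > "$tmp"
echo "Offending Options lines before hardening:"
audit_indexes "$tmp"
harden_indexes "$tmp" > "$tmp.fixed"
echo "Offending Options lines after hardening: $(count_open_indexes "$tmp.fixed")"
rm -f "$tmp" "$tmp.fixed"
```

Apache merges `Options` per directory, so a `+Indexes` in a site's `<Directory>` block re-enables listings even when apache2.conf says `-Indexes`; that is why the generated vhosts (and any .htaccess allowed by `AllowOverride`) need auditing, not just the global file. Run `apachectl configtest` after any rewrite before reloading.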
I'm unaware of any, except that some users will likely complain, as happens after any change of defaults. Indexes should indeed be off by default, in my opinion.
3 different tester companies have performed tests since we added ISPConfig to the test list; none of them could find any problem in ISPConfig itself, they just found some old jQuery versions and XSS vulnerabilities on websites that run on ISPConfig. Just one tester company reported an old Apache2 version, and I've updated ISPConfig, so I think it's fixed. I'll disable directory listing on Apache and delete the Apache documents; I'll let you know if any vulnerability is reported in the confirmation tests.
I don't know about penetration tests; I know that for PCI compliance they checked for the /phpmyadmin path in URLs and automatically failed PCI compliance with that. Changing it to something else (I just used /dbadmin) and PCI compliance testing was perfectly fine with that, with no difference in the actual existence of phpMyAdmin itself.
Oh, you are right, I forgot to mention: the Turkish Internet Security Ministry regularly scans companies' open services. We got a warning letter about 1 month after we started to use ISPConfig; they sent a letter saying they had discovered phpMyAdmin and port 80 broadcasting on our server and ordered us to switch to 443 only and disable phpMyAdmin. So now all of our services are served on 443 only, and we've disabled phpMyAdmin with:
Code:
sudo a2disconf phpmyadmin.conf
sudo /etc/init.d/apache2 restart