How to disable/hide Apache's own web files

Discussion in 'HOWTO-Related Questions' started by Sheshman, Jan 31, 2023.

  1. Sheshman

    Sheshman Member

    Hi,

    Using ISPConfig 3.2.8p1 in our company for self hosted services and performing outsourced pentests regularly, according to last 3 pentest ispconfig passed almost all tests, kudos to developers :)

    Thing is, there is an subject comes up in all tests, the issue is;
    https://anydomainonispconfig.com/manual/style/
    https://anydomainonispconfig.com/manual/style/css/
    https://anydomainonispconfig.com/manual/style/scripts/
    https://anydomainonispconfig.com/manual/images/
    https://anydomainonispconfig.com/manual/style/latex/
    returns apache's page or listing directory content, screenshots as attached, is it possible to disable these pages and apache's own directory listing?
     

    Attached Files:

    • 002.png
      002.png
      File size:
      42.9 KB
      Views:
      27
    • 003.png
      003.png
      File size:
      23.2 KB
      Views:
      24
    • 004.png
      004.png
      File size:
      123.7 KB
      Views:
      24
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    for blocking directory listings put
    Code:
    Options -Indexes +FollowSymLinks
    
    in /etc/apache2/apache2.conf

    as far as i'm concerned, blocking apache allowing directory listings should be done globally, and should be the default.

    i guess the /manual is now what's used instead of the old /docs path..
    had that come up as an issue all the time when trying to get PCI compliance tested... i believe the auto-install (and the manual perfect server install) shows the apache docs gettings installed... removing / purging the apache2-docs package should clear that.
     
    Sheshman and ahrasis like this.
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Actually, we set it in the ISPConfig vhost template incorrectly/insecurely:
    Code:
    Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
    @till any reason not to change this?

    @Sheshman any other feedback from the pentests?
     
    till, onastvar and ahrasis like this.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I'm unaware of any, except some users will likely complain as it happens after any change of defaults :) Indexes should indeed be off by default, in my opinion.
     
  5. Sheshman

    Sheshman Member

    3 different tester company performed since we add ispconfig to the test list, non of them couldn't find any problem on ispconfig's itself, just found some old jquery versions, XSS vulenrabilities on websites runs on ispconfig, just one tester company reported old apache2 version and i've updated the ispconfig i think it's fixed.

    I'll disable directory listing on apache and delete apache documents,i'll let you know if there would be any reported vulenrability on confirmation tests.
     
  6. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    don't know about on penetration tests, i know for PCI compliance, they checked for the /phpmyadin path on urls..
    automatically failed PCI compliance with that.. changing to something else ( i just used /dbadmin ) and PCI compliance testing was perfectly fine with that, no difference on the actual existence of phpmyadmin itself.
     
    Sheshman likes this.
  7. Sheshman

    Sheshman Member

    Oh you are right i forgot to mention, Turkish Internet Security Ministry regularly scanning the companys open services, we got a warning letter like 1 month after we started to use ispconfig, they sent a letter regarding they've discovered phpmyadmin & broadcast 80 port on our server and they've ordered us to switch to 443 only and disable phpmyadmin, so now all of our services boradcasting on 443 only and we've disabled the phpmyadmin by ;
    sudo a2disconf phpmyadmin.conf
    sudo /etc/init.d/apache2 restart
     

Share This Page