Hi everybody, I have an installation of ISPCONFIG 3.0.1.3 and one big problem. All web users can list all files and dirs of the /var/www folder. I'm using FastCGI in the vhost configuration; how can I secure that? The right action in this case is that the user lists just the content of /var/www/clientNUMBER... Thanks in advance!
I tried to change the /var/www permission to 750, but Apache does not read the files owned by user:group =/ Any ideas?
First, your ISPConfig version is a bit old, you have to update to ISPConfig 3.0.1.6. Then select secure mode in the server settings and change a config in every website where you want to switch to secure mode.
Till, thanks for your reply. Is there a secure option in ISPCONFIG 3.0.1.3? How can I find that? Is the upgrade to 3.0.1.6 needed?
Ok Till, I will make the upgrade tonight. Do you have a link from the forum that describes this upgrade to help me? Thanks again!
Till, the update has been made and now I'm running ISPCONFIG 3.0.1.6. I changed the level from Medium to High on Server Configuration > Web. Is there any other option to change to secure my vhosts?
Do you have an .htaccess file in /var/www? There should be one with "Options -Indexes" so that the directory cannot be listed. If you want to enable the directory listing in subdirectories of that, have an additional .htaccess file with "Options +Indexes". There are a lot of things that can be done to further secure your host. Too many to list.
Thanks for your suggestion BorderAmigos, my Apache already has this set; the real problem was that users cannot be 'arrasted' in the /var/www/clients/clientexx. Now (thanks Till), nobody can escape from that dir.
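
An added example, not written by anyone in this thread and not part of ISPConfig: a shell function that reports which directories under a web root any local account can list, which is the condition described in the first post. The function names and the demo tree are hypothetical; the check relies only on standard Unix directory permissions (read bit = list names, execute bit = traverse), not on ISPConfig internals.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample tree).
#
# list_exposed_dirs ROOT [DEPTH]
#   Prints every directory below ROOT (DEPTH levels deep, default 2) whose
#   mode grants the "other" class read permission, meaning any local user
#   can list its contents. Returns 0 if none are found, 1 if some are,
#   2 if ROOT is not a directory.
list_exposed_dirs() {
    root=$1
    depth=${2:-2}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -perm -o=r matches when the other-read bit is set, whatever else is set.
    exposed=$(find "$root" -mindepth 1 -maxdepth "$depth" -type d -perm -o=r 2>/dev/null | sort)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
    return 0
}

# demo_tree
#   Builds a constructed tree shaped like the /var/www/clients/clientN layout
#   mentioned in the thread and prints its base path.
demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/clients/client1/web1" "$base/clients/client2/web2"
    chmod 755 "$base/clients"
    # client1: closed to "other" entirely.
    chmod 750 "$base/clients/client1" "$base/clients/client1/web1"
    # client2: listable by everyone, so it should be reported.
    chmod 755 "$base/clients/client2"
    # 751 = others may traverse (x) but not list (no r), so it is not reported.
    chmod 751 "$base/clients/client2/web2"
    printf '%s\n' "$base"
}

# Stand-alone use: sh audit.sh /var/www/clients 2
if [ "$#" -gt 0 ]; then
    list_exposed_dirs "$@"
fi
```

Run it as root so that `find` can descend into directories that are already locked down; a non-zero exit status makes it usable from a cron job or monitoring check.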