How to Disable Directory Browsing On Apache Running on an Ubuntu 18.04 Virtual Server or Dedicated Server

The Apache web server running on your Ubuntu 18.04 VPS can display a web page or list an index of files when a user requests a directory. Some web attacks occur due to information leakage. If attackers are able to see a list of the files that make up your web application, it speeds up their reconnaissance.

Therefore, directory listing or browsing should be disabled as soon as you finish installing your Apache web server on Ubuntu 18.04. Apache is the cornerstone of your website and web applications. Its default settings are not hardened, so you will need to fine-tune them to protect it against malicious attacks.

In this guide, we are going to show you how to disable directory browsing on an Apache server running on an Ubuntu 18.04 VPS.

Prerequisites

  • A VPS server running the Ubuntu 18.04 operating system
  • A non-root user with sudo privileges
  • Apache web server


Step 1: Check the default directory listing behaviour

When you install Apache for the first time, it will display the default web page.

Since we want to check the default directory listing behaviour, we are going to create a directory in the root of the website. The default virtual host is located in the directory /var/www/html.

So we are going to create one directory using the command below:

$ sudo mkdir /var/www/html/config

Next, we create two files using the nano editor as shown below:

$ sudo nano /var/www/html/config/dbinfo.txt

Then enter the text below:

dbname='test'

We create the next file using the command below:

$ sudo nano /var/www/html/config/config.txt

Then, enter the text below:

dbpassword='123456'

Remember to press CTRL+X and Y to save the files.

Next, we are going to request the directory in a browser using the public IP address of our Ubuntu 18.04 server.

So, assuming your IP address is 111.111.111.111, type the following in your browser:

http://111.111.111.111/config

Apache responds with an index page listing the two files we just created. The information we are displaying to our web visitors is quite dangerous. A malicious hacker would just need to click any of these files to get the information. Even if the files were written in a server-side scripting language like PHP, the listing would still give an attacker valuable information before they take the next step to get the file contents.

Step 2: Disabling the Apache directory browsing on Ubuntu 18.04 server

We are going to edit Apache's main configuration file. First, back up the file by typing the command below:

$ sudo cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.bk

Then, open the main configuration file in the nano text editor using the command below:

$ sudo nano /etc/apache2/apache2.conf

Next, locate the text below in the file:

<Directory /var/www/>
 	Options Indexes FollowSymLinks
 	AllowOverride None
 	Require all granted
</Directory>

We need to change the Options directive from Options Indexes FollowSymLinks to Options -Indexes +FollowSymLinks:

<Directory /var/www/>
 	Options -Indexes +FollowSymLinks
 	AllowOverride None
 	Require all granted
</Directory>

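Please note that a “-” sign in front of an option disables it, while a “+” sign enables it. Apache does not accept an Options line that mixes signed and unsigned options, which is why FollowSymLinks gets a “+” once Indexes has a “-”.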

Once you are done, press CTRL+X and Y to save the changes.

Step 3: Restart Apache

Finally, we restart Apache for the changes to take effect by typing the command below:

$ sudo service apache2 restart

Step 4: Confirming the changes

If you try to visit the address http://111.111.111.111/config in your browser, you will now get a forbidden error message: “You don’t have permission to access /config/ on this server.”
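The edit in Step 2 only covers the <Directory /var/www/> block; an Options line in a more specific block can turn Indexes back on for a subdirectory. The script below is an added example, not part of the original guide: it scans configuration text for Options directives that enable listing, run here on a constructed sample in which /var/www/html/downloads and /srv/legacy are hypothetical paths.

```shell
#!/bin/sh
# Added example, not from the original guide: report every Options directive
# in Apache configuration text that switches directory listing (Indexes) on.

# Reads config on stdin; prints "<context>: <directive>" for each finding.
find_indexes_enabled() {
  awk '
    $1 ~ /^#/ { next }                                  # skip comment lines
    tolower($1) == "<directory" {                       # entering a block
      ctx = $2; sub(/>$/, "", ctx); next
    }
    tolower($1) == "</directory>" { ctx = ""; next }    # leaving the block
    tolower($1) == "options" {
      on = 0
      for (i = 2; i <= NF; i++) {                       # last matching token wins
        opt = tolower($i); sub(/^[+]/, "", opt)
        if (opt == "indexes" || opt == "all") on = 1    # All includes Indexes
        if (opt == "-indexes") on = 0
      }
      if (on) {
        where = (ctx == "") ? "(server-wide)" : ctx
        $1 = $1                                         # drop leading whitespace
        print where ": " $0
      }
    }
  '
}

# Constructed sample: the hardened block from Step 2 plus two hypothetical
# directories (/var/www/html/downloads, /srv/legacy) that still allow listing.
sample_conf() {
  cat <<'EOF'
<Directory /var/www/>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory /var/www/html/downloads>
    Options Indexes FollowSymLinks
</Directory>
# Options Indexes
<Directory /srv/legacy>
    Options All
</Directory>
EOF
}

sample_conf | find_indexes_enabled
```

To check the real file, run find_indexes_enabled < /etc/apache2/apache2.conf; other included configuration files can carry their own Options lines and need the same check.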

Conclusion

Those are the basic steps for disabling directory browsing on an Apache web server running on an Ubuntu 18.04 VPS. This is not an exhaustive way of securing your web server. However, it’s going to make your Apache web server more secure by hiding information about your website’s configuration directories that attackers can use to compromise your server.

 
