Apache web server running on your Ubuntu 18.04 VPS can display a web page or list an index of files when a user requests a directory. Some web attacks occur due to information leakage. If hackers are able to see a list of files running your web application, this would speed up their reconnaissance process.
Therefore, directory listing or browsing should be disabled as soon as you finish installing your Apache web server on Ubuntu 18.04. Apache is the cornerstone of your website and web applications. When it comes to some default security, you will need to fine tune it to harden it against malicious attacks.
In this guide, we are going to show you how you can disable directory browsing on your Apache Server running on Ubuntu 18.04 VPS machine.
- A VPS server running Ubuntu 18.04 operating system
- A non-root user with sudo privileges
- Apache web server
Special note: HostAdvice's hosting reviews allow you to consult with thousands of users before purchasing a hosting plan. If you are looking to purchase a Ubuntu VPS plan, consult the VPS hosting reviews or Linux Hosting reviews.
Step 1: Check the default directory listing behaviour
When you install Apache for the first time, it will display the default web page as shown below:
Since we want to check the default directory listing behaviour, we are going to create a directory on the root of the website. The default virtual host is located on the directory /var/www/html.
So we are going to create one directory using the command below:
$ sudo mkdir /var/www/html/config
Next we create two files using a nano editor as shown below:
$ sudo nano /var/www/html/config/dbinfo.txt
Then enter the text below:
We create the next file using the command below:
$ sudo nano /var/www/html/config/config.txt
Then, enter the text below:
Remember to press CTRL+X and Y to save the files.
Next we are going to request the directory on a browser using the public IP address of our Ubuntu 18.04 server.
So assuming your IP address is 220.127.116.11, type the following on your browser:
As you can see above, the information we are displaying to our web visitors is quite dangerous. A malicious hacker would just need to click any of these files to get the information. Even if you write the file in a server side scripting language like PHP, still, this would give any attacker valuable information before they take the next step to get the file contents.
Step 2: Disabling the Apache directory browsing on Ubuntu 18.04 server
We are going to edit the Apache’s main configuration file. First, back up the file by typing the command below:
$ sudo cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.bk
Then, edit Apache main configuration file using nano text editor using the command below:
$ sudo nano /etc/apache2/apache2.conf
Next locate the text below on the file:
<Directory /var/www/> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory>
We need to change the Options directive from Options Indexes FollowSymLinks to Options -Indexes +FollowSymLinks
<Directory /var/www/> Options -Indexes +FollowSymLinks AllowOverride None Require all granted </Directory>
Please note adding a “-” sign disables an option while a “+” sign enables the option.
Once you are done, press CTRL+X and Y to save the changes.
Step 3: Restart Apache
Finally we restart Apache for the changes to take effect by typing the command below:
$ sudo service apache2 restart
Step 4: Confirming the changes
If you try to visit the address http:// 18.104.22.168/config on your browser, you will now get a forbidden error message, “You don’t have permission to access /config/ on this server.
Those are the basic steps of disabling directory browsing on Apache web server running on Ubuntu 18.04 VPS. This is not an exhaustive way of securing your web server. However, it’s going to make your Apache web server more secure by hiding relevant information on your website’s configuration directories that attackers can use to compromise your server.