IP call displays top home directory
We're running Apache 2.2 on Debian Squeeze. We recently moved to a new server. The old server was running Apache 1.3 on Debian Sarge.
We run a number of sites on Apache, all using the names-based vhost files under /etc/apache2/sites-enabled. All our users or domains have this basic structure:
/home/domain_name/public_html/index.html (or index.php depending on the site).
Each of the various domain names is responding accordingly.
We also put in Maildir, log directories, work directories and script config files under /home/domain_name (but above public_html).
We discovered this problem by accident: if someone decided to call our server by the IP number, i.e., [#*$!.#*$!.#*$!.#*$!...] instead of any particular domain, then the entire directory structure under /home would be displayed, allowing anyone access to all the domains such as /home/domain_name and below. All the files above public_html would be open to display.
A second related problem is that even if the directories are prevented from being displayed, if someone happens to know (or guesses) a sub directory of /home they could simply append any subdirectory name to our IP address and view those files.
Obviously this is a great security risk on both counts.
One person suggested we change everything to be under /var/www. Not only would it be very much less convenient, but the person couldn't explain why there would be any difference between the /home or the /var/www setups. Beyond that, all our sites are based on the /home setup and to change it would create huge issues. As a side note, our original server was under Redhat which used the /home arrangement.
Under Apache 1.3 this was not an issue as IP calls defaulted to our main web site, which was listed first in the httpd.conf file.
Obviously we don't want the /home directory to show. I would prefer either a blank page, an error page or a designated .html file. And a fix would need to prevent the second problem if someone guesses a directory name.
So our temporary (and inelegant) fix was to place a .htaccess file under /home (but above all the domain name directories), with:
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
I found this on the web somewhere. The result when calling the IP number is a 500 Internal Server Error. It prevents the directory from being exposed, but obviously isn't the right way to do this.
I'd appreciate any help on this. Thank you.
I'm in almost the exact same boat you are right now -- Apache 1.3 (just-died Red Hat) to Apache 2.2 (brand-new Debian). [webmasterworld.com...] Thank you for posting your question because we were exposed in the exact same way. YIKES!
My husband figured out two ways to the same end: hiding /home on the machine's IP.
1.) Go to /etc/apache2/sites-enabled and remove the (symlinked) "000-default" (This leaves "default" in sites-available untouched.)
- OR -
2.) Login via command line as root and use the "a2dissite" utility. https://help.ubuntu.com/8.04/serverguide/C/httpd.html
He used the latter and now a direct call to the machine's IP results in the generic 404 Not Found. Attempting several IP/knowndir destinations also yielded 404s.
I truly hope you're having more success overall than we are. We've been at this for days and still every hour brings with it a new error we've never seen, a new config we never had, another snafu we've no clue how to fix, another thread with more questions than answers. Good luck!
On one server, I just whacked a blank index.html file in the appropriate folder and in several other folders.
On another server I set a redirect from bare IP to the most important hostname on that server.
I appreciate your help, but the fix didn't completely work for me. Here's what I did. I temporarily renamed the file /home/.htaccess which contains the code I listed above, and which results in the 500 error.
So now the entire directory is visible again with all the /home/domain-user/public_html directories.
Then I went to /etc/apache2/sites-enabled and deleted the symlink to 000-default (which still leaves the default vhost file in the sites-available directory). I don't know if 000-default serves any other purpose in sites-enabled (of course it provides boilerplate code, but that doesn't mean it needs to be enabled).
So now I have no /home/.htaccess file and no 000-default that is enabled.
I go back and check again, and the directory is still visible. Ouch!
But then I realize, I hadn't restarted Apache. So I do a /etc/init.d/apache2 restart. That goes OK.
I check the browser again. Now here's where it gets interesting. Apparently the default behavior has not been stopped, but the browser shows the next-in-line alpha domain. In this case the next domain in line starts with "b" - so what is displayed when the IP number is called is domain b-example.com. If I remove that, then c-example.com would be displayed and so on.
I suppose I could live with the b-example.com being displayed, and it does close the security hole. But I would prefer a better solution.
This might do it and is so simple.
I took a dummy index file with only a few words and put it at /home/index.html
At first it didn't work. But for some reason, I had to re-enable the 000-default symlink. The /home/.htaccess is still gone.
I then restarted Apache. (Of course browsers don't like to change a page even if it's been changed and the cache is empty.) But a few blunt force reloads and eventually it reloaded.
This seems simple and does the job.
Just curious, for the other method, where would you put the redirect (and what would be the code)?
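An added example, not posted by anyone in this thread, showing one way to do both things discussed above: the "redirect from bare IP" method mentioned earlier and a catch-all default vhost that answers any unknown Host (or bare IP) with a 404, plus a Directory block that keeps everything above public_html unservable even if a vhost is misconfigured. It assumes Debian's /etc/apache2/sites-enabled/000-default file, Apache 2.2 access-control syntax, sites laid out as /home/<domain>/public_html, and the placeholder names /var/www/empty and www.example.com.

```apache
# Assumed location: /etc/apache2/sites-enabled/000-default (Apache 2.2, Debian).
# Because it sorts first, this is the vhost Apache uses for any request whose
# Host header matches no other ServerName, which includes a request by bare IP.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName default.invalid          # placeholder; never matches a real site
    DocumentRoot /var/www/empty          # assumed empty, root-owned directory

    <Directory /var/www/empty>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Option A: every path on the catch-all vhost returns 404 Not Found,
    # so neither the IP alone nor IP/guessed-subdir reveals anything.
    Redirect 404 /

    # Option B (use instead of A): send bare-IP visitors to the main site.
    # Redirect permanent / http://www.example.com/
</VirtualHost>

# Belt and braces, independent of which vhost wins: nothing directly under
# /home (Maildir, logs, scripts, config) is servable, and directory indexes
# are off. Only each site's public_html is opened back up.
<Directory /home>
    Options -Indexes
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory /home/*/public_html>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
```

After `apache2ctl configtest` and a restart, a request to the bare IP and to IP/<known-subdirectory> should both return 404 (or the redirect if Option B is used), while each named vhost still serves its own public_html.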