Ran into a bug where my directory indexes were being shown when a client was requesting my server by IP. So for example, if you went to http://1.2.3.4/domain.com you would see all the directories and files and could traverse through them.
The weird thing was that I already had Options -Indexes which should've prevented this in my Apache config file. The issue was with a separate config file being loaded.
The IP level vhost located at /etc/apache2/sites-enabled/000-default contained the directive Options Indexes. Switching that to Options -Indexes solved my problem quite nicely.
No more malicious indexing of my content!
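Since the listing here came from a second config file overriding the main one, an audit has to look at every loaded file. The sketch below is an added example, not part of the original post: it flags each Options line that enables Indexes and reports the section it sits in. The file names and contents in SAMPLE_CONFIGS are constructed, and the parser is simplified: it assumes one directive per line and does not follow Include directives or read .htaccess files.

```python
import re

# Constructed sample configs: file names and contents are assumptions modelled on the post.
SAMPLE_CONFIGS = {
    "apache2.conf": (
        "<Directory /var/www/>\n"
        "    Options -Indexes +FollowSymLinks\n"
        "</Directory>\n"
    ),
    "sites-enabled/000-default": (
        "<VirtualHost *:80>\n"
        "    DocumentRoot /var/www\n"
        "    <Directory /var/www/>\n"
        "        # Options -Indexes\n"
        "        Options Indexes FollowSymLinks\n"
        "    </Directory>\n"
        "</VirtualHost>\n"
    ),
}

OPEN_TAG = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE_TAG = re.compile(r"</\s*\w+\s*>")


def find_index_listings(configs):
    """Return (file, line_no, context, directive) for each Options line enabling Indexes."""
    findings = []
    for name, text in configs.items():
        stack = []  # enclosing sections such as <VirtualHost> and <Directory>
        for line_no, raw in enumerate(text.splitlines(), start=1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if CLOSE_TAG.fullmatch(line):
                if stack:
                    stack.pop()
                continue
            opened = OPEN_TAG.fullmatch(line)
            if opened:
                stack.append(" ".join(opened.groups()).strip())
                continue
            parts = line.split()
            if parts[0].lower() != "options":
                continue
            # "Indexes", "+Indexes" and "All" turn listings on; "-Indexes" does not.
            if any(p.lower().lstrip("+") in {"indexes", "all"} for p in parts[1:]):
                findings.append((name, line_no, " > ".join(stack) or "server", line))
    return findings
```

To audit a real server, build the dictionary from the files under /etc/apache2 and pass it to find_index_listings in place of the sample.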
Update
Instead of just switching the indexes off, I opted to redirect all requests to the IP to a certain domain. The reason? Individual files could still be accessed if the attacker/client knew the path to it (which could be guessed fairly accurately).
So, throwing the following in the config file mentioned above worked like a charm:
RewriteEngine On
RewriteRule ^(.*) http://www.domain.com/ [R=301,L]