Oliver Nassar

I can be reached at onassar@gmail.com.

For my open source work, check out github.com/onassar


Securing my indexes on my Slicehost VPS

View more posts

Ran into a bug where my directory indexes were being shown when a client was requesting my server by IP. So for example, if you went to http://1.2.3.4/domain.com you would see all the directories and files and could traverse through them.

The weird thing was that I already had Options -Indexes which should've prevented this in my apache config file. The issue was with a separate config file being loaded.

The IP level vhost located at /etc/apache2/sites-enabled/000-default contained the directive Options Indexes. Switching that to Options -Indexes solved my problem quite nicely.

No more malicious indexing of my content!

Update

Instead of just switching the indexes off, I opted to redirect all requests to the IP to a certain domain. The reason? Individual files could still be accessed if the attacker/client knew the path to it (which could be guessed fairly accurately).

So, throwing the following in the config file mentioned above worked like a charm:

RewriteEngine On
RewriteRule ^(.*) http://www.domain.com/ [R=301,L]