I recently came across an Apache web server with a number of virtual hosts under /var/www. Pointing a browser to the root, /var/www, would reveal the names of all of the virtual hosts on the server. While not tragic, it does reveal some information that we would prefer not to be visible to the general public.

If we look under /etc/apache2/sites-available/, we'll see the virtual hosts and, in addition, 'default'.

Using an editor, open 'default' and there will be a few lines near the top:


        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>


By changing the above to the following:

        <Directory /var/www/>
                Options -Indexes
        </Directory>

we prevent the directory listing.
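
As an added example (not code from the original post), this shell function scans Apache configuration text and lists the Directory blocks whose Options line still enables Indexes, so the change above can be confirmed. It checks each block in isolation and does not model option inheritance or .htaccess overrides; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report <Directory> blocks whose
# own Options line turns on Indexes. Reads Apache config text on stdin.
find_indexed_dirs() {
    awk '
        # Opening tag: remember which directory block we are in.
        tolower($1) == "<directory" {
            dir = $2
            sub(/>$/, "", dir)
            gsub(/"/, "", dir)
            next
        }
        # Closing tag: leave the block.
        tolower($1) == "</directory>" { dir = ""; next }
        # Options inside a block: Indexes, +Indexes or All enable listings,
        # -Indexes disables them. The last matching token wins.
        dir != "" && tolower($1) == "options" {
            on = 0
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "indexes" || opt == "+indexes" || opt == "all") on = 1
                if (opt == "-indexes") on = 0
            }
            if (on) print dir
        }
    '
}

# Constructed sample input; /var/www/example/ is a made-up path.
sample_config() {
    cat <<'EOF'
<Directory />
        Options FollowSymLinks
        AllowOverride None
</Directory>
<Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
</Directory>
<Directory /var/www/example/>
        Options -Indexes
</Directory>
EOF
}

sample_config | find_indexed_dirs   # prints /var/www/
```

To check the real file, run find_indexed_dirs < /etc/apache2/sites-available/default after editing it and before reloading Apache. No output means no block in that file enables listings on its own Options line.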