Recently one of the websites I built had to go through a fairly thorough security audit. Thankfully the results were generally good all round, with no "THIS IS A SERIOUS ERROR" reports (which is always good).
One thing that popped up did surprise me, though. Apparently there was a full directory listing appearing at: http://www.siteurl.com/icons/
I found this odd because I thought I had explicitly disabled all directory listings. What was even more annoying was that there don't seem to be many conclusive answers as to why this was happening.
Apparently, this is caused by the "mod_alias" extension for Apache, which is enabled by default on Ubuntu (more info at http://httpd.apache.org/docs/2.2/mod/mod_alias.html). Once I knew that, it was quite easy to turn this "feature" off:
First, log into your web server and run:
sudo nano /etc/apache2/mods-available/alias.conf
This will give you a file that looks like:
<IfModule alias_module>
#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL. So "/icons" isn't aliased in this
# example, only "/icons/". If the fakename is slash-terminated, then the
# realname must also be slash terminated, and if the fakename omits the
# trailing slash, the realname must also omit it.
#
# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
#
#Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
</IfModule>
All you need to do is change the line:
Options Indexes MultiViews
to:
Options -Indexes MultiViews
Now that annoying directory listing will no longer appear.
Note: You could also comment out (or delete) these lines. This should have the same effect, except that all links to the icons directory would become invalid, which may break some of the default Apache error pages.
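
A check that can be run over Apache configuration text after a change like this one, added here as an example and not part of the original post: for every Options line it reports whether Indexes ends up on, off or inherited, and it flags lines that mix signed and unsigned options, which Apache 2.4 rejects at startup. The sample configuration, the /srv/example paths and the function names are constructed for illustration.

```python
import re

# Constructed sample: the stock block from the post, the post's fix, and an
# all-signed variant. The /srv/example paths are hypothetical.
SAMPLE = """\
<Directory "/usr/share/apache2/icons">
    Options Indexes MultiViews
</Directory>
<Directory "/srv/example/fixed">
    Options -Indexes MultiViews
</Directory>
<Directory "/srv/example/signed">
    Options -Indexes +MultiViews
</Directory>
"""

OPEN = re.compile(r'<(?:Directory|Location)\w*\s+"?([^">]+)', re.I)
CLOSE = re.compile(r'</(?:Directory|Location)', re.I)

def indexes_state(opts):
    """Classify one Options argument list: 'on', 'off' or 'inherited'."""
    low = [o.lower() for o in opts]
    if "-indexes" in low or "-all" in low:
        return "off"
    if any(o.lstrip("+") in ("indexes", "all") for o in low):
        return "on"
    # An unsigned list replaces the inherited set; a signed list only adjusts it.
    return "inherited" if all(o[0] in "+-" for o in low) else "off"

def audit(conf_text):
    """Return (scope, line_no, state, mixed_signs) for every Options directive."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            stack.append(m.group(1))
        elif CLOSE.match(line) and stack:
            stack.pop()
        elif line.split()[0].lower() == "options":
            opts = line.split()[1:]
            mixed = len({o[0] in "+-" for o in opts}) == 2  # invalid on Apache 2.4
            scope = stack[-1] if stack else "(server config)"
            findings.append((scope, no, indexes_state(opts), mixed))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```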