Apache default configuration - directory listing

Forum for questions and support relating to the 1.29.x releases only.
alexo
Posts: 6
Joined: Wed Feb 01, 2017 8:36 am
Location: Europe

Apache default configuration - directory listing

Post by alexo »

Hello,
I recently installed 1.29.0 on Debian Jessie (8.7). The default Apache config file has the following:

<Directory /usr/share/zoneminder/www>
  php_flag register_globals off
  Options Indexes FollowSymLinks
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>
</Directory>

Now, without logging in to ZM, I'm able to browse and view the events folders :(
When I disable directory listing, it seems that ZM is working fine.
What feature/functionality requires the directory Indexing? Can I disable it?

How can I further secure the default install?

Thanks for your time.
bbunge
Posts: 2930
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: Apache default configuration - directory listing

Post by bbunge »

Interesting... Just tried it on Debian 9 and Ubuntu 16.04 with http://ipaddress/zm/events and got the directory listing, too.

Will look into this...

bb
SteveGilvarry
Posts: 494
Joined: Sun Jun 29, 2014 1:12 pm
Location: Melbourne, AU

Re: Apache default configuration - directory listing

Post by SteveGilvarry »

Remove it.
And put the server behind a VPN, and the cameras on a separate subnet with no internet access.
Production Zoneminder 1.37.x (Living dangerously)
Random Selection of Cameras (Dahua and Hikvision)
MJN
Posts: 251
Joined: Wed Jan 17, 2007 10:29 am
Location: Wiltshire, UK

Re: Apache default configuration - directory listing

Post by MJN »

I use Basic Authentication (inside HTTPS) to secure the whole ZM tree.
bbunge
Posts: 2930
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: Apache default configuration - directory listing

Post by bbunge »

As posted in the 1.30.x area

Here is a "fix" to block the directory browsing. I must admit it is partly my fault.

For Ubuntu
Undo my "Fix to allow API to work" (back to the original configuration)

nano /etc/apache2/apache2.conf

Change All to None in two places as shown below

<Directory /usr/share>
  AllowOverride None
  Require all granted
</Directory>

<Directory /var/www/>
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>

Ctrl+O, then Enter, to save

Ctrl+X to exit

Edit zoneminder.conf

nano /etc/apache2/conf-available/zoneminder.conf

Add a - before Indexes and a + before FollowSymLinks

<Directory /usr/share/zoneminder/www>
Options -Indexes +FollowSymLinks

Make sure the following is at the bottom of the file

<Directory /usr/share/zoneminder/www/api>
  AllowOverride All
</Directory>

Ctrl+O, then Enter, to save

Ctrl+X to exit

Restart Apache

service apache2 reload

http://ip-addr/zm/events should now give you a Forbidden 403 error
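
An added example, not part of the thread or of ZoneMinder's packaging: a shell function that reads an Apache configuration on stdin and reports whether Options Indexes is in effect for a given directory, so the edited files can be checked offline as well as through the 403 test. It assumes literal <Directory> paths only, Indexes off unless a block enables it (the Apache 2.4 default), and no .htaccess overrides; effective_indexes and sample_conf are names made up for this example.

```shell
# Added example. Usage: effective_indexes DIR < apache-config
# Prints "on" or "off" for Options Indexes on DIR. Assumptions: literal
# <Directory> paths only, Indexes starts off, .htaccess is not evaluated.
effective_indexes() {
    awk -v target="$1" '
    /^[ \t]*#/ { next }                      # skip comment lines
    /^[ \t]*<Directory[ \t]/ {               # opening tag: remember its path
        cur = $0
        sub(/^[ \t]*<Directory[ \t]+"?/, "", cur)
        sub(/"?[ \t]*>.*$/, "", cur)
        sub(/\/+$/, "", cur)                 # "/var/www/" -> "/var/www"
        inblock = 1; next
    }
    /^[ \t]*<\/Directory>/ { inblock = 0; next }
    inblock && tolower($1) == "options" {
        verdict = ""; relative = 0
        for (i = 2; i <= NF; i++) {
            opt = tolower($i)
            if (opt ~ /^[+-]/) relative = 1
            if (opt == "indexes" || opt == "+indexes" || opt == "all") verdict = "on"
            if (opt == "-indexes" || opt == "none") verdict = "off"
        }
        # A list without +/- replaces inherited options: no Indexes means off.
        if (verdict == "" && !relative) verdict = "off"
        # The block applies when its path is the target or one of its parents.
        applies = (target == cur || index(target, cur "/") == 1)
        # Longest matching path wins; on a tie the later block wins.
        if (verdict != "" && applies && length(cur) >= best) {
            best = length(cur); state = verdict
        }
    }
    END { print (state == "" ? "off" : state) }
    '
}

# Constructed sample: blocks from the fix above, closed so they parse.
sample_conf() {
    cat <<'EOF'
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
<Directory /usr/share/zoneminder/www>
    Options -Indexes +FollowSymLinks
</Directory>
EOF
}

sample_conf | effective_indexes /usr/share/zoneminder/www/events   # off
sample_conf | effective_indexes /var/www/html                      # on
```

On a real host, feed it the concatenated files Apache actually loads (for example apache2.conf followed by conf-enabled/*.conf), since a parent block in one file can enable Indexes for a directory configured in another.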