9

I have Ubuntu 16.04 x64 with LAMP. (Apache2.4)

I consider directory browsing very bad. I just discovered this wonderful solution:

a2dismod autoindex

But it gives this vague but very scary warning:

    root@www:~# a2dismod autoindex
    WARNING: The following essential module will be disabled.
    This might result in unexpected behavior and should NOT be done
    unless you know exactly what you are doing!
     autoindex

    To continue type in the phrase 'Yes, do as I say!' or retry by passing '-f':

Can someone explain what it is talking about? It sounds all good to me.

2
  • I guess it's a support thing and they do it to be able to tell users "We said to only do it if you know what you are doing" when they complain that their server is "broken" after doing this without knowing what it implicates. In reality, if you indeed know what you are doing, go forward, nothing bad will happen that you shouldn't expect.
    – Sven
    Commented May 30, 2016 at 4:32
  • 1
    I agree that directory browsing is really bad and I find it really strange that this is still a default in Apache (or Ubuntu) in 2016. I guess some people cannot let go... Commented Oct 16, 2016 at 0:56

2 Answers

4

I think that whoever wrote the a2dismod script thought that was a good idea.

The list of modules considered essential by Apache2 (at least in version 2.2):

my @essential_module_list = (qw/access_compat alias auth_basic authn_file/,
    qw/authz_host authz_user autoindex deflate dir env filter logio/,
    qw/mime negotiation setenvif unixd version watchdog/);

PCI compliance considers autoindex, all the auth*, and the version modules as insecure (benefiting hackers greatly¹, really) and in most cases they ask you to remove them.

You may use -f to avoid the message (especially if you are scripting the installation):

a2dismod -f autoindex

Then you won't get the warning.


¹ Obfuscation is not security. However, it makes some (a very few?) hackers' lives harder when determining what software you are running. Note that once one hacker writes a script to determine the version of Apache2 and what modules it is running, and shares said script with all his friends, the obfuscation is totally useless...

3
  • 2
    a2dismod -f autoindex worked perfectly in the script. Thanks! And I have always disabled autoindex without any noticeable side effects.
    – Maris B.
    Commented Jul 3, 2018 at 7:19
  • I feel like I'm missing something, but near as I can tell, the version module doesn't tell people what version of Apache you're running. It lets you adjust directives in your configurations according to things like <IfVersion>.
    – mlissner
    Commented Oct 24, 2020 at 17:27
  • 1
    @mlissner Indeed. The version can be hidden with ServerSignature Off. I'm pretty sure, though, that they ask you to remove the version module anyway. They should not be able to detect it without a successful penetration test, though... Commented Oct 24, 2020 at 17:36
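An added audit helper, not code from the answer or from the Debian apache2 scripts: it checks the Debian/Ubuntu mods-enabled layout that a2enmod/a2dismod manage, lists which of the "essential" modules quoted above are still enabled, and singles out the ones the answer says PCI scans object to. The config directory path and the demo layout are constructed here so it runs against a temporary tree; point it at /etc/apache2 on a real host.

```shell
#!/bin/sh
# Audit which of a2dismod's "essential" modules are still enabled on a
# Debian/Ubuntu-style Apache layout (mods-enabled/*.load symlinks).
# Hypothetical helper for this answer, not part of Apache or the a2* scripts.

# The essential list quoted from the a2dismod script above.
ESSENTIAL="access_compat alias auth_basic authn_file authz_host authz_user autoindex deflate dir env filter logio mime negotiation setenvif unixd version watchdog"
# The subset the answer says PCI scans flag (auth* expanded from that list).
PCI_FLAGGED="autoindex auth_basic authn_file authz_host authz_user version"

# enabled_module CONFDIR MOD -> success if CONFDIR/mods-enabled/MOD.load exists
enabled_module() {
    [ -e "$1/mods-enabled/$2.load" ]
}

# essential_enabled CONFDIR -> prints enabled essential modules, one per line
essential_enabled() {
    for m in $ESSENTIAL; do
        enabled_module "$1" "$m" && echo "$m"
    done
    return 0
}

# flagged_enabled CONFDIR -> prints the PCI-flagged modules still enabled
flagged_enabled() {
    for m in $PCI_FLAGGED; do
        enabled_module "$1" "$m" && echo "$m"
    done
    return 0
}

# disable_cmd MOD -> the non-interactive command the answer recommends
disable_cmd() {
    echo "a2dismod -f $1"
}

# Constructed demo layout: a temp dir mimicking /etc/apache2 with four
# modules enabled (autoindex and version among them).
make_demo_confdir() {
    d=$(mktemp -d)
    mkdir -p "$d/mods-available" "$d/mods-enabled"
    for m in autoindex dir mime version; do
        : > "$d/mods-available/$m.load"
        ln -s "../mods-available/$m.load" "$d/mods-enabled/$m.load"
    done
    echo "$d"
}
```

Run `flagged_enabled /etc/apache2` before and after `a2dismod -f autoindex` to confirm the symlink is gone; `apache2ctl -M` shows what the running server actually loaded.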
0

Disable the autoindex module entirely. This would affect all the sites hosted on the server, which could be both good and bad.

1
  • 1
    Any arguments about why it would be good or bad? Commented Oct 16, 2016 at 0:55
