There are all sorts of “dangerous” files that can appear within a web server’s document root; some are merely potentially dangerous, but some are genuinely dangerous. For example, if someone uses an editor to change a .php file, the editor may create a backup of that script within the document root called something.php~. Because this isn’t a genuine PHP file, it won’t be interpreted by PHP, so the source code of your PHP script could be publicly visible.
This is not something you want to see!
To protect against a whole set of similar attacks, blocking access to certain file “patterns” is a sensible precaution. The following can be added to a .htaccess file or to the main Apache configuration file (preferred) :-
    # Order/Deny is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat
    # for it, or use "Require all denied" in its place.
    <FilesMatch "(^\.htaccess|\.sql$|\.svn$|\.git$|\.DS_Store|.*~$|\.old$|\.bak$)">
        Order allow,deny
        Deny from all
    </FilesMatch>

The content of the “FilesMatch” directive is effectively a list of regular expression alternatives (grouped by enclosing them in “(” and “)” and separated with “|”, which is standard syntax). For documentation purposes, the individual clauses are :-
- “^\.htaccess” (files whose names start with “.htaccess”) – blocks access to the Apache options file.
- “\.sql$” (files ending in “.sql”) – blocks access to SQL files.
- “\.git$” (files ending in “.git”) – blocks access to git repositories which are contained within directories named “.git”.
- “\.svn$” (files ending in “.svn”) – blocks access to svn repositories as above.
- “\.DS_Store” (files containing the string “.DS_Store”) – blocks access to OSX “droppings” left in directories.
- “.*~$” (files ending in “~”) – blocks access to emacs style editor backups.
- “\.old$” (files ending in “.old”) – blocks access to a typical backup file.
- “\.bak$” (files ending in “.bak”) – blocks access to vim style editor backups.
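The pattern can be checked against sample paths before it is deployed. The following Python sketch is an added example, not part of the original article; it models FilesMatch as an unanchored regular expression search on the final path component only (the rule this check rests on), and the sample paths are constructed.

```python
import posixpath
import re

# The alternation from the FilesMatch directive above, copied verbatim.
PATTERN = re.compile(
    r"(^\.htaccess|\.sql$|\.svn$|\.git$|\.DS_Store|.*~$|\.old$|\.bak$)"
)

# Constructed sample request paths (not from the original article).
SAMPLE_PATHS = [
    "/index.php",
    "/index.php~",
    "/.htaccess",
    "/backup/site.sql",
    "/config.php.old",
    "/config.php.bak",
    "/images/.DS_Store",
    "/.git",           # a file literally named ".git"
    "/.git/config",    # a file inside a ".git" directory
    "/.svn/entries",   # a file inside a ".svn" directory
    "/threshold",      # ends in "old" but not in ".old"
]


def files_match(path):
    """Model FilesMatch: regex search on the last path component only."""
    name = posixpath.basename(path)
    return PATTERN.search(name) is not None


def audit(paths):
    """Split paths into (denied, unmatched) according to the pattern."""
    denied = [p for p in paths if files_match(p)]
    unmatched = [p for p in paths if not files_match(p)]
    return denied, unmatched


if __name__ == "__main__":
    denied, unmatched = audit(SAMPLE_PATHS)
    for p in denied:
        print("denied   ", p)
    for p in unmatched:
        print("unmatched", p)
```

Paths reported as unmatched, such as files inside a “.git” or “.svn” directory, are not covered by this FilesMatch block and need a directory-level rule (for example DirectoryMatch) to be denied.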
The configuration can be added to any Apache configuration file in the global context (rather than specific to a particular virtual server), but suggested places are :-
- For Ubuntu/Debian-derived distributions: /etc/apache2/apache2.conf (at the end of the file).
- For SLES-based servers: /etc/apache2/conf.d/local.conf
Once the change has been made, check the configuration with apachectl configtest. Provided that returns no errors, restart Apache gracefully with apachectl graceful.