Apache: Blocking “Dangerous” Files

Posted on 2018-03-27 by mike

There are all sorts of “dangerous” files that can appear within a web server’s document root; some are merely potentially dangerous but some can be genuinely dangerous. For example, if someone uses an editor to change a .php file, it is possible that a backup file for that script will be created within the document root called something.php~, and because this isn’t a genuine php file, it won’t be interpreted by php so the source code of your php script could be visible publicly :-

This is not something you want to see!

To protect against a whole set of similar attacks, blocking access to certain file “patterns” is a sensible precaution. The following can be added to a .htaccess file or to the main Apache configuration file (preferred) :-

<FilesMatch "(^\.htaccess|\.sql$|\.svn$|\.git$|\.DS_Store|.*~$|\.old$|\.bak$)" >
  Order allow,deny
  Deny from all
</FilesMatch>

The contents of the “FilesMatch” directive is effectively a list of regular expressions alternatives (grouped by enclosing in “(” and “)” and separated with “|” = standard syntax). For the benefit of documentation the individual clauses are :-

  1. “\.htaccess” (files containing the string “.htaccess”) – blocks access to Apache options file.
  2. “\.sql$” (files ending in “.sql”) – blocks access to SQL files.
  3. “\.git$” (files ending in “.git”) – blocks access to git repositories which are contained within directories named “.git”.
  4. “\.svn$” (files ending in “.svn”) – blocks access to svn repositories as above.
  5. “\.DS_Store” (files containing the string “.DS_Store”) – blocks access to OSX “droppings” left in directories.
  6. “.*~$” (files ending in “~”) – blocks access to emacs style editor backups.
  7. “.*old$” (files ending in “old”) – blocks access to a typical backup file.
  8. “.*bak$” (files ending in “bak”) – blocks access to vim style editor backups.

The configuration can be added to any Apache configuration file in the global context (rather than specific to a particular virtual server), but suggested places are :-

  1. For Ubuntu/Debian-derived distributions: /etc/apache2/apache2.conf (at the end of the file).
  2. For SLES-based servers, /etc/apache2/conf.d/local.conf

Once the change has been made, check the configuration with apachectl configtest. Providing that returns no errors, restart Apache gracefully with apachectl graceful.

This entry was posted in Technical and tagged , . Bookmark the permalink.