---
id: b3c3459b-e5f5-485b-9fe5-8f0cf52a0946
---

# Unauthorized Directory Access in Apache HTTPD.
---

This incident type refers to an unauthorized access to directories in Apache HTTPD, which is a widely used web server software. It means that someone was able to access files or directories that they were not supposed to, without having proper authorization. This type of incident can potentially lead to sensitive data being exposed or even stolen, and can compromise the security of the server and the applications running on it.

### Parameters
```shell
export DOCUMENT_ROOT_DIRECTORY="PLACEHOLDER"

export INDEX_FILE="PLACEHOLDER"

export HTTPD_CONFIG_FILE="PLACEHOLDER"

export PATH_TO_HTTPD_CONF="PLACEHOLDER"
```

## Debug

### Check Apache httpd server status
```shell
systemctl status httpd
```

### Check Apache httpd server logs
```shell
tail -f /var/log/httpd/error_log
```

### Check Apache httpd server configuration
```shell
httpd -t
```

### Check Apache httpd server virtual hosts configuration
```shell
httpd -S
```

### Check Apache httpd server document root directory permissions
```shell
ls -ld ${DOCUMENT_ROOT_DIRECTORY}
```

### Check Apache httpd server directory index file permissions
```shell
ls -l ${DOCUMENT_ROOT_DIRECTORY}/${INDEX_FILE}
```

### Check Apache httpd server directory listing configuration
```shell
grep "Options" ${HTTPD_CONFIG_FILE}
```

### Check Apache httpd server .htaccess file configuration
```shell
grep -i "deny from all" ${DOCUMENT_ROOT_DIRECTORY}/.htaccess
```

## Repair

### Review and update the Apache HTTPD configuration files to ensure that all directories are properly secured and access is restricted to authorized users only. Use the "deny from all" directive to block access to unauthorized users.
```shell


#!/bin/bash



# Set variables

HTTPD_CONF=${PATH_TO_HTTPD_CONF}



# Back up the original configuration file

cp $HTTPD_CONF $HTTPD_CONF.bak



# Update the configuration file to deny access to all directories by default

sed -i 's/Options Indexes FollowSymLinks/Options -Indexes/g' $HTTPD_CONF

sed -i 's/AllowOverride None/AllowOverride All/g' $HTTPD_CONF



# Add "deny from all" directive to all directories

find /var/www/html -type d -exec echo "deny from all" >> {}/.htaccess \;



# Restart Apache HTTPD

systemctl restart httpd


```

This incident type refers to an unauthorized access to directories in Apache HTTPD, which is a widely used web server software. It means that someone was able to access files or directories that they were not supposed to, without having proper authorization. This type of incident can potentially lead to sensitive data being exposed or even stolen, and can compromise the security of the server and the applications running on it.


This incident type refers to frequent mismatches between the virtual hosts configured on an Apache server. This can cause issues with routing traffic to the intended web application or website, resulting in downtime or other problems. It is important to address these mismatches promptly to ensure the proper functioning of the server and any associated applications.


Virtual Host Mismatches on Apache Server.

The Slowloris Attack is a type of Denial of Service (DoS) attack that exploits a vulnerability in the Apache web server. It works by sending HTTP requests to the server and keeping those connections open for as long as possible, thereby using up all the available resources of the server and rendering it unresponsive to legitimate requests. As a result, the server becomes slow or unresponsive, causing downtime for the affected website or service. This type of attack can be detected and mitigated by implementing specific security measures and tools.


Slowloris Attack Detected on Apache server.

This incident type refers to the detection of SQL injection attempts in Apache web server logs. SQL injection is a type of cyber attack that exploits vulnerabilities in web applications allowing attackers to execute malicious SQL statements. In this incident, attackers are attempting to inject SQL code into the URI (Uniform Resource Identifier) of an Apache web server, potentially compromising the server's security and exposing sensitive information.


Apache SQL Injection Attempts in URI Incident

This incident type refers to a security vulnerability in the SSL/TLS configuration of the Apache HTTP Server, which can leave the server and its users vulnerable to attacks. The SSL/TLS configuration is responsible for encrypting the communication between the server and its clients, and if it is not configured properly, it can be exploited by hackers to intercept or modify sensitive data. This type of incident requires immediate attention from software engineers to ensure that the SSL/TLS configuration is properly configured to prevent any potential security threats.


Inadequate SSL/TLS Configuration for Apache HTTP Server.

This incident type refers to a situation where the number of child processes created by an Apache server reaches a high threshold, causing performance issues and potentially leading to server crashes. This can occur due to factors such as high traffic volume or misconfigured server settings. The incident requires investigation and mitigation to restore normal server functioning and prevent future occurrences.


High Number of Apache Child Processes Incident

```shell
export DOCUMENT_ROOT_DIRECTORY="PLACEHOLDER"

export INDEX_FILE="PLACEHOLDER"

export HTTPD_CONFIG_FILE="PLACEHOLDER"

export PATH_TO_HTTPD_CONF="PLACEHOLDER"
```


### Check Apache httpd server status

```shell
systemctl status httpd
```

### Check Apache httpd server logs

```shell
tail -f /var/log/httpd/error_log
```

### Check Apache httpd server configuration

```shell
httpd -t
```

### Check Apache httpd server virtual hosts configuration

```shell
httpd -S
```

### Check Apache httpd server document root directory permissions

```shell
ls -ld ${DOCUMENT_ROOT_DIRECTORY}
```

### Check Apache httpd server directory index file permissions

```shell
ls -l ${DOCUMENT_ROOT_DIRECTORY}/${INDEX_FILE}
```

### Check Apache httpd server directory listing configuration

```shell
grep "Options" ${HTTPD_CONFIG_FILE}
```

### Check Apache httpd server .htaccess file configuration

```shell
grep -i "deny from all" ${DOCUMENT_ROOT_DIRECTORY}/.htaccess
```


### Review and update the Apache HTTPD configuration files to ensure that all directories are properly secured and access is restricted to authorized users only. Use the "deny from all" directive to block access to unauthorized users.

```shell


#!/bin/bash



# Set variables

HTTPD_CONF=${PATH_TO_HTTPD_CONF}



# Back up the original configuration file

cp $HTTPD_CONF $HTTPD_CONF.bak



# Update the configuration file to deny access to all directories by default

sed -i 's/Options Indexes FollowSymLinks/Options -Indexes/g' $HTTPD_CONF

sed -i 's/AllowOverride None/AllowOverride All/g' $HTTPD_CONF



# Add "deny from all" directive to all directories

find /var/www/html -type d -exec echo "deny from all" >> {}/.htaccess \;



# Restart Apache HTTPD

systemctl restart httpd


```


Unauthorized Directory Access in Apache HTTPD.

Overview

Parameters

Debug

Check Apache httpd server status

Check Apache httpd server logs

Check Apache httpd server configuration

Check Apache httpd server virtual hosts configuration

Check Apache httpd server document root directory permissions

Check Apache httpd server directory index file permissions

Check Apache httpd server directory listing configuration

Check Apache httpd server .htaccess file configuration

Repair

Review and update the Apache HTTPD configuration files to ensure that all directories are properly secured and access is restricted to authorized users only. Use the "deny from all" directive to block access to unauthorized users.

Learn more

Related Runbooks

Virtual Host Mismatches on Apache Server.

Slowloris Attack Detected on Apache server.

Apache SQL Injection Attempts in URI Incident

Inadequate SSL/TLS Configuration for Apache HTTP Server.

Support