Open directory listing on Webservers



The default installations of some kinds of web server software offer a directory listing to anyone who visits the server's front page.

Security Risks

The primary security risk is that an open directory listing may be leaking sensitive information from your system.

More general risks of an open directory listing include the following:

  • The listing typically reveals the specific version of the web server software that you are running.  This may reveal to a hacker that a particular webserver exploit may work.
  • The existence of the listing is a "flag" that the people running the machine may not be paying sufficient attention to system security.  For example, if you are running an out-of-date web server, that tells hackers that you may not be applying patches.

These things all increase the chance of your instance being compromised.

Recommended Fixes

If you no longer need to run a webserver on your instance, uninstall the web server software.  Alternatively, turn the web server off and disable it so that it won't start on reboot.  Please refer to the general system administration documentation appropriate to the operating system and distribution that you are running.

If you still need to run a webserver:

  • If possible, use NeCTAR security groups or internal firewalling to restrict access to the web service ports (80, 443, 8080 and so on) to specific IP address ranges.
  • Change the web service configuration to turn off the default directory listing.  It is hard to imagine a case where you would need to provide such a listing.


Have more questions? Submit a request


Powered by Zendesk