
I have an Apache server (Apache/2.4.29 - Ubuntu 18.04.3 LTS [Bionic Beaver]). I have recently noticed that the website hosted on it is vulnerable to Directory Buster attacks. This means the attacker can read the entire structure of the website and the PHP code of the website (not sure about this).

I have searched over the web and feel that Apache 2.4.29 cannot inherently stop Directory Buster attacks. I have found one solution which suggests adding a REWRITE rule in the .htaccess file, but that seems okay only when the attacker isn't changing the headers in the attack tool (Directory Buster, for instance); if he changes the headers he can simply read the website's structure.

How can I completely stop Directory Buster attacks (without buying an expensive IDS, if possible)?

Here is what I have gathered from the web so far as the "Possible Solution" for this scenario, which suggests including the code below in the .htaccess file in the root directory of the website:

<IfModule mod_rewrite.c>
# RewriteEngine must sit inside the IfModule block; outside it, Apache fails
# to start when mod_rewrite is not loaded.
RewriteEngine On
# Each condition matches a scanner name in the User-Agent header
# ([NC] = case-insensitive, [OR] chains the conditions).
RewriteCond %{HTTP_USER_AGENT} ^w3af.sourceforge.net [NC,OR]
RewriteCond %{HTTP_USER_AGENT} dirbuster [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nikto [NC,OR]
RewriteCond %{HTTP_USER_AGENT} SF [OR]
RewriteCond %{HTTP_USER_AGENT} sqlmap [NC,OR]
RewriteCond %{HTTP_USER_AGENT} fimap [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nessus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} whatweb [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Openvas [NC,OR]
RewriteCond %{HTTP_USER_AGENT} jbrofuzz [NC,OR]
RewriteCond %{HTTP_USER_AGENT} libwhisker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webshag [NC,OR]
# Acunetix sets its own request header rather than a distinctive User-Agent.
RewriteCond %{HTTP:Acunetix-Product} ^WVS
# If any condition matched, redirect the client to localhost and stop processing.
RewriteRule ^.* http://127.0.0.1/ [R=301,L]
</IfModule>
  • Does this help https://stackoverflow.com/a/31445273/4882134 – endeavour Jun 11 '21 at 12:57
  • Hi @endeavour I will check it but these directory enumerator attacks sometimes work on the brute-forcing method. They try every possible combination of file name and extension and when they get a server response of 200 on that resource/file, the tool indexes it. It then keeps on doing this recursively till the brute force ends. So, do you think removing Indexes or disabling from Apache will stop it? Please suggest. – Kaushal Shakya Jun 11 '21 at 13:14
  • No, it will not work with brute forces. It will simply stop showing directories if an index file is not present in the directory. – endeavour Jun 11 '21 at 13:33
  • That tools like Directory Buster work is not a security problem unless you have hidden paths (or files) dedicated for certain users but those paths do not require a proper authentication. – Robert Jun 13 '21 at 13:48
  • @Robert He may try posting data with tools like Postman on PHP files randomly, and if some file accepts $_POST[ ] data with a common name then it could be a problem. The website I am trying to protect is an Open Source package (like WordPress or a RoundCube webmail) whose vulnerabilities are not known to me. I don't even know what portion of the code is vulnerable or implemented to execute without authentication. So, in those cases, the attacker can execute files. I mean, can we set some directory like "config" to not let the user read anything at all but the application can read it? – Kaushal Shakya Jun 15 '21 at 05:42
  • Directories like config should only contain PHP files that have no output when opened in a web browser. – Robert Jun 15 '21 at 07:26
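The comments above point out that a scanner can change its User-Agent, so the .htaccess rule in the question is bypassed by anyone who edits the headers. As an added example (not from the question or any answer), the following script flags directory brute-forcing in Apache's combined access.log by what the tool cannot hide: a burst of 404 responses from one client, whatever its User-Agent says. The log lines are constructed, and the threshold and window are assumed values to tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" LogFormat, the default access.log layout on Ubuntu 18.04.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_bruteforcers(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak_404_count} for clients that produced at least
    `threshold` 404s inside any sliding `window`. The User-Agent is ignored
    on purpose: a renamed scanner still produces the same 404 burst."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 404s
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop 404s older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _line(ip, sec, path, status, ua="Mozilla/5.0"):
    # Constructed sample log line with an ordinary browser User-Agent.
    return (f'{ip} - - [11/Jun/2021:12:57:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed sample: one client guessing twelve paths in twelve seconds,
# one normal visitor with a single broken image link.
SAMPLE_LOG = ([_line("203.0.113.5", i, f"/guess{i}/", 404) for i in range(12)]
              + [_line("198.51.100.7", 5, "/index.php", 200),
                 _line("198.51.100.7", 30, "/missing.png", 404)])
```

Feeding the flagged addresses into a firewall rule or fail2ban jail gives the rate-based block the question's UA rule cannot provide; the threshold should be set above the 404 rate your legitimate traffic produces.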

0 Answers