Possible sensitive files
Description
The web server exposes files that are not directly linked from the website but may contain sensitive information. These files can include configuration files, log files, backup files, database dumps, password files, include files, or statistics data. Attackers commonly probe for these resources using automated tools and known file naming patterns to gather intelligence about the target system.
Remediation
Take the following steps to secure sensitive files:
1. Remove unnecessary files: Delete backup files, test files, configuration samples, and any other files not required for production operation.
2. Restrict access using web server configuration: Configure access controls to deny public access to sensitive directories and file types.
For Apache (.htaccess or httpd.conf):

<FilesMatch "\.(log|bak|config|sql|inc|old|tmp)$">
    Require all denied
</FilesMatch>

For Nginx (nginx.conf):

location ~* \.(log|bak|config|sql|inc|old|tmp)$ {
    deny all;
    return 404;
}

For IIS (web.config):

<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".log" allowed="false" />
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".config" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

3. Move sensitive files outside the web root: Store configuration files, logs, and includes in directories that are not accessible via HTTP requests.
4. Implement proper file permissions: Ensure sensitive files have restrictive file system permissions that prevent unauthorized access.
5. Regular audits: Periodically scan your web directories for unintended file exposure and remove or protect any discovered sensitive resources.
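The following Python script is an added example (not part of this advisory) of the audit in step 5, run against a constructed sample web root: it mirrors the deny pattern from the Apache/Nginx rules above and separately flags leftovers that the end-anchored pattern does not match, such as compressed dumps and editor backup files (that second set of heuristics is an assumption added here, not a rule from the page).

```python
"""Audit a web root for files the deny rules above would, and would not, cover."""
import re
import tempfile
from pathlib import Path

# Same extension list as the FilesMatch / location rules in step 2.
# IGNORECASE mirrors the Nginx "~*" modifier; Apache FilesMatch is case-sensitive.
DENY_RULE = re.compile(r"\.(log|bak|config|sql|inc|old|tmp)$", re.IGNORECASE)

# Extra audit heuristics (constructed here, not from the page): compressed dumps
# and editor/backup leftovers slip past the rule because it is anchored at the end.
AUDIT_HINTS = re.compile(r"(\.(sql|log|bak)\.(gz|zip|tar)$|~$|\.swp$|\.orig$)", re.IGNORECASE)


def classify(rel_path):
    """'denied' if the deny rule covers the file, 'exposed' if only an audit
    heuristic flags it (rule would still serve it), otherwise 'ok'."""
    if DENY_RULE.search(rel_path):
        return "denied"
    if AUDIT_HINTS.search(rel_path):
        return "exposed"
    return "ok"


def audit(webroot):
    """Walk webroot and group flagged files (paths relative to the root) by status."""
    root = Path(webroot)
    result = {"denied": [], "exposed": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            status = classify(rel)
            if status != "ok":
                result[status].append(rel)
    return result


def demo():
    """Create a constructed sample web root in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ["index.php", "config.php.bak", "logs/access.log", "db/dump.sql",
                     "db/dump.sql.gz", "inc/header.inc", "editor.php~"]:
            f = root / name
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("sample")
        return audit(root)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

Files reported as "exposed" are the ones to remove or move outside the web root (steps 1 and 3), since the deny rule alone does not protect them.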