The default Apache installation in Debian permits users to publish content under the $HOME/public_html. This content can be retrieved remotely using an URL such as: http://your_apache_server/~user.

If you do not want to permit this you must change the /etc/apache/http.conf configuration file commenting out (in Apache 1.3) the following module:

LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so

If you are using Apache 2.0 you must remove the file /etc/apache2/mods-enabled/userdir.load or restrict the default configuration by modifying /etc/apache2/mods-enabled/userdir.conf.

However, if the module was linked statically (you can list the modules that are compiled in running apache -l) you must add the following to the Apache configuration file:

Userdir disabled

An attacker might still do user enumeration, since the answer of the web server will be a 403 Permission Denied and not a 404 Not available. You can avoid this if you use the Rewrite module.

Apache logfiles, since 1.3.22-1, are owned by user 'root' and group 'adm' with permissions 640. These permissions are changed after rotation. An intruder that accessed the system through the web server would not be able (without privilege escalation) to remove old log file entries.

Apache files are located under /var/www. Just after installation the default file provides some information on the system (mainly that it's a Debian system running Apache). The default webpages are owned by user root and group root by default, while the Apache process runs as user www-data and group www-data. This should make attackers that compromise the system through the web server harder to deface the site. You should, of course, substitute the default web pages (which might provide information you do not want to show to outsiders) with your own.