Help: Basic Security Precautions

  • sfx
  • Born
  • Joined: Sep 30, 2004
  • Posts: 1

Post September 30th, 2004, 6:08 pm

Hello,
I couldn't find any resources advising me on the basic security precautions to take for a web hosting account.

For example, my new host by default lists all the files in a directory. I've heard that's not recommended. (By the way, what's the best way to prevent this?).

Just to be clear, I am looking for basic security precautions that should/can be taken on the hosting server.

My hosting uses cPanel and while I have a computer background, a little bit of detail when it comes to unix would be appreciated.
Or just point me to the right resources.

Thanks.
  • Daemonguy
  • Moderator
  • Web Master
  • Joined: Jan 23, 2004
  • Posts: 2673
  • Loc: Somewhere outside the box in Sarasota, FL.

Post October 1st, 2004, 5:42 am

Well, there's always the theory of "security through obscurity" -- but it doesn't stand alone.

Throwing an index.html into that dir with any sort of trite phrase would suffice, though I have to say, if no precautions are taken by your provider, I would have to seriously consider alternatives. :)

Of course, another thing to concern yourself with is the standard cgi files which are often left in default builds of Apache. (Default cgi's can be a 'bad thing' and should be removed.) Then there's file permissions; you need to give the web server perms to read, but not write, and cordon off any writable files to a specific directory... this goes for the executables as well.

The thing of it is, supposedly this is what you pay a hosting company for; to ensure that files cannot be abused. In other words, they should have set things up in such a way that certain areas may be written to and certain areas are used to house executables. If you just bought space on someone else's box, standard security practices are the primary responsibility of a sysad assigned to it.
I doubt, in this instance, you have the capability to cook your own httpd.conf files or implement your own modules. Do you even have ssh access to the server? Or just FTP?

Cheers.
"It's always a long day, 86,400 won't fit into a short."
  • harryhood
  • Graduate
  • Joined: May 15, 2004
  • Posts: 141

Post October 1st, 2004, 9:02 pm

To turn off directory indexing add the following line to the .htaccess file in your root (public_html) folder:

Options -Indexes

Just save the .htaccess file once you've added that line and indexing is now disabled.
  • Daemonguy
  • Moderator
  • Web Master
  • Joined: Jan 23, 2004
  • Posts: 2673
  • Loc: Somewhere outside the box in Sarasota, FL.

Post October 2nd, 2004, 6:29 am

I am not a huge fan of .htaccess files as the file is parsed on each and every request; not only that, parent dir .htaccess files are parsed as well.
If I had an option, I would add config values to the httpd.conf; however, it is unlikely in this case that the individual has access to that.

Cheers.
"It's always a long day, 86,400 won't fit into a short."
  • Uncensored-Hosting
  • Proficient
  • Joined: Sep 26, 2004
  • Posts: 383
  • Loc: Los Angeles

Post October 2nd, 2004, 4:31 pm

This is not a good sign. Cpanel is a nice overlay for a server and appeals to a lot of customers, but it cannot be mistaken for the end all or be all to server management/security. Cpanel does give the host and/or reseller the option to add a temporary placeholder (index.html) in the public_html folder of each account created to prevent the display of its contents. However, it is better that the host set the directory indexing option off within the httpd.conf to make the rule systemic.

sfx wrote:

For example, my new host by default lists all the files in a directory. I've heard that's not recommended. (By the way, what's the best way to prevent this?).

Just to be clear, I am looking for basic security precautions that should/can be taken on the hosting server.

My hosting uses cPanel and while I have a computer background, a little bit of detail when it comes to unix would be appreciated.
Or just point me to the right resources.

Thanks.
MONEY BACK GUARANTEE! • Ddos, DOS, Brute force, Password Trading & Proxy attack defense. • No price increase EVER!
sales@uncensored-hosting.com Uncensored-Hosting
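
An added example, not part of any post in this thread: a POSIX shell audit of a web root for the points raised above, namely directories that would be listed, whether Options -Indexes is active in the root .htaccess, and world-writable files outside one designated writable directory. The index file names, the "uploads" directory name and the idea that the web server runs as a different user than the account owner are assumptions; the script cannot see settings made in httpd.conf.

```shell
#!/bin/sh
# Added example: audit a web root for the issues raised in this thread.
# Usage: sh audit.sh /home/USER/public_html [writable-subdir]
# Assumption: the web server runs as a different user than the account
# owner, so the "other" write bit is what lets it modify a file.

# Directories with no index file; Apache lists these when Indexes is on.
# The three index names are an assumed DirectoryIndex setting.
dirs_without_index() {
    find "$1" -type d | while IFS= read -r d; do
        found=0
        for f in index.html index.htm index.php; do
            if [ -f "$d/$f" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$d"; fi
    done
}

# Succeeds if ROOT/.htaccess carries an active "Options ... -Indexes" line.
# Commented-out lines do not match; server-level config is not inspected.
indexes_disabled() {
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# World-writable files and directories outside the one designated
# writable subdirectory ($2, relative to the root $1).
world_writable_outside() {
    find "$1" -path "$1/$2" -prune -o -perm -0002 ! -type l -print
}

if [ "$#" -gt 0 ]; then
    root=$1
    writable=${2:-uploads}   # hypothetical default directory name
    if indexes_disabled "$root"; then
        echo "OK: Options -Indexes is set in $root/.htaccess"
    else
        echo "WARN: no Options -Indexes; these directories would be listed:"
        dirs_without_index "$root" | sed 's/^/  /'
    fi
    echo "World-writable paths outside $root/$writable:"
    world_writable_outside "$root" "$writable" | sed 's/^/  /'
fi
```

Anything the last check prints can be tightened with chmod o-w, keeping write access only inside the designated directory.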


© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.