Have disabled apache site config file 000-default.conf, but it still seems active. Why?

Just as a matter of explanation for future users.

Your 000-default.conf file is a catch-all site and should be left alone. It is good for security. It can be frustrating when a site configuration does not work and the default site is served. I get it. Still, leave it alone. Many people are unaware of why the default site exists. Here is a bit of an explanation.

When Apache receives a request, it tries to match it to a configuration it knows about. So any request for example.com will look for an example.com.conf with a proper configuration. If there is no match, the 000-default.conf site is used. If a request for bogussite.com is seen and it does not exist on the server, then the 000-default.conf file is served. This is especially useful for IP address only requests. And we all hate those!! However, if there is an error in example.com.conf, it is still possible that the 000-default.conf site is served, making the exact reason why and how the configuration is failing a bit confusing and very frustrating.

I gave some sample configurations from a live server here: Virtualhost config: routing and wildcard usage

Push comes to shove, these should always work. You can cut and paste them exactly then make the necessary changes or modify your existing file(s). Your option. It is easy to go cross-eyed on this so be careful. We have all done it so you will not be alone.

@HighlyIrregular makes this point in his comments which should live.

You can always check the configuration in a shell session using...

$ apachectl configtest

... which should help troubleshoot issues.

You will need to create your new/additional site(s) in your /etc/apache2/sites-available/ directory using a file format similar to example.com.conf. You will also want to make sure that /etc/apache2/apache2.conf has Include sites-enabled/ or something similar as one of the last lines.

When a change to any configuration file is made, Apache has to be restarted. Apache caches configurations in memory and changes will not be seen until it is restarted. On rare occasions, a restart does not work as expected. In this case, to rule this out as an issue, you will want to reboot your server. It is very possible that valid configurations are not seen when restarted. Not sure why. However, with a reboot, Apache is forced to re-cache the configuration files. It is like getting a bigger hammer. Well worth a try sometimes.
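
The matching behaviour described in the answer above, as an added example that is not part of the original answer: a simplified model of Apache's name-based selection, which compares the Host header with each vhost's ServerName and ServerAlias in load order and falls back to the first vhost loaded. The file contents and the misspelled ServerName are constructed, and every vhost is assumed to listen on *:80.

```python
import fnmatch
import re

# Constructed sample: file name -> contents, as they would sit in sites-enabled/.
SITES_ENABLED = {
    "example.com.conf": """
<VirtualHost *:80>
    ServerName exmaple.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example
</VirtualHost>
""",
    "000-default.conf": """
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
""",
}

def load_vhosts(files):
    """Return vhosts in load order; a wildcard Include reads files alphabetically."""
    vhosts = []
    for fname in sorted(files):
        blocks = re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>",
                            files[fname], re.S | re.I)
        for body in blocks:
            names = []
            for line in body.splitlines():
                parts = line.split("#", 1)[0].split()
                if parts and parts[0].lower() in ("servername", "serveralias"):
                    names += [p.lower() for p in parts[1:]]
            vhosts.append({"file": fname, "names": names})
    return vhosts

def select_vhost(vhosts, host_header):
    """Simplified name-based selection for a single address:port."""
    host = host_header.split(":")[0].lower().rstrip(".")
    for vh in vhosts:
        # ServerAlias may contain * and ? wildcards.
        if any(fnmatch.fnmatchcase(host, pat) for pat in vh["names"]):
            return vh["file"]
    return vhosts[0]["file"]  # no match: the first vhost loaded is the default

if __name__ == "__main__":
    loaded = load_vhosts(SITES_ENABLED)
    for h in ("example.com", "www.example.com", "203.0.113.10", "bogussite.com"):
        print(f"{h:18} -> {select_vhost(loaded, h)}")
```

The misspelled ServerName passes a syntax check, yet requests for example.com land on 000-default.conf while www.example.com still reaches the intended site.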


I agree with user 'closetnoc', who replied at [2015-Aug-2 00:24:36Z] in response to the original post and wrote "The 000-default.conf site is a catch-all for any request the server does not have a configuration file for".

And, I think we can make use of such a 'catch-all site' as a last resort to safeguard and to enhance the overall security.

What I tried to do is still allow the site '000-default.conf' to be activated, but make its configuration a little bit different, so that it constantly drops ALL requests WITHOUT sending a response and then immediately CLOSES THE CONNECTION for all prohibited access, so that nothing is returned/revealed to the attempting requestor.

Here is my '000-default.conf' file, for your reference:

<VirtualHost *:80>
    # ServerName whatsoever
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/default_error.log
    CustomLog ${APACHE_LOG_DIR}/default_access.log combined

    <Location />
        <RequireAny>
            # Example for 'Block all':
            # Require ip 0.0.0.0/32
            Require all denied

            # Example for 'White list':
            # Require ip 172.217.24.37/32
        </RequireAny>
    </Location>

    SecRuleEngine On
    SecRule RESPONSE_STATUS "403" "phase:4,id:1,drop"
</VirtualHost>

Be reminded to install the 'ModSecurity' module so that the directives 'SecRuleEngine' and 'SecRule' can be accepted. If you require additional assistance and reference on the topic of the 'ModSecurity' module, I suggest you search the Internet.

Hope the above helps!