What I usually do is forbid access to the root directory in the conf.d/security file (that's the standard way in Ubuntu, in other OS you could put that in httpd.conf)
<Directory />
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
Therefore, Apache will only allow access to subdirectories configured in VirtualHosts. For instance, you could have:
/var/www/example1.domain.com/your_files
/var/www/example2.domain.com/your_files
And have VirtualHosts like those:
ServerName example1.domain.com
ErrorLog /var/log/apache2/example1.domain.com_error.log
CustomLog /var/log/apache2/example1.domain.com_access.log Combined
DocumentRoot /var/www/example1.domain.com/
(...)
<Directory />
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
ServerName example2.domain.com
ErrorLog /var/log/apache2/example2.domain.com_error.log
CustomLog /var/log/apache2/example2.domain.com_access.log Combined
DocumentRoot /var/www/example2.domain.com/
(...)
<Directory />
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
However, mrjink noted that this configuration will use the first VirtualHost will server all requests that somehow reach the server (by ip or unknown hostname). Therefore, an additional Dummy VirtualHost is needed, which name should be something like "000-dummy-virtualhost" to ensure that it is the first VirtualHost to serve these requests.
With that conf, petitions to your server or your IP won't be served, but petitions to example1.domain.com or example2.domain.com will be.
Regards,