Posted to users@tomcat.apache.org by "Arend P. van der Veen" <ap...@acm.org> on 2007/09/15 15:47:56 UTC

Server Identity

Hi,

Does anybody know if it is possible to hide the identity of a tomcat web 
server?  When I do a Nessus scan I get the following:

Server: Apache-Coyote/1.1

I have already looked at the Tomcat configuration documentation and 
searched Google to find the answer but did not have any luck.

Is it possible to mask this so that hackers do not know what type of web 
server I am running?

Thanks in advance,
Arend

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Server Identity

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Arend,

Arend P. van der Veen wrote:
> Thanks for your feedback.  I am already overriding all of the error
> pages and java exception page.  I did not realize that server tag in the
> HTTP connector was referring to this.  I guess I should have tried that
> first.  I will give it a shot.

Note that the server string gets set to Apache-Coyote-1.1, which is the
version of the HTTP connector, not the app server itself.

You might consider keeping "Apache-Coyote" and removing the version
number... at least that way you're likely to be counted as running
Tomcat as your web server when things like the netcraft crawler go out
to find out who is using what web servers to determine market share.

-chris


Re: Server Identity

Posted by "Arend P. van der Veen" <ap...@acm.org>.
Markus Schönhaber wrote:
> Arend P. van der Veen wrote:
> 
>> Does anybody know if it is possible to hide the identity of a tomcat web 
>> server?  When I do a Nessus scan I get the following:
>>
>> Server: Apache-Coyote/1.1
>>
>> I have already looked at the Tomcat configuration documentation and 
>> searched Google to find the answer but did not have any luck.
>>
>> Is it possible to mask this so that hackers do not know what type of web 
>> server I am running?
> 
> Chuck already pointed you to the relevant part of the docs.
> 
> Nevertheless: changing the value of the Connector's server attribute
> alone won't help you much. For example, if you don't prevent the
> standard error pages from being used. Those contain much more detailed
> and much more easily accessible information about Tomcat than the Server
> HTTP-header does.
> 
> BTW: I wouldn't consider hiding the server type a really relevant
> increase of security. If there is a security flaw in Tomcat, an attacker
> will probably simply try to use an exploit for this flaw - regardless
> what the server claims to be. If it's an exploitable Tomcat, it will
> work. If it isn't, he'll try something else.
> 
> Regards
>   mks
> 
Hi,

Thanks for your feedback.  I am already overriding all of the error 
pages and java exception page.  I did not realize that server tag in the 
HTTP connector was referring to this.  I guess I should have tried that 
first.  I will give it a shot.

Thanks,
Arend



Re: Server Identity

Posted by Markus Schönhaber <ma...@schoenhaber.de>.
Arend P. van der Veen wrote:

> Does anybody know if it is possible to hide the identity of a tomcat web 
> server?  When I do a Nessus scan I get the following:
> 
> Server: Apache-Coyote/1.1
> 
> I have already looked at the Tomcat configuration documentation and 
> searched Google to find the answer but did not have any luck.
> 
> Is it possible to mask this so that hackers do not know what type of web 
> server I am running?

Chuck already pointed you to the relevant part of the docs.

Nevertheless: changing the value of the Connector's server attribute
alone won't help you much. For example, if you don't prevent the
standard error pages from being used. Those contain much more detailed
and much more easily accessible information about Tomcat than the Server
HTTP-header does.

BTW: I wouldn't consider hiding the server type a really relevant
increase of security. If there is a security flaw in Tomcat, an attacker
will probably simply try to use an exploit for this flaw - regardless
what the server claims to be. If it's an exploitable Tomcat, it will
work. If it isn't, he'll try something else.

Regards
  mks


RE: Server Identity

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Arend P. van der Veen [mailto:apvanderveen@acm.org] 
> Subject: Server Identity
> 
> Does anybody know if it is possible to hide the identity of a 
> tomcat web server?

To quote from the Tomcat HTTP <Connector> doc:

"server - The Server header for the http response. Unless you are
paranoid, you won't need this feature."

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

 - Chuck
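The two settings discussed in this thread, the Connector's `server` attribute that Chuck quotes and the replacement of Tomcat's default error pages that Markus points out, put together as one added configuration example. This is not configuration from the thread or from the Tomcat project; the `showReport`/`showServerInfo` attributes of `ErrorReportValve` are assumed to exist in the Tomcat release you run (they are not in the 6.0 line the thread discusses; check the ErrorReportValve reference for your version), and the error page paths under `/WEB-INF/errors/` are assumed names.

```xml
<!-- conf/server.xml (added example, not from the thread) -->

<!-- 1. Server header: override the connector's default "Apache-Coyote/1.1".
        Chris's suggestion of keeping the product name but dropping the version. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           server="Apache-Coyote" />

<!-- 2. Default error report: the standard error page names Tomcat and its exact
        version and, for a 500, prints the Java stack trace. Markus's point is that
        this leaks far more than the Server header. showReport/showServerInfo are
        assumed to be available in your Tomcat release (newer than 6.0). -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false"
         showServerInfo="false" />
</Host>

<!-- WEB-INF/web.xml of each application (added example): route errors to pages the
     application owns, so the container's report is never rendered for that context.
     Paths under /WEB-INF/errors/ are assumed; error-page forwards internally, so
     WEB-INF locations are reachable here even though clients cannot request them. -->
<error-page>
  <error-code>404</error-code>
  <location>/WEB-INF/errors/404.html</location>
</error-page>
<error-page>
  <error-code>500</error-code>
  <location>/WEB-INF/errors/500.html</location>
</error-page>
<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/WEB-INF/errors/500.html</location>
</error-page>
```

To check the result, request a page that does not exist and inspect both the headers and the body, for example `curl -si http://localhost:8080/does-not-exist` and look at the `Server:` line and at whether the body still contains the Tomcat version string. The `web.xml` mappings only cover requests that reach that application; a request for a path outside any deployed context is still answered by the Host's `ErrorReportValve`, which is why both pieces are needed. As Markus notes, none of this removes a vulnerability; it only reduces what is advertised, so patching remains the actual control.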

