tomcat-users mailing list archives

From "Arend P. van der Veen" <apvanderv...@acm.org>
Subject Re: Server Identity
Date Sat, 15 Sep 2007 16:01:48 GMT
Markus Schönhaber wrote:
> Arend P. van der Veen schrieb:
> 
>> Does anybody know if it is possible to hide the identity of a Tomcat web 
>> server?  When I do a Nessus scan I get the following:
>>
>> Server: Apache-Coyote/1.1
>>
>> I have already looked at the Tomcat configuration documentation and 
>> searched Google to find the answer but did not have any luck.
>>
>> Is it possible to mask this so that hackers do not know what type of web 
>> server I am running?
> 
> Chuck already pointed you to the relevant part of the docs.
> 
> Nevertheless: changing the value of the Connector's server attribute
> alone won't help you much. For example, if you don't prevent the
> standard error pages from being used. Those contain much more detailed
> and much more easily accessible information about Tomcat than the Server
> HTTP-header does.
> 
> BTW: I wouldn't consider hiding the server type a really relevant
> increase of security. If there is a security flaw in Tomcat, an attacker
> will probably simply try to use an exploit for this flaw - regardless
> what the server claims to be. If it's an exploitable Tomcat, it will
> work. If it isn't, he'll try something else.
> 
> Regards
>   mks
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
Hi,

Thanks for your feedback.  I am already overriding all of the error 
pages and the Java exception page.  I did not realize that the server tag in the 
HTTP connector was referring to this.  I guess I should have tried that 
first.  I will give it a shot.

Thanks,
Arend
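
Added example, not part of the original messages: a small Python check for the two places the thread says a Tomcat identity can show up, the Server header and the error page body. The sample responses, the version string in them and the replacement header value are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from a real server).
DEFAULT_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Apache Tomcat/6.0.14 - Error report</title></head>"
    "<body><h1>HTTP Status 404 - /missing</h1>"
    "<h3>Apache Tomcat/6.0.14</h3></body></html>"
)
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: webserver\r\n"  # assumed value of the Connector's server attribute
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><body><h1>Page not found</h1></body></html>"
)

# Strings that name the product, with or without a version.
PRODUCT_RE = re.compile(r"Apache[- ](?:Coyote|Tomcat)(?:/[\d.]+)?", re.I)
# A Java stack frame in the body means the exception page is not overridden.
STACK_RE = re.compile(r"^\s*at\s+[\w.$]+\(.*\)", re.M)

def identity_leaks(raw_response):
    """Return (location, evidence) pairs found in one raw HTTP response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    _status_line, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    leaks = []
    match = PRODUCT_RE.search(headers.get("server", ""))
    if match:
        leaks.append(("Server header", match.group(0)))
    for evidence in sorted(set(PRODUCT_RE.findall(body))):
        leaks.append(("error page body", evidence))
    if STACK_RE.search(body):
        leaks.append(("error page body", "Java stack trace"))
    return leaks

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_404), ("hardened", HARDENED_404)):
        print(label, identity_leaks(raw))
```

The default sample reports both the header and the error page, while the hardened sample reports nothing; changing only the header would still leave the error page finding.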