> From: Paul Singleton [mailto:[EMAIL PROTECTED]
> Is it possible to configure Tomcat (5.5.9) so that a
> moderately able hacker couldn't figure out what is
> serving up our web apps?

It's possible to add the 'server' attribute to the connector definition for the HTTP connector; server="BogoMAX v0.1 testing" should anonymise the single most obvious piece of information, but pick your own string so that when the hacker searches Google for the string they don't find this post. See http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/http.html for details.

It's possible that a more able hacker could also gain information from the usual range of specially-crafted invalid TCP packets [so use a decent firewall in front of the app server that detects and drops these], from traffic analysis of the way in which the app server returns data in the case of buffered and unbuffered pages, and likely from other techniques that I've not considered.

- Peter
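
An added example, not part of the original post: a small audit that checks each HTTP connector in a server.xml for the 'server' attribute described above. The sample server.xml, the list of revealing words and the extra check on the connector's xpoweredBy attribute are assumptions that go beyond the reply.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from the original post).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxThreads="150" />
    <Connector port="8443" scheme="https" secure="true"
               server="PLACEHOLDER-BANNER" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Connector port="8081" server="Apache-Coyote/1.1" xpoweredBy="true" />
  </Service>
</Server>"""

# Assumed word list: substrings that still name the product if left in a banner.
REVEALING = ("coyote", "tomcat", "catalina", "apache")


def audit_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for HTTP connectors that disclose the server."""
    findings = {}
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if protocol.upper().startswith("AJP"):
            continue  # AJP faces a front-end web server, not browsers
        port = conn.get("port", "?")
        issues = []
        banner = conn.get("server")
        if banner is None:
            issues.append("no 'server' attribute: default banner is sent")
        elif any(word in banner.lower() for word in REVEALING):
            issues.append(f"'server' value still names the product: {banner!r}")
        # xpoweredBy defaults to false; when true an X-Powered-By header is added.
        if conn.get("xpoweredBy", "false").lower() == "true":
            issues.append("xpoweredBy is enabled: X-Powered-By header is sent")
        if issues:
            findings[port] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_connectors(SAMPLE_SERVER_XML).items():
        for issue in issues:
            print(f"connector {port}: {issue}")
```
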
