Peter Crowther wrote:
From: Paul Singleton [mailto:[EMAIL PROTECTED]]
Is it possible to configure Tomcat (5.5.9) so that a moderately able hacker couldn't figure out what is serving up our web apps?
It's possible to add the 'server' attribute to the connector definition for the HTTP connector; server="BogoMAX v0.1 testing" should anonymise the single most obvious piece of information, but pick your own string so that when the hacker searches Google for the string they don't find this post. See http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/http.html for details. It's possible that a more able hacker could also gain information from the usual range of specially-crafted invalid TCP packets [so use a decent firewall in front of the app server that detects and drops these], from traffic analysis of the way in which the app server returns data in the case of buffered and unbuffered pages, and likely from other techniques that I've not considered.
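What the `server` attribute looks like in practice, as an added example that is not from the thread: the default HTTP connector in Tomcat 5.5's conf/server.xml (which sends `Server: Apache-Coyote/1.1`) next to the same connector with the header overridden. The connector attributes other than `server` are the stock 5.5 defaults; the `server` value is a made-up string, not a recommendation.

```xml
<!-- conf/server.xml, inside <Service name="Catalina">. Added example; not the thread's own configuration. -->

<!-- Before: no server attribute, so every response carries
     "Server: Apache-Coyote/1.1" and identifies the container. -->
<Connector port="8080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" />

<!-- After: server= overrides the Server header on the HTTP connector.
     "Example-Frontend/1.0" is a placeholder; choose a string that is not
     searchable back to this thread or to any real product. -->
<Connector port="8080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           server="Example-Frontend/1.0" />
```

After restarting Tomcat, a HEAD request (for example `curl -sI http://localhost:8080/` or the LiveHTTPHeaders extension mentioned later in the thread) should show the new value. The attribute only affects the connector it is set on, so an AJP connector fronted by Apache httpd is governed by httpd's `ServerTokens` instead.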
OK, thanks for this. My standalone 5.5.9 setup sends (according to LiveHTTPHeaders)

    Server: Apache-Coyote/1.1

(?) but there's another giveaway: request a non-existent page and you get

    HTTP Status 404 - /myapp/nonexistent
    type Status report
    message /myapp/nonexistent
    description The requested resource (/myapp/nonexistent) is not available.
    Apache Tomcat/5.5.9

so I'm searching the docs for a clue about suppressing this (nothing in Server Configuration Reference so far). But I'm worried that there might be other telltales, e.g. buried in the code which responds to bad HTTP requests or whatever? I'm not paranoid, but some of our customers are :-) and we have to be prepared to be reasonably diligent about these things. So I was hoping that someone, somewhere had already delved into this?

Paul Singleton

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.1/64 - Release Date: 4/Aug/2005

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
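The default status report page quoted above is generated by Tomcat's error report valve and ends with the container's name and version. The standard way to replace it, added here as an example and not from the thread, is the Servlet `<error-page>` element in the web application's WEB-INF/web.xml, which routes a status code or exception to a page you control. The paths `/errors/404.html`, `/errors/error.html` and the web app name are assumptions; the static pages themselves must be created by you and should carry no product or version text.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml for the application; added example, not the thread's own file.
     Servlet 2.4 is the level Tomcat 5.5 implements. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>myapp</display-name>

  <!-- Status codes: each one that would otherwise produce Tomcat's
       "HTTP Status NNN ... Apache Tomcat/5.5.9" report page is mapped to a
       static page under /errors/ (assumed path; create the files yourself). -->
  <error-page>
    <error-code>404</error-code>
    <location>/errors/404.html</location>
  </error-page>
  <error-page>
    <error-code>403</error-code>
    <location>/errors/error.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/errors/error.html</location>
  </error-page>

  <!-- Uncaught exceptions: without this, a servlet that throws shows the
       default report page including a stack trace and the version line. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errors/error.html</location>
  </error-page>

</web-app>
```

Two caveats a practitioner should check after deploying this. First, the mapping is per web application, so a request for a path that matches no deployed context (for example a typo in the context name itself) is still answered by the ROOT application, which needs the same `<error-page>` entries. Second, the page should be verified the same way the original telltale was found: request a non-existent URL and confirm the body no longer contains the `Apache Tomcat/` string.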
