> you make tomee easily identifiable compared to tomcat (= any java server of
> the web more or less). This way it is super easy to know that you can
> exploit a cxf issue for instance, thing you don't know with default header.
Folks, let's weigh the upsides and downsides

* upside: we show up in stats
* downside: easier to get hacked?

WHY? All the scripts I do know are really blunt brute force. They f***g don't
care about ANY headers. Of course they probably _sort_ their attacks, but still
they will use ALL vectors they have. Brute force attacks are almost never
executed from the origin but always hidden and executed by a zombie mob of
hacked clients. So the origin doesn't care if some old grandma's Win98 PC needs
a few seconds longer to hack your server.

So basically it makes no sense to hide the fact that a server is running TomEE.

LieGrue,
strub

> On 08.05.2015 at 00:34, Romain Manni-Bucau <[email protected]> wrote:
>
> 2015-05-08 0:32 GMT+02:00 Andy <[email protected]>:
>
>> Yes yes whatever, you win (not that this was ever intended to be a
>> competition, you just seem to enjoy making it into one every single
>> time)... I am going to bed. Complete waste of my time. You still imply that
>> I have unsecured something?
>>
>
> you make tomee easily identifiable compared to tomcat (= any java server of
> the web more or less). This way it is super easy to know that you can
> exploit a cxf issue for instance, thing you don't know with default header.
>
>> On 08/05/2015 00:26, Romain Manni-Bucau wrote:
>>
>>> not what I said.
>>>
>>> I said:
>>> 1) over exposing a variable you shouldn't activate is useless
>>> 2) we shouldn't set Apache TomEE to server variable by default
>>>
>>> Happy to replace these defaults by a server.xml.sample or anything you
>>> judge appropriate while we stay aligned on tomcat default secured settings
>>> (also note that Apache Coyote is secured cause most of servers have it
>>> otherwise it would be as Apache TomEE)
>>>
>>> Romain Manni-Bucau
>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog
>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
>>> <http://www.tomitribe.com>
>>>
>>> 2015-05-08 0:24 GMT+02:00 Andy <[email protected]>:
>>>
>>>> Hmm, so why do you want to treat the system administrator like one?
>>>>
>>>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
>>>>
>>>>> Sure security is all about children...
>>>>>
>>>>> 2015-05-08 0:19 GMT+02:00 Andy <[email protected]>:
>>>>>
>>>>>> I was just thinking 'Kindergarten', how strange...
>>>>>>
>>>>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
>>>>>>
>>>>>>> hmm this answer doesn't make sense for me, I surely miss something but
>>>>>>> read it like "hey there is this property you can switch on true but if you
>>>>>>> google you'll see you shouldn't"
>>>>>>>
>>>>>>> 2015-05-08 0:15 GMT+02:00 Andy <[email protected]>:
>>>>>>>
>>>>>>>> This is what I said and the reason I changed it. And yes the constants
>>>>>>>> have that for 'server' now, and have also had other values in the past.
>>>>>>>>
>>>>>>>> So to be even more complete and correct myself.... changed it from
>>>>>>>> "Apache Coyote/1.1" to "Apache TomEE", which is still better IMHO.
>>>>>>>>
>>>>>>>> @Romain: "you encourage it by making it on the front of the scene."
>>>>>>>>
>>>>>>>> That's like saying I'm encouraging someone to change the 'port', which is
>>>>>>>> also potentially dangerous when put into the hands of an idiot.
>>>>>>>> I like, and hope, to think that exposing a property would encourage
>>>>>>>> someone to look it up before changing it blindly. The very first google
>>>>>>>> hit on 'xpoweredBy' will enlighten even the most fickle reader.
>>>>>>>>
>>>>>>>> Sorry if my opinion just does not fit in on that. Another hour of my life
>>>>>>>> wasted.
>>>>>>>>
>>>>>>>> Andy.
>>>>>>>>
>>>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
>>>>>>>>
>>>>>>>>> 2015-05-07 23:56 GMT+02:00 Andy <[email protected]>:
>>>>>>>>>
>>>>>>>>>> Also, for completeness:
>>>>>>>>>>
>>>>>>>>>> xpoweredBy="*false*" activates nothing, if it were xpoweredBy="*true*"
>>>>>>>>>> then maybe that might just 'activate' whatever it is you think is being
>>>>>>>>>> activated here?
>>>>>>>>>>
>>>>>>>>> you encourage it by making it on the front of the scene.
>>>>>>>>>
>>>>>>>>>> server="*Apache TomEE*" merely changes the existing value and also
>>>>>>>>>> 'activates' nothing. I don't see where you think this is a security
>>>>>>>>>> issue?
>>>>>>>>>> Happy to learn though, so please point me to the specific code that this
>>>>>>>>>> affects?
>>>>>>>>>>
>>>>>>>>> it is on by default is not overridden by the app.
>>>>>>>>>
>>>>>>>>>> Andy.
>>>>>>>>>>
>>>>>>>>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
>>>>>>>>>>
>>>>>>>>>>> You activated 2 different headers which is useless since we change
>>>>>>>>>>> serverinfo by default you already get tomee here.
>>>>>>>>>>>
>>>>>>>>>>> That said this is not the real issue. Doing it is a standard security
>>>>>>>>>>> issue, that is why it is off by default in tomcat so I suggest to not
>>>>>>>>>>> set it on by default
>>>>>>>>>>>
>>>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <[email protected]>:
>>>>>>>>>>>
>>>>>>>>>>>> Some crawlers are using that header as the evaluation.
>>>>>>>>>>>> Default is Apache
>>>>>>>>>>>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will
>>>>>>>>>>>> give us better standing.
>>>>>>>>>>>>
>>>>>>>>>>>> Andy.
>>>>>>>>>>>>
>>>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> PS (sorry hit enter without wishing it): asking cause I wouldn't
>>>>>>>>>>>>> have it on by default as a user
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <[email protected]>:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What's the goal? We already switch server info, isn't it enough?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ---------- Forwarded message ----------
>>>>>>>>>>>>>> From: <[email protected]>
>>>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
>>>>>>>>>>>>>> Subject: tomee git commit: TomEE header
>>>>>>>>>>>>>> To: [email protected]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Repository: tomee
>>>>>>>>>>>>>> Updated Branches:
>>>>>>>>>>>>>>   refs/heads/master 2c4047e14 -> 268b57c86
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> TomEE header
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
>>>>>>>>>>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
>>>>>>>>>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
>>>>>>>>>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Branch: refs/heads/master
>>>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
>>>>>>>>>>>>>> Parents: 2c4047e
>>>>>>>>>>>>>> Author: [email protected] <[email protected]>
>>>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>> Committer: [email protected] <[email protected]>
>>>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>>>>>>>  .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
>>>>>>>>>>>>>>  .../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
>>>>>>>>>>>>>>  2 files changed, 18 insertions(+), 1 deletion(-)
>>>>>>>>>>>>>> ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> ---------------------------------------------------------------------- >>>>>>>>>>>>>> diff --git >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>>> index 70fcf6f..17731b9 100644 >>>>>>>>>>>>>> --- >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>>> +++ >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java >>>>>>>>>>>>>> 
@@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT { >>>>>>>>>>>>>> " <!-- TomEE plugin for Tomcat -->\n" + >>>>>>>>>>>>>> " <Listener >>>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" + >>>>>>>>>>>>>> " <Service name=\"Catalina\">\n" + >>>>>>>>>>>>>> - " <Connector port=\"" + http + "\" >>>>>>>>>>>>>> protocol=\"HTTP/1.1\" >>>>>>>>>>>>>> />\n" + >>>>>>>>>>>>>> + " <Connector port=\"" + http + "\" >>>>>>>>>>>>>> protocol=\"HTTP/1.1\" >>>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" + >>>>>>>>>>>>>> " <Engine name=\"Catalina\" >>>>>>>>>>>>>> defaultHost=\"localhost\">\n" + >>>>>>>>>>>>>> " <Host name=\"localhost\" >>>>>>>>>>>>>> appBase=\"webapps\"\n" >>>>>>>>>>>>>> + >>>>>>>>>>>>>> " unpackWARs=\"true\" >>>>>>>>>>>>>> autoDeploy=\"true\">\n" + >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> ---------------------------------------------------------------------- >>>>>>>>>>>>>> 
diff --git >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>>> index 0308c3d..60bd8f7 100644 >>>>>>>>>>>>>> --- >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>>> +++ >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java >>>>>>>>>>>>>> 
@@ -448,6 +448,23 @@ public class Installer implements >>>>>>>>>>>>>> InstallerInterface { >>>>>>>>>>>>>> alerts.addError("Error while adding >>>>>>>>>>>>>> listener to >>>>>>>>>>>>>> server.xml >>>>>>>>>>>>>> file", e); >>>>>>>>>>>>>> } >>>>>>>>>>>>>> >>>>>>>>>>>>>> + //Add TomEE header >>>>>>>>>>>>>> + try { >>>>>>>>>>>>>> + newServerXml = >>>>>>>>>>>>>> Installers.replace(serverXmlOriginal, >>>>>>>>>>>>>> + "<Connector port=\"8080\"", >>>>>>>>>>>>>> + "<Connector port=\"8080\"", >>>>>>>>>>>>>> + "/>", >>>>>>>>>>>>>> + "xpoweredBy=\"false\" server=\"Apache >>>>>>>>>>>>>> TomEE\" >>>>>>>>>>>>>> />"); >>>>>>>>>>>>>> + >>>>>>>>>>>>>> + newServerXml = >>>>>>>>>>>>>> Installers.replace(serverXmlOriginal, >>>>>>>>>>>>>> + "<Connector port=\"8443\"", >>>>>>>>>>>>>> + "<Connector port=\"8443\"", >>>>>>>>>>>>>> + "/>", >>>>>>>>>>>>>> + "xpoweredBy=\"false\" server=\"Apache >>>>>>>>>>>>>> TomEE\" >>>>>>>>>>>>>> />"); >>>>>>>>>>>>>> + } catch (final IOException e) { >>>>>>>>>>>>>> + alerts.addError("Error adding server attribute to >>>>>>>>>>>>>> server.xml >>>>>>>>>>>>>> file", e); >>>>>>>>>>>>>> + } >>>>>>>>>>>>>> + >>>>>>>>>>>>>> // overwrite server.xml >>>>>>>>>>>>>> if >>>>>>>>>>>>>> (Installers.writeAll(paths.getServerXmlFile(), >>>>>>>>>>>>>> newServerXml, >>>>>>>>>>>>>> alerts)) { >>>>>>>>>>>>>> alerts.addInfo("Add OpenEJB listener to >>>>>>>>>>>>>> server.xml"); >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> >>>>>>>>>>>>>> Andy Gumbrecht >>>>>>>>>>>>>> >>>>>>>>>>>>>> https://twitter.com/AndyGeeDe >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> >>>>>>>>>>>> Andy Gumbrecht >>>>>>>>>>>> >>>>>>>>>>> https://twitter.com/AndyGeeDe >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> >>>>>>>>>> Andy Gumbrecht >>>>>>>>> >>>>>>>> https://twitter.com/AndyGeeDe >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> >>>>>>> Andy Gumbrecht >>>>>> https://twitter.com/AndyGeeDe >>>>>> >>>>>> >>>>>> >>>>>> -- >>>> 
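Review bot: on the RemoteTomEEEJBContainerIT hunk, the added xpoweredBy="false" in the generated Connector line restates a value the thread itself says Tomcat already applies ("that is why it is off by default in tomcat"), so in the test's server.xml it is redundant, and the hunk changes only the generated config without asserting anything about the resulting response headers; either drop the attribute or pair the change with a check in the test that the response carries Server: Apache TomEE and no X-Powered-By.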
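Review bot: logic problem in the Installer.java hunk: both new Installers.replace calls read serverXmlOriginal and both assign to newServerXml, so the second call (port 8443) throws away the port-8080 edit made by the first, and whatever the preceding try block had already put into newServerXml (the writeAll below reports it as "Add OpenEJB listener to server.xml") is discarded too; chain the edits by passing the current buffer into each call, e.g. `newServerXml = Installers.replace(newServerXml, "<Connector port=\"8443\"", ...)`. Matching on the literal port strings also means a connector on any other port is silently left untouched, and only IOException is caught, so it is worth confirming what replace does when the 8443 marker is absent before relying on it.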
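The thread argues over two Tomcat Connector attributes, xpoweredBy and server, and the commit above sets them by string replacement on two fixed ports. As an added example that is not TomEE's code, the script below audits a server.xml (a constructed sample is embedded) for what each HTTP connector would disclose and applies the same two attributes to every HTTP connector on one parsed tree, so no edit overwrites another; the constructed ports and the None-for-default convention are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real TomEE file): one connector already
# carrying the commit's attributes, one at defaults, one with xpoweredBy on, and
# an AJP connector that sends neither header.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" xpoweredBy="false" server="Apache TomEE" />
    <Connector port="9090" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" xpoweredBy="true" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""


def is_http(conn):
    """A Connector without a protocol attribute is an HTTP/1.1 connector."""
    return conn.get("protocol", "HTTP/1.1").upper().startswith("HTTP")


def audit_connectors(xml_text):
    """Return (port, x_powered_by_sent, server_value) for each HTTP Connector.
    server_value is None when the attribute is absent, i.e. the container's own
    default Server header applies (the thread quotes it as "Apache Coyote/1.1")."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if is_http(conn):
            # xpoweredBy is off unless explicitly set to true (Tomcat default).
            sends_xpb = conn.get("xpoweredBy", "false").lower() == "true"
            findings.append((conn.get("port"), sends_xpb, conn.get("server")))
    return findings


def harden(xml_text, server_value="Apache TomEE"):
    """Set xpoweredBy="false" and a fixed Server value on every HTTP Connector.
    All edits land in the same tree, so the last one cannot discard the earlier
    ones, and connectors on non-default ports are covered as well."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if is_http(conn):
            conn.set("xpoweredBy", "false")
            conn.set("server", server_value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, xpb, server in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: X-Powered-By {'sent' if xpb else 'off'}, server={server!r}")
    print(audit_connectors(harden(SAMPLE_SERVER_XML)))
```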
