On 8 May 2015 11:40, "Mark Struberg" <[email protected]> wrote:
>
> > you make tomee easily identifiable compared to tomcat (= any java server of
> > the web more or less). This way it is super easy to know that you can
> > exploit a cxf issue for instance, something you don't know with the default header.
>
> Folks, let's weigh the upsides and downsides
>
> * upside: we show up in stats
> * downside: easier to get hacked? WHY?
>
> All the scripts I do know are really blunt brute force. They f***g don't care
> about ANY headers. Of course they probably _sort_ their attacks, but still they
> will use ALL vectors they have.
>
> Brute force attacks are almost never executed from the origin but always hidden
> and executed by a zombie mob of hacked clients. So the origin doesn't care if
> some old grandma's Win98 PC needs a few seconds longer to hack your server.
>
Origin? What is the link? Scanners on AWS are more and more clever. I can't be
sure yet they use response headers but I wouldn't take the risk, in particular
while the default profile is used in tomee (the dev one).

> So basically it makes no sense to hide the fact that a server is running TomEE.
>

Note also it breaks some monitoring tools, like we broke Atmosphere changing the
server info (mea culpa, but nobody said anything :()

> LieGrue,
> strub
>
> > On 08.05.2015 at 00:34, Romain Manni-Bucau <[email protected]> wrote:
> >
> > 2015-05-08 0:32 GMT+02:00 Andy <[email protected]>:
> >
> >> Yes yes whatever, you win (not that this was ever intended to be a
> >> competition, you just seem to enjoy making it into one every single
> >> time)... I am going to bed. Complete waste of my time. You still imply that
> >> I have unsecured something?
> >>
> >
> > you make tomee easily identifiable compared to tomcat (= any java server of
> > the web more or less). This way it is super easy to know that you can
> > exploit a cxf issue for instance, something you don't know with the default header.
> >
> >> On 08/05/2015 00:26, Romain Manni-Bucau wrote:
> >>
> >>> not what I said.
> >>>
> >>> I said:
> >>> 1) over exposing a variable you shouldn't activate is useless
> >>> 2) we shouldn't set Apache TomEE to server variable by default
> >>>
> >>> Happy to replace these defaults by a server.xml.sample or anything you
> >>> judge appropriate while we stay aligned on tomcat default secured settings
> >>> (also note that Apache Coyote is secured because most servers have it,
> >>> otherwise it would be as Apache TomEE)
> >>>
> >>> Romain Manni-Bucau
> >>> @rmannibucau <https://twitter.com/rmannibucau> | Blog
> >>> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> >>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> >>> <http://www.tomitribe.com>
> >>>
> >>> 2015-05-08 0:24 GMT+02:00 Andy <[email protected]>:
> >>>
> >>>> Hmm, so why do you want to treat the system administrator like one?
> >>>>
> >>>> On 08/05/2015 00:21, Romain Manni-Bucau wrote:
> >>>>
> >>>>> Sure security is all about children...
> >>>>>
> >>>>> Romain Manni-Bucau
> >>>>>
> >>>>> 2015-05-08 0:19 GMT+02:00 Andy <[email protected]>:
> >>>>>
> >>>>>> I was just thinking 'Kindergarten', how strange...
> >>>>>>
> >>>>>> On 08/05/2015 00:17, Romain Manni-Bucau wrote:
> >>>>>>
> >>>>>>> hmm this answer doesn't make sense for me, I surely miss something but
> >>>>>>> read it like "hey there is this property you can switch on true but if you
> >>>>>>> google you'll see you shouldn't"
> >>>>>>>
> >>>>>>> Romain Manni-Bucau
> >>>>>>>
> >>>>>>> 2015-05-08 0:15 GMT+02:00 Andy <[email protected]>:
> >>>>>>>
> >>>>>>>> This is what I said and the reason I changed it. And yes the constants
> >>>>>>>> have that for 'server' now, and have also had other values in the past.
> >>>>>>>>
> >>>>>>>> So to be even more complete and correct myself.... changed it from "Apache
> >>>>>>>> Coyote/1.1" to "Apache TomEE", which is still better IMHO.
> >>>>>>>>
> >>>>>>>> @Romain: "you encourage it by making it on the front of the scene."
> >>>>>>>>
> >>>>>>>> That's like saying I'm encouraging someone to change the 'port', which is
> >>>>>>>> also potentially dangerous when put into the hands of an idiot.
> >>>>>>>> I like, and hope, to think that exposing a property would encourage
> >>>>>>>> someone to look it up before changing it blindly. The very first google hit
> >>>>>>>> on 'xpoweredBy' will enlighten even the most fickle reader.
> >>>>>>>>
> >>>>>>>> Sorry if my opinion just does not fit in on that. Another hour of my life
> >>>>>>>> wasted.
> >>>>>>>>
> >>>>>>>> Andy.
> >>>>>>>>
> >>>>>>>> On 07/05/2015 23:58, Romain Manni-Bucau wrote:
> >>>>>>>>
> >>>>>>>>> 2015-05-07 23:56 GMT+02:00 Andy <[email protected]>:
> >>>>>>>>>
> >>>>>>>>>> Also, for completeness:
> >>>>>>>>>>
> >>>>>>>>>> xpoweredBy="false" activates nothing, if it were xpoweredBy="true"
> >>>>>>>>>> then maybe that might just 'activate' whatever it is you think is being
> >>>>>>>>>> activated here?
> >>>>>>>>>>
> >>>>>>>>> you encourage it by making it on the front of the scene.
> >>>>>>>>>
> >>>>>>>>>> server="Apache TomEE" merely changes the existing value and also
> >>>>>>>>>> 'activates' nothing. I don't see where you think this is a security
> >>>>>>>>>> issue?
> >>>>>>>>>> Happy to learn though, so please point me to the specific code that this
> >>>>>>>>>> affects?
> >>>>>>>>>>
> >>>>>>>>> it is on by default, not overridden by the app.
> >>>>>>>>>
> >>>>>>>>>> Andy.
> >>>>>>>>>>
> >>>>>>>>>> On 07/05/2015 23:21, Romain Manni-Bucau wrote:
> >>>>>>>>>>
> >>>>>>>>>>> You activated 2 different headers which is useless since we change
> >>>>>>>>>>> serverinfo by default, you already get tomee here.
> >>>>>>>>>>>
> >>>>>>>>>>> That said this is not the real issue.
> >>>>>>>>>>> Doing it is a standard security issue, that is why it is off by default
> >>>>>>>>>>> in tomcat so I suggest to not set it on by default
> >>>>>>>>>>>
> >>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>>
> >>>>>>>>>>> 2015-05-07 23:10 GMT+02:00 Andy <[email protected]>:
> >>>>>>>>>>>
> >>>>>>>>>>>> Some crawlers are using that header as the evaluation. Default is Apache
> >>>>>>>>>>>> Tomcat 7.0.x etc and it is always on, so having Apache TomEE will give us
> >>>>>>>>>>>> better standing.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Andy.
> >>>>>>>>>>>>
> >>>>>>>>>>>> On 07/05/2015 22:38, Romain Manni-Bucau wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> PS (sorry hit enter without wishing it): asking cause I wouldn't have it
> >>>>>>>>>>>>> on by default as a user
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> 2015-05-07 22:36 GMT+02:00 Romain Manni-Bucau <[email protected]>:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hi
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> What's the goal? We already switch server info, isn't it enough?
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Romain Manni-Bucau
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> ---------- Forwarded message ----------
> >>>>>>>>>>>>>> From: <[email protected]>
> >>>>>>>>>>>>>> Date: 2015-05-07 22:03 GMT+02:00
> >>>>>>>>>>>>>> Subject: tomee git commit: TomEE header
> >>>>>>>>>>>>>> To: [email protected]
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Repository: tomee
> >>>>>>>>>>>>>> Updated Branches:
> >>>>>>>>>>>>>>   refs/heads/master 2c4047e14 -> 268b57c86
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> TomEE header
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
> >>>>>>>>>>>>>> Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/268b57c8
> >>>>>>>>>>>>>> Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/268b57c8
> >>>>>>>>>>>>>> Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/268b57c8
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Branch: refs/heads/master
> >>>>>>>>>>>>>> Commit: 268b57c868c055e3788b85d6ed6a192da094e808
> >>>>>>>>>>>>>> Parents: 2c4047e
> >>>>>>>>>>>>>> Author: [email protected] <[email protected]>
> >>>>>>>>>>>>>> Authored: Thu May 7 22:03:35 2015 +0200
> >>>>>>>>>>>>>> Committer: [email protected] <[email protected]>
> >>>>>>>>>>>>>> Committed: Thu May 7 22:03:35 2015 +0200
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> ----------------------------------------------------------------------
> >>>>>>>>>>>>>>  .../apache/tomee/RemoteTomEEEJBContainerIT.java    |  2 +-
> >>>>>>>>>>>>>>  .../java/org/apache/tomee/installer/Installer.java | 17 +++++++++++++++++
> >>>>>>>>>>>>>>  2 files changed, 18 insertions(+), 1 deletion(-)
> >>>>>>>>>>>>>> ----------------------------------------------------------------------
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>> ----------------------------------------------------------------------
> >>>>>>>>>>>>>> diff --git a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>> index 70fcf6f..17731b9 100644
> >>>>>>>>>>>>>> --- a/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
> >>>>>>>>>>>>>> +++ b/tomee/apache-tomee/src/test/java/org/apache/tomee/RemoteTomEEEJBContainerIT.java
@@ -67,7 +67,7 @@ public class RemoteTomEEEJBContainerIT { > >>>>>>>>>>>>>> " <!-- TomEE plugin for Tomcat -->\n" + > >>>>>>>>>>>>>> " <Listener > >>>>>>>>>>>>>> className=\"org.apache.tomee.catalina.ServerListener\" />\n" + > >>>>>>>>>>>>>> " <Service name=\"Catalina\">\n" + > >>>>>>>>>>>>>> - " <Connector port=\"" + http + "\" > >>>>>>>>>>>>>> protocol=\"HTTP/1.1\" > >>>>>>>>>>>>>> />\n" + > >>>>>>>>>>>>>> + " <Connector port=\"" + http + "\" > >>>>>>>>>>>>>> protocol=\"HTTP/1.1\" > >>>>>>>>>>>>>> xpoweredBy=\"false\" server=\"Apache TomEE\" />\n" + > >>>>>>>>>>>>>> " <Engine name=\"Catalina\" > >>>>>>>>>>>>>> defaultHost=\"localhost\">\n" + > >>>>>>>>>>>>>> " <Host name=\"localhost\" > >>>>>>>>>>>>>> appBase=\"webapps\"\n" > >>>>>>>>>>>>>> + > >>>>>>>>>>>>>> " unpackWARs=\"true\" > >>>>>>>>>>>>>> autoDeploy=\"true\">\n" + > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> http://git-wip-us.apache.org/repos/asf/tomee/blob/268b57c8/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> ---------------------------------------------------------------------- > >>>>>>>>>>>>>> 
diff --git > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java > >>>>>>>>>>>>>> index 0308c3d..60bd8f7 100644 > >>>>>>>>>>>>>> --- > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java > >>>>>>>>>>>>>> +++ > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java > >>>>>>>>>>>>>> 
@@ -448,6 +448,23 @@ public class Installer implements > >>>>>>>>>>>>>> InstallerInterface { > >>>>>>>>>>>>>> alerts.addError("Error while adding > >>>>>>>>>>>>>> listener to > >>>>>>>>>>>>>> server.xml > >>>>>>>>>>>>>> file", e); > >>>>>>>>>>>>>> } > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> + //Add TomEE header > >>>>>>>>>>>>>> + try { > >>>>>>>>>>>>>> + newServerXml = > >>>>>>>>>>>>>> Installers.replace(serverXmlOriginal, > >>>>>>>>>>>>>> + "<Connector port=\"8080\"", > >>>>>>>>>>>>>> + "<Connector port=\"8080\"", > >>>>>>>>>>>>>> + "/>", > >>>>>>>>>>>>>> + "xpoweredBy=\"false\" server=\"Apache > >>>>>>>>>>>>>> TomEE\" > >>>>>>>>>>>>>> />"); > >>>>>>>>>>>>>> + > >>>>>>>>>>>>>> + newServerXml = > >>>>>>>>>>>>>> Installers.replace(serverXmlOriginal, > >>>>>>>>>>>>>> + "<Connector port=\"8443\"", > >>>>>>>>>>>>>> + "<Connector port=\"8443\"", > >>>>>>>>>>>>>> + "/>", > >>>>>>>>>>>>>> + "xpoweredBy=\"false\" server=\"Apache > >>>>>>>>>>>>>> TomEE\" > >>>>>>>>>>>>>> />"); > >>>>>>>>>>>>>> + } catch (final IOException e) { > >>>>>>>>>>>>>> + alerts.addError("Error adding server attribute to > >>>>>>>>>>>>>> server.xml > >>>>>>>>>>>>>> file", e); > >>>>>>>>>>>>>> + } > >>>>>>>>>>>>>> + > >>>>>>>>>>>>>> // overwrite server.xml > >>>>>>>>>>>>>> if > >>>>>>>>>>>>>> (Installers.writeAll(paths.getServerXmlFile(), > >>>>>>>>>>>>>> newServerXml, > >>>>>>>>>>>>>> alerts)) { > >>>>>>>>>>>>>> alerts.addInfo("Add OpenEJB listener to > >>>>>>>>>>>>>> server.xml"); > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> -- > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Andy Gumbrecht > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> https://twitter.com/AndyGeeDe > >>>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> -- > >>>>>>>>>>>> > >>>>>>>>>>>> Andy Gumbrecht > >>>>>>>>>>>> > >>>>>>>>>>> https://twitter.com/AndyGeeDe > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> -- > >>>>>>>>>> > >>>>>>>>>> Andy Gumbrecht > >>>>>>>>> > >>>>>>>> https://twitter.com/AndyGeeDe > >>>>>>>> > 
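Review bot: in the RemoteTomEEEJBContainerIT.java hunk (@@ -67,7 +67,7 @@) the attributes `xpoweredBy="false" server="Apache TomEE"` are pasted into the test's hand-written server.xml string, so the test no longer exercises the Installer replacement this commit introduces, and nothing visible in the hunk asserts on the `Server` header of a response from the started container; the test passes whether or not the attribute takes effect. Suggest either leaving the inline server.xml as it was and asserting `Server: Apache TomEE` on a response, or pointing the test at an installer-generated server.xml so the replacement logic is what gets tested.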
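Review bot: in the Installer.java hunk (@@ -448,6 +448,23 @@) the second `Installers.replace` call starts from `serverXmlOriginal` instead of `newServerXml`, so its result overwrites the first call's output and the port-8080 connector never receives the attributes; only the 8443 connector does, and only when that search term matches. The first call has the same shape, so whatever the listener block just above stored in `newServerXml` (the write below is still logged as "Add OpenEJB listener to server.xml") is discarded as well unless that block writes into `serverXmlOriginal`, which is worth checking before merging. Chain the calls instead, e.g. `newServerXml = Installers.replace(newServerXml, "<Connector port=\"8443\"", "<Connector port=\"8443\"", "/>", "xpoweredBy=\"false\" server=\"Apache TomEE\" />");`. Two smaller points: both calls key on the literal ports 8080 and 8443, so a server.xml whose connectors use other ports gets no attributes at all, and what happens on a non-matching search term depends on `Installers.replace`, which is not shown here; and the info message after the write should mention the header change now that it covers more than the listener.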
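Added example, not part of the thread and not TomEE project code: the check a scanner or crawler would run on the headers the thread argues about, written as a small Python script. It parses an HTTP response head, pulls `Server` and `X-Powered-By`, and maps each value to what it reveals: `Apache TomEE` narrows the target from "some Tomcat" to TomEE, while the Coyote string (written "Apache Coyote/1.1" in the thread; the literal value Tomcat 7 and 8.0 send is `Apache-Coyote/1.1`, and the pattern accepts both spellings) only says "Tomcat family". The sample responses are constructed, not captured from any host; the `X-Powered-By` line follows the shape Tomcat emits when a Connector sets `xpoweredBy="true"` (Servlet/JSP versions plus the Tomcat and Java versions), and its version numbers are made up.

```python
"""Flag HTTP response headers that fingerprint the application server.

Added example, not TomEE project code. The sample responses at the bottom
are constructed for illustration: "Apache TomEE" and the Coyote value come
from the mailing-list thread, the X-Powered-By line only mirrors the shape
Tomcat produces with xpoweredBy="true" and its version numbers are invented.
"""
import re
from typing import Dict, List, Tuple

# (header, regex, what a match tells an attacker). More specific patterns
# come first. Only "Apache TomEE" and "Apache Coyote" are taken from the
# thread; the Tomcat-version pattern is an assumption about X-Powered-By.
FINGERPRINTS: List[Tuple[str, str, str]] = [
    ("Server", r"Apache TomEE",
     "Apache TomEE: narrows the target from any Tomcat to TomEE"),
    ("Server", r"Apache[- ]Coyote",
     "Tomcat-family connector (Coyote); does not identify the distribution"),
    ("X-Powered-By", r"Apache Tomcat/(\d+\.\d+\.\d+)",
     "Tomcat with exact version"),
    ("X-Powered-By", r"Servlet/(\d+\.\d+)",
     "Servlet API version; narrows the container generation"),
]


def parse_response_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split an HTTP/1.x response head into (status line, headers).

    Header names are case-insensitive, so they are lower-cased as keys;
    repeated headers are kept as a list. Anything after the first blank
    line is the body and is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def fingerprint(raw: bytes) -> List[Dict[str, str]]:
    """Return one finding per header value that matches a known pattern."""
    _, headers = parse_response_head(raw)
    findings: List[Dict[str, str]] = []
    for header, pattern, meaning in FINGERPRINTS:
        for value in headers.get(header.lower(), []):
            match = re.search(pattern, value)
            if match:
                findings.append({
                    "header": header,
                    "value": value,
                    "reveals": meaning,
                    # captured version if the pattern has a group, else ""
                    "version": match.group(1) if match.groups() else "",
                })
    return findings


def disclosing_headers(raw: bytes) -> List[str]:
    """Names of the headers a hardened deployment would drop or neutralise."""
    return sorted({f["header"] for f in fingerprint(raw)})


# Constructed sample responses (not captured from a real host).
TOMEE_BRANDED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache TomEE\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"Content-Length: 0\r\n\r\n"
)
COYOTE_WITH_XPOWEREDBY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"X-Powered-By: Servlet/3.0 JSP/2.2 (Apache Tomcat/7.0.61 "
    b"Java/Oracle Corporation/1.7.0_75)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
NEUTRAL = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    samples = [("tomee", TOMEE_BRANDED),
               ("coyote", COYOTE_WITH_XPOWEREDBY),
               ("neutral", NEUTRAL)]
    for name, raw in samples:
        print(name, "discloses:", disclosing_headers(raw))
        for finding in fingerprint(raw):
            print("  ", finding["header"], "=", finding["value"],
                  "->", finding["reveals"])
```

To run it against a real deployment, replace the constructed bytes with the head of a response captured from the server (for instance the output of `curl -sI http://host:8080/`). The point the check makes concrete: with the default Coyote value an attacker learns only "Tomcat family", which covers a large share of Java servers; with `server="Apache TomEE"` the same request tells them which distribution, and hence which bundled stack, they are looking at.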
