Re: anonymising Tomcat
David Smith wrote:

> Essentially you're looking for this in web.xml:
>
> 404 /some/error/page.jsp
>
> There's also a version for dealing with exceptions:
>
> java.io.IOException /some/error/page.jsp
>
> Just make sure you use this at the top of your web.xml file to ensure you get spec 2.4 processing:
>
> http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3c.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">

We use only JSPs, and all our apps currently conform to 2.2, the oldest spec which provides everything we need. Some of our customers run ageing web app servers like WebLogic 6.1 and old Tomcats; might they baulk at a 2.4 web.xml?

Since every JSP nominates an error page, presumably that catches exceptions, and we only need to handle nonexistent-page errors?

I'll re-read the 2.2 spec...

Paul Singleton
Re: anonymising Tomcat
Yes, that's how it works. I think that possibility already existed at least back to 4.0...

The order in which the different repositories are searched for classes (and property files) is defined in CATALINA_BASE/conf/catalina.properties. The file included in the usual distribution has the classes directory before the lib directory in it.

Paul Singleton wrote:

> Rainer Jung wrote:
>
>> Take a look at ./org/apache/catalina/util/ServerInfo.properties in CATALINA_HOME/server/lib/catalina.jar. It contains:
>>
>> server.info=Apache Tomcat/5.5.10
>> server.number=5.5.10.0
>>
>> You can put different values in there and deploy the new properties file in CATALINA_HOME/server/classes/org/apache/catalina/util/ServerInfo.properties
>
> Do you mean that I can leave catalina.jar where it is, make a skeleton of folders in server/classes with just my new ServerInfo.properties, and the properties in server/classes/... will override those in the jar?
>
> Or must I unpack catalina.jar into server/classes and then delete it from server/lib before altering the properties?
>
> Are all references to Tomcat's description and version number derived from these properties, and is this new in 5.5.10 (we use 5.5.9 in production)?
>
> cheers
>
> Paul Singleton
Re: anonymising Tomcat
Rainer Jung wrote:

> Take a look at ./org/apache/catalina/util/ServerInfo.properties in CATALINA_HOME/server/lib/catalina.jar. It contains:
>
> server.info=Apache Tomcat/5.5.10
> server.number=5.5.10.0
>
> You can put different values in there and deploy the new properties file in CATALINA_HOME/server/classes/org/apache/catalina/util/ServerInfo.properties

Do you mean that I can leave catalina.jar where it is, make a skeleton of folders in server/classes with just my new ServerInfo.properties, and the properties in server/classes/... will override those in the jar?

Or must I unpack catalina.jar into server/classes and then delete it from server/lib before altering the properties?

Are all references to Tomcat's description and version number derived from these properties, and is this new in 5.5.10 (we use 5.5.9 in production)?

cheers

Paul Singleton
Re: anonymising Tomcat
Take a look at ./org/apache/catalina/util/ServerInfo.properties in CATALINA_HOME/server/lib/catalina.jar. It contains:

server.info=Apache Tomcat/5.5.10
server.number=5.5.10.0

You can put different values in there and deploy the new properties file in CATALINA_HOME/server/classes/org/apache/catalina/util/ServerInfo.properties

As far as I know, there are no negative side effects.

Have fun

Rainer

> Is it possible to configure Tomcat (5.5.9) so that a
> moderately able hacker couldn't figure out what is
> serving up our web apps?
>
> Paul Singleton
Re: anonymising Tomcat
Servlet spec 2.4 describes what you're looking for in section SRV 9.9.2, with more info in SRV.13.4 on how to configure it. Essentially you're looking for this in web.xml:

404 /some/error/page.jsp

There's also a version for dealing with exceptions:

java.io.IOException /some/error/page.jsp

Just make sure you use this at the top of your web.xml file to ensure you get spec 2.4 processing:

http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3c.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">

--David

Paul Singleton wrote:

> Peter Crowther wrote:
>
>>> From: Paul Singleton [mailto:[EMAIL PROTECTED]
>>>
>>> Is it possible to configure Tomcat (5.5.9) so that a
>>> moderately able hacker couldn't figure out what is
>>> serving up our web apps?
>>
>> It's possible to add the 'server' attribute to the connector definition
>> for the HTTP connector; server="BogoMAX v0.1 testing" should anonymise
>> the single most obvious piece of information, but pick your own string
>> so that when the hacker searches Google for the string they don't find
>> this post. See
>> http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/http.html for
>> details.
>>
>> It's possible that a more able hacker could also gain information from
>> the usual range of specially-crafted invalid TCP packets [so use a
>> decent firewall in front of the app server that detects and drops
>> these], from traffic analysis of the way in which the app server returns
>> data in the case of buffered and unbuffered pages, and likely from other
>> techniques that I've not considered.
>
> OK, thanks for this. My standalone 5.5.9 setup sends (according to
> LiveHTTPHeaders)
>
> Server: Apache-Coyote/1.1
>
> (?) but there's another giveaway: request a non-existent page
> and you get
>
> HTTP Status 404 - /myapp/nonexistent
>
> type Status report
>
> message /myapp/nonexistent
>
> description The requested resource (/myapp/nonexistent) is
> not available.
>
> Apache Tomcat/5.5.9
>
> so I'm searching the docs for a clue about suppressing this
> (nothing in Server Configuration Reference so far).
>
> But I'm worried that there might be other telltales, e.g.
> buried in the code which responds to bad HTTP requests or
> whatever?
>
> I'm not paranoid, but some of our customers are :-) and we
> have to be prepared to be reasonably diligent about these
> things. So I was hoping that someone, somewhere had already
> delved into this?
>
> Paul Singleton
Re: anonymising Tomcat
Peter Crowther wrote:

>> From: Paul Singleton [mailto:[EMAIL PROTECTED]
>>
>> Is it possible to configure Tomcat (5.5.9) so that a
>> moderately able hacker couldn't figure out what is
>> serving up our web apps?
>
> It's possible to add the 'server' attribute to the connector definition
> for the HTTP connector; server="BogoMAX v0.1 testing" should anonymise
> the single most obvious piece of information, but pick your own string
> so that when the hacker searches Google for the string they don't find
> this post. See
> http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/http.html for
> details.
>
> It's possible that a more able hacker could also gain information from
> the usual range of specially-crafted invalid TCP packets [so use a
> decent firewall in front of the app server that detects and drops
> these], from traffic analysis of the way in which the app server returns
> data in the case of buffered and unbuffered pages, and likely from other
> techniques that I've not considered.

OK, thanks for this. My standalone 5.5.9 setup sends (according to LiveHTTPHeaders)

Server: Apache-Coyote/1.1

(?) but there's another giveaway: request a non-existent page and you get

HTTP Status 404 - /myapp/nonexistent

type Status report

message /myapp/nonexistent

description The requested resource (/myapp/nonexistent) is not available.

Apache Tomcat/5.5.9

so I'm searching the docs for a clue about suppressing this (nothing in Server Configuration Reference so far).

But I'm worried that there might be other telltales, e.g. buried in the code which responds to bad HTTP requests or whatever?

I'm not paranoid, but some of our customers are :-) and we have to be prepared to be reasonably diligent about these things. So I was hoping that someone, somewhere had already delved into this?

Paul Singleton
RE: anonymising Tomcat
> From: Paul Singleton [mailto:[EMAIL PROTECTED]
>
> Is it possible to configure Tomcat (5.5.9) so that a
> moderately able hacker couldn't figure out what is
> serving up our web apps?

It's possible to add the 'server' attribute to the connector definition for the HTTP connector; server="BogoMAX v0.1 testing" should anonymise the single most obvious piece of information, but pick your own string so that when the hacker searches Google for the string they don't find this post. See http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/http.html for details.

It's possible that a more able hacker could also gain information from the usual range of specially-crafted invalid TCP packets [so use a decent firewall in front of the app server that detects and drops these], from traffic analysis of the way in which the app server returns data in the case of buffered and unbuffered pages, and likely from other techniques that I've not considered.

- Peter
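An added example, not code from anyone in this thread: a small POSIX shell script that (a) installs the ServerInfo.properties override Rainer describes, relying on server/classes being searched before server/lib, and (b) counts the two telltales Paul and Peter discuss (the default Server header and the version footer on the stock 404 page) in a saved raw HTTP response. The directory layout is assumed to be the Tomcat 5.5 one named in the replies, and the 404 response is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Tomcat 5.5 layout described
# above (CATALINA_HOME/server/classes is searched before server/lib) and a raw
# HTTP response (headers + body) saved to a file, e.g. with LiveHTTPHeaders.

# Shadow the ServerInfo.properties inside server/lib/catalina.jar by placing a
# replacement under server/classes. Args: CATALINA_HOME, server.info, server.number.
# As Peter suggests for the Connector's server attribute, pick a string that
# does not turn up in a web search.
make_serverinfo_override() {
    dir="$1/server/classes/org/apache/catalina/util"
    mkdir -p "$dir"
    printf 'server.info=%s\nserver.number=%s\n' "$2" "$3" > "$dir/ServerInfo.properties"
}

# Write a constructed copy of the 5.5.9 404 response quoted in the thread so the
# checker below can run offline. Arg: output file.
write_sample_404() {
    cat > "$1" <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8

<html><body><h1>HTTP Status 404 - /myapp/nonexistent</h1>
<p><b>type</b> Status report</p><p><b>message</b> /myapp/nonexistent</p>
<p><b>description</b> The requested resource (/myapp/nonexistent) is not available.</p>
<h3>Apache Tomcat/5.5.9</h3></body></html>
EOF
}

# Count the two telltales in a saved response: the default Server header and
# the "Apache Tomcat/x.y.z" footer on the default error page. Prints the count;
# 0 means neither giveaway is present.
tomcat_telltales() {
    n=0
    grep -qi '^Server: Apache-Coyote' "$1" && n=$((n + 1))
    grep -q 'Apache Tomcat/[0-9]' "$1" && n=$((n + 1))
    echo "$n"
}

# Demonstration in a scratch directory.
scratch=$(mktemp -d)
make_serverinfo_override "$scratch" "ExampleServer/1.0" "1.0.0.0"
write_sample_404 "$scratch/resp.txt"
echo "telltales in the stock 404 page: $(tomcat_telltales "$scratch/resp.txt")"
rm -rf "$scratch"
```

Run the checker again after applying the Connector server attribute and the ServerInfo.properties override; the count for a fresh capture should drop to 0.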
Re: anonymising Tomcat
"Paul Singleton" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

> Is it possible to configure Tomcat (5.5.9) so that a
> moderately able hacker couldn't figure out what is
> serving up our web apps?

As documented at http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/http.html:

> Paul Singleton
RE: anonymising Tomcat
That's a good question Paul. On top of that, is there a way to threat/redirect requests to a different application while the requested application is being deployed?

From: Paul Singleton <[EMAIL PROTECTED]>
Reply-To: "Tomcat Users List"
To: Tomcat Users List
Subject: anonymising Tomcat
Date: Thu, 04 Aug 2005 18:30:56 +0100

Is it possible to configure Tomcat (5.5.9) so that a moderately able hacker couldn't figure out what is serving up our web apps?

Paul Singleton