Re: Hide 501 error message
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 climbingrose, climbingrose wrote: I'm configuring Tomcat 6.0.10 behind Apache 2.0 using mod_jk 1.2.3. Everything is working beautifully but I want to hide 501 error when malicious user try to access the server. I assume you always want to hide these messages, since it's difficult to determine whether a user is malicious or not. # telnet localhost 80 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. alsfjalsfjsdf htmlheadtitleApache Tomcat/6.0.10 - Error report/titlestyle!--H1 [snip] I don't want to show the message because it contains Tomcat information as well as revealing the technology I'm using on my website. Any ideas? Apache httpd is capable of sending an error document based upon any response code, and it can override that sent by Tomcat. For instance, you can have Apache httpd intercept 501 from Tomcat and display a page that contains no server information at all. Don't forget that your HTTP headers might leak information, too. Check the ServerTokens Apache httpd directive to make sure you aren't announcing your server version from Apache httpd. I'm sure you can turn off this version disclosure within Tomcat, too, but I can't remember how to do it. Check the archives, 'cause I'm sure this has been asked in the past. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGkmDR9CaO5/Lv0PARAm1nAJ4005uxITWo45E8WkYNUFOP/2TvJgCeN9To bgiqRYZtKcLyIef/hJRmZNg= =a7uu -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Hide 501 error message
From: Christopher Schultz [mailto:[EMAIL PROTECTED] Subject: Re: Hide 501 error message I'm sure you can turn off this version disclosure within Tomcat, too, but I can't remember how to do it. Check the archives, 'cause I'm sure this has been asked in the past. From the doc for the server attribute of the HTTP connector: The Server header for the http response. Unless your [sic] paranoid, you won't need this feature. http://tomcat.apache.org/tomcat-6.0-doc/config/http.html Of course, Just because you're paranoid doesn't mean they're not out to get you. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Hide 501 error message
I tried to configure Apache with ErrorDocument 501 error.html howewer, it doesn't seem to take affect. That error message still appears when I try to connect via telnet and enter some characters. So I suspect that Tomcat doesn't return 501 error code but return normal html signaling the error. That's why Apache doesn't know about the error and render the appropriate error page. Any idea? Christopher Schultz-2 wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 climbingrose, climbingrose wrote: I'm configuring Tomcat 6.0.10 behind Apache 2.0 using mod_jk 1.2.3. Everything is working beautifully but I want to hide 501 error when malicious user try to access the server. I assume you always want to hide these messages, since it's difficult to determine whether a user is malicious or not. # telnet localhost 80 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. alsfjalsfjsdf htmlheadtitleApache Tomcat/6.0.10 - Error report/titlestyle!--H1 [snip] I don't want to show the message because it contains Tomcat information as well as revealing the technology I'm using on my website. Any ideas? Apache httpd is capable of sending an error document based upon any response code, and it can override that sent by Tomcat. For instance, you can have Apache httpd intercept 501 from Tomcat and display a page that contains no server information at all. Don't forget that your HTTP headers might leak information, too. Check the ServerTokens Apache httpd directive to make sure you aren't announcing your server version from Apache httpd. I'm sure you can turn off this version disclosure within Tomcat, too, but I can't remember how to do it. Check the archives, 'cause I'm sure this has been asked in the past. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGkmDR9CaO5/Lv0PARAm1nAJ4005uxITWo45E8WkYNUFOP/2TvJgCeN9To bgiqRYZtKcLyIef/hJRmZNg= =a7uu -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- View this message in context: http://www.nabble.com/Hide-501-error-message-tf4047399.html#a11514195 Sent from the Tomcat - User mailing list archive at Nabble.com. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]