Markus Schönhaber wrote:
Arend P. van der Veen wrote:
> Does anybody know if it is possible to hide the identity of a Tomcat web
> server? When I do a Nessus scan I get the following:
>
> Server: Apache-Coyote/1.1
>
> I have already looked at the Tomcat configuration documentation and
> searched Google to find the answer but did not have any luck.
> Is it possible to mask this so that hackers do not know what type of web
> server I am running?
Chuck already pointed you to the relevant part of the docs.
Nevertheless: changing the value of the Connector's server attribute
alone won't help you much, for example if you don't prevent the
standard error pages from being used. Those contain much more detailed
and much more easily accessible information about Tomcat than the Server
HTTP header does.
BTW: I wouldn't consider hiding the server type a really relevant
increase of security. If there is a security flaw in Tomcat, an attacker
will probably simply try to use an exploit for this flaw, regardless of
what the server claims to be. If it's an exploitable Tomcat, it will
work. If it isn't, he'll try something else.
Regards
mks
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
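
The point made in the reply above (a changed Server header still leaves the default error pages identifying Tomcat) can be checked against your own server's responses. The following is an added example, not code from the thread or from the Tomcat project; the pattern list, the function name `find_leaks` and the sample responses are assumptions constructed for illustration.

```python
import re

# Strings that identify Tomcat (assumed list; extend for your deployment).
HEADER_RE = re.compile(r"Apache-Coyote|Tomcat", re.I)
BODY_RES = [
    re.compile(r"Apache Tomcat/\d+(?:\.\d+)*"),  # default error page banner
    re.compile(r"\borg\.apache\.(?:catalina|coyote|jasper)\.[\w.$]+"),  # stack frame
]

def find_leaks(raw):
    """Return (location, matched text) pairs in a raw HTTP response that reveal Tomcat."""
    head, _, body = raw.partition("\r\n\r\n")
    leaks = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and HEADER_RE.search(value):
            leaks.append(("header:" + name.strip().lower(), value.strip()))
    for pattern in BODY_RES:
        match = pattern.search(body)
        if match:
            leaks.append(("body", match.group(0)))
    return leaks

# Constructed sample responses; 0.0.0 is a placeholder version, not a real one.
DEFAULT = (
    "HTTP/1.1 404 Not Found\r\nServer: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n\r\n"
    "<html><head><title>Apache Tomcat/0.0.0 - Error report</title></head>"
    "<body><h1>HTTP Status 404 - /missing</h1></body></html>"
)
# Connector server attribute changed, error pages left at their defaults.
HEADER_ONLY = (
    "HTTP/1.1 500 Internal Server Error\r\nServer: webserver\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Apache Tomcat/0.0.0 - Error report</title></head><body>"
    "<pre>at org.apache.catalina.core.StandardWrapperValve.invoke(...)</pre>"
    "</body></html>"
)
# Server attribute changed and error pages overridden.
HARDENED = (
    "HTTP/1.1 404 Not Found\r\nServer: webserver\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Page not found</h1></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT), ("header only", HEADER_ONLY), ("hardened", HARDENED)):
        print(label, find_leaks(raw))
```
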
Hi,
Thanks for your feedback. I am already overriding all of the error
pages and the Java exception page. I did not realize that the server tag
in the HTTP connector was referring to this. I guess I should have tried
that first. I will give it a shot.
Thanks,
Arend