Error Page Version
number from the error pages? Answer: Apache Tomcat server is for Java Servlet and JSP. When you call a page that doesn't exist in the Tomcat server, or when an existing page returns an error, the Tomcat server will display the version number as shown below.

Remove Tomcat Version From Error Page

This might be a security risk, especially if you are running an old Tomcat server that has some known exploits. If for some reason you can't upgrade the Tomcat server to the latest version, and you just want to hide the version number from the error pages, do the steps mentioned below.

Go to $CATALINA_HOME/lib, and create the org/apache/catalina/util directory under it. In the following example, /home/tomcat is the $CATALINA_HOME:

cd /home/tomcat/lib
mkdir -p org/apache/catalina/util

Go to this newly created directory, create a ServerInfo.properties file, and add the server.info parameter as shown below. Set the value of this parameter to anything you like.

cd org/apache/catalina/util
$ vi ServerInfo.properties
server.info=Apache Tomcat Version X

After this, restart the Tomcat server:

cd $CATALINA_HOME/bin
./catalina.sh stop
./catalina.sh start

Now, if you go to the error page, you'll not see the Tomcat version number. Instead, you'll see the text you've set for the server.info parameter.

After you do the above, if you want to see the Tomcat version number, you can still do it from the command line, using the version.sh script as shown below.

$ $CATALINA_HOME/bin/version.sh
..
Server version: Apache Tomcat/7.0.35
Server number:  7.0.35.0
..
from two separate blog entries of mine involving the removal of information disclosure vulnerabilities in Apache Tomcat. Although centered around Tomcat versions 6.0 and 7.0, these techniques can also be applied to JBoss.

Introduction

Information Disclosure vulnerabilities are issues that provide an attacker with configuration and/or version details on the web container or web applications running inside the container. The concern these details raise is that the more information the attacker has about your web application or app server, the easier it is for the attacker to come up with ways to breach the service. The most common types of information disclosure vulnerabilities associated with Tomcat found by security auditors and scanning utilities are those that list server type and server version information. The two most frequently reported information disclosure vulnerabilities involve the Tomcat version being reported in the Server HTTP response header and default error pages that report server type and version details.

http://www.thegeekstuff.com/2013/08/hide-tomcat-version-number
http://www.techstacks.com/howto/suppress-server-identity-in-tomcat.html

How To Modify the Server Header

You can modify your Tomcat server.xml and add a "server" option and set it to whatever you want. The server option should be set for any HTTP or SSL connectors that you have running. For example, below is a sample HTTP Connector configuration from an example server.xml file:
http://stackoverflow.com/questions/2266475/which-is-the-best-way-to-mask-hide-tomcat-version-from-error-pages

Which is the best way to mask / hide tomcat version from error pages?

Could somebody please let me know which of the following two approaches is recommended and why:

1. Make the necessary changes to ServerInfo.properties
2. Define "error-page" in web.xml

(asked Feb 15 '10 at 14:18 by user41536; edited Feb 15 '10 at 17:12 by BalusC)

Answer (Nate, Feb 15 '10 at 14:48):

I'd make the changes to ServerInfo.properties regardless - there may be other places to get the version information than only error pages. (Maybe someone leaves up the default home page, samples, etc. and these may have it.) Define error pages in your web app if you want - a quicker option may be to globally change your default error pages by specifying it in CATALINA_HOME/conf/web.xml - this will use your new specified error pages by default even if a developer forgets to specify error pages for their app.

Answer (edited Feb 16 '10 at 1:17):

Changing ServerInfo.properties is the most secure. If you for example have deployed a webapp on http://example.com/contextname, one could still get a 404 by http://example.com/blah or so. One could also get it programmatically by using a robot to send a request with an unsupported method (which returns a 503 error page). That said, I honestly don't see any valid reasons to hide the Tomcat version from it. This information actually adds no value for "normal users". It also doesn't stop any hacker from trying everything to get it down or exploit security holes (if there were any...). They don't worry about whether the version is displayed or not. For the "normal users" I would still use a custom error page which is a bit more integrated in the style of the webapp in question so that it is less "scary" and thus improves user experience.

https://linux-audit.com/hiding-nginx-version-number/
your system "lean" is one very good start. Remove all clutter, like unused packages. It is part of system hardening and considered a good practice. This also applies to leaking of version numbers, which can only be harmful. Yes.. it is security through obscurity. But why would you reveal specific details about your environment to attackers? In this article we have a look at the very popular Nginx web server daemon.

Nginx version number

Nginx shows the version number by default in error pages and in the headers of HTTP responses. For Nginx to hide this information, just a single statement is needed. Set the server_tokens statement to off in your global configuration file.

# Don't show the Nginx version number (in error pages / headers)
server_tokens off;

Now restart your Nginx daemon. The next step is requesting a non-existing page. It should not display the Nginx version information anymore (just "Nginx").

Remove "nginx" in output

If you want to remove this as well, you may want to compile your nginx manually. Another option is to get creative and change the nginx binary with a hex editor. The downside is that these actions take a fair amount of time.

Remove headers

If you are using a reverse proxy, you can leverage this to remove some of the headers as well. For example with Varnish you can decide to delete some of the headers by unsetting them.

unset resp.http.X-Powered-By;
unset resp.http.Server;

Automation

Security auditing

If you are responsible for many web servers, then we advise performing regular security audits. Vulnerability scanners can help here, like our auditing tool Lynis.

Configuration management

Additionally, apply this nginx setting in a configuration management solution like Puppet, Cfengine or Chef. Every web server deployed will automatically have a more secure configuration.
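As an added verification check that is not part of any of the articles quoted above: a small Python script that parses a raw HTTP response and reports version details found in the Server / X-Powered-By headers or in the error page body, run over constructed samples for the Tomcat (ServerInfo.properties and Connector "server" attribute) and Nginx (server_tokens off) cases described on this page. The sample responses, the header values and the product list in the regular expression are assumptions, not captured output from a real server.

```python
import re

# Constructed sample HTTP responses (not captured from real servers): a default
# Tomcat 404 page, the same page after the ServerInfo.properties override plus a
# Connector "server" attribute, and an nginx 404 before/after "server_tokens off;".
TOMCAT_LEAK = ("HTTP/1.1 404 Not Found\r\nServer: Apache-Coyote/1.1\r\n\r\n"
               "<h1>HTTP Status 404 - /blah</h1><hr><h3>Apache Tomcat/7.0.35</h3>")
TOMCAT_FIXED = ("HTTP/1.1 404 Not Found\r\nServer: Web Server\r\n\r\n"
                "<h1>Page not found</h1><hr><h3>Apache Tomcat Version X</h3>")
NGINX_LEAK = ("HTTP/1.1 404 Not Found\r\nServer: nginx/1.18.0\r\n\r\n"
              "<center>nginx/1.18.0</center>")
NGINX_FIXED = ("HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n"
               "<center>nginx</center>")

# Product names the page discusses followed by a dotted version number.
BODY_VERSION_RE = re.compile(
    r"\b(Apache Tomcat|Apache-Coyote|nginx|JBoss)[ /]?\d+(?:\.\d+)+", re.I)
# Any dotted number inside an identifying header counts as a version leak.
HEADER_VERSION_RE = re.compile(r"\d+\.\d+")
IDENTIFYING_HEADERS = ("server", "x-powered-by")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_disclosures(raw):
    """Return [(location, leaked text)] for version details in headers or body."""
    _, headers, body = parse_response(raw)
    findings = [(name, headers[name]) for name in IDENTIFYING_HEADERS
                if name in headers and HEADER_VERSION_RE.search(headers[name])]
    findings += [("body", m.group(0)) for m in BODY_VERSION_RE.finditer(body)]
    return findings


def check_all():
    """Run the check over the constructed samples; returns {label: findings}."""
    samples = {"tomcat before": TOMCAT_LEAK, "tomcat after": TOMCAT_FIXED,
               "nginx before": NGINX_LEAK, "nginx after": NGINX_FIXED}
    return {label: find_disclosures(raw) for label, raw in samples.items()}
```

Against a live server the same function can be fed the output of a request for a non-existing page, which is the check both articles suggest after restarting the daemon.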