Question

I want to hide the identity of my tomcat version in red5. So far I have done the following:

  1. Removed all unnecessary directories in the webapps folder except for vod and root\web-inf. The other directories/webapps were not necessary.
  2. I have added an error valve in conf/j2ee-container.xml based on the answer at https://stackoverflow.com/a/25237686/1688441.

                </bean>
                <!-- Error valve: suppress the server version banner and the stack-trace report on error pages -->
                <bean id="valve.error" class="org.apache.catalina.valves.ErrorReportValve">
                        <property name="showServerInfo" value="false" />
                        <property name="showReport" value="false" />
                </bean>
            </list>

The page is very empty now when an error happens:

HTTP Status 404 - /testing

However I have not found how to do three remaining things:

  1. Hide the response header outlining version (Server:Apache-Coyote/1.1)
  2. Disable Directory browsing
  3. Hide the favicon

2 and 3 should be relatively simple for me to find... but I am not sure about 1.

Current Tomcat is Apache Tomcat/7.0.57.

Disclaimer about security through obscurity

This does not mean that I am endorsing relying only on security through obscurity. Instead I believe hiding the version will add a small delay to an attack forcing the attacker to perform more information gathering. Reducing information leakage is considered a best practice from OWASP.

Menelaos

2 Answers

You can disable several settings in Tomcat's "/conf/web.xml", like setting these to false:

xpoweredBy, listings, showServerInfo, ...

Stefan
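A conf/web.xml excerpt that applies the settings Stefan names, added here as an illustration; it is not code from the question, the answers or the Red5 project. The servlet names and init-params are the standard ones from Tomcat 7's stock conf/web.xml; everything else in that file (MIME types, welcome files, session config) is left out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative excerpt modelled on Tomcat 7's conf/web.xml; the real file
     declares many more mappings and MIME types that are omitted here. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- DefaultServlet serves static files and renders directory listings. -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <!-- Item 2 of the question: no directory listing when a directory has
         no welcome file. The stock default is already false, but setting it
         explicitly documents the intent. -->
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <!-- Keeps the Tomcat version string out of any listing or error page
         that DefaultServlet renders (present in 7.0.57, the version in the
         question). -->
    <init-param>
      <param-name>showServerInfo</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- JspServlet compiles JSPs; xpoweredBy controls whether the generated
       servlets add an X-Powered-By header naming the JSP engine. -->
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
      <param-name>xpoweredBy</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>
</web-app>
```

The Server header itself is emitted by the HTTP Connector, not by anything in web.xml, so item 1 of the question is not covered by this fragment. Stock Tomcat lets the Connector's `server` attribute override that header; in Red5 the connector is configured in the container bean file rather than in server.xml.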

Security by obscurity has never worked and never will. You virtually gain nothing by doing so. Similar issues have been filed with Tomcat and Mark Thomas closed them as won't fix.

Michael-O

  • Actually hiding identifying features is a well-known approach since many common attackers first identify the software running on a potential victim and then look up exploits on sites such as exploit db. Obviously keeping a system patched and updated is number one. Your answer is not an answer and is more fitting of a comment. – Menelaos Mar 07 '16 at 19:02
  • @maythesource.com This is the stupidest approach, thinking the attacker won't figure it out. All you do is postpone a possible attack. Read [this](https://bz.apache.org/bugzilla/show_bug.cgi?id=58750) Tomcat bug report. – Michael-O Mar 07 '16 at 20:02
  • I disagree... making it more difficult for the attacker (causing him to spend a little bit of additional time) in order to identify the system is not a minus. Now, is it worth the additional effort? Maybe not if existing tools can detect the version based on behavior (fingerprint). However, talking as if it is completely worthless makes you wrong. Security through obscurity is not a silver bullet... it should be a small deterrent on top of multiple other best security practices (patches, updates, firewalls, best practices, etc.). Spewing opinions isn't answering the question. – Menelaos Mar 07 '16 at 21:55
  • "All you do is to postpone a possible attack." Exactly... one more obstacle for the attacker to work through. Additionally, you make it impossible for inexperienced script kiddies. Now if your argument will be that more experienced attackers will be intrigued... you're screwed anyway if your version isn't patched fast enough or there is a zero-day vulnerability out there and a good enough hacker has it. So we can go at this all day but it's pointless because I will disagree with you. – Menelaos Mar 07 '16 at 21:59
  • https://en.wikipedia.org/wiki/Security_through_obscurity Obviously security by design is critical, but obscurity as a defense-in-depth measure is useful. – ChrisGeo Mar 07 '16 at 22:06
  • @Michael-O I did add a disclaimer so that an inexperienced user doesn't get any ideas about this being a foolproof approach. – Menelaos Mar 07 '16 at 22:13