WebApp Sec mailing list archives

Re: [WEB SECURITY] Tomcat Security


From: Cyrill Brunschwiler <cyrill.brunschwiler () csnc ch>
Date: Sat, 13 Aug 2005 17:42:39 +0200

Hi Nate

I'm not sure whether it is possible to configure a different server 
banner by file. However, from the security point of view, vendor, 
product and version info should be hidden from clients. Of course, 
practically it is possible to guess what application server is in use 
because of its appearance and behaviour (e.g. JSESSIONID). Worms and 
bots may lack this detection due to the programming effort that 
must be done to detect it, and as long as there are enough weak sites 
you're fine.

However, it is at least possible to overwrite the server banner by 
application. 

httpServletResponse.setHeader("Server", "");

This allows one to create a filter servlet which simply removes the server 
from each response header. The built filter should then be configured 
for each servlet (this is done in WEB-INF/web.xml). Application 
servers are also often placed behind an entry server or reverse proxy 
infrastructure. Most of these components allow hiding server 
banners.

Hope this helps
Cyrill


On Thursday 11 August 2005 17:44, Nathan Tobik wrote:
Are you changing the banner information in Tomcat as part of your
security process?  There was a discussion on this list a few months
ago about the value of changing banners.  From what I remember
there is almost no security value added by changing a banner.  I
would work on making sure your application is secure and then it
won't matter if an attacker knows you're running Java or not.

Nate Tobik
(412)661-5700 x206
VigilantMinds

<snip>...

One of my unanswered questions is how to change the banner
information in
Tomcat.
Any info would be greatly appreciated,

Thks,

Andy

</snip>
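The filter Cyrill describes, written out as an added example (this is not code from the original post; the class name ServerBannerFilter and the init-param name server-banner are assumptions). It targets the javax.servlet API of the period; on a Jakarta EE container the imports change to jakarta.servlet. The header is set before the chain runs so the value is already in place when the response is committed, and a neutral replacement value can be configured instead of the empty string the post uses.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Overwrites the Server response header on every response that passes
 * through this filter. Class name and init-param name are assumptions
 * for this example, not taken from the original post.
 */
public class ServerBannerFilter implements Filter {

    // Empty string by default, matching the setHeader("Server", "") call in the post.
    private String bannerValue = "";

    public void init(FilterConfig config) throws ServletException {
        // Optional <init-param name="server-banner"> lets a deployer choose a
        // neutral value (e.g. "webserver") instead of an empty header.
        String configured = config.getInitParameter("server-banner");
        if (configured != null) {
            bannerValue = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set the header before invoking the rest of the chain so it is
            // present by the time the response is committed; setHeader
            // replaces any existing Server value rather than appending.
            ((HttpServletResponse) res).setHeader("Server", bannerValue);
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // No resources to release.
    }
}
```

To apply it to every servlet, register it once in WEB-INF/web.xml with a filter element naming the class and a filter-mapping whose url-pattern is /* (the mapping per servlet that the post mentions is only needed if some paths should keep the banner). Verify the result with a plain HTTP client against a static resource as well as a servlet, since responses served by the container's default servlet must pass through the same mapping to be covered. Newer Tomcat releases also accept a server attribute on the Connector element in server.xml, which sets the banner at the connector level without any application code.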
