Friday, December 14, 2012

Security: Stop Tomcat info disclosure

Not that I believe obscuring information of your running backend services will stop any smart hacker from figuring out what version you are running. In fact are hackers still doing that manually? I would expect them to have automated tools that would simply try to attack using a reverse historical vulnerability list for example.

In any case it is "recommended" to obscure tomcat version number and here is a recipe to do exactly that. We cannot afford patching dozens of tomcat servers following steps and while any configuration and management tool could help we prefer Plain Old Bash (POB) recipes run from Remoto-IT. So we just include a recipe line like:
common/tomcat/tomcat-remove-server-info-from-catalina-jar.sh /opt/tomcat

No comments:

Followers