Tomcat/JBoss: Suppressing Server Identity - Part One
If you are as 'fortunate' as I am, you've got paranoid network security administrators just thinking up ways to ward off those wily hackers. If you want or need to suppress the server identity that your tomcat or jboss servers return in the HTTP Server header (and we can also assume for the sake of this post that your tomcat or jboss server is the front-end), then a couple of modifications can be made to help "anonymize" your server.
Changing the Server Header
You can modify your tomcat or jboss server's server.xml and add a "server" option and set it to whatever you want. The server option should be set for any http or ssl connectors that you have running. For example, if you have the following set in your tomcat's server.xml for the http connector:
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
Change it so that it looks like the following:
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"
server="This site has got moxy!"/>
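Because the attribute has to be present on every http and ssl connector, it is easy to miss one. The following is an added example (not from the original post, and not Tomcat's own tooling) that audits a server.xml for HTTP/SSL Connectors lacking a server attribute and previews the corrected file; the server.xml fragment it parses is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment): the HTTP connector already
# carries the server attribute, the SSL connector does not, and the AJP connector is
# skipped because AJP does not emit an HTTP Server header.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"
               server="This site has got moxy!"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""


def is_http_connector(conn):
    """HTTP and HTTPS connectors answer with a Server header; AJP connectors do not."""
    # Tomcat defaults protocol to HTTP/1.1; AJP may be "AJP/1.3" or a class name containing "ajp".
    protocol = conn.get("protocol", "HTTP/1.1")
    return "ajp" not in protocol.lower()


def audit_server_xml(xml_text):
    """Return (port, protocol) for each HTTP/SSL connector with no server attribute set."""
    root = ET.fromstring(xml_text)
    missing = []
    for conn in root.iter("Connector"):
        if is_http_connector(conn) and not conn.get("server", "").strip():
            missing.append((conn.get("port"), conn.get("protocol", "HTTP/1.1")))
    return missing


def set_server_attribute(xml_text, banner):
    """Return server.xml text with `banner` added to every HTTP/SSL connector that lacks one."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if is_http_connector(conn) and not conn.get("server", "").strip():
            conn.set("server", banner)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, proto in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"connector port={port} protocol={proto} has no server attribute")
    fixed = set_server_attribute(SAMPLE_SERVER_XML, "This site has got moxy!")
    print(audit_server_xml(fixed))  # [] once every HTTP/SSL connector carries the attribute
```

ElementTree drops XML comments and original formatting when it serializes, so treat set_server_attribute as a preview of the change and add the attribute to the real server.xml by hand.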
Perl Script to Verify Change
The following perl script will perform an HTTP HEAD request against the site of your choosing so you can validate the change.
#!/usr/bin/env perl
# usage: get-servertype.pl http|https://hostname[:port](-if non-standard)/
#
## These first three lines should go in all scripts
use strict;
use warnings;
use feature ':5.10'; #not needed for this but I need to get into the habit of using it
use LWP::UserAgent;
use HTTP::Headers;
use Crypt::SSLeay; #provides ssl support
# take the URL from the command line, or prompt for it if none was given
my $url = shift @ARGV;
unless (defined $url) {
    print "Enter the URL you want to get the Server Type for: ";
    $url = <STDIN>;
}
chomp $url; # strip the trailing newline, otherwise the URL is invalid
my $ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy; #if you have proxy environment variable set
$ua->requests_redirectable(['GET', 'HEAD']); # follow redirects for HEAD requests as well as GET
$ua->agent('allsortsandnotions/1.0'); #shameless plug
my $header = $ua->head( $url );
$header->is_success or
die "Failed to HEAD '$url': ", $header->status_line;
# print the Server header, or say so if the server did not send one
print $header->server // '(no Server header returned)', "\n";
Running this against one of my tomcat instances prior to making the change, I would get the following:
perl get-servertype.pl
...
Apache Coyote/1.1
After making the server change, I now get:
perl get-servertype.pl
...
This site has got moxy!!
Part 2 in this two-part series will deal with suppressing the version number returned by tomcat and jboss in default error pages. A loosely-related Part 3, which is JBoss-specific, deals with suppressing the X-Powered-By header returned by JBoss.