Hiding the Tomcat 7.0.52 version number and operating system type on Ubuntu 14.04

Recommended approach

The preferable way to do this is through Tomcat's own configuration rather than by patching the jar as described further down. In conf/server.xml, add the following Valve inside the <Host> element (declaring an ErrorReportValve there replaces the default one that StandardHost would otherwise add on its own):

<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />

Attributes:

  • showReport: default true; when true the error page includes the exception report (message and stack trace) for errors raised by the application.
  • showServerInfo: default true; when true the error page footer names the server, e.g. "Apache Tomcat/7.0.52 (Ubuntu)".

Two caveats. showServerInfo did not exist in the earliest 7.0.x releases (it arrived in 7.0.55 as far as I can tell), so on the stock Ubuntu 14.04 package at 7.0.52 Tomcat logs a "did not find a matching property" warning for the attribute at startup and keeps printing the banner; in that case the jar edit below is what actually works. And the Valve only changes the pages generated by the ErrorReportValve: anything else that prints ServerInfo, such as the upstream ROOT welcome page or the manager application's server information table, is unaffected, so remove or replace those webapps as well, and verify with something like curl -si http://localhost:8080/no-such-page that neither the body nor the response headers name a version.

Alternative approach

Vulnerability reports are tied to particular software versions and particular operating systems, so a version number and OS type are valuable information to an attacker.

By default Tomcat includes its own version and the OS type in its responses, as in the screenshot below:

[Screenshot: TomcatErrorPageVersion]

This is a needless disclosure: it lets an attacker go straight to the exploits that match this exact build.

On Ubuntu 14.04 the version and OS type of Tomcat 7.0.52 can be hidden as follows (you need unzip and a JDK, for the jar tool):

$ cd ~

$ mkdir catalina

$ cd catalina

$ cp /usr/share/tomcat7/lib/catalina.jar .

$ unzip catalina.jar

$ cd org/apache/catalina/util

$ vim ServerInfo.properties

Its contents are:

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

server.info=Apache Tomcat/7.0.52 (Ubuntu)
server.number=7.0.52.0
server.built=Jun 30 2016 01:59:37

Comment out the three properties at the bottom. When server.info is absent, Tomcat's ServerInfo class falls back to the bare string "Apache Tomcat", so the error page will still say Tomcat but no longer which version or which OS. Setting server.info=Apache Tomcat explicitly instead of commenting it out gives the same result and makes the intent clearer:

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# server.info=Apache Tomcat/7.0.52 (Ubuntu)
# server.number=7.0.52.0
# server.built=Jun 30 2016 01:59:37

After saving, write the modified file back into catalina.jar (jar u updates the existing entry in place):

$ cd ~

$ cd catalina

$ jar uvf catalina.jar org/apache/catalina/util/ServerInfo.properties

Put the modified catalina.jar back where Tomcat loads it. On the 14.04 package the jar actually lives in /usr/share/java and /usr/share/tomcat7/lib/catalina.jar is a symlink to it, so the real file is replaced and the link recreated:

$ cd ~

$ cd catalina

$ sudo unlink /usr/share/tomcat7/lib/catalina.jar 

$ sudo mv /usr/share/java/catalina.jar /usr/share/java/catalina.jar.old

$ sudo cp catalina.jar /usr/share/java/

$ sudo chmod +r /usr/share/java/catalina.jar

$ cd /usr/share/tomcat7/lib

$ sudo ln -s ../../java/catalina.jar catalina.jar

Restart the Tomcat service:

$ sudo service tomcat7 restart
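The steps above, from the jar edit through the restart, collected into one script, followed by a check that the banner is actually gone from a 404 response. This is an added example, not code from the original post. It assumes the Ubuntu 14.04 package layout used above (the symlink in /usr/share/tomcat7/lib pointing at /usr/share/java/catalina.jar) and unzip plus a JDK jar on the PATH; the script name hide-tomcat-banner.sh is invented. The banner_leaks check applies equally to the Valve method in the first section: run it against a 404 from the server after either change.

```shell
#!/bin/sh
# Added example, not code from the original post: the manual jar edit above as
# repeatable functions, plus a leak check that works for either method.
# Assumptions (labelled as such): the Ubuntu 14.04 tomcat7 package layout used
# above, with /usr/share/tomcat7/lib/catalina.jar symlinked to
# /usr/share/java/catalina.jar, and `unzip` plus a JDK `jar` on the PATH.

# Comment out server.info / server.number / server.built and leave every other
# line (the licence header) untouched. Properties file on stdin, result on stdout.
scrub_serverinfo() {
    sed -e 's/^\(server\.info=.*\)$/# \1/' \
        -e 's/^\(server\.number=.*\)$/# \1/' \
        -e 's/^\(server\.built=.*\)$/# \1/'
}

# Exit 0 if a version or OS banner is still visible in the HTTP response on
# stdin (capture it with `curl -si`), 1 if it is clean. Matches the error-page
# footer ("Apache Tomcat/7.0.52 (Ubuntu)") and an X-Powered-By header.
banner_leaks() {
    grep -Eq 'Apache Tomcat/[0-9]|\((Ubuntu|Debian)\)|^X-Powered-By:'
}

# Build a copy of $1 (original catalina.jar) at $2 with the scrubbed
# ServerInfo.properties; the original jar is never modified in place.
repack_catalina_jar() {
    src=$1
    out=$2
    work=$(mktemp -d) || return 1
    prop=org/apache/catalina/util/ServerInfo.properties
    unzip -q "$src" "$prop" -d "$work" || return 1
    scrub_serverinfo < "$work/$prop" > "$work/scrubbed" || return 1
    mv "$work/scrubbed" "$work/$prop" || return 1
    cp "$src" "$out" || return 1
    # `jar uf` updates the entry in place; -C keeps the entry path relative to $work
    jar uf "$out" -C "$work" "$prop" || return 1
    rm -rf "$work"
}

# Swap the rebuilt jar into the package's real location, keeping a backup,
# after confirming the symlink really points where the steps above assume.
install_catalina_jar() {
    new=$1
    link=/usr/share/tomcat7/lib/catalina.jar
    target=/usr/share/java/catalina.jar
    if [ "$(readlink -f "$link")" != "$target" ]; then
        echo "unexpected layout: $link does not resolve to $target" >&2
        return 1
    fi
    sudo cp -p "$target" "$target.old" || return 1
    sudo cp "$new" "$target" || return 1
    sudo chmod 644 "$target" || return 1
    sudo service tomcat7 restart
}

# Usage: sh hide-tomcat-banner.sh --apply   (assumed script name).
# Without --apply only the functions are defined, so the file can be sourced.
if [ "${1:-}" = "--apply" ]; then
    repack_catalina_jar /usr/share/java/catalina.jar "$HOME/catalina.jar" &&
    install_catalina_jar "$HOME/catalina.jar" || exit 1
    sleep 5   # give Tomcat a moment to come back before probing it
    if curl -si http://localhost:8080/no-such-page | banner_leaks; then
        echo "version banner still visible on the 404 page" >&2
        exit 1
    fi
    echo "banner hidden"
fi
```

Run it with --apply to perform the whole procedure; without the flag it only defines the functions, so scrub_serverinfo and banner_leaks can be sourced and used on their own, for instance to re-check a host after a package upgrade.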

After the change the error page no longer reveals the OS type or the version; it is just a 404, as shown below:

[Screenshot: TomcatErrorPageVersionAfterHide]

Two things to keep in mind with this method. The next upgrade of the package that owns /usr/share/java/catalina.jar (libtomcat7-java; confirm with dpkg -S /usr/share/java/catalina.jar) will replace the jar and silently undo the edit, so repeat it after every upgrade or hold the package. And the edit only changes what ServerInfo reports; the Server response header is controlled separately by the server attribute of the <Connector> in server.xml and defaults to Apache-Coyote/1.1, which names no version.

For hiding the Apache httpd version in the same way, see Ubuntu 14.04隐藏Apache-2.4的版本号与操作系统类型 (hiding the Apache 2.4 version number and OS type on Ubuntu 14.04).

References

Tomcat隐藏版本号和报错信息(修改配置文件方式) (Hiding the Tomcat version number and error details by editing the configuration file)
