一般情况下，软件的漏洞信息和特定版本，特定操作系统是相关的，因此，软件的版本号以及操作系统类型对攻击者来说是很有价值的。

在默认情况下，Tomcat会在返回信息中把自身的版本号，操作系统类型都显示出来，如下图：

这样做会造成潜在的安全风险，导致不必要的攻击行为。

在Ubuntu 14.04系统上隐藏Tomcat-7.0.52的版本号与操作系统类型的方法如下：

$ cd ~

$ mkdir catalina

$ cd catalina

$ cp /usr/share/tomcat7/lib/catalina.jar .

$ unzip catalina.jar

$ cd org/apache/catalina/util

$ vim ServerInfo.properties

1

2

3

4

5

6

7

8

9

10

11

12

13

$cd~

$mkdircatalina

$cdcatalina

$cp/usr/share/tomcat7/lib/catalina.jar.

$unzipcatalina.jar

$cdorg/apache/catalina/util

$vimServerInfo.properties

可以看到里面的内容如下：

# Licensed to the Apache Software Foundation (ASF) under one or more

# contributor license agreements. See the NOTICE file distributed with

# this work for additional information regarding copyright ownership.

# The ASF licenses this file to You under the Apache License, Version 2.0

# (the "License"); you may not use this file except in compliance with

# the License. You may obtain a copy of the License at

#

# http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

server.info=Apache Tomcat/7.0.52 (Ubuntu)

server.number=7.0.52.0

server.built=Jun 30 2016 01:59:37

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

#LicensedtotheApacheSoftwareFoundation(ASF)underoneormore

#contributorlicenseagreements.SeetheNOTICEfiledistributedwith

#thisworkforadditionalinformationregardingcopyrightownership.

#TheASFlicensesthisfiletoYouundertheApacheLicense,Version2.0

#(the"License");youmaynotusethisfileexceptincompliancewith

#theLicense.YoumayobtainacopyoftheLicenseat

#

#http://www.apache.org/licenses/LICENSE-2.0

#

#Unlessrequiredbyapplicablelaworagreedtoinwriting,software

#distributedundertheLicenseisdistributedonan"AS IS"BASIS,

#WITHOUTWARRANTIESORCONDITIONSOFANYKIND,eitherexpressorimplied.

#SeetheLicenseforthespecificlanguagegoverningpermissionsand

#limitationsundertheLicense.

server.info=ApacheTomcat/7.0.52(Ubuntu)

server.number=7.0.52.0

server.built=Jun30201601:59:37

直接注释掉里面的内容，如下：

# Licensed to the Apache Software Foundation (ASF) under one or more

# contributor license agreements. See the NOTICE file distributed with

# this work for additional information regarding copyright ownership.

# The ASF licenses this file to You under the Apache License, Version 2.0

# (the "License"); you may not use this file except in compliance with

# the License. You may obtain a copy of the License at

#

# http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

# server.info=Apache Tomcat/7.0.52 (Ubuntu)

# server.number=7.0.52.0

# server.built=Jun 30 2016 01:59:37

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

#LicensedtotheApacheSoftwareFoundation(ASF)underoneormore

#contributorlicenseagreements.SeetheNOTICEfiledistributedwith

#thisworkforadditionalinformationregardingcopyrightownership.

#TheASFlicensesthisfiletoYouundertheApacheLicense,Version2.0

#(the"License");youmaynotusethisfileexceptincompliancewith

#theLicense.YoumayobtainacopyoftheLicenseat

#

#http://www.apache.org/licenses/LICENSE-2.0

#

#Unlessrequiredbyapplicablelaworagreedtoinwriting,software

#distributedundertheLicenseisdistributedonan"AS IS"BASIS,

#WITHOUTWARRANTIESORCONDITIONSOFANYKIND,eitherexpressorimplied.

#SeetheLicenseforthespecificlanguagegoverningpermissionsand

#limitationsundertheLicense.

#server.info=ApacheTomcat/7.0.52(Ubuntu)

#server.number=7.0.52.0

#server.built=Jun30201601:59:37

修改完成后，把修改完成的数据存储到catalina.jar中。

$ cd ~

$ cd catalina

$ jar uvf catalina.jar org/apache/catalina/util/ServerInfo.properties

1

2

3

4

5

$cd~

$cdcatalina

$jaruvfcatalina.jarorg/apache/catalina/util/ServerInfo.properties

把修改后的catalina.jar放回到Tomcat的目录下面:

$ cd ~

$ cd catalina

$ sudo unlink /usr/share/tomcat7/lib/catalina.jar

$ sudo mv /usr/share/java/catalina.jar /usr/share/java/catalina.jar.old

$ sudo cp catalina.jar /usr/share/java/

$ sudo chmod +r /usr/share/java/catalina.jar

$ cd /usr/share/tomcat7/lib

$ sudo ln -s ../../java/catalina.jar catalina.jar

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

$cd~

$cdcatalina

$sudounlink/usr/share/tomcat7/lib/catalina.jar

$sudomv/usr/share/java/catalina.jar/usr/share/java/catalina.jar.old

$sudocpcatalina.jar/usr/share/java/

$sudochmod+r/usr/share/java/catalina.jar

$cd/usr/share/tomcat7/lib

$sudoln-s../../java/catalina.jarcatalina.jar

重启Tomcat的服务

$ sudo service tomcat7 restart

1

$sudoservicetomcat7restart

修改后的结果如下图所示，已经没有系统类型信息了，仅仅返回了一个404错误。