In general, the vulnerability information for a piece of software is tied to a specific version and a specific operating system, so the software's version number and the operating system type are valuable to an attacker.
By default, Tomcat displays its own version number and the operating system type in the responses it returns, as shown in the screenshot below:
This creates a potential security risk and invites unnecessary attacks.
The procedure for hiding the version number and operating system type of Tomcat 7.0.52 on Ubuntu 14.04 is as follows:
$ cd ~
$ mkdir catalina
$ cd catalina
$ cp /usr/share/tomcat7/lib/catalina.jar .
$ unzip catalina.jar
$ cd org/apache/catalina/util
$ vim ServerInfo.properties
The file contents are as follows:
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
server.info=Apache Tomcat/7.0.52 (Ubuntu)
server.number=7.0.52.0
server.built=Jun 30 2016 01:59:37
Comment out the entries in the file directly, as follows:
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# server.info=Apache Tomcat/7.0.52 (Ubuntu)
# server.number=7.0.52.0
# server.built=Jun 30 2016 01:59:37
Once the edit is done, store the modified file back into catalina.jar:
$ cd ~
$ cd catalina
$ jar uvf catalina.jar org/apache/catalina/util/ServerInfo.properties
Put the modified catalina.jar back into Tomcat's directory:
$ cd ~
$ cd catalina
$ sudo unlink /usr/share/tomcat7/lib/catalina.jar
$ sudo mv /usr/share/java/catalina.jar /usr/share/java/catalina.jar.old
$ sudo cp catalina.jar /usr/share/java/
$ sudo chmod +r /usr/share/java/catalina.jar
$ cd /usr/share/tomcat7/lib
$ sudo ln -s ../../java/catalina.jar catalina.jar
Restart the Tomcat service:
$ sudo service tomcat7 restart
The result after the change is shown in the screenshot below: the system type information is gone and only a 404 error is returned.
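As an added example (not part of the original post), the Python check below uses the standard-library zipfile module to audit a catalina.jar for the three server.* properties the procedure above comments out, and to rewrite the jar the same way without the manual unzip/jar steps; build_sample_jar is a constructed stand-in for the real jar so it runs without a Tomcat install.

```python
import io
import zipfile

# Keys Tomcat reads from ServerInfo.properties; the procedure above comments them out.
EXPOSED_KEYS = ("server.info", "server.number", "server.built")
PROPS_PATH = "org/apache/catalina/util/ServerInfo.properties"

def parse_properties(text):
    """Return the active (uncommented) key=value pairs of a .properties file."""
    result = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue  # blank line, or a comment ('#' and '!' both start one)
        key, sep, value = stripped.partition("=")
        if sep:
            result[key.strip()] = value.strip()
    return result

def exposed_server_info(jar_bytes):
    """Audit a catalina.jar: return the version/OS properties that are still active."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        props = parse_properties(jar.read(PROPS_PATH).decode("utf-8"))
    return {k: v for k, v in props.items() if k in EXPOSED_KEYS}

def hide_server_info(jar_bytes):
    """Return a copy of the jar with the exposed keys commented out; other entries are kept."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == PROPS_PATH:
                lines = [("# " + l) if l.split("=", 1)[0].strip() in EXPOSED_KEYS else l
                         for l in data.decode("utf-8").splitlines()]
                data = ("\n".join(lines) + "\n").encode("utf-8")
            dst.writestr(item, data)  # keeps the original entry name and attributes
    return out.getvalue()

def build_sample_jar():
    """Constructed stand-in for catalina.jar carrying the properties shown above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(PROPS_PATH, "# Licensed to the Apache Software Foundation (ASF) ...\n"
                     "server.info=Apache Tomcat/7.0.52 (Ubuntu)\n"
                     "server.number=7.0.52.0\n"
                     "server.built=Jun 30 2016 01:59:37\n")
    return buf.getvalue()
```

Run exposed_server_info on the real /usr/share/java/catalina.jar after the replacement step to confirm an empty result before restarting Tomcat.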