隐藏Tomcat异常页面中的版本信息,Tomcat服务器版本号泄露
Tomcat默认的报错页面会显示Apache Tomcat/8.5.51等版本号信息,这是不安全的:攻击者可以据此确定服务器版本,并利用该版本的已知漏洞对服务器进行攻击,所以需要将其隐藏。需要注意,隐藏版本号只是减少信息泄露,并不能修复漏洞本身,仍应及时将Tomcat升级到已修复漏洞的版本。
修改ServerInfo.properties
- 进入tomcat安装目录
cd /usr/local/tomcat/apache-tomcat-8.5.51/lib
- 备份catalina.jar包
cp catalina.jar catalina.jar_bak
- 下载catalina.jar包到本地,用压缩工具打开。
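进入路径:org\apache\catalina\util,打开ServerInfo.properties文件
注意:直接修改catalina.jar的改动会在升级或替换Tomcat时被覆盖,届时需要重新修改。也可以不改动jar包,而是在$CATALINA_BASE/lib/org/apache/catalina/util/目录下新建同名的ServerInfo.properties文件,或者在server.xml的<Host>中配置ErrorReportValve并设置showServerInfo="false",同样可以隐藏报错页面中的版本信息。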
源文件:
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
server.info=Apache Tomcat/8.5.51
server.number=8.5.51.0
server.built=Feb 5 2020 22:26:25 UTC
修改server.info、server.number、server.built,修改后:
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
server.info=
server.number=
server.built=
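将修改后的ServerInfo.properties保存回catalina.jar,用修改后的jar包替换服务器lib目录下的catalina.jar,然后重启Tomcat。下面的示例用kill -9强制结束进程;生产环境建议优先执行bin目录下的./shutdown.sh正常停止,仅在无法正常停止时再使用kill -9。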
[root@q bin]# ps -ef|grep tomcat
root 5621 4860 0 10:01 pts/0 00:00:00 grep tomcat
root 9431 1 0 Feb17 ? 08:50:31 /usr/local/java/jdk1.8.0_11/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/apache-tomcat-8.5.51/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /usr/local/tomcat/apache-tomcat-8.5.51/bin/bootstrap.jar:/usr/local/tomcat/apache-tomcat-8.5.51/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat/apache-tomcat-8.5.51 -Dcatalina.home=/usr/local/tomcat/apache-tomcat-8.5.51 -Djava.io.tmpdir=/usr/local/tomcat/apache-tomcat-8.5.51/temp org.apache.catalina.startup.Bootstrap start
[root@q bin]# kill -9 9431
[root@q bin]# ps -ef|grep tomcat
root 5763 4860 0 10:01 pts/0 00:00:00 grep tomcat
[root@q bin]# ./startup.sh
重启后再次访问报错页面(例如请求一个不存在的路径触发404),可以看到Tomcat版本信息已不再显示。另外,上面的进程列表显示Tomcat是以root用户运行的,建议改用专用的低权限用户运行,以降低服务被攻破后的影响。