I want to hide the identity of my tomcat version in red5. So far I have done the following:
webapps folder except for vod and root\web-inf. The other directories/webapps were not necessary.
I have added an error valve in conf/j2ee-container.xml based on the answer at https://stackoverflow.com/a/25237686/1688441.
    </bean>
    <bean id="valve.error" class="org.apache.catalina.valves.ErrorReportValve">
        <property name="showServerInfo" value="false" />
        <property name="showReport" value="false" />
    </bean>
</list>
The page is very empty now when an error happens:
HTTP Status 404 - /testing
However I have not found how to do three remaining things:
Server:Apache-Coyote/1.1)
2 and 3 should be relatively simple for me to find... but not sure about 1.
Current tomcat is Apache Tomcat/7.0.57
This does not mean that I am endorsing relying only on security through obscurity. Instead I believe hiding the version will add a small delay to an attack forcing the attacker to perform more information gathering. Reducing information leakage is considered a best practice from OWASP.
You can disable several settings in Tomcat's "/conf/web.xml", like setting these to false:
xpoweredBy, listings, showServerInfo, ...
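One way to check those three settings in a web.xml, as an added example that is not part of the original answer. The function names and the sample XML are constructed for illustration. A parameter that no servlet sets is reported as unset rather than guessed at.

```python
import xml.etree.ElementTree as ET

# Init-params named in the answer; the answer's advice is to set each to "false".
PARAMS = ("xpoweredBy", "listings", "showServerInfo")

# Constructed sample in the layout of conf/web.xml, not copied from a real server.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>showServerInfo</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <init-param><param-name>xpoweredBy</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Stripped text of the first direct child called `name`, or None."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_web_xml(xml_text):
    """Map (servlet, param) to 'ok' or 'exposed' for each param set explicitly;
    params that no servlet sets are reported as (None, param) -> 'unset'."""
    findings, seen = {}, set()
    root = ET.fromstring(xml_text)
    for servlet in (e for e in root.iter() if local(e.tag) == "servlet"):
        sname = child_text(servlet, "servlet-name")
        for ip in (e for e in servlet if local(e.tag) == "init-param"):
            pname = child_text(ip, "param-name")
            if pname in PARAMS:
                value = (child_text(ip, "param-value") or "").lower()
                findings[(sname, pname)] = "ok" if value == "false" else "exposed"
                seen.add(pname)
    for pname in PARAMS:
        if pname not in seen:
            findings[(None, pname)] = "unset"  # container default applies
    return findings

if __name__ == "__main__":
    for key, state in audit_web_xml(SAMPLE_WEB_XML).items():
        print(key, state)
```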