TransWikia.com

Disable GetCapabilities in GeoServer

Geographic Information Systems Asked by Tedd on February 3, 2021

My project currently uses GeoServer 2.6.2 to serve out a few WFS and WMS layers to our application.

The results of some penetration testing raised the fact that GeoServer can be called with GetCapabilities which will then give out some juicy information that could be used against us.

Is there a way, specifically from within GeoServer, that you can disable the GetCapabilities requests or block them?

There is currently no need for the operation as we only use it ourselves.

3 Answers

The reason why GeoServer (as every server compliant to the OpenGIS Webservice-format) provides this function is to be able to determine what your WMS or WFS is able to do, which kind of data they use (spatial reference, accuracy, layers), what the extent for them (bounding box) is and who might be responsible for issues when having problems on dealing with the service (service-admin).

I strongly would not recommend do deactivate this, as it is needed for every kind of automatic search for your service. The function simply provides metadata about your services, I doubt there are security-issues which it hands out.

Even noticing that you´re using the service only yourself does not justify disabling this as there might be collegues that do not understand every single parameter or every method that is provided by your WFS for exapmle. Looking into the document simplifies the process on getting all those information.

However if you really have to do this you may simply deactivate the servlet which is related to the function. As GeoServer is a simple servlet-container it provides a web.xml-file which you may modify. Simply delete the mservlet-mapping for GetCapabilities and you´re done. See this doc from oracle for how to do this.

Anyway I doubt you can do much without the function, as many products (ArcGIS, OpenLayers, ...) use this information before even making any request for your actual data.

Answered by HimBromBeere on February 3, 2021

If you only use the service yourself then the solution would be to only serve fake metainformation.

What I think could be used against you is the contacts information and other metadata. Simply fake this, and your pentesters should be happy. That way you retain getCapabilities functionality, while not providing any identifying data to potential attackers.

You could also reveal a bit more on what exactly the pentest identified as possible attack vectors. Then we could better discuss mitigation stratgies.

Answered by til_b on February 3, 2021

To kill this thread what I did was follow the security docs that user30184 commented: How to disable getCapabilities in GeoSserver http://docs.geoserver.org/latest/en/user/security/webadmin/services.html

So within geoserver web interface > Services I added some rules to restrict some of the Services' functions.

So that when they are hit you get an authentication error.

I am aware that this is not necessarily to everyone's taste, but it is all that I needed for my situation.

None the less I think that the answers and comments on this thread will serve to help others down the line. Thank you too all contributors.

Answered by Tedd on February 3, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP