Adding a login banner

When configuring a network server it is a good idea to add a login banner to remind users that, as the system administrator, you can monitor what they are doing and that by using the system they agree to that monitoring. It won’t deter a determined attacker, but it does remind users to behave themselves!

As a general rule, do NOT put anything in a login banner that might help a potential attacker, such as the system name, release version, owner or what the system does.

By default ‘/etc/issue.net’ holds the banner text displayed when a user connects over the network using ‘ssh’, ‘telnet’, ‘ftp’ etc.

# nano /etc/issue.net

 
 Unauthorized use of this system is an offence under the Computer Misuse Act 
 1990. By using this system you agree that your activity may be continuously 
 monitored and that you will comply with the conditions of use. 
 

How you configure the login banner depends on how users are connecting to your system:

When logging in at the console, including some information about the system is less of a security issue, since an attacker who already has access to the console can obtain this sort of information relatively easily just by rebooting the system!

When logging in on the console you can include some additional system information by using the following escape sequences in the banner message:

\b – Baud rate.
\d – Current date.
\s – System name (the name of the operating system).
\l – Current tty line.
\m – Machine architecture type.
\n – Host name.
\o – Domain name.
\r – Kernel version.
\t – Current time.
\u or \U – Number of users logged in.
\v – Operating system version.

Note that these escape sequences are only translated by ‘agetty’ and have no effect when connecting remotely. Unfortunately one thing you can’t insert into the logon banner is the current network address; if you want to show it, you have to update the banner text whenever the network address changes!
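The two points above (nothing identifying in the network banner, and agetty escapes that sshd and telnetd print literally) can be checked before a banner is rolled out. The following POSIX shell check is an added example and is not part of the original post; the function names are my own, and it assumes the usual ‘hostname’, ‘uname’ and ‘/etc/os-release’ are available on the host for the live check.

```shell
#!/bin/sh
# banner_findings FILE NAME...
# Prints one line per problem found in FILE and returns 1 if any were found:
#   - an agetty escape such as \n or \r (sshd and telnetd do not expand these,
#     so they appear literally in a network banner)
#   - any of the NAME strings (hostname, kernel release, OS name ...) in the text
banner_findings() {
  file=$1; shift
  status=0
  # A literal backslash followed by one of the agetty escape letters.
  if grep -q '\\[bdslmnortuUv]' "$file"; then
    echo "escape sequence present (only agetty expands these)"
    status=1
  fi
  for name in "$@"; do
    [ -n "$name" ] || continue
    # Fixed-string, case-insensitive match so a release name in any case is caught.
    if grep -qiF -- "$name" "$file"; then
      echo "identifying string present: $name"
      status=1
    fi
  done
  return $status
}

# check_issue_net [FILE]: run the check against this system's own identifiers.
# (Assumed wrapper: hostname, kernel release and the os-release PRETTY_NAME.)
check_issue_net() {
  file=${1:-/etc/issue.net}
  os_name=$( [ -r /etc/os-release ] && . /etc/os-release && printf '%s' "$PRETTY_NAME" )
  banner_findings "$file" "$(hostname)" "$(uname -r)" "$os_name"
}

# Demonstration on a constructed banner file (not the live /etc/issue.net):
demo=$(mktemp)
printf 'Debian GNU/Linux jessie \\n (\\l)\n' > "$demo"
banner_findings "$demo" "jessie" || echo "banner needs attention"
rm -f "$demo"
```

Run ‘check_issue_net’ after editing the file; a non-zero exit means the banner either leaks something about the host or contains escapes that would only make sense in ‘/etc/issue’.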

By default ‘/etc/issue’ holds the banner text displayed when you log in locally on the console.

# nano /etc/issue

Debian GNU/Linux jessie \n (\l)
Kernel \r on an \m
 

Changes to ‘/etc/issue’ take effect immediately.

Debian GNU/Linux jessie <host name> (tty1)
Kernel 3.16.0-4-amd64 on an x86_64

<host name> login:

Remote connections via ssh

To configure a login banner for ‘ssh’ you need to uncomment (or add) the ‘Banner’ entry that names the banner file in the ssh daemon configuration file.

# nano /etc/ssh/sshd_config

#Banner /etc/issue.net
Banner /etc/issue.net

For this change to take effect ‘sshd’ must be restarted.

# service sshd restart

After restarting ‘sshd’, users connecting to the system will be shown the banner message before they are prompted for a password.

$ ssh root@192.168.0.1
 
 Unauthorized use of this system is an offence under the Computer Misuse Act 
 1990. By using this system you agree that your activity may be continuously 
 monitored and that you will comply with the conditions of use. 
 
root@192.168.0.1's password:
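The edit to ‘sshd_config’ above is easy to get wrong by hand (a leftover commented line, or a second ‘Banner’ line that sshd ignores because only the first occurrence of a keyword counts). The following shell functions are an added example, not part of the original post, that make the change idempotently on a file path you pass in; the function names are my own.

```shell
#!/bin/sh
# enable_ssh_banner CONFIG BANNER_PATH
# Ensures CONFIG contains exactly one active "Banner BANNER_PATH" line:
# an existing (commented or not) Banner line is replaced in place, any later
# duplicates are dropped, and if none exists the directive is appended.
enable_ssh_banner() {
  config=$1
  banner=$2
  tmp="$config.tmp.$$"
  if grep -Eq '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$config"; then
    awk -v b="$banner" '
      /^[[:space:]]*#?[[:space:]]*Banner[[:space:]]/ {
        if (!done) { print "Banner " b; done = 1 }
        next
      }
      { print }
    ' "$config" > "$tmp"
  else
    cat "$config" > "$tmp"
    printf 'Banner %s\n' "$banner" >> "$tmp"
  fi
  mv "$tmp" "$config"
}

# active_banner CONFIG: print the path sshd will actually use
# (sshd takes the first uncommented occurrence of a keyword).
active_banner() {
  awk '/^[[:space:]]*Banner[[:space:]]/ { print $2; exit }' "$1"
}

# Demonstration on a constructed copy, not the live /etc/ssh/sshd_config:
demo=$(mktemp)
printf '#Banner /etc/issue.net\nPermitRootLogin no\n' > "$demo"
enable_ssh_banner "$demo" /etc/issue.net
echo "active banner: $(active_banner "$demo")"
rm -f "$demo"
```

On the real system run it as root against ‘/etc/ssh/sshd_config’, then check the result with ‘sshd -t’ (which also fails if the banner file does not exist) before restarting the daemon; a configuration error found after the restart can lock you out of remote access.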


Remote connections using telnet

By default the telnet daemon (‘telnetd’) will display the contents of ‘/etc/issue.net’ before prompting the user for a password.

$ telnet localhost
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
 
 Unauthorized use of this system is an offence under the Computer Misuse Act 
 1990. By using this system you agree that your activity may be continuously 
 monitored and that you will comply with the conditions of use. 
 
<host name> login:
