When configuring a network server it is a good idea to add a login banner to remind users that, as system administrator, you can monitor what they are doing and that by using the system they agree to allow you to monitor them. It won’t deter a determined attacker, but it reminds users to behave themselves!
Generally it is a good idea NOT to put any information in a login banner that might help a potential attacker, such as the system name, release version, owner or what the system does.
By default ‘/etc/issue.net’ is used to hold the banner text displayed when a user connects from the network using ‘ssh’, ‘telnet’, and ‘ftp’ etc.
How you configure the login banner depends on how users are connecting to your system:
When logging in on the console, including some information about the system is less of a security issue: an attacker who has access to the console can obtain this sort of information relatively easily by just rebooting the system!
When logging in on the console you can include some additional system information by using the following escape characters in the banner message:
Note that these escape sequences are only translated by ‘agetty’ and have no effect when connecting remotely. Unfortunately, one of the things you can’t insert into the login banner is the current network address; if you want to do this you have to update the banner text when the network address changes!
By default ‘/etc/issue’ is used to hold the banner text that is displayed when you log in locally on the console.
Changes to ‘/etc/issue’ take effect immediately.
Remote connections via ssh
To configure a login banner for ‘ssh’ you need to uncomment (or add) the entry that defines the banner text in the ssh daemon configuration file.
For this change to take effect ‘sshd’ must be restarted.
After restarting ‘sshd’, users connecting to the system will be presented with a banner message when they log in.
Remote connections using telnet
By default the telnet daemon (‘telnetd’) will display the contents of ‘/etc/issue.net’ before prompting the user for a password.
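The advice above (keep the system name and release version out of a remote banner, and remember that ‘agetty’ escape sequences are not translated for remote logins) can be checked with a short script. This is an added example, not part of the original article: the function names ‘audit_banner’ and ‘sshd_banner_path’ are hypothetical, and the ssh check assumes the OpenSSH ‘Banner’ keyword in a single configuration file, ignoring ‘Match’ blocks and included files.

```shell
#!/bin/sh
# Added example: lint a login banner file against the article's advice.

# audit_banner FILE [HOSTNAME] [KERNEL_RELEASE]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# HOSTNAME and KERNEL_RELEASE default to this machine's values.
audit_banner() {
    ab_file=$1
    ab_host=${2:-$(uname -n)}
    ab_rel=${3:-$(uname -r)}
    ab_short=${ab_host%%.*}      # also catch the unqualified host name
    ab_rc=0
    if [ ! -r "$ab_file" ]; then
        echo "MISSING: cannot read $ab_file"
        return 1
    fi
    # A backslash followed by a letter or digit is an agetty escape; remote
    # services do not expand it, so users would see it verbatim.
    if grep -q '\\[A-Za-z0-9]' "$ab_file"; then
        echo "ESCAPE: agetty escape sequence in $ab_file"
        ab_rc=1
    fi
    if [ -n "$ab_short" ] && grep -qiF -- "$ab_short" "$ab_file"; then
        echo "LEAK: host name '$ab_short' in $ab_file"
        ab_rc=1
    fi
    if [ -n "$ab_rel" ] && grep -qF -- "$ab_rel" "$ab_file"; then
        echo "LEAK: kernel release '$ab_rel' in $ab_file"
        ab_rc=1
    fi
    return "$ab_rc"
}

# sshd_banner_path CONFIG
# Prints the value of the first active (uncommented) Banner keyword.
# Simplification: Match blocks and Include'd files are not followed.
sshd_banner_path() {
    awk 'tolower($1) == "banner" { print $2; exit }' "$1"
}

# Stand-alone use: sh banner-lint.sh /etc/issue.net
if [ "$#" -gt 0 ]; then
    audit_banner "$@"
fi
```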