Show a Notice/Warning Before Anyone Logs In.

So someone comes along and randomly tries to log in to your server. You think “dude, go away and stop trying to log in to my server!” In the real world, it’s usually required to post “No Trespassing” signs to warn people. Ya, they should know by the barbed wire fence… but that doesn’t always work.

Here I’m going to show how to display such a notice on the console and over SSH, letting people know, before they ever see the prompt, that they shouldn’t be trying to log in if they aren’t authorized. In the end we will get something like:

[screenshot: the finished pre-login banner with an ASCII logo]

Yes, you’ll be able to use your own logo. I just wanted to show a full example.

Also, if you want to show some nice stats about system health after login, here’s an easy article of mine on how to do so.

Before we start

So, just as a word of caution:

The following are suggestions of what to say, and how to do it, but ultimately you should refer to a lawyer and/or other qualified professionals to make sure you’re doing it right. I take no responsibility for this. That’s all yours :)

Also, you’ll want to customize it to your liking, and your needs.

There we go, warning out of the way.

Show it on the Console

First we will show the notice on the console, or tty. For those that don’t know, the console/tty is the text login prompt that appears once the system finishes booting (when it doesn’t go to a GUI). You’ll usually see something like (tty1) next to it.

Why show it on the console? Your systems should be physically secure, but if you do get an intruder, or an unattended visitor sees an admin’s password being typed in and decides to misuse it, that notice may help turn things in your favor. Those things should never happen, but without the notice they may get away with “Well, no one told me I couldn’t log in.” Keep in mind that the banner is a legal notice, not a technical control: it stops nobody on its own. Just my thoughts.

ASCII logos can get messed up when displaying on the console. I wasn’t able to use mine, but YMMV.

The contents of /etc/issue are what agetty prints before a user logs in, above the console login prompt.

Modify and save the following to /etc/issue:


                        [[ Your Company's Name Here ]]

 ****************************************************************************
 *                                                                          *
 *            !!!  POSTED: PRIVATE PROPERTY. NO TRESPASSING. !!!            *
 *                                                                          *
 *  This computer system is for authorized users only, who have obtained    *
 *  authorization in writing from the owner of this server. All activity    *
 *  is logged and regularly checked by system personnel. Individuals,       *
 *  companies, states, etc using this system without authority or in excess *
 *  of their authority are subject to having all their services revoked     *
 *  and/or prosecution for damages, seen and unseen. Any illegal services   *
 *  or activities performed by user, attempts to take down this server or   *
 *  any of its services, and/or any other malicious or disruptive action(s) *
 *  will be reported to local/national/international law enforcement, and   *
 *  said user(s) will be prosecuted to the full extent of the law.          *
 *                                                                          *
 *      Anyone or anything using this system consents to these terms.       *
 *                                                                          *
 ****************************************************************************

                       \d  -  \t

This is \n - \s \m \r  (\l)
 

The bottom line will show something like:

                       Mon May 09  2017 - 07:23:34

This is host.example.com (Linux x86_64 4.0.1)  (tty1)

Here is what each \x escape in those lines means (from man agetty; the full list there is longer):

d      Insert the current date.

s      Insert the system name, the name of the operating system. Same as `uname -s'.

l      Insert the name of the current tty line.

m      Insert the architecture identifier of the machine. Same as `uname -m'.

n      Insert the nodename of the machine, also known as the hostname. Same as `uname -n'.

o      Insert the NIS domainname of the machine. Same as `hostname -d'.

O      Insert the DNS domainname of the machine.

r      Insert the release number of the OS. Same as `uname -r'.

t      Insert the current time.

An alternate suggestion you can use is:

This is \n (\l)
\s \m \r
\d \t

Which will say:

This is host.example.com (tty1)
Linux x86_64 4.0.1
Mon May 09  2017 07:23:34

Now at the console you can press Enter (no username or password), and you should see the new notice. The system rereads the file each time the login prompt loads (so you don’t have to restart the machine).

Show the notice for SSH connections.

We will now make the notice show up for SSH connections, and do so before the user has a chance to login.

We will start by creating a file called /etc/issue.remote and putting the notice in it.

If your system happens to already use /etc/issue.remote, then you should use a different file, and substitute the following accordingly.

Don’t put the agetty escapes (\n, \r and friends) in this file. sshd does not expand them: it sends the Banner file to the client byte for byte, before authentication, so they would simply show up as a literal \n and \r in the notice. That is also the reason for keeping a separate file even though the notice is the same: the console version carries hostname, OS and kernel details that are fine on a physically secured tty but have no business being handed to every unauthenticated client on the network, and one escape-free file for remote use makes that hard to get wrong.

Ok, so in the /etc/issue.remote add the following, modifying according to your desires:

                  [[ Your Company's Name / ASCII Logo Here ]]

 ****************************************************************************
 *                                                                          *
 *            !!!  POSTED: PRIVATE PROPERTY. NO TRESPASSING. !!!            *
 *                                                                          *
 *  This computer system is for authorized users only, who have obtained    *
 *  authorization in writing from the owner of this server. All activity    *
 *  is logged and regularly checked by system personnel. Individuals,       *
 *  companies, states, etc using this system without authority or in excess *
 *  of their authority are subject to having all their services revoked     *
 *  and/or prosecution for damages, seen and unseen. Any illegal services   *
 *  or activities performed by user, attempts to take down this server or   *
 *  any of its services, and/or any other malicious or disruptive action(s) *
 *  will be reported to local/national/international law enforcement, and   *
 *  said user(s) will be prosecuted to the full extent of the law.          *
 *                                                                          *
 *      Anyone or anything using this system consents to these terms.       *
 *                                                                          *
 *    *** Disconnect IMMEDIATELY if you are not an authorized user! ***     *
 *                                                                          *
 ****************************************************************************
 

Then in the server config file /etc/ssh/sshd_config add or set this:

Banner /etc/issue.remote

Bonus: If you have a /etc/motd, you can make sure it’s displayed with:

PrintMotd yes

Then test your sshd_config file (as root, so sshd can read its host keys; otherwise the check fails for the wrong reason):

sshd -t

If there are no errors, restart the service. The unit is called sshd on RHEL/Fedora and ssh on Debian/Ubuntu, so adjust the name accordingly:

systemctl restart sshd

Post-login motd notice

Even after adding the above, it’s possible that someone won’t see it, or that it fails to show (for example, the user connected with ssh -q, which suppresses the banner on the client side). In that case you can also add this to your normal /etc/motd file (alongside whatever you already have in there):

POSTED: PRIVATE PROPERTY. NO TRESPASSING. TRESPASSERS WILL BE PROSECUTED.

This then shows up after a tty login. For SSH connections you may have to set this in your /etc/ssh/sshd_config:

PrintMotd yes

One caveat: on Debian and Ubuntu the stock sshd_config sets PrintMotd no because pam_motd already prints /etc/motd through PAM, so if you see the motd twice, leave it at no.

Restart sshd and when you log in you’ll see it.

systemctl restart sshd

Pitfalls

issue.net file

Don’t use /etc/issue.net for SSH. There is a file /etc/issue.net intended for remote logins, but some distros put the OS name and release in it as plain text (Ubuntu’s, for instance, contains the release name and number), and even if you modify it, a package update can put the original back. That would advertise the OS version to every SSH connection in the world, before anyone authenticates.

You can copy the warning from /etc/issue.remote (the one without the agetty escapes) into /etc/issue.net to cover your bases in case some other service decides to use it. But I would never tell SSH to use it.

Remote scripts failing

While the notice is great, having SSH display a message before login can break automated ssh scripts. The ssh client writes the banner to stderr, not stdout, so it doesn’t pollute captured command output, but tools that treat anything on stderr as an error can trip over it. If you have scripts failing, try ssh -q on the client to silence the banner, or use a Match block in sshd_config to turn it off for specific sources. Use Match Address for an IP or CIDR range (Match Host matches the client’s resolved hostname, not its address), and put Match blocks at the end of the file, since everything after one belongs to it:

Match Address x.x.x.x
       Banner none

I’ve only had this issue on a few backup programs, usually when they were initially trying to accept the new host’s key signature on a new setup. But once the host’s key signature was accepted, they worked just fine.
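Here is an added example (my own Python, not code from the original post or from OpenSSH) that checks a host against the pitfalls above in one go: it parses sshd_config, Match blocks included, flags any Banner that points at /etc/issue or /etc/issue.net or at a file that doesn’t exist, reports agetty escapes in whatever file Banner names (sshd would print them literally), and can also preview how agetty expands an /etc/issue template, which covers the console section as well. It works on text you pass in, so it runs offline; the sample config and banner files at the bottom are constructed for illustration, and the escape letters come from agetty(8).

```python
"""Audit an sshd Banner setup and preview agetty escapes (added example)."""
import re

# Escape letters agetty(8) expands in /etc/issue. sshd does NOT expand them: the
# Banner file goes to the client byte for byte, so an escape found in it means
# the file was copied from /etc/issue, not that data will leak.
AGETTY_ESCAPES = set("46bdelmnoOrsStuUv")
# Distro-managed files that commonly carry the OS release or kernel escapes.
RISKY_BANNER_PATHS = {"/etc/issue", "/etc/issue.net"}
_ESCAPE_RE = re.compile(r"\\(.)")


def expand_agetty_escapes(template: str, facts: dict) -> str:
    """Preview what agetty prints: `facts` maps escape letters to values,
    e.g. {"n": "host.example.com"}. An agetty escape with no value is left as
    written; any other backslash-escaped character prints bare, as agetty does."""
    def sub(m):
        ch = m.group(1)
        if ch in AGETTY_ESCAPES:
            return str(facts.get(ch, m.group(0)))
        return ch
    return _ESCAPE_RE.sub(sub, template)


def find_agetty_escapes(text: str) -> list:
    """Return [(line_no, escape), ...] for every agetty escape in a banner."""
    return [(no, m.group(0))
            for no, line in enumerate(text.splitlines(), 1)
            for m in _ESCAPE_RE.finditer(line)
            if m.group(1) in AGETTY_ESCAPES]


def parse_sshd_config(text: str):
    """Yield (scope, keyword, value): scope is "global" until the first Match
    line, then the Match criteria. Keywords are case-insensitive; "Key value",
    "Key=value" and "Key = value" are accepted. Include is not followed, so feed
    in the included files too, or the output of `sshd -T`, for the effective config."""
    scope = "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope = "Match " + value
            continue
        yield scope, keyword, value


def audit_banner_config(sshd_config_text: str, files: dict) -> list:
    """Check every Banner directive against the pitfalls in the post. `files`
    maps path -> contents (absent path = file missing). Returns finding strings."""
    findings = []
    have_global_banner = False
    for scope, keyword, value in parse_sshd_config(sshd_config_text):
        if keyword != "banner":
            continue
        if value.lower() == "none":   # "Banner none"; sshd -T prints this when unset
            continue
        if scope == "global":
            have_global_banner = True
        if value in RISKY_BANNER_PATHS:
            findings.append(f"{scope}: Banner {value} is distro-managed and may "
                            "carry OS details; an update can overwrite it")
        content = files.get(value)
        if content is None:
            findings.append(f"{scope}: Banner file {value} does not exist, "
                            "so no notice is sent")
            continue
        for line_no, esc in find_agetty_escapes(content):
            findings.append(f"{scope}: {value}:{line_no} contains agetty "
                            f"escape {esc}, which sshd would send literally")
    if not have_global_banner:
        findings.append("global: no Banner set; SSH clients get no notice")
    return findings


# Constructed sample config and files for illustration; not from a real host.
SAMPLE_SSHD_CONFIG = "PrintMotd yes\nBanner /etc/issue.net\n" \
                     "Match Address 192.0.2.10\n    Banner none\n"
SAMPLE_FILES = {
    "/etc/issue.net": "Example Linux 1.0\nThis is \\n (\\l)\n",
    "/etc/issue.remote": "POSTED: PRIVATE PROPERTY. NO TRESPASSING.\n",
}

if __name__ == "__main__":
    for finding in audit_banner_config(SAMPLE_SSHD_CONFIG, SAMPLE_FILES):
        print("FINDING:", finding)
    print(expand_agetty_escapes(r"This is \n - \s \m \r  (\l)", {
        "n": "host.example.com", "s": "Linux", "m": "x86_64", "r": "4.0.1", "l": "tty1"}))
```

Feed it the output of sshd -T (run as root) instead of the raw file to audit the effective configuration after any Include directives; sshd -T prints banner none when nothing is set, which the audit reports as a missing banner.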

Conclusion

This is a great way to display notices to both local and remote users. And now that you’ve set up a pre-login notice, it’d be nice to show server status information after login, which this article will show you how to do.