Creating custom SSH welcome messages

  #1  
Old 12-12-2004, 12:28 PM
DediZoneSales DediZoneSales is offline
Disabled
 
Join Date: Jul 2003
Location: England
Posts: 406

Creating custom SSH welcome messages


This is good if you enable SSH login for your users; you can place some text for them to see once they log in.

*PLEASE INSTALL AT YOUR OWN RISK!

-------------------------------------------------

1. Login to your server as root via SSH.

2. Type: pico /etc/motd

3. Now type in the message you want everyone to see. Something like this is good.

"This computer system is for authorized users only. All activity is logged and regularly checked by systems personnel. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked. Any illegal services run by user or attempts to take down this server or its services will be reported to local law enforcement, and said user will be punished to the full extent of the law. Anyone using this system consents to these terms."

(The above is just sample text, you may create your own or use this!)

4. Save and exit Pico. Type: CTRL-X, Y, Enter

  #2  
Old 12-16-2004, 11:30 AM
Stacie Stacie is offline
Aspiring Evangelist
 
Join Date: Jun 2004
Posts: 372
Re: Creating custom SSH welcome messages

Quote:
Originally posted by Minimalistix
This is good if you enable SSH login for your users; you can place some text for them to see once they log in.

*PLEASE INSTALL AT YOUR OWN RISK!

-------------------------------------------------

1. Login to your server as root via SSH.

2. Type: pico /etc/motd

3. Now type in the message you want everyone to see. Something like this is good.

"This computer system is for authorized users only. All activity is logged and regularly checked by systems personnel. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked. Any illegal services run by user or attempts to take down this server or its services will be reported to local law enforcement, and said user will be punished to the full extent of the law. Anyone using this system consents to these terms."

(The above is just sample text, you may create your own or use this!)

4. Save and exit Pico. Type: CTRL-X, Y, Enter
That probably belongs in a banner not MOTD.

Also you should do echo "update_motd=\"NO\"" >> /etc/rc.conf

  #3  
Old 12-29-2004, 09:59 AM
valmark valmark is offline
Junior Guru Wannabe
 
Join Date: Dec 2004
Posts: 83
Re: Re: Creating custom SSH welcome messages

Quote:
Originally posted by Stacie
That probably belongs in a banner not MOTD.

Also you should do echo "update_motd=\"NO\"" >> /etc/rc.conf
Also you should edit the /etc/issue to something like this:

Quote:
This computer system is for authorized users only. Individuals using this system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded or examined by any authorized person, including law enforcement, as system personnel deem appropriate. In the course of monitoring individuals improperly using the system or in the course of system maintenance, the activities of authorized users may also be monitored and recorded. Any material so recorded may be disclosed as appropriate. Anyone using this system consents to these terms.

  #4  
Old 01-21-2005, 06:21 PM
AstroNyu AstroNyu is offline
Aspiring Evangelist
 
Join Date: Dec 2004
Location: MY, NL, Rest of The World
Posts: 438
Nice one. Thanks for your nice tut.
And what does /etc/issue do?

  #5  
Old 02-05-2005, 03:42 PM
kalpin kalpin is offline
Junior Guru Wannabe
 
Join Date: Jan 2005
Location: Jakarta, Indonesia
Posts: 86
/etc/issue and /etc/issue.net appear if you or your users connect to your server remotely via telnet, not ssh. If you want to display your messages after they provide their login but before the password prompt (via ssh), then you should put it in your sshd_config, located at /etc/ssh/sshd_config, with the line:

banner /etc/warning

But if you want to put your messages after you or your users successfully log in to your server, then you have to put them in /etc/motd. Unfortunately, your users can avoid this if they create an empty .hushlogin in their home (which will also hide their last login).

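The checks described in the post above, as an added example that is not part of the original thread: a shell script that resolves the effective global `Banner` file from sshd_config, confirms the file exists and is non-empty, and lists accounts whose home directory contains `.hushlogin`. The function names and the sample tree are constructed for illustration; `Include` files and per-`Match` overrides are not followed.

```shell
#!/bin/sh
# Added example: audit which login messages an sshd host will actually show.
# Every function takes a root prefix so it can run on a constructed tree;
# pass "" to audit the live filesystem.

# Effective global Banner value: the first occurrence wins, keywords are
# case-insensitive, and anything after the first Match block is skipped.
banner_path() {
    awk 'tolower($1) == "match"  { exit }
         tolower($1) == "banner" { v = $2; exit }
         END { if (v == "" || tolower(v) == "none") v = "none"; print v }' "$1"
}

# Prints unset, missing:<path> or ok:<path> for the pre-authentication banner.
banner_status() {
    path=$(banner_path "$1/etc/ssh/sshd_config")
    if [ "$path" = none ]; then echo "unset"
    elif [ ! -s "$1$path" ]; then echo "missing:$path"
    else echo "ok:$path"
    fi
}

# Accounts whose home directory holds .hushlogin, which suppresses
# /etc/motd and the last-login line for that user.
hushlogin_users() {
    while IFS=: read -r user _ _ _ _ home _; do
        [ -e "$1$home/.hushlogin" ] && echo "$user"
    done < "$1/etc/passwd"
    return 0
}

# Constructed sample tree (not taken from any real host).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/ssh" "$t/home/alice" "$t/home/bob"
    printf '%s\n' '#Banner none' 'banner /etc/warning' \
        'Match User bob' 'Banner none' > "$t/etc/ssh/sshd_config"
    echo 'Authorized users only.' > "$t/etc/warning"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/sh' \
        'bob:x:1001:1001::/home/bob:/bin/sh' > "$t/etc/passwd"
    : > "$t/home/bob/.hushlogin"
    echo "$t"
}

tree=$(make_sample_tree)
echo "banner: $(banner_status "$tree")"
echo "motd hidden for: $(hushlogin_users "$tree")"
rm -rf "$tree"
```

A `missing:` result means sshd is configured to show a banner file that is absent or empty, so users see no pre-login notice.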
  #6  
Old 02-05-2005, 10:07 PM
UniServe Hosting UniServe Hosting is offline
Disabled
 
Join Date: Dec 2004
Location: Toronto, Ontario, Canada
Posts: 285
PLEASE, PLEASE DO NOT LOG IN VIA SSH as the user "root". This option should be disabled for the SSH Daemon by default. When are people going to realise that logging in VIA ssh root is like using telnet?

  #7  
Old 04-11-2005, 07:33 PM
Lightwave Lightwave is offline
Web Hosting Master
 
Join Date: Apr 2003
Location: San Jose, CA.
Posts: 1,616
Just my 2c... but that explicit of a warning message seems excessive.

Legitimate users are only going to be scared off from using the shell account.

Non-legitimate users won't give a crap anyways. The host/account they are coming from is likely compromised as well.

  #8  
Old 04-19-2005, 01:45 AM
rotoiti rotoiti is offline
Junior Guru
 
Join Date: Apr 2005
Location: silicon and earthquakes
Posts: 247
Quote:
Originally posted by UniServe Hosting
PLEASE, PLEASE DO NOT LOG IN VIA SSH as the user "root". This option should be disabled for the SSH Daemon by default. When are people going to realise that logging in VIA ssh root is like using telnet?
Even when using public key authentication?

  #9  
Old 05-04-2005, 10:36 AM
jNive jNive is offline
Design and Hosting Solutions
 
Join Date: May 2005
Location: New York
Posts: 736
log in via another user, and su - as root perhaps

  #10  
Old 05-06-2005, 08:56 AM
nadtz nadtz is offline
Web Hosting Guru
 
Join Date: Feb 2005
Posts: 334
Instead of not logging in as root, why not lock down SSH properly? Disabling root is only a bandaid. Most people use such crappy passwords and such worthless security that rooting the box after accessing another acct is child's play.

Logging in as root is nothing like using telnet. Anyone who has ever run a sniffer (for malice or curiosity) can tell you the difference.

  #11  
Old 05-06-2005, 10:51 AM
UniServe Hosting UniServe Hosting is offline
Disabled
 
Join Date: Dec 2004
Location: Toronto, Ontario, Canada
Posts: 285
Quote:
Logging in as root is nothing like using telnet. Anyone who has ever run a sniffer (for malice or curiosity) can tell you the difference.
My implication was simply that logging via SSH root is a security hazard/risk. Of course, there are many other determining factors to take into consideration. To cover the scope of hardening any UNIX system is clearly beyond the scope of this thread.

Quote:
Disabling root is only a bandaid.
Sure, it's a bandaid, however, at least the initial poster is aware that root logins via SSH should be disabled by default. Maybe when you have the time you can write an outlined paper on securing UNIX based systems. I had no intentions on detailing security specifics. The only point I tried to bring across was, root via SSH should be disabled.

  #12  
Old 05-06-2005, 11:50 AM
rotoiti rotoiti is offline
Junior Guru
 
Join Date: Apr 2005
Location: silicon and earthquakes
Posts: 247
Quote:
I had no intentions on detailing security specifics. The only point I tried to bring across was, root via SSH should be disabled.
Again, I am trying to understand what kind of security risk I am creating by remotely logging in as root using public key authentication? I understand root login using password (keyboard interactive) auth should be disabled, but what is wrong with public key?

  #13  
Old 05-22-2005, 07:46 AM
linux-tech linux-tech is offline
<?require_once("life")?>
 
Join Date: Sep 2002
Location: inside your network
Posts: 9,548
Quote:
Originally posted by UniServe Hosting
PLEASE, PLEASE DO NOT LOG IN VIA SSH as the user "root". This option should be disabled for the SSH Daemon by default. When are people going to realise that logging in VIA ssh root is like using telnet?
Quote:
logging in VIA ssh root is like using telnet.
Not true at all. SSH is NOT telnet, never will BE telnet, and is flat out MUCH more secure. This analogy is quite ridiculous, and, honestly quite overused. The same can be said for logging in as ANY user over ssh!!

Quote:
This option should be disabled for the SSH Daemon by default.
Incorrect. Like it or not, ssh is MUCH more secure than telnet, and there is absolutely NO reason whatsoever to deny root logins to the server via ssh. Of course, there are numerous individuals who would do nothing more than pull this kind of scare tactic, running around claiming "it's insecure, it's insecure, it's insecure!", when there is absolutely NO proof that it is insecure at all.

Now:
Allowing root access via password isn't a good idea (though it's hardly "insecure"). Requiring dsa keys to login as root will always be the best option.

Disallowing root login only creates more work on an often overworked administrator, and means that specific administrator has to jump through more hoops to get things solved. In a critical situation, this could be incredibly bad.

This is only a "layer" of quasi-security, as weak a layer as changing the ssh port. The fact is that this will not actually STOP much of anything at all, only create MORE work for the systems administrator, and isn't exactly beneficial in this respect.

Now, keeping sessions alive, when users are idle, that's a different story altogether, which is why I tend to get on people who just sit and idle on the server for hours. In fact, I set a default timeout of 5 minutes for idled users.

  #14  
Old 05-22-2005, 06:14 PM
mycroftx mycroftx is offline
WHT Addict
 
Join Date: May 2005
Posts: 155
Also, if you want every user to see a different motd, you should modify /etc/login.conf (this is only under FreeBSD).
Example:

user:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\

  #15  
Old 05-22-2005, 06:26 PM
dzeanah dzeanah is offline
WHT Addict
 
Join Date: May 2005
Posts: 145
I've left root logins via SSH open. Of course, my passphrase is in excess of 20 characters and uses more than just alphanumerics...

The problem is when someone runs a program to try and brute force your SSH password. Don't have a password that's brute-forceable, and you oughta be OK...
