Title: Login screens and warning banners

KBTAG: kben10000017
URL: http://www.securityportal.com/lskb/10000000/kben10000017.html
Date created: 17/04/2000
Date modified:
Date removed:
Authors(s): Kurt Seifried seifried@securityportal.com
Topic: Various notes on login screens and banners
Keywords: Legal, Network/Servers

Summary:

Most services have login banners or welcome screens, depending on the content these can help, or seriously harm your legal position should you experience a break-in. In at least one US court case a person was found not guilt of computer trespass since the login banner on the system said "Welcome". Also they can give valuable information to attackers, such as OS, and OS version ("Running RedHat 6.2 Zoot").

More information:

Make sure your banner clearly states that unauthorized access is forbidden, and only authorizes users are allowed in, you may also state usage guidelines:

This server is for authorized users of the Conglomo Corporate only. This 
server and it's resources are to be used for Conglomo approved work only. 
If you are unsure whether you are an authorized user or not log out 
immediately and phone Conglomo network services at 1-xxx-xxx-XXXX.

I typically use the shorter, but clearly understood message on my home machines:

Unauthorized access forbidden. This means you. GO AWAY.

Typical files that include these banners are "/etc/issue" and "/etc/issue.net" (usually generated at boot time from the "rc.local" script). For FTP servers usually a "welcome.msg" in the root directory (most FTP servers let you specify where the message is). Various other services will let you specify a connect message, for example proftpd lets you set the string for "ServerName", which can be a warning message. Also make sure you do not give the service name (i.e. proftpd, wu-ftpd, etc.) or the version, this will help attackers.