An SSH banner is usually configured to provide a disclaimer or set of rules that govern who needs to have access to the message. It is simply a warning message that typically warns unauthorized users from proceeding to access the system. Most organizations are likely to configure a banner to ward off unauthorized users and stipulate repercussions of doing so which, most of the time, have legal ramifications.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform related Linux system queries.
In this context, we shall look into how you can create your own custom SSH banner.
1. Make changes to the sshd_config configuration file
Start by making a small tweak in the /etc/ssh/sshd_config SSH configuration file. Here, We are going to open the file using the vim command-line editor:
$ sudo vim /etc/ssh/sshd_configScroll and locate the Banner attribute which specifies the location of the file that contains the banner message. By default, this is assigned the value of none.
The next thing you need to do is to uncomment the line and specify your custom banner file. In our case, we have specified the file to hold the SSH banner as /etc/custom_banner:
Banner /etc/custom_bannerSave the changes and exit the SSH configuration file. Then restart the SSH daemon to apply the changes:
$ sudo systemctl restart sshdAnd confirm that SSH is up and running:
$ sudo systemctl status sshd2. Create the SSH warning banner
Here, we will create the file that will contain the banner message. This is the file that that we have just specified in the /etc/ssh/sshd_config SSH configuration file:
$ sudo vim /etc/custom_bannerFor example, you can copy and paste the following content into the file:
Authorized access only!
This system is a property of Linuxapt and is only meant to be accessed by system administrators and the IT manager. If you are not authorized to access this system, disconnect immediately!Save the changes and exit. Let’s now try to log in to the system remotely and verify if we have the banner displayed. On your Linux terminal run the command:
$ ssh user@server-ipAlternatively, you can use the Putty ssh client, and once you have specified your username, the pre-authentication banner message that you configured.
Next, provide your password to gain access to your system.
3. Create a MOTD banner ( optional )
Additionally, if you wish to set a MOTD banner, short for the Message Of The Day banner, edit the /etc/motd file:
$ sudo vim /etc/motdNext, define the message to appear on the SSH banner upon login. You can create a fancy ASCII artwork using an ASCII generator. Here is our sample ASCII banner art. Create your own ASCII art and paste it to the file:
_ _
| | (_)
| | _ _ __ _ ___ ____ ____ _ _ _ ___
| | | | ‘_ \| | | \ \/ /\ \ /\ / / _` | | | / __|
| |___| | | | | |_| |> < \ V V / (_| | |_| \__ \
\_____/_|_| |_|\__,_/_/\_\ \_/\_/ \__,_|\__, |___/
__/ |
|___/
Save and exit. Once again, restart the SSH service:
$ sudo systemctl restart sshdNext time round you try logging in, the banner will be displayed once you have successfully provided your password and accessed the system.
This article covers How to Set a Custom SSH Warning Banner and MOTD in Linux. In fact, SSH banner warnings are necessary when companies or organizations want to display a stern warning to discourage unauthorized parties from accessing a server.
