GeodSoft logo   GeodSoft

Hardening OpenBSD Internet Servers
Logon Banners

Logon banners and system greetings usually provide information useful to intruders. Instead they should warn intruders against unauthorized access so all legal remedies may be persued against the intruders. Finding and changing OpenBSD logon banners is discussed here.

I've never understood why virtually every computer system ever built announces itself to the world when anyone makes a connection to it. It's of almost no interest to ordinary non technical users and legitimate administrators can get this other ways. This is one of the essential pieces of information in cracking a system. Potential intruders seem to be about the only audience likely to actually benefit from this information.

Fyodor, the author of nmap, has gone to great lengths to build OS finger printing capabilities into nmap. OS finger printing in nmap is identifying the OS by examining minor variations in how the TCP/IP stack responds to non standard packets. As he says in his article on OS finger printing

There is no point going to all this trouble of fingerprinting if the machine will blatantly announce to the world exactly what it is running! Sadly, many vendors ship current systems with these kind of banners and many admins do not turn them off. Just because there are other ways to figure out what OS is running (such as fingerprinting), does not mean we should just announce our OS and architecture to every schmuck who tries to connect.

As security conscious as the authors of OpenBSD are, I'm surprised they do exactly this. Perhaps this is just a default setting on servers that are off by default and which the OpenBSD authors regard as inherently insecure. Both telnetd and ftpd announce the operating system and hostname before a login is completed. Telnetd also gives the architecture. Elsewhere, in the TCPD Wrappers section, an "h" was added to the command that starts telnet sessions to surpress this information. I haven't found an ftpd option to surpress this information. The best I've found is that the contents of /etc/ftpwelcome will be displayed before the ready message (which contains the hostname, OS and server release information).

Instead of announcing to the world what the OS is, the login banner should tell unauthorized users to stay away. According to Creating Login Banners if you want to use system logs in a U.S. court of law against an intruder, your system needs a notice that system activity is logged. This specifically applies to government computers. I'm not sure if there is such a requirement for privately owned computers but it can't hurt to have an explicit warning. My current login banner reads:

Unauthorized access prohibited; all access and activities
not explicitly authorized by George Shaffer are unauthorized.
All activities are monitored and logged. There is no privacy
on this system. Unauthorized access and activities or any
criminal activity will be reported to appropriate authorities.

No information that identifies the system being connected to is provided. This custom banner has been placed in both /etc/ftpwelcome and /etc/motd.

I see no more point in displaying the operating system and architecture information after a login is completed than before. sshd, telnetd and ftpd display /etc/motd after a successful login. To assure that the custom banner continues to appear and that the OS and platform information does not, the following lines from /etc/rc need to be removed or commented out:

# patch /etc/motd
if [ ! -f /etc/motd ]; then
        install -c -o root -g wheel -m 664 /dev/null /etc/motd
T=`mktemp /tmp/_motd.XXXXXXXXXX`
if [ $? -eq 0 ]; then
   sysctl -n kern.version | sed 1q > $T
   echo "" >> $T
   sed '1,/^$/d' < /etc/motd >> $T
   cmp -s $T /etc/motd || cp $T /etc/motd
   rm -f $T

The lines above are the ones that put "OpenBSD", the version, the kernel name and when it was compiled at the top of the /etc/motd. The above lines don't display this information but rather restore this information to the /etc/motd file if a system administrator has taken it out. They also update this information if a custom kernel is built.

transparent spacer

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in (or These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of (or cgi-bin/ from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.


What's New
Email address

Copyright © 2000-2014, George Shaffer. Terms and Conditions of Use.