The real purpose of login banners (on Linux)

Login banners on Linux

The first thing you might see when connecting to a Linux machine, is a login banner. Some systems use the default, others have put some serious work into it. Think of great forms of ASCII art, or a lot of impressive text. You might be surprised to learn the real reasons for having a banner in the first place. In this article we will discuss the purpose, and determine how we can improve the quality of our login banners.

Reasons for using login banners

Most administrators don’t put a lot of thought in the banners, like the one used for SSH connections. Some welcome anyone who connects, others filled it with background details of the system. Those with time on their hands, might have added goofy textual graphics. So what is the reason for showing someone a banner in the first place?

Scare hackers?

If you ask this question about the purpose, most will say it is to scare away unauthorized visitors. While it might work for some malicious users, most of them use automated scripts. In such case the banner is not even displayed to a human, which defeats its purpose. So if that is not the real reason, there is not much else, right?

Provide information?

Well, if you simply want to be informative about the system, you definitely can do this in a banner. Like sharing what system hostname or IP address you are connecting to. It might be a good confirmation that you connected to the right system. But be careful, you might give away too much information. This is called “information disclosure”, and makes it easier for attackers to find the information they are looking for. It is similar to provide program names and versions. So being informative can be an option, but it definitely not the main reason.

All these mentioned reasons are not the primary goal of a banner. It is about legal and privacy. First, it is to tell upfront that only authorized users are allowed to move forward with the authentication procedure. This way a human connecting manually to a system, is told (friendly) to leave if they shouldn’t be there. More interesting is the privacy part. The banner is there to strip away any privacy rights users have on the system. What, removing all privacy for users? Yes, that is correct.

With a banner, you warn legitimate users about the possibility of system monitoring and privacy invasion. Of course, it is not like you want to gather their most intimate secrets. But you might have applied automated monitoring and snooping. Like storing every single command they execute, or files they accessed. This already invades privacy, and should be shared with the user.

The usage of banners is similar to warning signs, like for video surveillance, or other defensive measures. This way users can’t complain they are being watched. With a banner or warning sign you also gain the effect of preventing things from happening. We also call this is deterent measure, which helps users not crossing the line.

For Linux systems, you can define banners on common services like FTP and SSH. You could also add a banner to the login page on a web application, to make clear what happens after logging in.

Good versus bad banners

With these insights in mind, it is a lot easier to come up with a good banner. So here are some tips:

Don’t:

  • Welcome the user
  • Provide information only authorized people should know
  • Share system resources or performance

Do:

  • Share that only authorized people and services are allowed to proceed
  • Explain that monitoring is active on the system
  • Add a line stating that by proceeding, you accept to the terms

Now the legal system varies a lot in the world. So for exact wording, it is advised to contact your legal department, if you have any. If you don’t have access to a legal person, continue reading.

Example banner

Here is a list of words that you would generally expect to be in the banner:

  • access (by accessing this machine)
  • audit (this system is audited by means of automatic and manual monitoring)
  • accept (by proceeding, you accept the contents of this banner)
  • authorized or unauthorized (this system is only available for authorized users)
  • enforce (policies are enforced to monitor this system)
  • law (unauthorized access will be reported to law agencies)
  • legal (we will take legal measures)
  • monitor (this system is monitored)
  • private / prohibited / restricted
  • privacy (no privacy is guaranteed as this system will be monitored)
  • proceed (by proceeding…)
  • subject
  • terms

Banners of government or other restricted systems will typically have many of these terms in their banners. Use a banner that matches best with the typical audience that will use your service. Verify it meets the do’s in this article, and at the same time is not filling up screens or scare away your real users.

Screenshot of Lynis security tool

Take the next step!

Want to learn more about Linux security? Have a look at the open source tool Lynis and become a Linux expert yourself.

Lynis is a battle-tested technical security audit tool. It is open source, freely available, and used by system administrators all over the world. Other users include IT auditors, security professionals, like pentesters.

Tool Information

Visit project page