What's in Your Issue File?

Tony Shepps asks: "A recent story about security kept this question in my mind: what should one really put in the /etc/issue file, for those systems that permit telnet? I know that logins that say "welcome" are a bad idea, but is it necessary to have a ton of legalese there? How about company name? System name? Is one type of login more (or less) attractive to crackers? Does anyone have anything lighthearted or funny there?" How about sweet ANSI banner? Or the proper legalese and disclaimers take away from the intended effect?

My /etc/issue.net

[Baloo+Ursidae]

Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Debian GNU/Linux 2.2 ursine.dyndns.org Unauthorized login is naughty. ursine login:

My /etc/issue.net formatted right...

[Baloo+Ursidae]

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Debian GNU/Linux 2.2 ursine.dyndns.org

Unauthorized login is naughty.

ursine login:

how about...

[eMBee]

how about:

$ telnet xxxx.xxxxx.xx
Trying xxx.xx.xxx.xx...
Connected to xxxx.xxxxx.xx.
Escape character is '^]'.
Dies ist ein Mailserver.

Mit anderen Worten:
Unsere Rechtsabteilung findet es sehr interessant,
was Sie so mit unserem Mailserver machen wollen.

Bis demnächst, vor Gericht

Hochachtungsvoll


Ihre Xxxxx-Xxx Xxxxxxxxxxxxxx GmbH

login:
Login incorrect
Connection closed by foreign host.

translation:
This is a mailserver.

In other words:
Our legaldepartment finds it very interresting,
what you would like to do with our mailserver.

See you in court.

respectfully


your Xxxxx-Xxx Xxxxxxxxxxxxxx GmbH

greetings, eMBee.
--

Some things..

[Jason+W]

If your company requires legal stuff, of course you should put it in /etc/issue. Unless it only pertains to logged in users, in which case you can just add it to the logon message (adding an echo in /etc/profile works well for bash).

Some other things to stay away from are:

• Displaying OS/Distro/Kernel version. This only encourages crackers and gives them a place to start. There are other ways to obtain that info, though (HTTP/Port scanning)
• Hardware info. If a cracker sees a sweet machine, he/she will try harder to get access.
• Network info/topology. "We are hooked into the local T3 network in the CS department at Foobar U in Cambridge, UK". Gives crackers a place to start (once again, this info can be obtained elsewhere)
• Advertisements. No one wants to see ads
• Bragging about the machine's security.

Some things you should have:

• A system name. 'mail' or 'web' is fine, but everyone loves characters from books, films, ect.
• System status notes. A "We were down last night from 8-12" is a nice notice to have for regular users. Just don't let it get outdated
• Humor. Funny is good. ASCII art the size of an xterm window is not.

Re:Some things..

[randombit]

A system name. 'mail' or 'web' is fine, but everyone loves characters from books, films, etc.

My personal preference is to have two (or more) names for each machine. Like if I had one machine running ftpd, bind, and sendmail, it would be called ftp.randombit.net, dns.randombit.net, and mail.randombit.net, along with a "normal" name like siouxsie or fiona (which the IP address will normally resolve to). That lets you move services from one machine to another with minimal disruption while still getting to use nice names normally.

System status notes. A "We were down last night from 8-12" is a nice notice to have for regular users. Just don't let it get outdated

/etc/motd is generally a better place for that, especially as people ssh'ing will still see it.

my /etc/issue file

[LWolenczak]

This system is for authorized use only. Trespassers will be prosecuted

On my Laptop...

[Anomalous+Canard]

This system belongs to Roy Murphy. If found, please call (xxx)xxx-xxxx. Reward offered.

Anomalous: inconsistent with or deviating from what is usual, normal, or expected

Legal disclaimer needed

[Kefaa]

I usually put the machine name and the legal disclaimer.

I was told several years ago by the lawyers we needed to put the disclaimer in because an under informed judge had ruled you could not prosecute someone if you did not tell them they are not allowed in your system.

While this may seem as silly as requiring me to post signs in my yard "It is illegal to steal from this location" apparently it is because I am merely a layman.

I wonder if this was ever really a case or if an urban legend made its way into legal circles.

Quiz time: Can anyone site the case?

Re:Legal disclaimer needed

[randombit]

I wonder if this was ever really a case or if an urban legend made its way into legal circles.

I don't know the answer, but it's best to err on the side of caution. So (if you really have to run telnet - ick), put something like "NO UNAUTHORIZED ACCESS" into your /etc/issue, just to be on the safe side. If this case really happened, you're safe, and if not, well, it doesn't matter either way (I really hope not, though - the idea that people that clueless are running are legal system frightens me).

Re:Legal disclaimer needed

[talks_to_birds]

Actually, very much this same idea just came up two days ago when (bear with me, here...) someone cut in the line of cars waiting for a Washington State ferry.

I reminded the Seattle police officer at the headend of the ferry dock, after he had thrown the cutter out of line, that there was a $50.00 fine for cutting in ferry lines.

He said he knew that, but as the cutter had not received formal notification of the law, the law would not be upheld in court if the cutter was cited and challenged the ticket, so the officer wouldn't even bother writing him up!

Apparently, ignorance of the law (some of 'em, anyway...) is an excuse.

I don't know if this is only a Washington State deal, or what.

The Seattle police officer sounded as though this general concept is why so god damn many criminals get off the hook so easily..

His personal perspective, I'm sure...

t_t_b
--

Re:Legal disclaimer needed

[FiNaLe]

I'm not a legal professional by any stretch of the imagination, I do remember something from highschool history class though.

Can't remember what the exact terminology was, it fell right in next to the Habeus Corpus...

What it boiled down to was that you can't be prosecuted for a crime you didn't know you committed...

Say I move into town and I own a poodle. Turns out owning a poodle in that town is punishable by 90 days in the local prison. I didn't know that, should I be sent to jail for some obscure ruling I was unaware of.

Granted everyone should be aware of all laws applied to them, in the case of the ferry cutter that was just indecent.

Re:Legal disclaimer needed

[djweis]

That's ridiculous. Ignorance of the law is no excuse. People are ignorant enough without encouraging them to know even less.

Remember...

[randombit]

that one at least some distros (RH comes to mind...), /etc/issue and /etc/issue.net are rebuilt at boot time (on RH in /etc/rc.d/rc.local). So make sure you comment out those lines before making any changes.

Though if you're not running telnet (good move), it doesn't matter much either way (I like have a nice issue message on the console, and ssh doesn't display the issue file).

What's in Your Issue File?

[Qaseem]

From my experience, I learned that you should have nothing but the Login: prompt. any extra info will help the hacker know what he is dealing with. Event the legal copright notice should be removed.

a better idea

[Anonymous+Sniper]

/sbin/ipchains -A input -i eth1 -p tcp --syn -j DENY

Here's mine

[Q*bert]

************************************************** ******************************
* This system is for authorized use only. *
************************************************ ********************************

This system is for authorized use only. Any resemblance to any operating
system living or dead is purely coincidental. All trademarks are copyleft ())
their respective authors. All rights reversed.

I like it. Yes, you could make a good guess as to my operating system (Linux) based on the content,
but you could find that out with a TCP/IP stack
fingerprinting tool like nmap anyway.

I used to work at a university, where we were
constantly bombarded by script kiddie attacks.
Back then, I used this /etc/issue:

************************************************ ********************************
* This system is for authorized use only, r0dent! *
************************************************ ********************************

Then again, I doubt anyone ever saw it, since the
only service I ran was ssh. ;)

By the way, those messages are padded with enough spaces to make the middle asterisk line up on the
right. Methinks we just stumbled across a very
subtle Slash bug.

Vovida, OS VoIP
Beer recipe: free! #Source
Cold pints: $2 #Product

Re:Here's mine

[nomadic]

right. Methinks we just stumbled across a very subtle Slash bug.

Yes, a bug called HTML. You just have to put in the appropriate formatting tags...

My /etc/issue.net

[matthewg]

This is zevils. Unauthorized access prohibited. Violators will be LARTed. All access is monitored.

Here's mine:

[Wakko+Warner]

[root@tettie] 5:25:12am /tmp%> more /etc/issue
....oooOOOOOooooo......
.oOOOO OOOOOOOOOOOOOOOOOOOOOOOOooo
.OOOOOOOOOOOOOOOOO OOOOOOOOOOOOOOOOOOOOo
.OOOOOOOOOOOOOOOOOOOOOOO OOOOOOOOOOOOOOOO
..ooOOOOooo....OOOOOOOOO OOOOOOOOOOOOOOOOOOOOOOOOOOOOOP
oOOOOOOOOOOOOOOOOOoo.OOOOOOOOOOOOOOOOOOOOOOOOOOO OOOOOOOOOOOP
.OOOOOOOOOOOOOOOOOOOOOOO#OOOOOOOOOOOOOOOOOOOOOOO OOOOOOOOOOOP.....
.OOOOOOOOOOOOOOOOOOOOOOOOOO#OOOOOOOOOOOOOOOOOOOO OOOOOOOOO###OOOOOOOO
oOOOOOOOOOOOOOOOOOOOOOOOOOOOO#OOOOOOOOOOOOOOOOOO OOOOO###OOOOOOOOOOOO
.OOOOOOOOOOOOOOOOOOOOOOOOOOOOOO#OOOOOOOOOOOOOOOO OO####OOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOP######O### #OOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOP#####################... ....OOOOOPWWWWWWWWWWW
O#########OP.############################....... ....WWWWWWWWWWWWW
O####P..#############.## ###########.######...WWWWWWWWWWWWW
P..##########&nbsp ;###########.###########..WWWWW
..########## .###.#####.##############WW
'..:.......#########.oO#OOo#.#####.#####....#### #
........########OO###OOOo#####.#####.#.##. ###
.........######OOO##OOOP###.#####.## ##.#.##
...##########oOOOO Oo###.####.##.####.#
.#####`..########.####.#.####.##.#
..########..######..####.###.##
#######..... ...##
#######. .o.OOO###
Welcome ###.##oO.OOO##
##.#OOO.OOO##+-------------------+
to ##.oOOO.OO#|*-*LINUX*-* |
OOOOOO#| |
tettie.wtower.com OOOOOOO.|-*- 2.0.36-*-|
oOOOOO.+-------------------+
oOOOO.
oO.

I know this will come out looking like shit since it looked fine in preview mode.

- A.P.
--

"One World, one Web, one Program" - Microsoft promotional ad

Don't remove *too* much!

[coyote-san]

I know that the standard advice du jour is to have *nothing* in the /etc/issue file other than an "unauthorized access prohibited" message, but I believe that's asking for trouble down the road.

The problem? Consider the analogy to "stealing a car" in a crowded parking lot. If you drive a white Neon but are trying to get into a blue pickup, you've got some explaining to do. But if you drive a white Neon and you're trying to get into another white Neon - esp. in the same general area as your car - it's an innocent mistake. People aren't required to verify license plates and VINs before driving off, and there have been cases where a person innocently drove off in the wrong car because everything - even the keys - matched.

Of course, we all know that the same thing could never happen on the internet. People never misspell hostnames or IP addresses. The DNS system is never fscked up. (*snort*)

You can probably guess my point now. An "unauthorized access prohibited" message begs the question - *who is authorized*? You seem to leak a little information with

This system is maintained by Megacorp Corp.
Unauthorized access prohibited.

but that information is available to attackers anyway via "whois" on the IP address. (It's also available to people making honest mistakes... but when's the last time you checked the plates on *your* car?!) In the meanwhile, with that additional statement it's *much* harder for someone to argue that they innocently mistook your system for another one. After all, other than the /etc/issue file most systems are totally indistinguishable - a world full of Ford Model T's, all in black.

Beyond that, I agree completely with the minimalist approach. Some people would add a telephone number, but I would usually discourage that.

give very little info, scare the script kiddies

[anticypher]

-------begin /etc/issue----------
This is the AntiCypher main server, maintained by the European Cryptanalysis Association

You are connecting from %%unauthorised-IP-address%%, your unauthorised access has been traced and logged.

Access to this server is strictly forbidden. All access and hacking attempts are logged for prosecution.
Please disconnect now.

The system administration team, security.alert@anti.co.uk
-------end /etc/issue----------

With a message like this, you don't give away any information about your system. Certainly the information can be obtained through other means, but why help the script kiddies. You've got the basic "go away" requirement to keep the lawyers happy and if another system manager comes knocking on your door, there is an email address for them to contact. Don't put telephone numbers, you are only asking for trouble.

the AC

IANAL, but here's some advice anyway... :)

[jfrisby]

The legalese is almost assuredly unnecesary. It's illegal to break into your box and you don't have to explicilty reserve your rights in that regard.

Now, not to advocate "security through obscurity", but posting information about the system that is potentially useful to crackers is a Very Bad Idea. Sure, they may very well be able to get it through other means, but the way you make a system unattractive to hackers is to make it harder and more tedious to break into your system than the next system...

Make them fight for every inch.

But this is all somewhat beside the point. There are far more important, fundamental security measures than what your /etc/issue says. Like disabling external telnet access for one. Set up SSH instead so passwords aren't sent in the clear. Disable unused services. Keep up to date with patches. If you run a web server and do any kind of CGI, be mindful of your code: If you use Perl, then use "-w -T" and "use strict;" all over the place. Again in Perl, use the multi-parameter version of "system" if you must use it at all -- "system('ls', '-l', '/home/foo')" instead of "system('ls -l /home/foo')".

-JF

Re:Put up no extra info

[mustermark]

Excuse me? This is not flamebait. This is my actual login prompt. You people have no sense of humor.

from a machine at NIH (not telling which one)

[imac.usr]

the following is in fact required by my employer, see here for why:

WARNING!

This is a U.S. Government computer system, which may be accessed and used only for official Government business by authorized personnel. Unauthorized access or use of this computer system may subject violators to criminal, civil, and/or administrative action.

All information on this computer system may be intercepted, recorded, read, copied, and disclosed by and to authorized personnel for official purposes, including criminal investigations. Such information includes sensitive data encrypted to comply with confidentiality and privacy requirements.

Access or use of this computer system by any person, whether authorized or unauthorized, constitutes consent to these terms. There is no right of privacy in this system.

Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.12-20smp on a 2-processor i686

login:

really irrelevant here...

[marcus]

...The legaleeze anyway. What good is some disclaimer that says unauthorized access is, well, unauthorized??!?!? That's a laugh. I put a lock on my door(password) and then have to post a sign that says something like "Breaking this lock and entering this house(computer) is illegal" in order to prosecute the crook?!?! Really, I'm cracking up. Just ask Kevin Mitnick if you think this is legit.

Anyway, lot's of good that warning note will do for you as you try to prosecute a cracker that has attacked your machine from his home in Khazakstan.

Re:really irrelevant here...

[BJH]

Actually, in many countries trespassing isn't trespassing unless there's a sign up saying "Keep out or we sue your ass" (or whatever) OR the owner of the property tells the trespasser to leave and is not obeyed.

issues with issue

[Medievalist]

Red Hat rewrites /etc/issue at boot to contain the host name and operating system version and then copies the rewritten version to /etc/issue.net. Comment out the last stanza of /etc/rc.d/rc.local to remove this horrible brain-dead code. rc.local gets executed after the rest of the runlevel-specific code.
/etc/issue is sent to the console and any other directly attached devices such as serial links (modems, dumb terminals, whatever) that use a getty. If you don't have any modems, this is kind of nice - I leave it in so that I get this info off the system console.
/etc/issue.net is sent to telnet connections - this is a Very Bad Idea (tm) because you will not survive a 3rd-party security audit. Why not? Because the US Gubmint, and most security consultants, require that pre-login banners contain NO INFORMATION. It's only a help to crackers anyway. You can get away with having the IP address and/or host name because anyone connecting to you should already know at least one of those, and can thus look up the other in DNS. But really anal types (such as your boss) don't want ANYTHING in there.
Other unices (for example, that horrible piece of antiquated cruft HP-UX 11.00) may use telnet daemons that automagically generate the hostname/opsys version header to telnet; these can be fixed by adding a switch to the telnet invocation line in /etc/inetd.conf that specifically tells telnetd to use /etc/issue.net. You can use the same trick in inittab if you have a getty that behaves poorly, or you can rip out your lame proprietary getty and use the excellent copylefted mgetty+sendfax instead.
--Charlie

Confusing ANSI Art, or Punk Pigs

[Valdrax]

Okay, I give up. What is it?

I'm guessing a pig with a mohawk and its right eye hanging out of the socket sticking out it's tongue and saying, "WASSUP!!"

Make sure your courier font is fixed-width.

[Wakko+Warner]

And then look at the login name.

- A.P.
--

"One World, one Web, one Program" - Microsoft promotional ad

Simple: "Go Away" (with link!)

[Mr+Z]

I use a very simple, lightly ANSI-fied /etc/issue. It says, in red, blinking letters, "Go Away".

Plain, simple, effective.

Once upon a time, I put up a web simulation of my machine's login sequence. At the time, the machine was named Asylum. You can find the web simulation here, at my old college account. You can read more about the Asylum here. (It's fun, click the link.) Ahh the memories...

--Joe
--

Here's mine!

[jeffstar]

Of course it looks better on a term... stole it from a company because it seemed kind of menacing.

************************************************ *************************
* WARNING *
* The programs, data and confidential information stored on this *
* computer system are either licensed to or are the property of *
* xxxxx xxxxxxxxxx and its subsidiaries and affiliates. Access *
* to any program, data or confidential information on this system *
* must be specifically authorized by xxxxx xxxxxxxxxx. Unauthorized *
* access to any program, data or confidential information on this *
* system is expressly prohibited. This system may be monitored at *
* any time for operational or security reasons. It is a criminal *
* offence (i) to secure unauthorized access to this computer system, *
* or (ii) to make any unauthorized modifications to the contents of *
* this computer system. Offenders are subject to criminal and civil *
* prosecution. Therefore, if you are not an authorized user, *
* DO NOT ATTEMPT TO LOGON. *
************************************************ *************************

login: