What's in Your Issue File?
Tony Shepps asks: "A recent story about security kept this question in my mind: what should one really put in the /etc/issue file, for those systems that permit telnet? I know that logins that say "welcome" are a bad idea, but is it necessary to have a ton of legalese there? How about company name? System name? Is one type of login more (or less) attractive to crackers? Does anyone have anything lighthearted or funny there?" How about a sweet ANSI banner? Or do the proper legalese and disclaimers take away from the intended effect?
Some other things to stay away from are:
Some things you should have:
This system belongs to Roy Murphy. If found, please call (xxx)xxx-xxxx. Reward offered.
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
Anomalous: deviating from what is usual, normal, or expected
Canard: a false or unfounded report
that on at least some distros (RH comes to mind...), /etc/issue and /etc/issue.net are rebuilt at boot time (on RH in /etc/rc.d/rc.local). So make sure you comment out those lines before making any changes.
Though if you're not running telnet (good move), it doesn't matter much either way (I like having a nice issue message on the console, and ssh doesn't display the issue file).
From my experience, I learned that you should have nothing but the Login: prompt. Any extra info will help the hacker know what he is dealing with. Even the legal copyright notice should be removed.
/-\ |-|
This is zevils. Unauthorized access prohibited. Violators will be LARTed. All access is monitored.
..ooOOOOooo....OOOOOOOOO OOOOOOOOOOOOOOOOOOOOOOOOOOOOOP
oOOOOOOOOOOOOOOOOOoo.OOOOOOOOOOOOOOOOOOOOOOOOOO
.OOOOOOOOOOOOOOOOOOOOOOO#OOOOOOOOOOOOOOOOOOOOOO
.OOOOOOOOOOOOOOOOOOOOOOOOOO#OOOOOOOOOOOOOOOOOOO
oOOOOOOOOOOOOOOOOOOOOOOOOOOOO#OOOOOOOOOOOOOOOOO
.OOOOOOOOOOOOOOOOOOOOOOOOOOOOOO#OOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOP######O##
OOOOOOOOOOOOOOOOOOOOOOOP#####################..
O#########OP.############################......
O####P..#############.## ###########.######...WWWWWWWWWWWWW
P..########## 
..##########
'..:.......#########.oO#OOo#.#####.#####....###
........########OO###OOOo#####.#####.#.##. ###
.........######OOO##OOOP###.#####.## ##.#.##
...##########oOOOO Oo###.####.##.####.#
#######.....
#######.
Welcome ###.##oO.OOO##
##.#OOO.OOO##+-------------------+
to ##.oOOO.OO#|*-*LINUX*-* |
OOOOOO#| |
tettie.wtower.com OOOOOOO.|-*- 2.0.36-*-|
oOOOOO.+-------------------+
oOOOO.
oO.
I know this will come out looking like shit since it looked fine in preview mode.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
I know that the standard advice du jour is to have *nothing* in the /etc/issue file other than an "unauthorized access prohibited" message, but I believe that's asking for trouble down the road.
/etc/issue file most systems are totally indistinguishable - a world full of Ford Model T's, all in black.
The problem? Consider the analogy to "stealing a car" in a crowded parking lot. If you drive a white Neon but are trying to get into a blue pickup, you've got some explaining to do. But if you drive a white Neon and you're trying to get into another white Neon - esp. in the same general area as your car - it's an innocent mistake. People aren't required to verify license plates and VINs before driving off, and there have been cases where a person innocently drove off in the wrong car because everything - even the keys - matched.
Of course, we all know that the same thing could never happen on the internet. People never misspell hostnames or IP addresses. The DNS system is never fscked up. (*snort*)
You can probably guess my point now. An "unauthorized access prohibited" message begs the question - *who is authorized*? You seem to leak a little information with
This system is maintained by Megacorp Corp.
Unauthorized access prohibited.
but that information is available to attackers anyway via "whois" on the IP address. (It's also available to people making honest mistakes... but when's the last time you checked the plates on *your* car?!) In the meanwhile, with that additional statement it's *much* harder for someone to argue that they innocently mistook your system for another one. After all, other than the
Beyond that, I agree completely with the minimalist approach. Some people would add a telephone number, but I would usually discourage that.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
-------begin /etc/issue----------
This is the AntiCypher main server, maintained by the European Cryptanalysis Association
You are connecting from %%unauthorised-IP-address%%, your unauthorised access has been traced and logged.
Access to this server is strictly forbidden. All access and hacking attempts are logged for prosecution.
Please disconnect now.
The system administration team, security.alert@anti.co.uk
-------end
With a message like this, you don't give away any information about your system. Certainly the information can be obtained through other means, but why help the script kiddies? You've got the basic "go away" requirement to keep the lawyers happy, and if another system manager comes knocking on your door, there is an email address for them to contact. Don't put telephone numbers; you are only asking for trouble.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
The legalese is almost assuredly unnecessary. It's illegal to break into your box and you don't have to explicitly reserve your rights in that regard.
Now, not to advocate "security through obscurity", but posting information about the system that is potentially useful to crackers is a Very Bad Idea. Sure, they may very well be able to get it through other means, but the way you make a system unattractive to hackers is to make it harder and more tedious to break into your system than the next system...
Make them fight for every inch.
But this is all somewhat beside the point. There are far more important, fundamental security measures than what your /etc/issue says. Like disabling external telnet access for one. Set up SSH instead so passwords aren't sent in the clear. Disable unused services. Keep up to date with patches. If you run a web server and do any kind of CGI, be mindful of your code: If you use Perl, then use "-w -T" and "use strict;" all over the place. Again in Perl, use the multi-parameter version of "system" if you must use it at all -- "system('ls', '-l', '/home/foo')" instead of "system('ls -l /home/foo')".
-JF
MrJoy.com -- Because coding is FUN!
WARNING!
This is a U.S. Government computer system, which may be accessed and used only for official Government business by authorized personnel. Unauthorized access or use of this computer system may subject violators to criminal, civil, and/or administrative action.
All information on this computer system may be intercepted, recorded, read, copied, and disclosed by and to authorized personnel for official purposes, including criminal investigations. Such information includes sensitive data encrypted to comply with confidentiality and privacy requirements.
Access or use of this computer system by any person, whether authorized or unauthorized, constitutes consent to these terms. There is no right of privacy in this system.
Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.12-20smp on a 2-processor i686
login:
I use Macs for work, Linux for education, and Windows for cardplaying.
Okay, I give up. What is it?
I'm guessing a pig with a mohawk and its right eye hanging out of the socket sticking out its tongue and saying, "WASSUP!!"
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
- A.P.