An SSH Pre-login message can deliver a legal warning to unauthorized users. If the response after typing root@ip.address displays only the password: field, then an attacker’s advocate in the court may argue that we have not warned his/her innocent client. Of course, you must enable a Passwordless SSH Login method whenever possible, even add a Bastion host for login purpose. But, we can not use that key-based login in every Linux server.
After we successfully pass the password authentication, what we get usually refers to SSH Welcome Message or Message of the Day (MOTD). On an Ubuntu server, you get this one:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.2.0 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
You have new mail.
Last login: Sat Jan 27 09:08:28 2024 from xyz.abc.def.ghi
Naturally, if you are using key key-based, passwordless login then after running ssh -i example.pem user@your.server.ip command, you’ll see only the MOTD. You will bypass the SSH Pre-Login Message. If you run the ssh root@your.server.ip command for such a server, you’ll receive a Permission denied (publickey) message. In such a case, I guess you need not warn the attackers with an SSH Pre-Login Message. Also, you are using Fail2Ban.
---
What the guide is supposed to do is an outdated process. Even 7 years back, I have not forced novice users to use the key-based authentication system. But, today with data/AI-driven tools, intruding on a server with root user access is easy. Even if we use Fail2Ban, it is super risky to use the root account (or any account) for SSH. You also can guess that my username can be abhishek or abhishekghosh. You can see, the screenshot is old.
Steps to Show a Basic SSH Pre-Login Message
It is easy. It is about uncommenting /etc/ssh/sshd_config, editing /etc/issue.net and restarting the SSH service. Here are the steps:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | # login as root nano /etc/ssh/sshd_config # find the phrase # Banner /etc/issue.net # with O + W # remove that hash before it and save the file with # ^ + O and exit with ^ + X nano /etc/issue.net # remove the default Ubuntu version text # copy-paste things which is a kind of "Trespassers Will Be prosecuted" # you can copy it : ******************************************************************** * * * This system is for the use of authorized users only. Usage of * * this system may be monitored and recorded by system personnel. * * * * Anyone using this system expressly consents to such monitoring * * and is advised that if such monitoring reveals possible * * evidence of criminal activity, system personnel may provide the * * evidence from such monitoring to law enforcement officials. * * * ******************************************************************** # restart sshd sudo service SSH restart # or /etc/init.d/sshd restart # exit and login exit ssh root@your-IP |
