there is a binary program that generates nice ASCII linux logos:
apt-get install linuxlogo; # install it in debian yum install linux_logo; # install it in redhat/centos linuxlogo -L list; # list all available logos linuxlogo -L debian_banner_2; # output debian banner (if not run as root RAM might be wrong)
in centos standard configuration – centos outputs this logo:
the difference in bogomips comes from debian being asigned 4 virtual cpus…
while the colorful logos play out well in /etc/issue they come out crap in /etc/issuen.net 😀 (or maybe that is just because of the windows ssh client)
proper usage of linux_logo
actually i have no idea how to use this tool properly… because it needs root previliges to generate correct RAM and other values.
putting this line into /etc/profile is a stupid idea – because of incorrect RAM values generated for non-root users:
echo 'if [ -f /usr/bin/linux_logo ]; then linux_logo; fi' >> /etc/profile;
what you could do is do a script and a root-cron job to renew the /etc/issue.net every minute if you don’t mind the extra ressource usage.
For all users that physically login to your machine – you can put your own ascii-based-welcome message into:
… this will be displayed even before login.
for all users that login via telnet/ssh/network:
… will be displayed after login – no useage of \b special chars allowed.
under Debian the usage of /etc/issue.net via ssh is not enabled per default.
make shure to uncomment the #Banner line in:
vim /etc/ssh/sshd_config Banner /etc/issue.net
and restart ssh service:
/etc/init.d/ssh restart; # and restart ssh service
relogin and test.
exit; # logoff
you could put a cool ascii generated logo like:
____________________________________________________ 8888b. Yb dP db Yb dP 888888 .dP"Y8 8I Yb Yb db dP dPYb Yb dP 88__ `Ybo." 8I dY YbdPYbdP dP__Yb YbdP 88"" o.`Y8b 8888Y" YP YP dP""""Yb YP 888888 8bodP' please do not missuse this server! rather unite mankind!
in debian special chars that translate into real-time information can only be used in /etc/issue but not /etc/issue.net?
under centos/redhat/suse it seems they work for both config files.
\n = hostname
\o = domainname
\b = baudrate
\s = systemname
\m = i386 or 64
\r = release of kernel
\v = os version
\d = date
\t = current time
\u or \U = logged in users
so if you want to put an ascii logo with \ into /etc/issue you need to escape it \\
(not in /etc/issue.net or /etc/motd)
_ _ _ _ _ ___ __ _ _ __ _ _ | (_)_ __ _ ___ __ __| | ___| |__ (_) __ _ _ __ / _ \\ / _` | '_ \\| | | | | | | '_ \\| | | \\ \\/ / / _` |/ _ \\ '_ \\| |/ _` | '_ \\ (_) | | (_| | | | | |_| | | | | | | | |_| |> < | (_| | __/ |_) | | (_| | | | \\__, | \\__, |_| |_|\\__,_| |_|_|_| |_|\\__,_/_/\\_\\ \\__,_|\\___|_.__/|_|\\__,_|_| |_| /_/ |___/ Holla die Waldfee \n \p \b \l \s \m \r \v \d \t \u \U
for security reasons, you probably do not want to disclose what version of SSH and distro you are running…
# it seems like hiding the ssh version number is not possible # but you can hide your distro-version telnet dwaves.de 22 Trying 126.96.36.199... Connected to dwaves.de. Escape character is '^]'. SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3 echo "DebianBanner no" >> /etc/ssh/sshd_config; service sshd restart Escape character is '^]'. SSH-2.0-OpenSSH_6.7p1
hiding ssh version info
I don’t like this it’s announcing the protocol and specific software package and version to the world, so the nasty hackers will know just what attacks to try. Can I turn this off?
Only partially, and it may not be worth the trouble. The version announcement is part of the SSH protocol. Each side sends a string of the form:
The protocol version is mandatory; it is necessary to allow different versions to interoperate. The comment field is optional, and you can remove it (though you will have to edit the source and recompile, or patch the image; none of the common servers have options to alter the comment).
However, if you do this, you may cause yourself some grief. Many SSH clients use the comment string to recognize particular servers and work around bugs and incompatibilities, so you may find other problems cropping up as a result.
knock, knock – who’s there?
simple technique to hide anything that is running on your server. (except from someone that can monitor all your TRAFFIC – and might just record the order of ports knocked.)
Here is a good implementation: http://www.zeroflux.org/projects/knock
“knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special “knock” sequences of port-hits.
A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server.
This port need not be open — since knockd listens at the link-layer level, it sees all traffic even if it’s destined for a closed port.
When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file.
This can be used to open up holes in a firewall for quick access.”