"Warning" to SSH users!

Daily Logs • Linux SysAdmin • Projects • DevOps • Security • SSH • Ansible

August 13, 2019

Okay, not to worry. There is no such actual warning. :D

I am just trying to extend my previous post on securing SSH by adding another one-liner (actually it was one liner before I decided to implement it with ansible again) solution to it.

And the solution is:

You can add "warning banners" for the incoming nodes which are trying to establish a SSH connection to your concerned nodes. These banners will give a proper insight of the guidelines and the measures, the authorities are imposing on users to ensure their server's safety and security.

me :P

• Expanding the same ansible playbook we built in the last post, edit the file "/playbook/ssh/tasks/main.yml" to add the following lines in there.
  • The new tasks will do the following:
    • Find the line "#Banner none" in sshd_config file and replacing it with "Banner /etc/issue".
    • Copy the contents of "ssh/templates/issue" file to remote node's "/etc/issue" file.
    • And finally restart the ssh service daemon again to reflect the changes.

- regexp: "^#?Banner none"
  line: "Banner /etc/issue"

- name: Copy the banner issue file in remote node
  copy:
    src: /etc/ansible/playbooks/ssh/templates/issue
    dest: /etc/issue
    owner: root
    group: root
    mode: 0644

After adding the above lines, the actual "ssh" ansible role will now look like this:

---
# tasks file for ssh
- name: Add local public key for key-based SSH authentication
  authorized_key:
          user: ""
          state: present
          key: ""
  with_fileglob: public_keys/*.pub
- name: Harden sshd configuration
  lineinfile:
          dest: /etc/ssh/sshd_config
          regexp: ""
          line: ""
          state: present
  with_items:
    - regexp: "^#?PermitRootLogin"
      line: "PermitRootLogin no"
    - regexp: "^^#?PasswordAuthentication"
      line: "PasswordAuthentication no"
    - regexp: "^#?AllowAgentForwarding"
      line: "AllowAgentForwarding no"
    - regexp: "^#?AllowTcpForwarding"
      line: "AllowTcpForwarding no"
    - regexp: "^#?MaxAuthTries"
      line: "MaxAuthTries 2"
    - regexp: "^#?MaxSessions"
      line: "MaxSessions 2"
    - regexp: "^#?TCPKeepAlive"
      line: "TCPKeepAlive no"
    - regexp: "^#?UseDNS"
      line: "UseDNS no"
    - regexp: "^#?AllowAgentForwarding"
      line: "AllowAgentForwarding no"
    - regexp: "^#?Banner none"
      line: "Banner /etc/issue"

- name: Copy the banner issue file in remote node
  copy:
    src: /etc/issue
    dest: /etc/issue
    owner: root
    group: root
    mode: 0644

- name: Restart sshd
  systemd:
          state: restarted    
          daemon_reload: yes
          name: sshd
...

• The contents of "/etc/ansible/playbooks/ssh/templates/issue" can be written like the following example template (This example template is taken from here.)

----------------------------------------------------------------------------------------------
You are accessing a XYZ Government (XYZG) Information System (IS) that is provided for authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:

+ The XYZG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),
law enforcement (LE), and counterintelligence (CI) investigations.

+ At any time, the XYZG may inspect and seize data stored on this IS.

+ Communications using, or data stored on, this IS are not private, are subject to routine monitoring,
interception, and search, and may be disclosed or used for any XYZG authorized purpose.

+ This IS includes security measures (e.g., authentication and access controls) to protect XYZG interests--not
for your personal benefit or privacy.

+ Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching
or monitoring of the content of privileged communications, or work product, related to personal representation
or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
----------------------------------------------------------------------------------------------

So, now, after implementing the new modified ansible playbook again, if someone tries to establish a SSH connection to our concerned nodes, they will be welcomed with a warning banner like this.

I found this small approach towards SSH security, very interesting, thus, writing it down here.

That's all for this short post. Hope it helps!

Till next time, o/