As security conscious as the authors of OpenBSD are, I'm surprised they do exactly this. Perhaps this is just a default setting on servers that are off by default and which the OpenBSD authors regard as inherently insecure. Both telnetd and ftpd announce the operating system and hostname before a login is completed. Telnetd also gives the architecture. Elsewhere, in the TCPD Wrappers section, an "h" was added to the command that starts telnet sessions to suppress this information. I haven't found an ftpd option to suppress this information. The best I've found is that the contents of /etc/ftpwelcome will be displayed before the ready message (which contains the hostname, OS and server release information).
Instead of announcing to the world what the OS is, the login banner should tell unauthorized users to stay away. According to Creating Login Banners, if you want to use system logs in a U.S. court of law against an intruder, your system needs a notice that system activity is logged. This specifically applies to government computers. I'm not sure if there is such a requirement for privately owned computers but it can't hurt to have an explicit warning. My current login banner reads:
Unauthorized access prohibited; all access and activities
No information that identifies the system being connected to is provided. This custom banner has been placed in both /etc/ftpwelcome and /etc/motd.
I see no more point in displaying the operating system and architecture information after a login is completed than before. sshd, telnetd and ftpd display /etc/motd after a successful login. To ensure that the custom banner continues to appear and that the OS and platform information does not, the following lines from /etc/rc need to be removed or commented out:

    # patch /etc/motd
    if [ ! -f /etc/motd ]; then
        install -c -o root -g wheel -m 664 /dev/null /etc/motd
    fi
    T=`mktemp /tmp/_motd.XXXXXXXXXX`
    if [ $? -eq 0 ]; then
        sysctl -n kern.version | sed 1q > $T
        echo "" >> $T
        sed '1,/^$/d' < /etc/motd >> $T
        cmp -s $T /etc/motd || cp $T /etc/motd
        rm -f $T
    fi

The lines above are the ones that put "OpenBSD", the version, the kernel name and when it was compiled at the top of /etc/motd. They do not display this information themselves; they restore it to /etc/motd if a system administrator has taken it out, and they update it if a custom kernel is built.
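The effect of those /etc/rc lines on a custom banner, together with a check for identifying strings in a banner file, as an added example that is not part of the original page. The function names, the sample banner text and the kernel version string are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. All sample text is constructed.

# Reproduce the /etc/rc motd step without touching the real file.
# $1 = motd file, $2 = stand-in for `sysctl -n kern.version | sed 1q`
simulate_rc_motd() {
	printf '%s\n\n' "$2"      # version line, then the blank line rc adds
	sed '1,/^$/d' < "$1"      # rc drops everything through the first blank line
}

# Report each token ($2...) that appears in banner file $1.
# Returns 1 if the file discloses any of them, 0 if it is clean.
banner_leaks() {
	file=$1; shift
	rc=0
	for tok in "$@"; do
		[ -n "$tok" ] || continue
		if grep -qiF -- "$tok" "$file"; then
			echo "$file: discloses '$tok'"
			rc=1
		fi
	done
	return $rc
}

demo() {
	d=$(mktemp -d) || return 1
	# Constructed custom banner with no blank line in it.
	printf '%s\n' 'Authorized users only. Activity is logged.' > "$d/motd"
	kv='OpenBSD X.Y (GENERIC) #0: constructed sample'
	banner_leaks "$d/motd" OpenBSD GENERIC && echo "before rc: clean"
	simulate_rc_motd "$d/motd" "$kv" > "$d/motd.after"
	# The version line is back, and with no blank line to stop at,
	# the sed step has deleted the warning text as well.
	banner_leaks "$d/motd.after" OpenBSD GENERIC || cat "$d/motd.after"
	rm -rf "$d"
}
demo
```

On a live system the same check can be run as `banner_leaks /etc/motd "$(uname -s)" "$(uname -m)" "$(hostname -s)"`, and likewise for /etc/ftpwelcome.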
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is