How to disable the Linux login banner - TechRepublic
Security
SHARE
Facebook X Pinterest WhatsApp

How to disable the Linux login banner

Looking to eke out as much security as you can from your Linux servers? Jack Wallen shows you how you can limit the information would-be ne’er-do-wells get by disabling the login banner.

Written By
Jack Wallen
Jack Wallen
May 24, 2021
We may earn from vendors via affiliate links or sponsorships. This might affect product placement on our site, but not the content of our reviews. See our Terms of Use for details.

When you log in to Linux, either by way of SSH or the console, you are greeted with a banner that offers up a few important bits of information. If you’re doing everything you can to secure that Linux server, the information shared by that banner can be a gold mine to ne’er do wells and would-be attackers. Information like kernel release, distribution type, available updates, and more can be revealed.

So how do you prevent that information from being displayed when users log into your Linux systems? Let me show you.

SEE: Checklist: Securing digital information (TechRepublic Premium)

The most effective way to do this is by way of creating a per-user file that disables the login banner. To do that, log in to your Linux server and issue the command: 

sudo touch /home/USER/.hushlogin

Where USER is the name of the user who logs into the machine. The next time that user logs in to the system, they will no longer see the banner. That method works great if you only have a few users.

If you’re on a system that houses a large number of users, you need a more efficient way of handling this task. For that, you will first open the sshd_config file with the command: 

sudo nano /etc/ssh/sshd_config

In that file, remove the # character before the line PrintMotd no and then add the line PrintLastLog no below it.

Save and close the file. On Red Hat distributions, restart SSH with the command: 

sudo systemctl restart ssh on Ubuntu distributions and sudo systemctl restart sshd

Next, open the PAM SSH config file with the command: 

sudo nano /etc/pam.d/sshd

In that file, comment out (by adding a # character) the line session optional pam_motd.so motd=/run/motd.dynamic and the line session optional pam_motd.so noupdate.

With these configurations in place, it won’t matter who logs into your Linux machine, they won’t see the banner. This is just a tiny step forward in gaining more security on your Linux servers, but even small progress is still progress.

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.


Image: iStock/structuresxx
Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic, The New Stack, and Linux New Media. He's covered a variety of topics for over twenty years and is an avid promoter of open source. For more news about Jack Wallen, visit his website jackwallen.com.