In my last post we discussed basic terminal access. The commands that I reviewed were for accessing the console port or vty lines of a Cisco router or switch. Network administrators should configure banners for legal and liability purposes. Now, we will see how to configure the different types of banners that you can display when a user gains access to the system.
The first type of banner is the banner login command. When a user tries to login to a router or switch, a banner can be displayed alerting him that his actions may result in prosecution issues (assuming he or she isn’t authorized ^_^). Configuring banners that say welcome is considered to be a bad practice, based on the fact that it may seem that the system is inviting a hacker to login. The global configuration command, banner login <special character> < banner message> is used to prompt a user when accessing the console port or vty lines.
As shown in the example above, you have to begin and end you banner with a specific character. This character cannot be a part of the message you want to display, because this specific character means start and end of the banner line. In example 2 you see the system is configured with a password on the five default vty lines. (This was also discussed in my last post).
In examples 3 and 4 we see a user trying to telnet to this system and the banner login message that prompts him before the line password.
It is also possible to configure a banner message of the day (motd). With the global configuration command banner motd <special character> < banner message>, you can have a modified banner message that will appear before the banner login message. There may be a situation where a message must be displayed so network controllers are alerted of an issue that must be observed or at least noticed. In other words, there may be administrative reason for having multiple banners that you can configure for any purpose necessary. In examples 5 and 6, you can see a banner motd that was created and will be alerting all network controllers (those with access to the system) of an important issue.
Also this message is displayed before the banner login.
Next, a banner can be displayed when someone successfully logs into a system. It is configured with the global configuration command banner exec <special character> < banner message>. Notice in example 7 that I added some tokens. A token is a special code that that will enter more information about how someone has logged into that given devices.
As shown above, the token of $(hostname) and $(line) will display the hostname of this system and line displays the line the user has logged into. Other tokens include $(line-desc) which displays the description to the attached interface and $(domain) which displays the ip domain of that device. These tokens can also be used on other banners.
Lastly, you can also configure a banner when the console session times out or password prompt times out. This is done with the global configuration commands banner prompt-timeout <special character> <banner message> and line vty command vacant-message <special character> <vacant banner message>. When a user attempts to log into a router or switch and doesn’t type the password within the password time limit, then that message will be displayed.
The vacant-message displays due to inactivity at the console port and is displayed when the exec-timeout has been reached.
In conclusion, there are many different banner messages that can be displayed on a router or switch when someone attempts to log into that device. I hope this post demonstrated to you multiple ways of using these messages and that they can be very useful for security purposes.