Sets a security banner for SSH logins on a Linux server (such as an EC2 instance running Amazon Linux or RHEL/CentOS), and configures the SSH daemon to show this banner and enforce a client keepa

Last updated: September 4, 2025

Steps

  1. Creates a login banner at /etc/issue.net.

  2. Sets permissions for that file.

  3. Configures SSHD (/etc/ssh/sshd_config) to use this banner.

  4. Backs up the SSH config file.

  5. Sets ClientAliveInterval to 300 seconds (5 minutes) to disconnect idle sessions.

Prerequisites

Before running the script:

  • You must have SSH access to the target Linux server.

  • You need sudo privileges on the target server.

  • Port 22 (SSH) must be open in the security group (for EC2).

How to Use It

Assume you are running the script from your local machine, and applying it to a remote EC2 instance.

Script

#!/bin/bash

# Run from your local machine:
#   ssh ec2-user@<instance-ip> 'bash -s' < set-banner.sh

BANNER_PATH="/etc/issue.net"
SSH_CONFIG="/etc/ssh/sshd_config"
BACKUP="/etc/ssh/sshd_config.bak.$(date +%s)"

# Back up the SSH config before any edit, so the backup holds the original file
sudo cp "$SSH_CONFIG" "$BACKUP"

# Write the banner. A plain "> file" redirect runs as the login user and cannot
# write under /etc, so the text is piped through sudo tee instead.
sudo tee "$BANNER_PATH" > /dev/null << 'EOF'
*************************************************************************
        You are accessing a company Information System ("IS") that
        is provided for company authorized use only.

        Users of this IS have no expectation of privacy while using
        this IS and all activities on this IS are subject to
        monitoring, recording, and auditing.

        Unauthorized use of this IS is strictly prohibited and may
        result in disciplinary action and civil/criminal penalties.

        By continuing to use this IS you indicate your awareness of
        and consent to these terms and conditions of use.
        If you do not agree to the conditions stated in this notice,
        log off immediately.
*************************************************************************
EOF

# Set permissions
sudo chmod 644 "$BANNER_PATH"

# Enable banner in SSH (sshd_config is root-only on RHEL-family systems)
if sudo grep -q "^Banner" "$SSH_CONFIG"; then
    sudo sed -i 's|^Banner.*|Banner /etc/issue.net|' "$SSH_CONFIG"
else
    echo "Banner /etc/issue.net" | sudo tee -a "$SSH_CONFIG" > /dev/null
fi

# Replace or append the keepalive setting
sudo sed -i '/^ClientAliveInterval/d' "$SSH_CONFIG"
sudo sed -i '/^#ClientAliveInterval/d' "$SSH_CONFIG"
echo "ClientAliveInterval 300" | sudo tee -a "$SSH_CONFIG"

Save the script to a file called set-banner.sh on your local machine.

chmod +x set-banner.sh

Run the Script Remotely via SSH

Replace <instance-ip> with your EC2 instance's public IP or DNS name.

ssh ec2-user@<instance-ip> 'bash -s' < set-banner.sh

💡 Use ubuntu@<ip> if the instance is Ubuntu.


Post-Script Manual Step

After the script runs, restart the SSH service on the remote server:

sudo systemctl restart sshd

Or, on some systems:

sudo service sshd restart

Files Modified or Created

  File                                    Purpose
  /etc/issue.net                          Contains the SSH login banner text
  /etc/ssh/sshd_config                    SSH daemon configuration
  /etc/ssh/sshd_config.bak.<timestamp>    Backup before editing


Resulting Configuration

In /etc/ssh/sshd_config, you will see:

Banner /etc/issue.net
ClientAliveInterval 300

Verification Steps

  1. Log in to the server via SSH again:

    ssh ec2-user@<instance-ip>
    
  2. You should see the banner message before the shell prompt.

  3. Confirm SSH config:

    sudo grep -Ei 'banner|clientaliveinterval' /etc/ssh/sshd_config
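
The grep above shows what is written in the file, but sshd uses the first value it reads for each keyword, and a line appended after a Match block only applies inside that block. The following is an added example, not part of the original script, that validates the config and checks the effective values before the restart. The helper names (effective_value_is, under_match_block, verify_sshd) and the file name verify-sshd.sh are hypothetical.

```shell
#!/bin/bash
# Added example: checks to run on the server after set-banner.sh, before restarting sshd.
# Helper names are hypothetical and not part of the original script.

# Succeeds if an `sshd -T` dump on stdin shows <keyword> with value <expected>.
# sshd -T prints the effective settings as lowercase "keyword value" lines.
effective_value_is() {
    awk -v k="$1" -v want="$2" '
        $1 == k { found = 1; val = $0; sub(/^[^ \t]+[ \t]+/, "", val); ok = (val == want) }
        END { exit !(found && ok) }'
}

# Succeeds if <directive> in <file> appears after a Match line. A global setting
# appended to the end of sshd_config then applies only inside that Match block.
# "Match all" returns to unconditional scope, so it clears the flag.
under_match_block() {
    awk -v d="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { kw = tolower($1) }
        kw == "match" { in_match = !(NF == 2 && tolower($2) == "all") }
        kw == d && in_match { hit = 1 }
        END { exit !hit }' "$1"
}

verify_sshd() {
    cfg=/etc/ssh/sshd_config
    # Syntax check first: restarting sshd on a broken config can lock you out.
    sudo sshd -t || { echo "sshd_config failed validation; do not restart" >&2; return 1; }
    dump=$(sudo sshd -T) || return 1
    printf '%s\n' "$dump" | effective_value_is banner /etc/issue.net \
        || { echo "Banner /etc/issue.net is not the effective setting" >&2; return 1; }
    printf '%s\n' "$dump" | effective_value_is clientaliveinterval 300 \
        || { echo "ClientAliveInterval 300 is not the effective setting" >&2; return 1; }
    for d in Banner ClientAliveInterval; do
        # "-" makes awk read the root-only config from stdin
        if sudo cat "$cfg" | under_match_block - "$d"; then
            echo "warning: $d follows a Match block in $cfg" >&2
        fi
    done
    echo "sshd config valid; banner and keepalive are effective"
}

# Run the live checks only when asked: ./verify-sshd.sh --live
if [ "${1:-}" = "--live" ]; then verify_sshd; fi
```

If a check fails, restore the timestamped backup or correct the config before restarting sshd, and keep the current SSH session open until a new login succeeds.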