9.4. Restrict console messages

Generating a steady stream of console messages can easily overwhelm a 9600bps link.

Although displaying all syslog messages on the console appears to be a good idea, this actually provides a nice method to deny effective use of the remote console.

Keep the log messages sent to the console to the bare minimum, especially if the machine accepts remotely generated syslog messages. Look in /etc/syslog.conf for lines ending with /dev/console.
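One way to carry out the check described above (an added example, not part of the original HOWTO): list the rules in a sysklogd-style syslog.conf whose action is /dev/console and flag the ones that log at low priorities. The function names, the BROAD/ok labels, the choice of notice and below as "broad", and the sample file are assumptions of this example.

```shell
# Added example: list syslog.conf rules that write to /dev/console.
# Usage: console_rules [file]   (default /etc/syslog.conf, "-" for stdin)
# Output: "<line number> <BROAD|ok> <selector>" for each matching rule.
# BROAD (a threshold chosen for this example): some selector logs at
# priority *, debug, info or notice, the high-volume levels.
console_rules() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
    NF >= 2 && $NF == "/dev/console" {
      verdict = "ok"
      n = split($1, sel, ";")            # "kern.crit;mail.info" -> parts
      for (i = 1; i <= n; i++) {
        p = sel[i]
        sub(/^.*\./, "", p)              # keep the priority after the dot
        if (p ~ /^!/) continue           # negated priorities exclude levels
        sub(/^=/, "", p)                 # "=info" means exactly info
        if (p == "*" || p == "debug" || p == "info" || p == "notice")
          verdict = "BROAD"
      }
      print NR, verdict, $1
    }
  ' "${1:-/etc/syslog.conf}"
}

# Constructed sample input (not taken from a real host).
sample_syslog_conf() {
  cat <<'EOF'
# Log anything of level info or higher
*.info;mail.none;authpriv.none    /var/log/messages
kern.*                            /dev/console
*.emerg                           *
daemon.=notice;auth.crit          /dev/console
kern.emerg                        /dev/console
#*.* /dev/console
EOF
}

# Run the audit over the sample; on a real host call: console_rules
sample_syslog_conf | console_rules -
```

Rules reported as BROAD are the candidates to raise to a higher priority or to redirect to a log file instead of the console.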

Users that are logged into the serial console should not accept broadcast messages. Add new files to /etc/profile.d to do this. Figure 9-1 shows a file for use by the Bourne shell.

Figure 9-1. Restrict sending of messages to console user

#
# Do we have files referred to?
if [ -x /usr/bin/mesg -a -x /usr/bin/tty ]
then
  # Are we on serial console?
  # (Quoted, because tty prints "not a tty" when there is no terminal)
  if [ "`/usr/bin/tty`" = /dev/ttyS0 ]
  then
    # Do not accept broadcast messages
    /usr/bin/mesg n
  fi
fi

As this file is run frequently, we use a faster but less readable version of the above, shown in Figure 9-2.

Figure 9-2. Restrict sending of messages to console user, /etc/profile.d/mesg.sh

#
# /etc/profile.d/mesg.sh -- prevent people hassling the serial console user
[ -x /usr/bin/mesg ] && [ -x /usr/bin/tty ] && [ "`/usr/bin/tty`" = /dev/ttyS0 ] && /usr/bin/mesg n

We also need a C shell version, shown in Figure 9-3.

Figure 9-3. Restrict sending of messages to console user, /etc/profile.d/mesg.csh

#
# /etc/profile.d/mesg.csh -- prevent people hassling the serial console user
if (-X mesg && -X tty && "`tty`" == /dev/ttyS0) then
  mesg n
endif

Although mesg.sh and mesg.csh are included by the parent shell rather than executed, the files need the execute permission set. The procedure in Figure 9-4 installs the files and sets the permissions.

Figure 9-4. Install files into /etc/profile.d

bash# cp mesg.*sh /etc/profile.d/
bash# chown root:root /etc/profile.d/mesg.*sh
bash# chmod u=rwx,g=rx,o=rx /etc/profile.d/mesg.*sh