Nipper and Cisco configuration results
Jo¢
jbfixurpc at gmail.com
Fri Apr 3 01:09:01 UTC 2009
Subba,
Sorry, perhaps I am confussed about the nature of your question? Did you
have acls up for logging these attempts and they weren't logged? or are you
asking for help from the Nipper portion of this as to why its reporting this
item.
With my logging turned up to debug I do see entries about RSHPORTATTEMPTs,
but I suspect theres a lesser logging
for that based on facility.
At 12.3 I don't see any sort of problem with an open Rlogin/Rsh, and I have
tested this on a router running a very minimal configuration. Hands out DHCP
and does OSPF, but that's about it.
Can you clarify your problem a bit?
-Joe
________________________________
From: Subba Rao [mailto:castellan2004-nsm at yahoo.com]
Sent: Thursday, April 02, 2009 8:25 PM
To: nanog at nanog.org; Jo¢
Subject: RE: Nipper and Cisco configuration results
I did not scan the routers yet with nmap. These results are from
Nipper analysis. None of the access lists are showing "port 513" as Nipper
is complaining about. The IOS version is 12.4
Subba Rao
--- On Thu, 4/2/09, Jo¢ <jbfixurpc at gmail.com> wrote:
From: Jo¢ <jbfixurpc at gmail.com>
Subject: RE: Nipper and Cisco configuration results
To: castellan2004-nsm at yahoo.com, nanog at nanog.org
Date: Thursday, April 2, 2009, 8:18 PM
What IOS version are you using? I don't see that behavior
(rlogin/rsh) by
default, but I'm a few revisions behind on the latest. @
12.2
I do see from the router:
RCMD-4-RSHPORTATTEMPT Attempted to connect to RSHELL from
192.168.1.52
from nmaps, but theres no response to the SYN packet of the
attempting IP. I
think this has been
the case since w-a-y earlier versions of IOS for logging
levels but not sure
at which level.
Looks to only be logging an attempt, no session is made,
sort of like a
firewall
just letting you know there was an attempt. The router gets
the request but
it falls on deaf
ears, no one home. Unless perhaps theres some other sort of
flag/bit that
can be presented to
open that connection(extremely doubtful) I don't believe
theres any way to
connect.
Perhaps turning down your logging will prevent your testing
program from
reporting a false positive?
I'd snoop/sniff the traffic and see if your router is
SYN/ACK-ing the
request of rlogin/rsh to be sure.
<sarcasm>And make sure their not to close to one another,
incase their using
undocumented
internal wireless units as a means to complete the
connection, those Cisco
guys you know..</sarcasm>
Regards
Joe Blanchard
> -----Original Message-----
> From: Subba Rao [mailto:castellan2004-nsm at yahoo.com]
> Sent: Thursday, April 02, 2009 6:33 PM
> To: nanog at nanog.org
> Subject: Nipper and Cisco configuration results
>
> I am using Nipper for verifying my Cisco configuration.
> Nipper is finding the "rlogin" service that is not in the
> configuration. I have searched the access lists and do
not
> see it anywhere. The explanation by Nipper about this
> finding, "....Telnet protocol implemented by this
> service...." is confusing. Here is the Nipper's output:
>
> ______________________________
> Rlogin Service Settings
>
> The Rlogin service enables remote administrative access to
a
> CLI on Cisco Router Devices. The Telnet protocol
implemented
> by th service is simple and provides no encryption of the
> network communications between client and the server.
This
> section details the Rlogin settings.
>
> Description Setting
> Rlogin Service Enabled
> Service TCP Port 513
> ______________________________
>
> I have checked a few other routers where SSH was not
enabled
> with the same results.
>
> Can someone explain why Nipper is saying "Rlogin is
enabled"
> when I do not see it in the configuration file? Is there
> something else that I need to be looking at?
>
> Thank you in advance for any help.
>
> Subba Rao
More information about the NANOG
mailing list