Nipper and Cisco configuration results

Subba Rao castellan2004-nsm at yahoo.com
Fri Apr 3 01:43:27 UTC 2009


Joe,

Thank you for replying.  I am asking about the Nipper complaint.  Why is the Nipper report saying "Rlogin" is enabled when I don't see any ACL in the config?

Using IOS 12.4

Cheers,

Subba Rao



--- On Thu, 4/2/09, Jo¢ <jbfixurpc at gmail.com> wrote:

From: Jo¢ <jbfixurpc at gmail.com>
Subject: RE: Nipper and Cisco configuration results
To: castellan2004-nsm at yahoo.com, nanog at nanog.org
Date: Thursday, April 2, 2009, 9:09 PM


Subba,

Sorry, perhaps I am confused about the nature of your question? Did you
have ACLs up for logging these attempts and they weren't logged? Or are you
asking for help from the Nipper portion of this as to why it's reporting this
item.
With my logging turned up to debug I do see entries about RSHPORTATTEMPTs,
but I suspect there's a lesser logging for that based on facility.
At 12.3 I don't see any sort of problem with an open Rlogin/Rsh, and I have
tested this on a router running a very minimal configuration. Hands out DHCP
and does OSPF, but that's about it.

Can you clarify your problem a bit? 

-Joe

 


________________________________

    From: Subba Rao [mailto:castellan2004-nsm at yahoo.com] 
    Sent: Thursday, April 02, 2009 8:25 PM
    To: nanog at nanog.org; Jo¢
    Subject: RE: Nipper and Cisco configuration results
    
    
    I did not scan the routers yet with nmap.  These results are from
    Nipper analysis.  None of the access lists are showing "port 513" as Nipper
    is complaining about.  The IOS version is 12.4
    
    Subba Rao
    
    
    --- On Thu, 4/2/09, Jo¢ <jbfixurpc at gmail.com> wrote:
    


        From: Jo¢ <jbfixurpc at gmail.com>
        Subject: RE: Nipper and Cisco configuration results
        To: castellan2004-nsm at yahoo.com, nanog at nanog.org
        Date: Thursday, April 2, 2009, 8:18 PM
        
        
        What IOS version are you using? I don't see that behavior
        (rlogin/rsh) by default, but I'm a few revisions behind on the latest.
        @ 12.2 I do see from the router:
        RCMD-4-RSHPORTATTEMPT Attempted to connect to RSHELL from 192.168.1.52
        from nmaps, but there's no response to the SYN packet of the
        attempting IP. I think this has been the case since w-a-y earlier
        versions of IOS for logging levels but not sure at which level.
        Looks to only be logging an attempt, no session is made, sort of like a
        firewall just letting you know there was an attempt. The router gets
        the request but it falls on deaf ears, no one home. Unless perhaps
        there's some other sort of flag/bit that can be presented to open that
        connection (extremely doubtful) I don't believe there's any way to
        connect.
        
        Perhaps turning down your logging will prevent your testing program
        from reporting a false positive?
        I'd snoop/sniff the traffic and see if your router is SYN/ACK-ing the
        request of rlogin/rsh to be sure.
        
        <sarcasm>And make sure they're not too close to one another, in case
        they're using undocumented internal wireless units as a means to
        complete the connection, those Cisco guys you know..</sarcasm>
        
        Regards
        Joe Blanchard
        
        > -----Original Message-----
        > From: Subba Rao [mailto:castellan2004-nsm at yahoo.com] 
        > Sent: Thursday, April 02, 2009 6:33 PM
        > To: nanog at nanog.org
        > Subject: Nipper and Cisco configuration results
        > 
        > I am using Nipper for verifying my Cisco configuration.
        > Nipper is finding the "rlogin" service that is not in the
        > configuration.  I have searched the access lists and do not
        > see it anywhere.  The explanation by Nipper about this
        > finding, "....Telnet protocol implemented by this
        > service...." is confusing.  Here is the Nipper's output:
        > 
        > ______________________________
        > Rlogin Service Settings
        > 
        > The Rlogin service enables remote administrative access to a
        > CLI on Cisco Router Devices.  The Telnet protocol implemented
        > by the service is simple and provides no encryption of the
        > network communications between client and the server.  This
        > section details the Rlogin settings.
        > 
        > Description                Setting
        > Rlogin Service             Enabled
        > Service TCP Port           513
        > ______________________________
        > 
        > I have checked a few other routers where SSH was not enabled
        > with the same results.
        > 
        > Can someone explain why Nipper is saying "Rlogin is enabled"
        > when I do not see it in the configuration file?  Is there
        > something else that I need to be looking at?
        > 
        > Thank you in advance for any help.
        > 
        > Subba Rao
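The thread turns on two checks: whether the configuration itself ever enables the rsh/rcp server that sits behind a port 513 finding, and whether the router actually completes a TCP handshake on that port (Joe's "see if your router is SYN/ACK-ing"). The script below is an added example, not code from the thread or from Nipper; the config excerpt is constructed, and it assumes the IOS commands `ip rcmd rsh-enable`, `ip rcmd rcp-enable`, `ip rcmd remote-host` and `transport input` under `line vty`.

```python
import re
import socket

# Constructed IOS running-config excerpt (not a real device, not from the thread).
SAMPLE_CONFIG = """\
hostname edge-router
!
ip rcmd rsh-enable
ip rcmd remote-host admin 192.0.2.10 admin enable
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""

# Assumed IOS syntax: these are the lines that explicitly turn on rsh/rcp.
RCMD_RE = re.compile(r"^ip rcmd (rsh-enable|rcp-enable|remote-host\b.*)$")
VTY_RE = re.compile(r"^line vty (\d+) (\d+)$")
TRANSPORT_RE = re.compile(r"^\s+transport input (.+)$")


def audit_rcmd(config: str) -> dict:
    """Report what the config explicitly says about the rsh/rcp server and
    which protocols the vty lines accept. An empty rcmd list means a scanner
    finding rests on assumed defaults, not on anything in the config."""
    rcmd_lines, vty_transports, current_vty = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := RCMD_RE.match(line):
            rcmd_lines.append(m.group(0))
        elif m := VTY_RE.match(line):
            current_vty = f"vty {m.group(1)}-{m.group(2)}"
        elif current_vty and (m := TRANSPORT_RE.match(line)):
            vty_transports[current_vty] = m.group(1).split()
        elif line == "!":          # section separator ends the vty block
            current_vty = None
    return {"rsh_explicitly_enabled": "ip rcmd rsh-enable" in rcmd_lines,
            "rcmd_lines": rcmd_lines, "vty_transports": vty_transports}


def probe_tcp(host: str, port: int = 513, timeout: float = 3.0) -> str:
    """Classify one TCP connect: 'open' = handshake completed (SYN/ACK seen),
    'closed' = RST came back, 'filtered' = no reply before the timeout,
    'unreachable' = the local stack refused to even send the SYN."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"
```

If `audit_rcmd` shows no `ip rcmd` lines and `probe_tcp` returns anything but `open`, the port 513 finding is not backed by the config or by the wire, which is the false positive Joe suspects.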
        
        

        



