nanog mailing list archives

RE: Nipper and Cisco configuration results


From: Subba Rao <castellan2004-nsm () yahoo com>
Date: Thu, 2 Apr 2009 17:25:08 -0700 (PDT)

I did not scan the routers yet with nmap. These results are from Nipper analysis. None of the access lists are showing "port 513" as Nipper is complaining about. The IOS version is 12.4.

Subba Rao


--- On Thu, 4/2/09, Jo¢ <jbfixurpc () gmail com> wrote:

From: Jo¢ <jbfixurpc () gmail com>
Subject: RE: Nipper and Cisco configuration results
To: castellan2004-nsm () yahoo com, nanog () nanog org
Date: Thursday, April 2, 2009, 8:18 PM

What IOS version are you using? I don't see that behavior (rlogin/rsh) by default, but I'm a few revisions behind on the latest. @ 12.2
I do see from the router:
RCMD-4-RSHPORTATTEMPT Attempted to connect to RSHELL from 192.168.1.52
from nmaps, but there's no response to the SYN packet of the attempting IP. I think this has been the case since w-a-y earlier versions of IOS for logging levels but not sure at which level. Looks to only be logging an attempt, no session is made, sort of like a firewall just letting you know there was an attempt. The router gets the request but it falls on deaf ears, no one home. Unless perhaps there's some other sort of flag/bit that can be presented to open that connection (extremely doubtful) I don't believe there's any way to connect.

Perhaps turning down your logging will prevent your testing program from reporting a false positive? I'd snoop/sniff the traffic and see if your router is SYN/ACK-ing the request of rlogin/rsh to be sure.

<sarcasm>And make sure they're not too close to one another, in case they're using undocumented internal wireless units as a means to complete the connection, those Cisco guys you know..</sarcasm>

Regards
Joe Blanchard
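The check suggested in the reply above (see whether the router actually SYN/ACKs TCP/513 rather than trusting the Nipper report) can be done from any host with a route to the router. The following is an added example written for this archive page, not code from either poster or from Nipper. A completed connect() means the peer answered SYN/ACK; an immediate "connection refused" means it sent RST; a timeout means no reply at all, which is the "attempt logged, nobody home" behaviour described in the reply. The 192.0.2.1 default target is an RFC 5737 placeholder, and demo_local() is a constructed offline self-check against a loopback listener, not a router.

```python
"""Probe whether a host completes the TCP handshake on the rlogin port (513).

Added example, not from the original thread. It performs the check the
reply recommends: see whether the router SYN/ACKs TCP/513 instead of
trusting the Nipper finding.
"""
import socket
import sys

RLOGIN_PORT = 513  # TCP port reported by Nipper in the thread


def probe_tcp(host: str, port: int = RLOGIN_PORT, timeout: float = 3.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: the peer sent SYN/ACK
    except ConnectionRefusedError:
        return "closed"          # peer answered SYN with RST: nothing listening
    except socket.timeout:
        return "filtered"        # neither SYN/ACK nor RST within the timeout
    except OSError:
        return "unreachable"     # e.g. no route to host: nothing learned


def assess(state: str) -> str:
    """Map the probe result onto the question asked in the thread."""
    if state == "open":
        return "TCP/513 accepts connections; the rlogin finding needs investigation"
    if state in ("closed", "filtered"):
        return "no session possible on TCP/513; treat the finding as a false positive"
    return "host not reachable; re-run from a host with a route to it"


def demo_local() -> dict:
    """Constructed offline self-check: probe a loopback listener and a closed port.

    This stands in for a router only to show the two outcomes; run probe_tcp
    against the real device for the actual verification.
    """
    results = {}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # kernel picks a free port
    listener.listen(1)                 # kernel completes handshakes for us
    open_port = listener.getsockname()[1]
    results["listening"] = probe_tcp("127.0.0.1", open_port, timeout=2.0)
    listener.close()

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))      # reserve a port, then release it
    closed_port = spare.getsockname()[1]
    spare.close()
    results["not_listening"] = probe_tcp("127.0.0.1", closed_port, timeout=2.0)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 1:
        for name, state in demo_local().items():
            print(f"loopback {name}: {state} -> {assess(state)}")
    else:
        target = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else RLOGIN_PORT
        state = probe_tcp(target, port)
        print(f"{target}:{port} -> {state}: {assess(state)}")
```

Run it with the router's address as the first argument (the port defaults to 513); with no arguments it only runs the loopback self-check. Capturing the exchange with tcpdump at the same time, as the reply suggests, shows the same thing at the packet level: a SYN/ACK back from the router, an RST, or silence.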

-----Original Message-----
From: Subba Rao [mailto:castellan2004-nsm () yahoo com] 
Sent: Thursday, April 02, 2009 6:33 PM
To: nanog () nanog org
Subject: Nipper and Cisco configuration results

I am using Nipper for verifying my Cisco configuration. Nipper is finding the "rlogin" service that is not in the configuration. I have searched the access lists and do not see it anywhere. The explanation by Nipper about this finding, "....Telnet protocol implemented by this service....", is confusing. Here is Nipper's output:

______________________________
Rlogin Service Settings

The Rlogin service enables remote administrative access to a CLI on Cisco Router Devices. The Telnet protocol implemented by the service is simple and provides no encryption of the network communications between client and the server. This section details the Rlogin settings.

Description         Setting
Rlogin Service      Enabled
Service TCP Port    513
______________________________

I have checked a few other routers where SSH was not enabled with the same results.

Can someone explain why Nipper is saying "Rlogin is enabled" when I do not see it in the configuration file? Is there something else that I need to be looking at?

Thank you in advance for any help.

Subba Rao

