Subba, Sorry, perhaps I am confussed about the nature of your question? Did you have acls up for logging these attempts and they weren't logged? or are you asking for help from the Nipper portion of this as to why its reporting this item. With my logging turned up to debug I do see entries about RSHPORTATTEMPTs, but I suspect theres a lesser logging for that based on facility. At 12.3 I don't see any sort of problem with an open Rlogin/Rsh, and I have tested this on a router running a very minimal configuration. Hands out DHCP and does OSPF, but that's about it. Can you clarify your problem a bit? -Joe ________________________________ From: Subba Rao [mailto:castellan2004-nsm@yahoo.com] Sent: Thursday, April 02, 2009 8:25 PM To: nanog@nanog.org; Jo¢ Subject: RE: Nipper and Cisco configuration results I did not scan the routers yet with nmap. These results are from Nipper analysis. None of the access lists are showing "port 513" as Nipper is complaining about. The IOS version is 12.4 Subba Rao --- On Thu, 4/2/09, Jo¢ <jbfixurpc@gmail.com> wrote: From: Jo¢ <jbfixurpc@gmail.com> Subject: RE: Nipper and Cisco configuration results To: castellan2004-nsm@yahoo.com, nanog@nanog.org Date: Thursday, April 2, 2009, 8:18 PM What IOS version are you using? I don't see that behavior (rlogin/rsh) by default, but I'm a few revisions behind on the latest. @ 12.2 I do see from the router: RCMD-4-RSHPORTATTEMPT Attempted to connect to RSHELL from 192.168.1.52 from nmaps, but theres no response to the SYN packet of the attempting IP. I think this has been the case since w-a-y earlier versions of IOS for logging levels but not sure at which level. Looks to only be logging an attempt, no session is made, sort of like a firewall just letting you know there was an attempt. The router gets the request but it falls on deaf ears, no one home. Unless perhaps theres some other sort of flag/bit that can be presented to open that connection(extremely doubtful) I don't believe theres any way to connect. Perhaps turning down your logging will prevent your testing program from reporting a false positive? I'd snoop/sniff the traffic and see if your router is SYN/ACK-ing the request of rlogin/rsh to be sure. <sarcasm>And make sure their not to close to one another, incase their using undocumented internal wireless units as a means to complete the connection, those Cisco guys you know..</sarcasm> Regards Joe Blanchard > -----Original Message----- > From: Subba Rao [mailto:castellan2004-nsm@yahoo.com] > Sent: Thursday, April 02, 2009 6:33 PM > To: nanog@nanog.org > Subject: Nipper and Cisco configuration results > > I am using Nipper for verifying my Cisco configuration. > Nipper is finding the "rlogin" service that is not in the > configuration. I have searched the access lists and do not > see it anywhere. The explanation by Nipper about this > finding, "....Telnet protocol implemented by this > service...." is confusing. Here is the Nipper's output: > > ______________________________ > Rlogin Service Settings > > The Rlogin service enables remote administrative access to a > CLI on Cisco Router Devices. The Telnet protocol implemented > by th service is simple and provides no encryption of the > network communications between client and the server. This > section details the Rlogin settings. > > Description Setting > Rlogin Service Enabled > Service TCP Port 513 > ______________________________ > > I have checked a few other routers where SSH was not enabled > with the same results. > > Can someone explain why Nipper is saying "Rlogin is enabled" > when I do not see it in the configuration file? Is there > something else that I need to be looking at? > > Thank you in advance for any help. > > Subba Rao