RSH + Firewall

 
 
ales_1969@yahoo.com
 
      01-25-2005
Hi !

I had installed IPtables on a Linux machine. I have opened full access
from inside to outside.
Now if I want to use the 'rsh' command from inside to outside, I got
stuck.

Tcpdump shows that 'rsh' is acting almost the same way as passive FTP.
As I've seen, rsh establishes connection from local port L to port 514.
And then sends <L-1>\0 to port 514, so the output is sent from
remote host back to L-1 port.

Is there a way I can tell iptables to handle such requests ?

(I accept RELATED and ESTABLISHED states everywhere).

Thx
 
Michael J. Pelletier
 
      01-25-2005
(E-Mail Removed) wrote:

> Hi !
>
> I had installed IPtables on a Linux machine. I have opened full access
> from inside to outside.
> Now if I want to use the 'rsh' command from inside to outside, I got
> stuck.
>
> Tcpdump shows that 'rsh' is acting almost the same way as passive FTP.
> As I've seen, rsh establishes connection from local port L to port 514.
> And then sends <L-1>\0 to port 514, so the output is sent from
> remote host back to L-1 port.
>
> Is there a way I can tell iptables to handle such requests ?
>
> (I accept RELATED and ESTABLISHED states everywhere).
>
> Thx


Interesting. Have you ever thought about using ssh? You can tunnel (even X
apps) as well as use simple remote terminal sessions...

-- Michael

 
Michael J. Pelletier
 
      01-25-2005
Michael J. Pelletier wrote:

> (E-Mail Removed) wrote:
>
>> Hi !
>>
>> I had installed IPtables on a Linux machine. I have opened full access
>> from inside to outside.
>> Now if I want to use the 'rsh' command from inside to outside, I got
>> stuck.
>>
>> Tcpdump shows that 'rsh' is acting almost the same way as passive FTP.
>> As I've seen, rsh establishes connection from local port L to port 514.
>> And then sends <L-1>\0 to port 514, so the output is sent from
>> remote host back to L-1 port.
>>
>> Is there a way I can tell iptables to handle such requests ?
>>
>> (I accept RELATED and ESTABLISHED states everywhere).
>>
>> Thx

>
> Interesting. Have you ever thought about using ssh? You can tunnel (even X
> apps) as well as use simple remote terminal sessions...
>
> -- Michael



...it is also trivial to firewall it and you can use group membership to
further limit access. In other words, you might have an account on the box
but, you need to be in the group, say, "sshlogin" before you can use ssh to
connect...

It is a very nice solution. Much better than rsh...Much more secure too..

Michael
 
 
winged
 
      01-26-2005
Michael J. Pelletier wrote:
> Michael J. Pelletier wrote:
>
>
>>(E-Mail Removed) wrote:
>>
>>
>>>Hi !
>>>
>>>I had installed IPtables on a Linux machine. I have opened full access
>>>from inside to outside.
>>>Now if I want to use the 'rsh' command from inside to outside, I got
>>>stuck.
>>>
>>>Tcpdump shows that 'rsh' is acting almost the same way as passive FTP.
>>>As I've seen, rsh establishes connection from local port L to port 514.
>>>And then sends <L-1>\0 to port 514, so the output is sent from
>>>remote host back to L-1 port.
>>>
>>>Is there a way I can tell iptables to handle such requests ?
>>>
>>>(I accept RELATED and ESTABLISHED states everywhere).
>>>
>>>Thx

>>
>>Interesting. Have you ever thought about using ssh? You can tunnel (even X
>>apps) as well as use simple remote terminal sessions...
>>
>>-- Michael

>
>
>
> ...it is also trivial to firewall it and you can use group membership to
> further limit access. In other words, you might have an account on the box
> but, you need to be in the group, say, "sshlogin" before you can use ssh to
> connect...
>
> It is a very nice solution. Much better than rsh...Much more secure too..
>
> Michael


Concur, ssh is more flexible and more secure. I find running ssh very
useful even for Windows boxes. SSH doesn't require a VM and Linux to
run, and doesn't require a rocket scientist to set up securely.

That said, it is essential to use a firewall to restrict access to
specific locations. I would restrict access as tightly as I could at
the firewall. With SSH, as with everything else, make sure the software is
current; there have been a number of spectacular ssh hacks in the last couple
of years.

Winged

Trust No One... oops, that's what this thread is all about...

 
 
ales
 
      02-01-2005
In article <ct6td0$(E-Mail Removed)>, (E-Mail Removed)
says...
> Michael J. Pelletier wrote:
> > Michael J. Pelletier wrote:
> >
> >
> >>(E-Mail Removed) wrote:
> >>
> >>
> >>>Hi !
> >>>
> >>>I had installed IPtables on a Linux machine. I have opened full access
> >>>from inside to outside.
> >>>Now if I want to use the 'rsh' command from inside to outside, I got
> >>>stuck.
> >>>
> >>>Tcpdump shows that 'rsh' is acting almost the same way as passive FTP.
> >>>As I've seen, rsh establishes connection from local port L to port 514.
> >>>And then sends <L-1>\0 to port 514, so the output is sent from
> >>>remote host back to L-1 port.
> >>>
> >>>Is there a way I can tell iptables to handle such requests ?
> >>>
> >>>(I accept RELATED and ESTABLISHED states everywhere).
> >>>
> >>>Thx
> >>
> >>Interesting. Have you ever thought about using ssh? You can tunnel (even X
> >>apps) as well as use simple remote terminal sessions...
> >>
> >>-- Michael

> >
> >
> >
> > ...it is also trivial to firewall it and you can use group membership to
> > further limit access. In other words, you might have an account on the box
> > but, you need to be in the group, say, "sshlogin" before you can use ssh to
> > connect...
> >
> > It is a very nice solution. Much better than rsh...Much more secure too..
> >
> > Michael

>
> Concur, ssh is more flexible and more secure. I find running ssh very
> useful even for Windows boxes. SSH doesn't require a VM and Linux to
> run, and doesn't require a rocket scientist to set up securely.
>
> That said, it is essential to use a firewall to restrict access to
> specific locations. I would restrict access as tightly as I could at
> the firewall. With SSH, as with everything else, make sure the software is
> current; there have been a number of spectacular ssh hacks in the last couple
> of years.

As I expected, all answers were regarding SSH. I'm aware of all the
weaknesses of the RSH protocol. I have been using SSH for logins for a long
time.
However, I still have some old machines to administer, and the work of
getting an SSH server on them would be pretty expensive (OpenSSH won't work
on old crap). So I'm stuck on RSH for some time.

Still expecting any hint regarding RSH & Firewall.

thx.

p.s. Please, don't point me to any newer stuff being better.

 
 
danpritts
 
      04-24-2007
Following up to this thread since it was a high Google hit when I went looking for this.

It looks like there is an iptables module that you can use for this with modern 2.6 kernels (posting this April 2007). I am running Red Hat 4 so I can't test this without building a new kernel, but check here:

http://www.netfilter.org/projects/pa...#pom-extra-rsh
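The two technical points in this thread are the handshake the original poster saw in tcpdump (client connects from reserved port L to tcp/514, names L-1 in its first bytes, and the server connects back to L-1) and the connection-tracking helper the last reply points at. The following is an added example, not code from the thread or from netfilter: a small Python model of what such a helper has to do, namely parse the client's first bytes, register an expectation for the server's call-back, and let a policy that only accepts RELATED,ESTABLISHED from outside admit that call-back while still dropping any other unsolicited SYN. The wire layout assumed is the BSD rcmd(3) convention (`<stderr-port>\0<local-user>\0<remote-user>\0<command>\0`); the reserved-range check on the stderr port mirrors what BSD rshd enforces; the addresses, ports and request bytes are constructed for the example.

```python
"""Model of an rsh (rcmd) connection-tracking helper, as a firewall would need
it to classify the server's stderr call-back as RELATED.

Added example; not the thread's code and not netfilter's helper. Assumed wire
format (BSD rcmd(3)): "<stderr-port>\\0<local-user>\\0<remote-user>\\0<command>\\0".
The client connects from a reserved port L to tcp/514 and usually names L-1 as
the stderr port; rshd connects back from its own reserved port to that port.
A stderr port of 0 means the client wants no separate stderr channel.
"""
from dataclasses import dataclass
import re

RSH_PORT = 514
RESERVED_LOW, RESERVED_HIGH = 512, 1023   # range rshd accepts for the stderr port


@dataclass(frozen=True)
class RcmdRequest:
    stderr_port: int
    local_user: str
    remote_user: str
    command: str


def parse_rcmd_request(payload: bytes) -> RcmdRequest:
    """Split the first bytes the client sends on the tcp/514 stream into the four
    NUL-terminated fields. Any malformed input raises ValueError; a helper should
    then register no expectation rather than guess."""
    fields = payload.split(b"\0")
    if len(fields) < 5:        # four fields each followed by NUL leave a fifth empty piece
        raise ValueError("truncated rcmd request")
    port_txt, local_user, remote_user, command = fields[:4]
    if not re.fullmatch(rb"[0-9]{1,5}", port_txt):
        raise ValueError("stderr port field is not decimal")
    port = int(port_txt)
    if port != 0 and not RESERVED_LOW <= port <= RESERVED_HIGH:
        # rshd refuses a second port outside the reserved range; mirror that here
        raise ValueError(f"stderr port {port} outside {RESERVED_LOW}-{RESERVED_HIGH}")
    return RcmdRequest(port, local_user.decode("ascii"), remote_user.decode("ascii"),
                       command.decode("ascii", "replace"))


def expected_callback(client_ip: str, server_ip: str, req: RcmdRequest):
    """The expectation a helper registers: server -> client, destination port =
    stderr port, server source port unknown in advance (None = any). Returns None
    when the client asked for no stderr channel."""
    if req.stderr_port == 0:
        return None
    return ("tcp", server_ip, None, client_ip, req.stderr_port)


def inbound_verdict(packet, expectations):
    """Model of an INPUT/FORWARD policy that only accepts RELATED,ESTABLISHED from
    outside: a fresh inbound SYN passes only if it matches a registered expectation.
    packet and expectations are (proto, src, sport, dst, dport) tuples."""
    proto, src, sport, dst, dport = packet
    for e_proto, e_src, e_sport, e_dst, e_dport in expectations:
        if (proto == e_proto and src == e_src and dst == e_dst and dport == e_dport
                and (e_sport is None or sport == e_sport)):
            return "ACCEPT (RELATED)"
    return "DROP (NEW from outside)"


def demo():
    """Constructed scenario: inside client 192.0.2.10 runs rsh against outside
    server 198.51.100.5 from L=1023, naming L-1=1022 as its stderr port."""
    client, server = "192.0.2.10", "198.51.100.5"    # documentation addresses
    L = 1023
    control = ("tcp", client, L, server, RSH_PORT)   # outbound, already allowed
    first_bytes = str(L - 1).encode() + b"\0alice\0alice\0uptime\0"
    req = parse_rcmd_request(first_bytes)
    exp = expected_callback(client, server, req)
    callback_syn = ("tcp", server, 1021, client, L - 1)   # rshd's stderr connection
    without_helper = inbound_verdict(callback_syn, [])
    with_helper = inbound_verdict(callback_syn, [exp])
    return without_helper, with_helper


if __name__ == "__main__":
    print(demo())   # ('DROP (NEW from outside)', 'ACCEPT (RELATED)')
```

With only the RELATED,ESTABLISHED rule from the original question, the call-back SYN is a NEW inbound connection and is dropped, which is exactly the "stuck" symptom; the helper is what turns it into RELATED. The same parsing logic also shows why a helper must validate the port field strictly: an expectation is a hole punched in the inbound policy, so it should only ever be created for a well-formed request naming a reserved port.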