RSH + Firewall

Discussion in 'Computer Security' started by ales_1969@yahoo.com, Jan 25, 2005.

  1. Guest

    Hi!

    I have installed iptables on a Linux machine. I have opened full access
    from inside to outside.
    Now if I want to use the 'rsh' command from inside to outside, I get
    stuck.

    Tcpdump shows that 'rsh' acts almost the same way as passive FTP.
    As I've seen, rsh establishes a connection from local port L to port 514.
    It then sends <L-1>\0 to port 514, so the output is sent from the
    remote host back to port L-1.

    Is there a way I can tell iptables to handle such requests?

    (I accept RELATED and ESTABLISHED states everywhere).

    Thx
     
    , Jan 25, 2005
    #1

  2. wrote:

    > Hi !
    >
    > I had installed IPtables on a Linux machine. I have opened full access
    > from inside to outside.
    > Now If I want to use 'rsh' command from inside to outside, I got
    > stucked.
    >
    > Tcpdump shows, that 'rsh' is acting almost the same way as passive FTP.
    > As I've seen, rsh establishes connection from local port L to port 514.
    > And then sends <L-1>\0 to port 514, so the output is sent from
    > remote host back to L-1 port.
    >
    > Is there a way I can tell iptables to handle such requests ?
    >
    > (I accept RELATED and ESTABLISHED states everywhere).
    >
    > Thx


    Interesting. Have you ever thought about using ssh? You can tunnel (even X
    apps) as well as use simple remote terminal sessions...

    -- Michael
     
    Michael J. Pelletier, Jan 25, 2005
    #2

  3. Michael J. Pelletier wrote:

    > wrote:
    >
    >> Hi !
    >>
    >> I had installed IPtables on a Linux machine. I have opened full access
    >> from inside to outside.
    >> Now If I want to use 'rsh' command from inside to outside, I got
    >> stucked.
    >>
    >> Tcpdump shows, that 'rsh' is acting almost the same way as passive FTP.
    >> As I've seen, rsh establishes connection from local port L to port 514.
    >> And then sends <L-1>\0 to port 514, so the output is sent from
    >> remote host back to L-1 port.
    >>
    >> Is there a way I can tell iptables to handle such requests ?
    >>
    >> (I accept RELATED and ESTABLISHED states everywhere).
    >>
    >> Thx

    >
    > Interesting. Have you ever thought about using ssh? You can tunnel (even X
    > apps) as well as use simple remote terminal sessions...
    >
    > -- Michael



    ...it is also trivial to firewall it, and you can use group membership to
    further limit access. In other words, you might have an account on the box,
    but you need to be in the group, say, "sshlogin" before you can use ssh to
    connect...

    It is a very nice solution. Much better than rsh... Much more secure too...

    Michael
     
    Michael J. Pelletier, Jan 25, 2005
    #3
  4. winged Guest

    Michael J. Pelletier wrote:
    > Michael J. Pelletier wrote:
    >
    >
    >> wrote:
    >>
    >>
    >>>Hi !
    >>>
    >>>I had installed IPtables on a Linux machine. I have opened full access
    >>>from inside to outside.
    >>>Now If I want to use 'rsh' command from inside to outside, I got
    >>>stucked.
    >>>
    >>>Tcpdump shows, that 'rsh' is acting almost the same way as passive FTP.
    >>>As I've seen, rsh establishes connection from local port L to port 514.
    >>>And then sends <L-1>\0 to port 514, so the output is sent from
    >>>remote host back to L-1 port.
    >>>
    >>>Is there a way I can tell iptables to handle such requests ?
    >>>
    >>>(I accept RELATED and ESTABLISHED states everywhere).
    >>>
    >>>Thx

    >>
    >>Interesting. Have you ever thought about using ssh? You can tunnel (even X
    >>apps) as well as use simple remote terminal sessions...
    >>
    >>-- Michael

    >
    >
    >
    > ....it is also trivial to firewall it and you can use group membership to
    > further limit access. In other words, you might have an account on the box
    > but, you need to be in the group, say, "sshlogin" before you can use ssh to
    > connect...
    >
    > It is a very nice solution. Much better than rsh...Much more secure too..
    >
    > Michael


    Concur, ssh is more flexible and more secure. I find running ssh very
    useful even for Windows boxes. SSH doesn't require a VM and Linux to
    run, and doesn't require a rocket scientist to set up securely.

    That said, it is essential to use a firewall to restrict access to
    specific locations. I would restrict access as tightly as I could at
    the firewall. SSH, as with everything else: make sure the software is
    current; there have been a number of spectacular ssh hacks in the last
    couple of years.

    Winged

    Trust No One... oops, that's what this thread is all about...
     
    winged, Jan 26, 2005
    #4
  5. ales Guest

    In article <ct6td0$>,
    says...
    > Michael J. Pelletier wrote:
    > > Michael J. Pelletier wrote:
    > >
    > >
    > >> wrote:
    > >>
    > >>
    > >>>Hi !
    > >>>
    > >>>I had installed IPtables on a Linux machine. I have opened full access
    > >>>from inside to outside.
    > >>>Now If I want to use 'rsh' command from inside to outside, I got
    > >>>stucked.
    > >>>
    > >>>Tcpdump shows, that 'rsh' is acting almost the same way as passive FTP.
    > >>>As I've seen, rsh establishes connection from local port L to port 514.
    > >>>And then sends <L-1>\0 to port 514, so the output is sent from
    > >>>remote host back to L-1 port.
    > >>>
    > >>>Is there a way I can tell iptables to handle such requests ?
    > >>>
    > >>>(I accept RELATED and ESTABLISHED states everywhere).
    > >>>
    > >>>Thx
    > >>
    > >>Interesting. Have you ever thought about using ssh? You can tunnel (even X
    > >>apps) as well as use simple remote terminal sessions...
    > >>
    > >>-- Michael

    > >
    > >
    > >
    > > ....it is also trivial to firewall it and you can use group membership to
    > > further limit access. In other words, you might have an account on the box
    > > but, you need to be in the group, say, "sshlogin" before you can use ssh to
    > > connect...
    > >
    > > It is a very nice solution. Much better than rsh...Much more secure too..
    > >
    > > Michael

    >
    > Concur ssh is more flexible and more secure. I find running ssh very
    > useful even for windows boxes. SSH doesn't require a VM and Linux to
    > run, n doesn't require a rocket scientist to set up securely.
    >
    > That said it is essential to use a firewall to restrict access to
    > specific locations. I would restrict access as tightly as I could at
    > the firewall. SSH as with everything else, make sure the software is
    > current there have been a number of spectacular ssh hacks last couple
    > years.

    As I expected, all answers were regarding SSH. I'm aware of all the
    weaknesses of the RSH protocol. I have been using SSH for logins for a
    long time.
    However, I still have some old machines to administer, and the work of
    getting an SSH server on them would be pretty expensive (OpenSSH won't
    work on old crap). So I'm stuck on RSH for some time.

    Still expecting any hint regarding RSH & Firewall.

    thx.

    p.s. Please, don't point me to any newer stuff being better.
     
    ales, Feb 1, 2005
    #5
  6. danpritts

    iptables may allow this now - 2007

    Following up to this thread since it was a high Google hit when I went looking for this.

    It looks like there is an iptables module that you can use for this with modern 2.6 kernels (posting this April 2007). I am running Red Hat 4, so I can't test this without building a new kernel, but check here:

    http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-rsh
     
    danpritts, Apr 24, 2007
    #6
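
    The following is an added example, written for this page; it is not code posted in the thread and not the netfilter rsh helper that danpritts links to. It models what such a connection-tracking helper has to do for the handshake the first post describes: read the decimal stderr port that the rsh client sends first on its port-514 connection, and register the one server-to-client connection that should then be treated as RELATED instead of being dropped. The reserved-port checks, the strict "L-1" check and the static fallback rule at the end are my own choices, and the IP addresses and user names are constructed.

```python
"""Toy model of an rsh connection-tracking helper (added example; not code
from the thread or from the netfilter helper it links to).

rcmd(3), which rsh uses, behaves as the first post describes: the client
connects from a reserved local port L to TCP 514, writes the decimal port
number of its stderr listener (normally L-1) followed by a NUL, and the
server then opens a second TCP connection back to that port. A firewall
that only tracks ESTABLISHED/RELATED never sees that second connection as
related unless something parses the first message, which is the job a
conntrack helper does. The checks below are mine; the addresses are made up.
"""
from dataclasses import dataclass
from typing import Optional

RSH_PORT = 514
RESERVED_LO, RESERVED_HI = 512, 1023  # reserved ports rresvport(3) hands out


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt as the firewall sees it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Expectation:
    """The single server->client connection the helper would mark RELATED.
    rshd also connects from a reserved port, so the source port is a range."""
    src_ip: str
    dst_ip: str
    dst_port: int
    src_port_lo: int = RESERVED_LO
    src_port_hi: int = RESERVED_HI


def build_rsh_request(stderr_port: int, local_user: str, remote_user: str, command: str) -> bytes:
    """Encode what an rsh client writes first: "<port>\\0luser\\0ruser\\0cmd\\0".
    A port of 0 means the client wants no separate stderr connection."""
    if not 0 <= stderr_port <= 65535:
        raise ValueError("port out of range")
    return f"{stderr_port}\0{local_user}\0{remote_user}\0{command}\0".encode("ascii")


def parse_stderr_port(payload: bytes) -> Optional[int]:
    """Return the stderr port from the leading NUL-terminated decimal field.
    None means the field is absent, incomplete, non-numeric or not a port."""
    end = payload.find(b"\0")
    if end <= 0 or end > 5:          # no NUL yet, empty field, or too long for a port
        return None
    field = payload[:end]
    if not field.isdigit():
        return None
    port = int(field)
    return port if port <= 65535 else None


def rsh_expectation(control: Flow, payload: bytes, strict: bool = True) -> Optional[Expectation]:
    """Given the client's control connection and its first bytes, decide which
    server->client connection should be allowed. strict=True also insists on
    the L-1 convention from the thread, which is what rcmd(3) produces."""
    if control.dst_port != RSH_PORT:
        return None
    port = parse_stderr_port(payload)
    if not port:                       # unparsable, or 0 = no stderr channel wanted
        return None
    if not RESERVED_LO <= port <= RESERVED_HI:
        return None                    # rcmd(3) never asks for a non-reserved port
    if strict and port != control.src_port - 1:
        return None
    return Expectation(src_ip=control.dst_ip, dst_ip=control.src_ip, dst_port=port)


def matches(exp: Expectation, syn: Flow) -> bool:
    """True if an inbound SYN is the one the expectation was created for."""
    return (syn.src_ip == exp.src_ip and syn.dst_ip == exp.dst_ip
            and syn.dst_port == exp.dst_port
            and exp.src_port_lo <= syn.src_port <= exp.src_port_hi)


def static_fallback_rule(server_ip: str, client_ip: str, chain: str = "FORWARD") -> str:
    """Without a helper, the narrowest static rule I would accept instead:
    one known server, reserved source and destination ports only, new
    connections only. Still far wider than a per-session expectation."""
    return (f"iptables -A {chain} -p tcp -s {server_ip} -d {client_ip} "
            f"--sport {RESERVED_LO}:{RESERVED_HI} --dport {RESERVED_LO}:{RESERVED_HI} "
            f"--syn -j ACCEPT")


if __name__ == "__main__":
    # Constructed session: inside host 192.0.2.10 runs rsh against 198.51.100.20
    control = Flow("192.0.2.10", 1023, "198.51.100.20", RSH_PORT)
    first_bytes = build_rsh_request(1022, "ales", "ales", "uptime")
    exp = rsh_expectation(control, first_bytes)
    print("expect:", exp)
    print("server SYN accepted:", matches(exp, Flow("198.51.100.20", 1021, "192.0.2.10", 1022)))
    print("fallback:", static_fallback_rule("198.51.100.20", "192.0.2.10"))
```

    The point of the model is the difference between the two approaches the thread ends up with: a helper admits exactly one reverse connection, to one port, for the lifetime of one session, while the static rule has to leave a 512-port window open from the rsh server towards every inside client for as long as the rule exists.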
