The best practice would be to completely disable all non-encrypted login methods (telnet, rlogin, rexec and remsh) and use SSH instead.
Unlike those older login methods, SSH has a flexible configuration file that can be used to configure many types of restrictions as necessary.
You can disable telnet, rlogin, rexec and remsh by commenting out the appropriate lines in /etc/inetd.conf and then sending a "kill -HUP" signal to the inetd process.
If you cannot disable rlogin, you should instead verify that root rlogin is not authorized in /etc/hosts.equiv or the .rhosts file in root user's home directory. Also verify that /etc/securetty has only "console" and nothing else.
