Operating System - HP-UX

Re: track rlogin,remsh,rcmd

 
SOLVED
Pradep
Regular Advisor

track rlogin,remsh,rcmd

Hi, is there any way to track which users are using these services and logging in to the servers using the above remote services, so that I can contact them not to use them and then I can safely disable these services without impacting business?
Matti_Kurkela
Honored Contributor
Solution

Re: track rlogin,remsh,rcmd

Add the '-l' option to INETD_ARGS variable in /etc/rc.config.d/netdaemons, then restart inetd with "sh /sbin/init.d/inetd stop; sh /sbin/init.d/inetd start".

Now inetd will log the source hostname, IP and the service used on every connection.

Read /var/adm/syslog/syslog.log to find out where the connection attempts are coming from and which user account they're using. Then track down the users with this information.

MK
Hakki Aydin Ucar
Honored Contributor

Re: track rlogin,remsh,rcmd

Use whodo:

It shows which users are doing what.

For a long list, use:

# whodo -l
Hakki Aydin Ucar
Honored Contributor

Re: track rlogin,remsh,rcmd

I want to add that for specific users it is useful to issue:

# whodo -l | grep -i

For more info, check the man page:

# man whodo
Mel Burslan
Honored Contributor

Re: track rlogin,remsh,rcmd

I know this is not a direct response to your question, but contacting users to convince them to change from r-series commands to using ssh based commands is not easy, if not totally impossible. People do not like to give up their tested and true ways of doing things no matter what you say.

Best way to accomplish your goal is to put a message display block in the /etc/profile starting 30 days before you cut off the r-commands. And make sure it is read by asking for the user to hit enter after reading, by putting something like

read dummy

at the end of message echo statements. At the end of the 30 day period, just plain cut them off. They will be forced to comply. First few days after that will be a little harsh on the support team, but slowly, they will resume functioning properly.

HTH
________________________________
UNIX because I majored in cryptology...
Pradep
Regular Advisor

Re: track rlogin,remsh,rcmd

Hi Mel,
Good suggestion of /etc/profile.
But I am looking to help users move off the r* commands, like finding alternative ways of executing scripts/automated processes which use these commands.

My first step is to find out if anyone is using these commands in manual or automated ways. More difficult is to find out where these commands are used in automation.

Any ideas around that, please?
James R. Ferguson
Acclaimed Contributor

Re: track rlogin,remsh,rcmd

Hi:

> But I am looking to help users move off the r* commands, like finding alternative ways of executing scripts/automated processes which use these commands.

First, I wholly agree with Mel. Advertise the demise of the unsecure r-commands and then cut those off when you say you will.

As for finding their use in automated processes, start by examining the processes listed in the 'crontabs' of any users with them. You could 'grep' for 'rcp', 'remsh', 'rlogin', 'rexec', etc. When found you could advise the user via mail that these methods will be prohibited after some date --- a fix it or it won't work dictum. Of course you need the support of management. Company auditors make excellent "bad-guys" too.

Regards!

...JRF...
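
The crontab search suggested in the reply above, as an added shell example that is not part of the original thread: it reports r-commands called directly from crontab entries and also searches the script each entry starts. The default crontab directory is an assumption, and the hostnames and paths in `demo` are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): list r-command use in crontabs and in
# the scripts those crontabs start. Output lines: "user: where: matching text".

# Whole-word match for the commands named in the thread; "myrcp" and "rcp.log" do not match.
RCMD_RE='(^|[^A-Za-z0-9_.-])(rcp|remsh|rlogin|rexec)([^A-Za-z0-9_.-]|$)'

scan_crontabs() {
    dir=${1:-/var/spool/cron/crontabs}   # assumed default location; pass another to override
    for tab in "$dir"/*; do
        [ -f "$tab" ] || continue
        user=$(basename "$tab")          # crontab files are named after their owner
        # 1. r-commands called directly from a non-comment crontab entry.
        grep -v '^[[:space:]]*#' "$tab" | grep -E "$RCMD_RE" |
            awk -v p="$user: crontab: " '{ print p $0 }'
        # 2. Remaining entries: field 6 is the command word. If it is a readable
        #    file (assumed to be a text script), search it, ignoring comment lines.
        grep -v '^[[:space:]]*#' "$tab" | grep -v -E "$RCMD_RE" |
            awk 'NF >= 6 { print $6 }' | sort -u |
        while read -r script; do
            [ -f "$script" ] && [ -r "$script" ] || continue
            grep -n -E "$RCMD_RE" "$script" | grep -v '^[0-9]*:[[:space:]]*#' |
                awk -v p="$user: $script:" '{ print p $0 }'
        done
    done
}

# Constructed sample data, so the scan can be tried without touching real crontabs.
demo() {
    d=${TMPDIR:-/tmp}/rscan.$$
    mkdir -m 700 "$d" || return 1
    mkdir "$d/tabs"
    printf '#!/bin/sh\n# old: rcp was used here\nremsh appsrv2 /opt/app/bin/rotate\n' > "$d/sync.sh"
    printf '0 2 * * * %s\n15 3 * * * /usr/bin/rcp /data/f dbhost:/data/f\n' "$d/sync.sh" > "$d/tabs/batch"
    printf '# rlogin note\n0 1 * * * /opt/app/bin/report >> /tmp/rcp.log\n' > "$d/tabs/oper"
    scan_crontabs "$d/tabs"
    rm -rf "$d"
}

# With an argument, scan that directory; without one, run the constructed demo.
if [ $# -gt 0 ]; then scan_crontabs "$1"; else demo; fi
```

Scripts that are started indirectly (through a wrapper, `at` jobs or application schedulers) are not followed, so the inetd connection log from the accepted solution remains the check for what this scan misses.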
Pradep
Regular Advisor

Re: track rlogin,remsh,rcmd

Hi Matti,
Thanks for the valuable suggestion.
I am testing it. An rlogin attempt shows as login/tcp in syslog and a remsh attempt as shell/tcp. I still need to test rcmd, rcp etc.
Thanks.
Suraj K Sankari
Honored Contributor

Re: track rlogin,remsh,rcmd

Hi Pradep,
Please make a habit of assigning points. People give their valuable time to your problem, so you should also take some time to assign points to their work.
If you don't know how to assign points, please see the link below.

http://forums13.itrc.hp.com/service/forums/helptips.do?#33

Suraj
Pradep
Regular Advisor

Re: track rlogin,remsh,rcmd

Hey, sure. I always assign points to every reply, in fact to every reply, whether it helps to solve the problem or not (it is to appreciate the time people spend in replying to my queries). Thanks for the reminders. I am still working on the issue.

Please let me know if you have any suggestions about this problem.

Regards.