Hi, Is there anyway to track which users are using these services and login to the servers using above remote services, so that i can contact them not to use that and then i can safely disable these services, without impacting business.
Add the '-l' option to INETD_ARGS variable in /etc/rc.config.d/netdaemons, then restart inetd with "sh /sbin/init.d/inetd stop; sh /sbin/init.d/inetd start".
Now inetd will log the source hostname, IP and the service used on every connection.
Read /var/adm/syslog/syslog.log to find out where the connection attempts are coming from and which user account they're using. Then track down the users with this information.
I know this is not a direct response to your question, but contacting users to convince them to change from r-series commands to using ssh based commands is not easy, if not totally impossible. People do not like to give up their tested and true ways of doing things no matter what you say.
Best way to accomplish your goal is to put a message display block in the /etc/profile starting 30 days before you cut off the r-commands. And make sure it is read by asking for the user to hit enter after reading, by putting something like
read dummy
at the end of message echo statements. At the end of the 30 day period, just plain cut them off. They will be forced to comply. First few days after that will be a little harsh on the support team, but slowly, they will resume functioning properly.
HTH
________________________________ UNIX because I majored in cryptology...
Hi Mel, good suggestion of /etc/profile. But i am looking for helping users moving out of r* commands. like finding alternative ways for executing scripts/ automated processed which use these commands.
my first step is to find out if anyone is using these commands in manual or automated ways. more difficult is to find out where these cmd used in automation.
> But i am looking for helping users moving out of r* commands. like finding alternative ways for executing scripts/ automated processed which use these commands.
First, I wholly agree with Mel. Advertise the demise of the unsecure r-commands and then cut those off when you say you will.
As for finding their use in automated processes, start by examining the processes listed in the 'crontabs' of any users with them. You could 'grep' for 'rcp', 'remsh', 'rlogin', 'rexec', etc. When found you could advise the user via mail that these methods will be prohibited after some date --- a fix it or it won't work dictum. Of course you need the support of management. Company auditors make excellent "bad-guys" too.
Hi Matti. thanks for the valuable suggestion. I am testing it. rlogin attempt shows as login/tcp in syslog and remsh attempt as shell/tcp. still need to test rcmd,rcp etc. thanks.
Hi Pradep, Please make a habit to assign points, people who give there valuable time to your problem you also take some time to assign points to there work. If you donâ t know how to assign please see this below link.
Hey, sure..i always assing points to every reply. infact to every reply, whether it helps to solve problem or not. ( it is to appreciate the time people spend in replyign to my queries). thanks for the reminders. i am still working on the issue.
Please let me know if you have any suggestions about this problem.
"inetd -l" gives you dates & times when someone used rlogin (or any other inetd service).
Run the "last" command to get a list of logins by time & username. When you find a login time that matches the time of the rlogin use (with an accuracy of about +/- 1 second), you'll know the name of the user account that was accessed with rlogin.
If you have assigned personal user accounts to each user, the name of the user account should normally be enough to identify the user.
If you have user accounts that are used by multiple users, you may have to examine the logs of each rlogin client machine to find out who was using them at the time rlogin was used. (And you will also understand by experience why security auditors say that multi-user accounts are a bad thing.)
unless accounting is turned on the source system (initiating system) there is no traces of what application has been launched on this system. rlogin or remsh are just mere applications. Short of putting wrappers around these executables to log something to some log file, you are pretty much out of luck tracking them.
________________________________ UNIX because I majored in cryptology...
