track rlogin,remsh,rcmd

Pradep
Regular Advisor

track rlogin,remsh,rcmd

Hi, is there any way to track which users are using these services and logging in to the servers via the above remote services, so that I can contact them not to use them and then safely disable these services without impacting business?
15 REPLIES
Matti_Kurkela
Honored Contributor
Solution

Re: track rlogin,remsh,rcmd

Add the '-l' option to INETD_ARGS variable in /etc/rc.config.d/netdaemons, then restart inetd with "sh /sbin/init.d/inetd stop; sh /sbin/init.d/inetd start".

Now inetd will log the source hostname, IP and the service used on every connection.

Read /var/adm/syslog/syslog.log to find out where the connection attempts are coming from and which user account they're using. Then track down the users with this information.

MK
Hakki Aydin Ucar
Honored Contributor

Re: track rlogin,remsh,rcmd

Use whodo:

It shows which users are doing what.

For a long list, use:

# whodo -l
Hakki Aydin Ucar
Honored Contributor

Re: track rlogin,remsh,rcmd

I want to add that for a specific user it is useful to issue:

# whodo -l | grep -i

For more info, check the man page:

# man whodo
Mel Burslan
Honored Contributor

Re: track rlogin,remsh,rcmd

I know this is not a direct response to your question, but contacting users to convince them to change from r-series commands to using ssh based commands is not easy, if not totally impossible. People do not like to give up their tested and true ways of doing things no matter what you say.

Best way to accomplish your goal is to put a message display block in the /etc/profile starting 30 days before you cut off the r-commands. And make sure it is read by asking for the user to hit enter after reading, by putting something like

read dummy

at the end of the message echo statements. At the end of the 30-day period, just plain cut them off. They will be forced to comply. The first few days after that will be a little harsh on the support team, but slowly they will resume functioning properly.

HTH
________________________________
UNIX because I majored in cryptology...
Pradep
Regular Advisor

Re: track rlogin,remsh,rcmd

Hi Mel,
Good suggestion on /etc/profile.
But I am looking to help users move away from r* commands, like finding alternative ways of executing scripts/automated processes which use these commands.

My first step is to find out if anyone is using these commands in manual or automated ways. More difficult is to find out where these commands are used in automation.

Any ideas around that, please?
James R. Ferguson
Acclaimed Contributor

Re: track rlogin,remsh,rcmd

Hi:

> But I am looking to help users move away from r* commands, like finding alternative ways of executing scripts/automated processes which use these commands.

First, I wholly agree with Mel. Advertise the demise of the insecure r-commands and then cut those off when you say you will.

As for finding their use in automated processes, start by examining the processes listed in the 'crontabs' of any users with them. You could 'grep' for 'rcp', 'remsh', 'rlogin', 'rexec', etc. When found, you could advise the user via mail that these methods will be prohibited after some date --- a "fix it or it won't work" dictum. Of course you need the support of management. Company auditors make excellent "bad guys" too.

Regards!

...JRF...
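The crontab sweep James suggests, written out as an added example (this is not code from the thread or from HP): a POSIX shell script that walks a crontab spool directory, skips comment lines, and reports every line that invokes an r-command, word-anchored so that names like "xrcpd" are not false hits. The HP-UX spool path /var/spool/cron/crontabs is an assumption and is passed as a parameter; the three sample crontabs are constructed so the script runs offline, and mktemp is used only to build them.

```shell
#!/bin/sh
# Added example (not from the thread): sweep a crontab spool for r-command use.
# On HP-UX the spool is /var/spool/cron/crontabs (assumed); the directory is a
# parameter so the sweep can also run over a copied-off set of crontabs.

# Word-anchored ERE so that e.g. "xrcpd" or "rcpbackup" do not match.
RCMD_RE='(^|[^A-Za-z0-9_])(rcp|remsh|rlogin|rexec|rcmd)([^A-Za-z0-9_]|$)'

# Print "user:crontab line" for every non-comment line that invokes an
# r-command. Returns 1 when anything was found, 0 when the spool is clean.
scan_crontabs() {
    spool=$1
    found=0
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        user=$(basename "$f")          # crontab files are named after their owner
        matches=$(grep -v '^[[:space:]]*#' "$f" | grep -E "$RCMD_RE" || true)
        [ -n "$matches" ] || continue
        found=1
        printf '%s\n' "$matches" | awk -v u="$user" '{ print u ":" $0 }'
    done
    return $found
}

# Constructed sample spool (three fake users) so the script runs offline.
make_sample_spool() {
    d=$(mktemp -d)
    cat > "$d/alice" <<'EOF'
*/5 * * * * /usr/local/bin/check_disk.sh
# remsh mentioned in a comment only: must not be reported
EOF
    cat > "$d/batch" <<'EOF'
# nightly report push (constructed)
0 2 * * * rcp /var/reports/daily.txt reporthost:/incoming/
30 2 * * * remsh dbhost -n /opt/scripts/rotate.sh
EOF
    cat > "$d/ops" <<'EOF'
0 * * * * /opt/mon/bin/xrcpd --check
EOF
    printf '%s\n' "$d"
}

# Usage: sh scan_rcmd_crontabs.sh [spool_dir]; with no argument the constructed
# sample spool is scanned.
spool=${1:-$(make_sample_spool)}
if scan_crontabs "$spool"; then
    echo "no r-command use found under $spool"
else
    echo "r-command use found under $spool: notify the owners listed above"
fi
```

The non-zero return when anything is found lets the sweep sit in a nightly job that mails the output only on hits; extend RCMD_RE with any local wrapper names before relying on it.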
Pradep
Regular Advisor

Re: track rlogin,remsh,rcmd

Hi Matti,
thanks for the valuable suggestion.
I am testing it. An rlogin attempt shows as login/tcp in syslog and a remsh attempt as shell/tcp. I still need to test rcmd, rcp, etc.
Thanks.
Suraj K Sankari
Honored Contributor

Re: track rlogin,remsh,rcmd

Hi Pradep,
Please make a habit of assigning points; people give their valuable time to your problem, so you should also take some time to assign points to their work.
If you don't know how to assign, please see the link below.

http://forums13.itrc.hp.com/service/forums/helptips.do?#33

Suraj
Pradep
Regular Advisor

Re: track rlogin,remsh,rcmd

Hey, sure. I always assign points to every reply, in fact to every reply whether it helps solve the problem or not (it is to appreciate the time people spend replying to my queries). Thanks for the reminder. I am still working on the issue.

Please let me know if you have any suggestions about this problem.

regards.
Pradep
Regular Advisor

Re: track rlogin,remsh,rcmd

Hi Matti,

inetd -l is tracing the connection source,
but not telling which user initiated it.
How do I find the user, please?
Suraj K Sankari
Honored Contributor

Re: track rlogin,remsh,rcmd

Hi,

You can check your syslog.log file

Suraj
Matti_Kurkela
Honored Contributor

Re: track rlogin,remsh,rcmd

"inetd -l" gives you dates & times when someone used rlogin (or any other inetd service).

Run the "last" command to get a list of logins by time & username. When you find a login time that matches the time of the rlogin use (with an accuracy of about +/- 1 second), you'll know the name of the user account that was accessed with rlogin.

If you have assigned personal user accounts to each user, the name of the user account should normally be enough to identify the user.

If you have user accounts that are used by multiple users, you may have to examine the logs of each rlogin client machine to find out who was using them at the time rlogin was used. (And you will also understand by experience why security auditors say that multi-user accounts are a bad thing.)

MK
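The time-matching Matti describes, carried out as an added example (not code from the thread or from HP): an awk-based shell function that reads last(1) output and "inetd -l" syslog entries and pairs each r-service hit (login/tcp, shell/tcp, exec/tcp) with the login recorded in the same minute, preferring an entry whose origin host matches. Since last prints minute resolution, the match is keyed on "Mon D HH:MM"; sessions that never go through login, which is typically the case for remsh and rexec, leave no wtmp entry and are listed as unmatched so they are not silently lost. The sample syslog and last lines are constructed approximations of the HP-UX formats (only the leading syslog timestamp, the "service/tcp:" token and the word after "from" are relied on), and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): match "inetd -l" syslog entries for the
# r-services against last(1) output. last prints minute resolution, so entries
# are keyed on "Mon D HH:MM"; within a minute the remote host name picks the
# right login, and inetd hits with no login record at all are listed as well.

# correlate_rlogins SYSLOG_FILE LAST_FILE
correlate_rlogins() {
    awk '
    BEGIN { rsvc["login/tcp"] = 1; rsvc["shell/tcp"] = 1; rsvc["exec/tcp"] = 1 }
    # First file: last(1) output. Remember user and origin host per minute.
    FNR == NR {
        if (match($0, /[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ [0-9][0-9]:[0-9][0-9]/)) {
            split(substr($0, RSTART, RLENGTH), p, / +/)     # p: Wed Mar 3 09:14
            k = p[2] " " p[3] " " p[4]
            nq = split(substr($0, 1, RSTART - 1), q, / +/)   # q: user tty [host]
            n = ++cnt[k]
            user[k, n] = q[1]
            host[k, n] = (nq >= 4) ? q[3] : "-"
        }
        next
    }
    # Second file: syslog. Only the r-services matter; pull service and origin.
    {
        svc = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /\/tcp:$/ || $i ~ /\/udp:$/) svc = substr($i, 1, length($i) - 1)
            if ($i == "from" && i < NF) src = $(i + 1)
        }
        if (!(svc in rsvc)) next
        k = $1 " " $2 " " substr($3, 1, 5)                   # Mon D HH:MM
        head = k " " svc " from " src " -> "
        out = ""
        for (i = 1; i <= cnt[k]; i++)                        # exact host match first
            if (host[k, i] == src)
                out = out (out != "" ? "\n" : "") head user[k, i] " (host matches)"
        if (out == "")                                       # else every login that minute
            for (i = 1; i <= cnt[k]; i++)
                out = out (out != "" ? "\n" : "") head user[k, i] " (same minute, host " host[k, i] ")"
        print (out != "" ? out : head "no matching login record")
    }' "$2" "$1"
}

# Constructed sample syslog lines shaped like HP-UX inetd -l output (an
# approximation; only the timestamp, the "service/tcp:" token and the word
# after "from" are relied on).
sample_inetd_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 09:14:02 hpux01 inetd[2231]: login/tcp: Connection from client7 (10.20.30.7) at Wed Mar  3 09:14:02 2010
Mar  3 09:20:05 hpux01 inetd[2231]: shell/tcp: Connection from batch2 (10.20.30.12) at Wed Mar  3 09:20:05 2010
Mar  3 11:40:31 hpux01 inetd[2231]: login/tcp: Connection from gw-lab.example.com (10.20.30.9) at Wed Mar  3 11:40:31 2010
Mar  3 12:01:10 hpux01 inetd[2231]: ftp/tcp: Connection from client9 (10.20.30.19) at Wed Mar  3 12:01:10 2010
Mar  3 14:02:17 hpux01 inetd[2231]: exec/tcp: Connection from client7 (10.20.30.7) at Wed Mar  3 14:02:17 2010
EOF
    printf '%s\n' "$f"
}

# Constructed last(1) output for the same day (minute resolution, empty host
# column for console logins, long host names truncated as last does).
sample_last_output() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
pradep   pts/ta       client7          Wed Mar  3 09:14 - 09:30  (00:16)
carol    pts/tb       gw-lab           Wed Mar  3 11:40 - 11:52  (00:12)
bob      pts/tc       client8          Wed Mar  3 11:40 - 11:41  (00:01)
root     console                       Tue Mar  2 18:05 - 18:40  (00:35)
EOF
    printf '%s\n' "$f"
}

# Real use: last > /tmp/last.out; correlate_rlogins /var/adm/syslog/syslog.log /tmp/last.out
# Offline demonstration on the constructed samples:
correlate_rlogins "$(sample_inetd_log)" "$(sample_last_output)"
```

Two things the sample deliberately shows: a truncated host name in last (gw-lab) against a fully qualified one in syslog falls back to "same minute" candidates, so several users can be listed for one hit, and the shell/tcp and exec/tcp hits come out unmatched because nothing logged in through login(1).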
Pradep
Regular Advisor

Re: track rlogin,remsh,rcmd

Thanks, Matti.
Is there a way to find the connections initiated from the server?
inetd -l is showing only the ones coming to the server.
thanks.
Mel Burslan
Honored Contributor

Re: track rlogin,remsh,rcmd

Unless accounting is turned on on the source (initiating) system, there are no traces of what application has been launched on that system. rlogin or remsh are mere applications. Short of putting wrappers around these executables to log something to a log file, you are pretty much out of luck tracking them.
________________________________
UNIX because I majored in cryptology...
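The wrapper Mel has in mind, as an added example (not code from the thread or from HP): one POSIX shell script installed in place of the r-command clients that records who ran what, from which tty, and then hands control to the real binary with exec so exit status and signals behave exactly as before. The record also answers the automation question from earlier in the thread: an invocation with no controlling tty (cron, nohup, a remsh from another host) shows up as tty=notty, which separates scripted use from people typing at a prompt. The rename scheme (/usr/bin/remsh moved to /usr/bin/remsh.real, this script installed as /usr/bin/remsh, likewise for rcp, rlogin and rexec) and the log path /var/adm/rcmd_use.log are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a logging wrapper installed under the
# name of an r-command client. Assumed layout: the real binary is renamed to
# /usr/bin/<name>.real and this file becomes /usr/bin/<name>. Each call appends
# a record to RCMD_LOG and to syslog via logger(1), then execs the real binary.

RCMD_LOG=${RCMD_LOG:-/var/adm/rcmd_use.log}   # assumed log location

# Build one record: time, effective user, login name (if logname works),
# controlling tty ("notty" for cron/scripted use), parent pid, command, args.
rcmd_record() {
    name=$1; shift
    user=$(id -un 2>/dev/null || echo unknown)
    login_user=$(logname 2>/dev/null || echo "$user")
    tty_name=$(tty 2>/dev/null) || tty_name=notty
    printf '%s user=%s login=%s tty=%s ppid=%s cmd=%s args=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$user" "$login_user" "$tty_name" \
        "$PPID" "$name" "$*"
}

# Append the record to the log file and to syslog. Logging must never block
# the user's command, so failures here are swallowed and 0 is returned.
rcmd_log() {
    rec=$(rcmd_record "$@")
    printf '%s\n' "$rec" >> "$RCMD_LOG" 2>/dev/null
    logger -t rcmd-wrapper "$rec" 2>/dev/null
    return 0
}

# rcmd_wrapped_exec REAL_BINARY NAME ARGS...: log, then replace this shell
# with the real binary so the caller sees the original exit status.
rcmd_wrapped_exec() {
    real=$1; name=$2; shift 2
    rcmd_log "$name" "$@"
    exec "$real" "$@"
}

# Only act as a wrapper when invoked under one of the r-command names; the
# functions above can be sourced and tested without triggering an exec.
case $(basename "$0") in
    remsh|rcp|rlogin|rexec)
        me=$(basename "$0")
        rcmd_wrapped_exec "/usr/bin/$me.real" "$me" "$@" ;;
esac
```

Because the wrapper runs in the caller's context, the "user" field is whoever launched the automation, which is exactly the owner to contact; grouping the log by user and tty=notty gives the list of scripted users that the crontab sweep alone can miss (for instance jobs started from another host or from an at queue).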
Pradep
Regular Advisor

Re: track rlogin,remsh,rcmd

Thank you all.
I'll close the thread here.