
who used r-commands?

 
SAST
New Member

who used r-commands?

Hi everybody,

Is there a way to know who used r-commands to access my server?
Rita C Workman
Honored Contributor

Re: who used r-commands?

By r-commands I'll assume you mean the Berkeley group of r.

Well... for them to gain access to "your" server by using the Berkeley commands, you would have had to set up an .rhost file giving them the right. So I might start by checking the .rhost files on all "my" boxes and see what is in them.

Just a thought,
Rita
Pete Randall
Outstanding Contributor

Re: who used r-commands?

The last command will identify those who may have "remsh'd" to your server, but I expect it to be near impossible to identify the source of rcopy's and the like.


Pete
Ninad_1
Honored Contributor

Re: who used r-commands?

Hi,

Check your /var/adm/syslog/syslog.log on the destination server.
I have seen r-commands getting logged in syslog.log.

Regards,
Ninad
Armin Kunaschik
Esteemed Contributor

Re: who used r-commands?

You can use nettl (or tcpdump) to monitor present/future connections to the r-ports 512, 513 and 514.
But this will not tell you about the past.
r-commands rarely log anything. Most of the time you'll see login failures in syslog.

Maybe a bit more aggressive approach: Configure ssh, tell all potential users to migrate to ssh and simply deactivate r-services.

My 2 cents,
Armin

PS: Assign points if you find answers useful!
And now for something completely different...
SAST
New Member

Re: who used r-commands?

I've tested rlogin and remsh connections to my box. The last command and syslog don't show any activity.

Oh sorry, I have this output using last:

root pts/0 Fri Nov 21 11:26 - 11:33 (00:07)

But no other indication.
SAST
New Member

Re: who used r-commands?

Thanks everybody for your help. It was my first post and your replies were helpful to me.
SAST
New Member

Re: who used r-commands?

The best way, as explained, is to deactivate r* services.
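The two checks suggested in the replies (see which trust files exist, and whether the r-services are still enabled) can be scripted. This is an added example, not code posted by anyone in the thread; the function names are hypothetical, and it assumes the standard passwd and inetd.conf layouts and the usual /etc/services names for ports 512, 513 and 514 (exec, login, shell).

```shell
#!/bin/sh
# Added example: audit r-command trust files and inetd entries.
# Trust files are ~/.rhosts (per user) and /etc/hosts.equiv (system-wide).

# Print "owner:file:flag:entry" for each active line of a trust file.
# A "+" in the host or user field trusts any host or any user.
# $1 = owner label, $2 = trust file
scan_trust_file() {
    [ -f "$2" ] || return 0
    awk -v o="$1" -v f="$2" 'NF && $1 !~ /^#/ {
        w = ($1 == "+" || $2 == "+") ? "WILDCARD" : "listed"
        print o ":" f ":" w ":" $0
    }' "$2"
}

# Walk a passwd-format file and scan every home directory's .rhosts.
# $1 = passwd file (default /etc/passwd)
scan_rhosts() {
    while IFS=: read -r user x x x x home x; do
        [ -n "$home" ] && scan_trust_file "$user" "$home/.rhosts"
    done < "${1:-/etc/passwd}"
    return 0
}

# Print "service server-program" for r-services that are not commented
# out: exec (512), login (513), shell (514).
# $1 = inetd.conf file (default /etc/inetd.conf)
enabled_r_services() {
    conf="${1:-/etc/inetd.conf}"
    [ -f "$conf" ] || return 0
    awk '$1 == "exec" || $1 == "login" || $1 == "shell" { print $1, $6 }' "$conf"
}

# Audit the live system only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    scan_trust_file ALL /etc/hosts.equiv
    scan_rhosts /etc/passwd
    enabled_r_services /etc/inetd.conf
fi
```

Empty output from all three functions means no trust entries and no active r-service lines were found; it says nothing about past connections.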