Re: rsh and rlogin

 
luis de carlos
Occasional Advisor

Re: rsh and rlogin

OK, the plot thickens!!!
First, the answer to Stuart's question: I am trying to connect as a normal user, oracle, who has a valid login on both boxes ...
Next, when I run the iptables -L command I get:
[root@uxcoedb001 root]# iptables -nvL
/lib/modules/2.4.18-e.41smp/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.18-e.41smp/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.18-e.41smp/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.18-e.41smp/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

????????????????????????
Well, as mentioned, I am not aware of the firewall being used. I ran the services iptables stop and still no joy.

What is more puzzling is that there are no relevant entries in either /var/log/messages or /var/log/secure (i.e. recorded when commands were entered), even with me running rlogin -d ???

Do I have to explicitly start another service? This is the list from chkconfig:
[root@uxcoedb002 etc]# chkconfig --list
keytable 0:off 1:on 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netdump-server 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
ipchains 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
identd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
radvd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rwhod 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rstatd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rusersd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rwalld 0:off 1:off 2:off 3:off 4:off 5:off 6:off
yppasswdd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ypserv 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ypxfrd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
winbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
arpwatch 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ipvsadm 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netdump 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmptrapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rhnsd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
chargen-udp: off
chargen: off
daytime-udp: off
daytime: off
echo-udp: off
echo: off
services: off
servers: off
time-udp: off
time: off
sgi_fam: on
finger: off
rexec: on
rlogin: on
rsh: on
ntalk: off
talk: off
telnet: on
rsync: off
Stuart Browne
Honored Contributor

Re: rsh and rlogin

Ok, as 'iptables' didn't work, try 'ipchains -nvL'. It's an older method of firewalling.

Now, we know the service is 'started and listening' (those three lines from the 'netstat -ntlp' I pasted back prove that), and no. Once you issue 'chkconfig rsh on', it's started and listening.

Things to verify on server machine (i.e. the one you are trying to 'rlogin' into):

ls -l ~oracle/.rhosts
cat ~oracle/.rhosts
cat /etc/hosts.{allow,deny}

The permissions on the '.rhosts' should be no more than 0600. The content of the '.rhosts' file should have the machine-name or IP address of the remote machine, and it can be pinged.

The '/etc/hosts.allow' & '/etc/hosts.deny' should have enough in them to allow 'in.rshd' and 'in.rlogind' (or both be empty).

Nothing is required on the client machine.
One long-haired git at your service...
luis de carlos
Occasional Advisor

Re: rsh and rlogin

Hi Stuart,
Thanks for your time!
Here is the output:
[root@uxcoedb002 etc]# ls -l ~oracle/.rhosts
-r-------- 1 oracle dba 145 Jun 28 15:58 /home/oracle/.rhosts
[root@uxcoedb002 etc]# cat ~oracle/.rhosts
10.49.123.22 oracle
10.49.123.23 oracle
uxcoedb001 oracle
uxcoedb001.coe.int oracle
10.49.123.22
10.49.123.23
uxcoedb001
uxcoedb001.coe.int
[root@uxcoedb002 etc]# cat /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.rshd:10.49.123.22
in.rlogind:10.49.123.22
in.rshd:uxcoedb001
in.rlogind:uxcoedb001
[root@uxcoedb002 etc]# ipchains -nvL
Chain input (policy ACCEPT: 4765 packets, 214133 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 ACCEPT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 22
5 240 ACCEPT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 23
192 10558 ACCEPT all ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 n/a
172 9672 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 0:1023
0 0 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 2049
26386 2446K REJECT udp ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 0:1023
0 0 REJECT udp ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 2049
0 0 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 6000:6009
0 0 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 7100
Chain forward (policy ACCEPT: 0 packets, 0 bytes):
Chain output (policy ACCEPT: 3228 packets, 316082 bytes):
luis de carlos
Occasional Advisor

Re: rsh and rlogin

Oops, forgot the deny ...
[root@uxcoedb002 etc]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

[root@uxcoedb002 etc]#
Stuart Browne
Honored Contributor
Solution

Re: rsh and rlogin

And here's why:

[root@uxcoedb002 etc]# ipchains -nvL
Chain input (policy ACCEPT: 4765 packets, 214133 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 ACCEPT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 22
5 240 ACCEPT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 23
192 10558 ACCEPT all ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 n/a
172 9672 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 0:1023
0 0 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 2049
26386 2446K REJECT udp ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 0:1023
0 0 REJECT udp ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 2049
0 0 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 6000:6009
0 0 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 7100


In particular, this line:

172 9672 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 0:1023

What this is doing is rejecting any packet destined for TCP ports 512-514.

So what you need to do is insert some firewall rules to allow it through, i.e.:

ipchains -I input -j ACCEPT -p tcp -y -d 0/0 512:514
One long-haired git at your service...
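To show why the REJECT line above catches rsh/rlogin and why the fix has to be inserted (-I) ahead of it rather than appended (-A), here is an added Python simulation of ipchains first-match evaluation over the 'input' chain pasted in the thread (example code, not from the thread or from ipchains itself). It assumes all source/destination matches are 0.0.0.0/0, as in the paste, and ignores the SYN-only (-y) flag.

```python
# Added example (not from the thread): simulate ipchains first-match evaluation
# over the 'input' chain pasted above. Source/destination are all 0.0.0.0/0 and
# the SYN-only (-y) flag is ignored, so a rule is keyed on proto, ifname, ports.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    target: str                       # ACCEPT or REJECT
    proto: str                        # tcp, udp, or all
    ifname: str                       # '*' matches any interface
    ports: Optional[Tuple[int, int]]  # destination port range, None for n/a

# Constructed from the thread's 'ipchains -nvL' output, counters dropped.
INPUT_CHAIN = [
    Rule("ACCEPT", "tcp", "*", (22, 22)),
    Rule("ACCEPT", "tcp", "*", (23, 23)),
    Rule("ACCEPT", "all", "lo", None),
    Rule("REJECT", "tcp", "*", (0, 1023)),      # swallows rsh/rlogin 512-514
    Rule("REJECT", "tcp", "*", (2049, 2049)),
    Rule("REJECT", "udp", "*", (0, 1023)),
    Rule("REJECT", "udp", "*", (2049, 2049)),
    Rule("REJECT", "tcp", "*", (6000, 6009)),
    Rule("REJECT", "tcp", "*", (7100, 7100)),
]
POLICY = "ACCEPT"  # chain policy, used when no rule matches

def matches(rule: Rule, proto: str, ifname: str, dport: int) -> bool:
    if rule.proto != "all" and rule.proto != proto:
        return False
    if rule.ifname != "*" and rule.ifname != ifname:
        return False
    return rule.ports is None or rule.ports[0] <= dport <= rule.ports[1]

def verdict(chain, proto, ifname, dport, policy=POLICY):
    """First matching rule wins (ipchains semantics); returns (target, index)."""
    for i, rule in enumerate(chain):
        if matches(rule, proto, ifname, dport):
            return rule.target, i
    return policy, None

def with_inserted(chain, rule, position=0):
    """'ipchains -I input ...' inserts at the head, ahead of the REJECT."""
    return chain[:position] + [rule] + chain[position:]

def with_appended(chain, rule):
    """'ipchains -A input ...' appends; the earlier REJECT still wins."""
    return chain + [rule]
```

With fix = Rule("ACCEPT", "tcp", "*", (512, 514)), verdict(INPUT_CHAIN, "tcp", "eth0", 513) returns ("REJECT", 3); after with_inserted(INPUT_CHAIN, fix) it returns ("ACCEPT", 0), whereas with_appended(INPUT_CHAIN, fix) still returns ("REJECT", 3).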
luis de carlos
Occasional Advisor

Re: rsh and rlogin

Thank you so much to all, you guys were right, it was a firewall issue that I did not even know was in place!
And in particular, thanks to Stuart for his time, patience and effort ...
Hope this helps others as well.
Spot-on.
Beats me how this policy got in, but now I can work ....
:-)))))
Luis