Great Circle Associates Firewalls
(February 1993)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: rlogin??
From: dupuy @ tiemann . cs . columbia . edu (Alexander Dupuy)
Date: Tue, 23 Feb 93 22:51:13 EST
To: brent @ GreatCircle . COM, doug @ seas . smu . edu
Cc: 1333P @ VM1 . CC . NPS . NAVY . MIL, firewalls @ GreatCircle . COM
In-reply-to: <9302232246 . AA16399 @ mycroft . GreatCircle . COM> (brent @ greatcircle . com)
Reply-to: dupuy @ cs . columbia . edu

> No.  You can't allow rlogin without opening up access to all the TCP
> services that live below port 1024 (finger, sendmail, ftp, ...),
> because rlogin uses a random port below 1024 for the client end of the
> connection.

If you have a filtering mechanism which supports some variant of the
"established" keyword, you could allow outbound rlogin/rsh/etc. without having
to support inbound access to all the other TCP services which live below port
1024.  Since rlogin uses a random port, you will have to allow outbound
connections from any service below port 1024, unless you can do filtering
based on source ports.  (Also beware of the problems with "established" on
ciscos, as noted on this list).

> We dealt with the faculty problem problem like this, we got all
> the complaintents in a room in which I showed them a program I
> wrote that spoofed rlogind's and then I hacked into a couple of their
> accounts from a remote machine (at another University) to prove that
> it could be done.

I'm not quite sure I follow this.  To write a spoofed rlogind might be useful
in collecting passwords, but this is an insider attack; not something one
would expect a firewall to protect against (and anyone who could write a
rlogind spoof could do the same for telnet, and get a password every time!).
Hacking into their accounts using rlogin and bogus nameserver packets is a
good argument against inbound rlogin, but doesn't prove outbound rlogin to be
a threat.

@alex



Follow-Ups:
  • Re: rlogin??
    From: rens @ lorax . shearson . com (Rens Troost)

References:
  • Re: rlogin??
    From: Brent Chapman <brent @ GreatCircle . COM>
Indexed By Date Previous: Re: Cisco IGS and established
From: Brent Chapman <brent @ GreatCircle . COM>
Next: wais [please elaborate on Rik's notes]
From: gjkriger @ gjk . OCUnix . on . ca (George J. Kriger)
Indexed By Thread Previous: Re: rlogin??
From: Brent Chapman <brent @ GreatCircle . COM>
Next: Re: rlogin??
From: rens @ lorax . shearson . com (Rens Troost)

Google
 
Search Internet Search www.greatcircle.com