Georg Pauwen Sat, 08/27/2005 - 23:17
User Badges:
  • Green, 3000 points or more
  • Cisco Designated VIP,

    2017 WAN

Hello,


that message typically appears when somebody is doing a port scan on your network, and the RSHELL port (TCP port 514) is commonly part of that scan.

Of course, somebody could also try actively to connect to your router using RSHELL, and that message would appear when the router is not configured as RSHELL or RCP server.

Can you try and find out to whom that IP address (172.20.50.18) belongs ? It is a private space address and therefore, likely, originates in your own network...


HTH,


GP

Georg Pauwen Sun, 08/28/2005 - 02:13
User Badges:
  • Green, 3000 points or more
  • Cisco Designated VIP,

    2017 WAN

Hello,


if you want to prevent RSHELL access to your router alltogether, you could configure an access list with the following line:


access-list 101 deny tcp any any eq 514

access-list 101 permit ip any any


If you already have an access list configured, you can just add the first line.

If you want specific hosts to be able to remote shell to your router, amend the access list accordingly, e.g.:


access-list 101 permit tcp host 172.20.50.18 host 192.168.1.1 eq 514


This would allow the host from your log output to access the router with IP address 192.168.1.1 using RSHELL.


Does that make sense ?


Regards,


GP

Actions

This Discussion