Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

I have noticed instances of %RCMD-4-RSHPORTATTEMPT showing up in my router logs, could this be an attempt to hack into the router

I run a university network and the gateway router that manages NAT and our current access lists showed a number od instance of the %RCMD-4-RSHPORTATTEMPT statement in the syslogs. I wanted to verify that the only reason for such a log entry is an attempt to access the router itself or could this message be generated by someone attempting unsuccessfully to rshell to a device accross the router. If it was in fact an attempt to Rshell into the router I will act on this as an attempted hack.

  • Other Security Subjects
1 REPLY
Anonymous
N/A

Re: I have noticed instances of %RCMD-4-RSHPORTATTEMPT showing u

Check whether these attempts were all made from different IP addresses

In such case this was/is a DOS (denial of service) attack.

a.) experienced a Port Scan (such as by nmap or similar software... nmap seen here--> http://www.insecure.org/nmap/)

b.) Is experiencing someone (or a group of people) trying to login to this router using the RSHELL port (TCP port 512).

This could be a DOS (Denial Of Service) attack.

There is a write up on this on Cisco's homepage at these locations...

http://www.cisco.com/warp/public/707/21.html

http://www.cisco.com/warp/public/707/22.html

These will help identify the type of DOS attack going on and how to defend against it.

Basically the Router should only accept TCP connections from known IP addresses, and not just anywhere.

One method to resolve this attach would be to impliment Access lists.

I did not see any config indicating that you are supporting RSHELL configs.

So what you will want to do is block the RSHELL destination port (512) with an access list.

--> Here is an "example" of an access list that could be used to block the RSHELL connection attempts -->

access-list 151 deny tcp any any eq 512

access-list 151 permit ip any any

You will want to apply this to the outbound interface of the device nearest the host in question.

An example of this would be-->

interface POS11/0/0

IP access-group 151 out

68
Views
0
Helpful
1
Replies