I have noticed instances of %RCMD-4-RSHPORTATTEMPT showing up in my router logs, could this be an attempt to hack into the router

admin_2
Level 3

I run a university network and the gateway router that manages NAT and our current access lists showed a number of instances of the %RCMD-4-RSHPORTATTEMPT statement in the syslogs. I wanted to verify that the only reason for such a log entry is an attempt to access the router itself, or could this message be generated by someone attempting unsuccessfully to rshell to a device across the router? If it was in fact an attempt to rshell into the router, I will act on this as an attempted hack.

1 Reply

Not applicable

Check whether these attempts were all made from different IP addresses.

In such case this was/is a DOS (denial of service) attack.

a.) Experienced a port scan (such as by nmap or similar software... nmap seen here--> http://www.insecure.org/nmap/)

b.) Is experiencing someone (or a group of people) trying to login to this router using the RSHELL port (TCP port 512).

This could be a DOS (Denial Of Service) attack.

There is a write up on this on Cisco's homepage at these locations...

http://www.cisco.com/warp/public/707/21.html

http://www.cisco.com/warp/public/707/22.html

These will help identify the type of DOS attack going on and how to defend against it.

Basically the Router should only accept TCP connections from known IP addresses, and not just anywhere.

One method to resolve this attack would be to implement access lists.

I did not see any config indicating that you are supporting RSHELL configs.

So what you will want to do is block the RSHELL destination port (512) with an access list.

--> Here is an "example" of an access list that could be used to block the RSHELL connection attempts -->

access-list 151 deny tcp any any eq 512

access-list 151 permit ip any any

You will want to apply this to the outbound interface of the device nearest the host in question.

An example of this would be-->

interface POS11/0/0
 ip access-group 151 out
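The first step the reply suggests, checking whether the attempts come from one source or many, is easy to automate against the exported syslog. The script below is an added example, not code from either poster; the sample log lines are constructed, and the wording of the %RCMD-4-RSHPORTATTEMPT message after the mnemonic ("Attempted to connect to RSHELL from <ip>") is assumed.

```python
import re
from collections import Counter

# Constructed sample syslog export (not from the original post). The message
# text after the mnemonic is assumed; adjust RSH_RE if your IOS release differs.
SAMPLE_LOG = """\
Mar  3 10:01:12 gw-rtr 101: *Mar  3 10:01:11.002: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 198.51.100.7
Mar  3 10:01:13 gw-rtr 102: *Mar  3 10:01:12.410: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 198.51.100.7
Mar  3 10:02:40 gw-rtr 103: *Mar  3 10:02:39.877: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 203.0.113.21
Mar  3 10:03:05 gw-rtr 104: *Mar  3 10:03:04.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
Mar  3 10:03:55 gw-rtr 105: *Mar  3 10:03:54.300: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 198.51.100.7
"""

# Match only the rsh-port message and capture the source IPv4 address.
RSH_RE = re.compile(r"%RCMD-4-RSHPORTATTEMPT: .*?from (\d{1,3}(?:\.\d{1,3}){3})")


def rsh_attempts_by_source(log_text):
    """Return a Counter mapping source IP -> number of RSHPORTATTEMPT messages."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RSH_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def classify(counts, many_sources=5):
    """Crude triage following the reply: many distinct sources looks like a
    scan or flood; a few sources repeatedly hitting TCP 512 on the router
    looks like targeted login attempts that an ACL on port 512 would stop."""
    if not counts:
        return "no rsh attempts"
    if len(counts) >= many_sources:
        return "many sources: scan or flood pattern"
    return "few sources: targeted attempts, consider blocking with an ACL"


def summarize(log_text):
    """Total attempts, per-source counts and a verdict for the given log text."""
    counts = rsh_attempts_by_source(log_text)
    return {"total": sum(counts.values()),
            "sources": dict(counts),
            "verdict": classify(counts)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```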