Jose Tomás Pinal Salvador wrote: > > Hello Group! > > Could anybody tell me what4s mean the following log: > > 31w5d: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL > from x.x.x.x
The most likely meaning is simply that someone made an attempt to open a connection to the Remote Shell port on your router. That's port 514. See the end of this message for a more scary potential meaning for the message, however. For a list of port numbers, see the Internet Assigned Numbers Authority page here: http://www.iana.org/assignments/port-numbers Remote Shell (or rsh) allows UNIX users to execute shell commands on remote UNIX systems. It's sort of like Telnet but preferable in some ways because it recognizes trusted hosts and understands UNIX notions of standard input, error, etc. Someone was probably port scanning, most likely looking for a UNIX host. This happens all the time. Your machines are probably being port scanned many times per day. (Anyone have any actual stats on this?) Now, should you be concerned since this was a router and not a UNIX host? I think the answer is Yes, even though port scanning is a common occurance. Cisco uses parts of RSHELL because they support Remote Copy Protocol (RCP) for uploading and downloading configs and images. You may have that port open to support this service. If you do, you better have some access lists that say who can use it. Also, check out this bug report and Security Advisory with regards to port scanning and an error message about RSHELL: http://www.cisco.com/warp/public/707/ios-tcp-scanner-reload-pub.shtml The gist of the message is that you may see the error message that you are reporting when someone port scans you (not just for the RSHELL port). Due to a bug, you'll see that error message and your router may reload. You may be seeing this message because someone is trying to take advantage of this vulnerability. If you are running the IOS versions mentioned in this alert, update now! Priscilla > > Maybe the IP Address x.x.x.x is making a scaning port to my > router?It is > maybe an attack? I have to send a prevent message to the owner > of this IP > address? > > Note:I don4t put the correct IP for to be carefull. > > Thanks group.- > > > > _________________________________________________________________ > Send and receive Hotmail on your mobile device: > http://mobile.msn.com > > Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51760&t=51743 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
