This week, I will discuss the so-called R-services that provide various levels of interaction and command execution on a remote host. I will then show how to disable these services to eliminate their potential security risks.

Advertisement

On this topic Newsletters Linux Tips and Tricks. Sign up Now! More news on this subject Red Hat, HP ship Linux Itanium 2 workstations UnitedLinux plans under-$1,000 release, US entity Linux takes confidence says RS/6000 supporter Gartner: Linux will be the savior of Unix HP to work with US government on Linux clusters White Papers Unix Search the Newsletter Archives The Entire Archive WINDOWS SECURITYUNIX SYSTEM ADMINISTRATIONeBUSINESS INSIGHTSUNIX IN THE ENTERPRISEJAVA TUTORLINUX DESKTOP APPLICATIONSSECURITY STRATEGIESMANAGING THE IT PROFESSIONALWINDOWS IN THE ENTERPRISEUNIX SECURITYITWORLD.COM THIS WEEKSOLUTIONS INTEGRATORITWORLD.COM PRODUCT SPOTLIGHTSTORAGE SOLUTIONSWINDOWS SYSADMIN TIPSXML IN PRACTICEPERLECOMMERCE IN THE ENTERPRISECERTIFICATION NEWSDATA MANAGEMENT STRATEGIESIT CAREER ADVISORJAVA IN THE ENTERPRISEENTERPRISE NETWORKINGSUPERSITE MANAGERJAVA SECURITYHTML TUTORASP TUTORE-BUSINESS IN THE ENTERPRISELINUX SECURITYIT INSIGHTS FROM META GROUPINTEGRATING WINDOWS AND UNIXITWORLD.COM TODAYECOMMERCE IN ACTIONREMOTE AND MOBILE COMPUTINGLINUX TIPS AND TRICKSXSP TRENDSJAVASCRIPT View the LINUX TIPS AND TRICKS Archive

A Note on Security
All the R-services ("R" stands for "remote") are solid, convenient, and reliable tools when used inside a closed local network, preferably secured by a firewall. However, they easily turn into a dangerous security loophole when used in a public, open network or a Web server. Therefore, you should usually disable them on public Web servers.

rlogin
The rlogin (remote login) utility enables a user to log automatically into a remote machine without having to supply a username and a password. Once you have logged in, rlogin provides a telnet-like interface. For example, if you have two machines called "mac1" and "mac2" that are connected to each other on the same network, you can log into mac1 from mac2 using the following command:

$rlogin mac2

The automatic login is enabled only for known usernames that have a matching .rhosts entry; otherwise, the user will still be prompted for a valid username and a password. To disable rlogin, remove or comment out the rlogind (the rlogin server) entry from inetd.conf. In addition, you should delete /etc/hosts.equiv and any .rhosts files from your system.

rsh
The rsh (remote shell) service allows execution of remote commands. The rsh program runs on a client that connects to a remote host. rsh opens a shell on the remote host in which the command executes. To disable rsh, comment out the rshd entry in the inetd.conf file.

rexec
The rexec (remote execution) service offers remote command execution, similar to rsh. The only difference is that the user must supply a username and a password to execute a command using rexec. To disable rexec, remove or comment out the rexecd entry from inetd.conf.

rwho
The rwho (remote who) service reports information on currently logged users on a remote host. The information gained this way can be quite dangerous if it reaches the hands of professional crackers. To disable this service, comment out the rwhod entry in the inetd.conf file.