RCMD-4-RSHPORTATTEMPT caused router to be unresponsive

jcle

Aug 9, 2008, 8:17:10 PM
I got a 7206VXR with an old NPE-200 running Version 12.0(10)S.

This router isn't doing anything special; basically I'm using it as a
small office NAT router to the internet.

I had a problem where a user claimed the router became unresponsive
and cut him off from the internet. At the same time I got the following
trapped in my logs:

*Aug 9 15:42:38: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from xxx.xxx.xxx.xxx
*Aug 9 15:42:44: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from xxx.xxx.xxx.xxx

I read this means that someone was trying to access my router from
the IP listed. I already have ACLs on my vty lines, and as you can
see below, access is limited to a few IPs only. Anybody know why
this would cause the router to become unresponsive? It didn't
reboot. Some reading said that maybe there was a CPU spike from a
Nessus or nmap scan. I am not aware of any bugs; this router has been
in production for over a year with no probs.

line con 0
line aux 0
line vty 0 4
access-class 95 in
exec-timeout 0 0
transport input telnet ssh
line vty 5 15
access-class 95 in
!

Merv

Aug 10, 2008, 10:56:40 AM

looks like CSCeb21552 - should be fixed in 12.0(28) and above


CSCeb21552 Need to remove %RCMD-4-RSHPORTATTEMPT messages

Symptoms: The following error message may be displayed when a router
receives a connection request on command-shell (TCP, 514) and
Kerberos-shell (kshell) (TCP, 544) ports:

%RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.168.2.2

Conditions: This symptom is observed on a Cisco router that has the
remote shell (rsh) disabled.

Workaround: Filter the traffic that is destined for command-shell
(TCP, 514) and Kerberos-shell (kshell) (TCP, 544) ports.

First, enter the "show ip interface brief" EXEC command to display the
usability status of interfaces that are configured for IP. The output
may look like the following:

Interface      IP-Address    OK? Method Status                Protocol
Ethernet0/0    172.16.1.1    YES NVRAM  up                    up
Ethernet1/0    unassigned    YES NVRAM  administratively down down
Serial2/0      192.168.2.1   YES NVRAM  up                    up
Serial3/0      192.168.3.1   YES NVRAM  up                    up
Loopback0      10.1.1.1      YES NVRAM  up                    up

Then, create the following access control list (ACL) for the router
and apply this ACL to all interfaces that are enabled with the
"ip access-group 177 in" router configuration command:

access-list 177 deny tcp any host 172.16.1.1 eq 514
access-list 177 deny tcp any host 172.16.1.1 eq 544
access-list 177 deny tcp any host 192.168.2.1 eq 514
access-list 177 deny tcp any host 192.168.2.1 eq 544
access-list 177 deny tcp any host 192.168.3.1 eq 514
access-list 177 deny tcp any host 192.168.3.1 eq 544
access-list 177 deny tcp any host 10.1.1.1 eq 514
access-list 177 deny tcp any host 10.1.1.1 eq 544
access-list 177 permit ip any any
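As an added example (not part of the thread, and not Cisco's code), the following Python script does by machine what the two posts describe by hand: it counts RSHPORTATTEMPT messages per source address in a syslog excerpt like the one in the first post, and it turns "show ip interface brief" output into the CSCeb21552 workaround ACL from the reply plus the per-interface "ip access-group" statements, then checks the result first-match the way IOS evaluates an ACL. The sample log and interface table are constructed; the source address 203.0.113.7 is a documentation-range placeholder, and the function names are my own.

```python
import re
from collections import Counter
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed sample log, shaped like the lines in the original post. The
# source address is a documentation-range placeholder, not a real host.
SAMPLE_LOG = """\
*Aug 9 15:42:38: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 203.0.113.7
*Aug 9 15:42:44: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 203.0.113.7
*Aug 9 15:43:01: %SYS-5-CONFIG_I: Configured from console by console
"""

# Constructed sample 'show ip interface brief' output, modelled on the
# table in the CSCeb21552 workaround text.
SAMPLE_INTERFACE_BRIEF = """\
Interface      IP-Address    OK? Method Status                Protocol
Ethernet0/0    172.16.1.1    YES NVRAM  up                    up
Ethernet1/0    unassigned    YES NVRAM  administratively down down
Serial2/0      192.168.2.1   YES NVRAM  up                    up
Serial3/0      192.168.3.1   YES NVRAM  up                    up
Loopback0      10.1.1.1      YES NVRAM  up                    up
"""

RSH_PORTS = (514, 544)  # command-shell (rsh) and Kerberos-shell (kshell)
RSH_ATTEMPT_RE = re.compile(
    r"%RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from (\S+)"
)


def count_rsh_attempts(log_text: str) -> Dict[str, int]:
    """Count RSHPORTATTEMPT messages per source address.

    A burst from a single source within seconds is what a port scan looks
    like in this log; scattered single hits are internet background noise.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        match = RSH_ATTEMPT_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


def parse_interface_brief(text: str) -> List[Tuple[str, str]]:
    """Return (interface, address) pairs for interfaces that have an IP.

    'unassigned' interfaces are skipped: there is no address to protect,
    and 'host unassigned' is not a valid ACL entry.
    """
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Interface":
            continue
        name, addr = fields[0], fields[1]
        try:
            ip_address(addr)  # ValueError for 'unassigned'
        except ValueError:
            continue
        pairs.append((name, addr))
    return pairs


def build_rsh_acl(text: str, acl_number: int = 177) -> List[str]:
    """Emit the workaround ACL: deny TCP 514/544 to every router address,
    then permit everything else. An IOS ACL ends in an implicit deny, so
    the trailing permit is what keeps a transit router forwarding."""
    lines = []
    for _, addr in parse_interface_brief(text):
        for port in RSH_PORTS:
            lines.append(f"access-list {acl_number} deny tcp any host {addr} eq {port}")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def interface_commands(text: str, acl_number: int = 177) -> List[str]:
    """Apply the ACL inbound on each addressed interface."""
    cmds = []
    for name, _ in parse_interface_brief(text):
        cmds.append(f"interface {name}")
        cmds.append(f" ip access-group {acl_number} in")
    return cmds


def acl_blocks(acl_lines: List[str], addr: str, port: int) -> bool:
    """Evaluate the generated ACL first-match, as IOS does, for TCP to
    addr:port. Falling off the end is the implicit deny (True)."""
    for entry in acl_lines:
        fields = entry.split()
        action, rest = fields[2], fields[3:]
        if action == "deny" and rest == ["tcp", "any", "host", addr, "eq", str(port)]:
            return True
        if action == "permit" and rest == ["ip", "any", "any"]:
            return False
    return True


if __name__ == "__main__":
    print("attempts per source:", count_rsh_attempts(SAMPLE_LOG))
    print("\n".join(build_rsh_acl(SAMPLE_INTERFACE_BRIEF)))
    print("\n".join(interface_commands(SAMPLE_INTERFACE_BRIEF)))
```

Run against a real "show ip interface brief" capture the script regenerates the same nine-line ACL the bug note shows, and acl_blocks lets you confirm that 514/544 to each router address is denied while, say, port 22 to the same address still reaches the permit.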
