[13365] in North American Network Operators' Group
Re: OK.
daemon@ATHENA.MIT.EDU (Wayne Bouchard)
Mon Nov 3 19:12:29 1997
From: Wayne Bouchard <web@typo.org>
To: alex@nac.net (Alex Rubenstein)
Date: Sat, 1 Nov 1997 21:53:34 -0700 (MST)
Cc: hannan@bythetrees.com, nanog@merit.edu
In-Reply-To: <Pine.BSF.3.96.971101233759.13405v-100000@iago.nac.net> from "Alex Rubenstein" at Nov 1, 97 11:40:56 pm
> > Moreover, and keeping with the operational charter of the newsgroup, I
> > would not recommend that folks enable r* commands on their cisco
> > routers.
>
> I have been thinking about this; and, I can't figure out why. If you can
> in the cisco specifically tell it which machines to listen to for rsh
> connections, and specifically tell it not to allow any enable commands,
> how can it be bad?
Well, if it's possible to r* into a router, it's possible to take
advantage of a mistake by an administrator (forgetting to disable a
service or temporarily enabling it and forgetting to AGAIN disable it)
and get into the router.
I think the primary reason for disabling r* commands is not so much
because of inherent problems but more to close potential holes and
prevent accidents.
----------------------------------------------------------------------
Wayne Bouchard GlobalCenter
web@primenet.com
Primenet Network Operations Internet Solutions for
(602) 416-6422 800-373-2499 x6422 Growing Businesses
FAX: (602) 416-9422
http://www.primenet.com http://www.globalcenter.net
----------------------------------------------------------------------
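
The check below is an added example, not part of the original message or of any Cisco tooling: it audits a saved IOS configuration for the r* settings discussed in this thread (`ip rcmd rsh-enable`, `ip rcmd rcp-enable`, and `ip rcmd remote-host ... [enable]`), including trust entries left behind after the service was turned off. The function name `audit_rcmd` and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample of a saved IOS config; hosts and usernames are invented.
SAMPLE_CONFIG = """\
hostname edge1
!
ip rcmd rsh-enable
ip rcmd remote-host netops 192.0.2.10 netops
ip rcmd remote-host backup 192.0.2.20 root enable 15
no ip rcmd rcp-enable
!
line vty 0 4
 transport input ssh
"""

SERVICE_RE = re.compile(r"^(no\s+)?ip rcmd (rsh|rcp)-enable$")
HOST_RE = re.compile(r"^ip rcmd remote-host (\S+) (\S+) (\S+)(\s+enable(\s+\d+)?)?$")

def audit_rcmd(config_text):
    """Return (enabled services, trust entries, findings) for one config."""
    enabled, entries, findings = {}, [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            negated, service = m.groups()
            if negated:
                enabled.pop(service, None)   # a later "no" form wins
            else:
                enabled[service] = lineno
            continue
        m = HOST_RE.match(line)
        if m:
            local, host, remote, enable, _level = m.groups()
            entries.append({"line": lineno, "local": local, "host": host,
                            "remote": remote, "enable": bool(enable)})
    for service, lineno in sorted(enabled.items()):
        findings.append((lineno, f"{service} service is enabled"))
    for e in entries:
        if e["enable"]:
            findings.append((e["line"], f"{e['remote']}@{e['host']} may run enable-level commands"))
    if entries and not enabled:
        # Trust left behind: it goes live again if rsh/rcp is switched back on.
        findings.append((0, "remote-host entries remain while rsh/rcp are off"))
    return set(enabled), entries, findings

if __name__ == "__main__":
    for lineno, message in audit_rcmd(SAMPLE_CONFIG)[2]:
        print(f"line {lineno}: {message}")
```

Run it against each archived configuration; a finding with line 0 means the trust list is still present even though neither service is currently enabled.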