Vulnerability scan fails on OVPN Port: RSH Service Detected
Posted: Tue Mar 05, 2013 8:04 pm
Hey Guys, I hope someone can help.
I have been using RouterOS for some years now, but only recently has this started popping up on my routers that have vulnerability scans running on them.
I use OpenVPN for many of my clients to access their networks. However, I am now getting errors on vulnerability scans stating that the rsh service is detected over TCP port 1194, which it states is high severity. Here is the exact message:
The rsh service is running. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rsh client and the rsh server. This includes logins and passwords. You should disable this service and use ssh instead.
Other related low-severity errors are:
Unix R-Services (e.g., rlogin, rsh, etc.) are accessible on this host. These services allow for the remote execution of commands on a system. This generally reflects a lack of adequate firewall rules or other network-level access control which violates requirement 1 of the PCI DSS.
and
One or more remote access services were detected on the remote host. As defined by the PCI ASV Program Guide: "remote access software includes, but is not limited to: VPN (IPSec, PPTP, SSL), pcAnywhere, VNC, Microsoft Terminal Server, remote web-based administration, ssh, Telnet."
I have firewall rules dropping all input other than established/related and approved IP addresses, and I only have Winbox and SSH enabled under /ip services (firewall rules limit these to only my public IPs).
I cannot find any correlation to RSH and OVPN, nor between RouterOS and RSH. Any ideas are greatly appreciated.