Port 513 – RLOGIN (Remote Login)

Why It’s Open

Port 513 hosts the Remote Login (RLOGIN) service, a legacy Unix protocol that provides remote terminal access to systems. Like its sibling REXEC, RLOGIN was widely used in early Unix networks but is now considered dangerous due to its lack of security features.

The service was designed for easy remote access between trusted Unix hosts, using a simple trust model based on hostnames and usernames. While obsolete, it may still appear in older environments or systems that haven’t been properly modernized.

Common Risks

Trust Exploitation
Weak host-based authentication can be spoofed.
Plaintext Transmission
All session data is sent unencrypted.
Host Spoofing
DNS or IP spoofing can bypass trust relationships.
Credential Exposure
Login credentials visible to network sniffers.
Session Hijacking
No protection against connection takeover.

Want to save time on reporting?

Let PentestPad generate, track, and export your reports - automatically.

Enumeration & Testing

Check if it’s open:

nmap -sT -p 513

Test RLOGIN access:

nc -v  513

Basic connection:

rlogin

What to Look For

Checkpoint	What it means
RLOGIN service active	Insecure legacy protocol in use
Trust relationships	Potential for authentication bypass
No encryption	All traffic can be intercepted
Automatic login allowed	Host-based trust being used

Mitigation

Disable RLOGIN
Remove or disable the RLOGIN service.
Implement SSH
Replace with SSH for secure remote access.
Network Restrictions
If required, limit to internal trusted networks.
Strong Authentication
Require explicit authentication if must be used.
Monitor Access
Log and audit all RLOGIN connection attempts.

TL;DR

Port 513 = RLOGIN service
Obsolete remote access protocol
No encryption or strong auth
Should be replaced with SSH

Known CVEs and Exploits

CVE-1999-0520 – RLOGIN trust relationship exploitation
CVE-2001-0554 – Format string vulnerability in rlogind
Metasploit rlogin_login module – Automated login attempts