Port reference

Port 513 (TCP) – rlogin

Legacy Berkeley remote-login service using cleartext and trust-based authentication via .rhosts.

tcp · Well-known · Commonly attacked

Default state

Deprecated and disabled on modern systems, but still present on legacy Unix hosts and in lab images like Metasploitable.

Common attacks

  • Cleartext credential and session capture via sniffing
  • Trust-based authentication abuse via .rhosts and hosts.equiv
  • Passwordless login from a spoofed trusted host
  • Credential brute force against the rlogin daemon

Hardening

  • Disable rlogin entirely and use SSH (port 22) instead
  • Remove rlogind from inetd/xinetd and uninstall the r-services package
  • Block inbound 513 at the perimeter firewall
  • Audit and remove any .rhosts and hosts.equiv trust files

nmap snippet

nmap -p513 --script rlogin-brute,banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 513?

Port 513 is the well-known port for rlogin, a legacy Berkeley r-service for interactive remote login. Like its siblings rexec (512) and rsh (514), it dates from an era of trusted networks. It provides a remote terminal session and is deprecated in favor of SSH, but still appears on legacy Unix hosts and deliberately vulnerable lab images like Metasploitable.

Why it matters for security

rlogin sends the entire session and credentials in cleartext, so anyone on the path can capture them. Its defining weakness is trust-based authentication: with a .rhosts or hosts.equiv entry, a user from a "trusted" host can log in with no password at all. Because that trust is based on easily spoofed source addresses, rlogin is one of the most trivially abused legacy services.

How it's attacked

Attackers sniff the cleartext session to steal credentials, or spoof a trusted host to obtain a passwordless login through .rhosts. They also brute-force the rlogin daemon directly. Any of these yields an interactive shell on the target with minimal effort.

Hardening checklist

Disable rlogin entirely and use SSH (port 22) for remote login. Remove rlogind from inetd/xinetd and uninstall the r-services package. Block inbound 513 at the perimeter firewall, and audit and remove any .rhosts and hosts.equiv files that grant passwordless trust. The nmap snippet above probes the service and tests authentication on systems you are authorized to test.
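For the audit step above, an added example (not part of the original page): a POSIX shell function that lists every hosts.equiv and .rhosts entry under a root directory and flags `+` wildcard entries, which trust any host or any user. The function name `audit_rtrust`, the severity labels and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit r-services trust files.
# audit_rtrust ROOT prints one line per entry: SEVERITY<TAB>FILE<TAB>ENTRY
#   WILDCARD  "+" in the host or user field (any host / any user is trusted)
#   DENY      entry starting with "-" (explicit denial, listed for review)
#   TRUST     a named host (and optional user) allowed in without a password
# Function name, labels and output format are assumptions of this example.

audit_rtrust() {
    root=${1:-/}
    {
        # System-wide trust file.
        [ -f "$root/etc/hosts.equiv" ] && printf '%s\n' "$root/etc/hosts.equiv"
        # Per-user trust files. -xdev stays on one filesystem, so repeat the
        # audit for separately mounted home directories.
        find "$root" -xdev -type f -name .rhosts 2>/dev/null
    } | while IFS= read -r f; do
        # Each entry is "host [user]"; the || clause keeps a final line that
        # lacks a trailing newline.
        while read -r host user rest || [ -n "$host" ]; do
            case "$host" in ''|'#'*) continue ;; esac   # blank or comment
            sev=TRUST
            if [ "$host" = "+" ] || [ "$user" = "+" ]; then sev=WILDCARD; fi
            case "$host" in -*) sev=DENY ;; esac
            printf '%s\t%s\t%s\n' "$sev" "$f" "$host${user:+ $user}"
        done <"$f"
    done
}

# Run against a root only when one is given, e.g.: sh audit.sh /
if [ "$#" -gt 0 ]; then audit_rtrust "$1"; fi
```

Any WILDCARD line means passwordless login is open to every host or every user, so those files are the first to remove.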

Frequently asked questions

Is rlogin on port 513 safe?
No. rlogin is a legacy Berkeley r-service that sends the session and credentials in cleartext and trusts .rhosts files for passwordless login. It is trivially sniffed and spoofed — use SSH instead.

What is the difference between rlogin and Telnet?
Both give cleartext remote terminals, but rlogin adds Berkeley trust-based authentication via .rhosts that can allow passwordless login. Both are deprecated in favor of SSH on port 22.