17 Apr, 2023

Remote who Protocol

Penetration Testing as a service (PTaaS)

Tests security measures and simulates attacks to identify weaknesses.

“rwho” protocol is a legacy network protocol used for remote monitoring of logged-in users on a Unix or Unix-like system. “rwho” stands for “remote who.” It is a client-server protocol that allows one system to query another system for information about currently logged-in users, their terminal sessions, and their host names. The server, running the “rwhod” daemon, collects information about logged-in users from various sources, such as the utmp or wtmp files that store information about active terminal sessions, and makes this information available to remote clients via the “rwho” protocol.  

Rwho common ports 

The rwho protocol uses two common ports: 

TCP/UDP Port 513: This is the default port used by the rwho protocol for communication between the rwho server and clients. The rwho server listens on this port for incoming requests from rwho clients. 

TCP/UDP Port 514: This is the default port used by the rwhod (rwho daemon) for broadcasting system information, such as user login/logout details and system load averages, to other systems on the local network. 

Tools for using Rwho protocol 

There are several tools that can be used for interacting with the rwho protocol: 

rwho: This is the standard command-line tool that is used to display information about users who are logged into the local system or remote systems on the same network. It can show information such as username, terminal, login time, and system load averages. 

rwhod: This is the daemon (background process) that collects system-related information, such as user login/logout details and system load averages, and broadcasts it to other systems on the local network. The rwhod daemon is responsible for sending the information that can be displayed using the rwho command. 

Useful Information  

– The rwho protocol is used to monitor and display information about users who are logged into a Unix-based system. It provides details such as username, terminal, login time, and system load averages. This information can be helpful for system administrators to monitor system usage, identify active user sessions, and track system performance. 

– The rwho protocol uses a broadcasting mechanism to send system-related information from the rwhod daemon to other systems on the same local network. The rwhod daemon collects system information, such as user login/logout details and system load averages, and broadcasts it using UDP packets to a specific port (default port 514) on the local network. 

– As the rwho protocol uses broadcasting, it can pose potential security risks if not properly secured. Information broadcasted by the rwhod daemon, such as user login details, can be intercepted by other systems on the same network. Therefore, it’s important to configure proper access controls, firewalls, and other security measures to limit the exposure of rwho information to trusted systems and users. 

– The rwho protocol provides detailed information about users who are logged into a system, which may raise privacy concerns in some scenarios. System administrators should consider the privacy implications and obtain appropriate consent from users before collecting and displaying rwho information. 

– While rwho is a built-in protocol in Unix-based systems, there are other modern system monitoring tools available, such as syslog, SNMP (Simple Network Management Protocol), and web-based monitoring tools like Nagios, Zabbix, and Prometheus, which offer more advanced and secure monitoring capabilities compared to rwho. 

– The rwho protocol typically requires the installation and configuration of the rwhod daemon on the systems that need to broadcast information, and the use of rwho or other tools on the systems that need to display the information. Configuration files, such as /etc/hosts.equiv and /etc/rwhod.conf, can be used to control the behavior of the rwhod daemon and the rwho protocol. 

Books on Remote who protocol 

“UNIX Network Programming: Networking APIs: Sockets and XTI” by W. Richard Stevens: This book covers various networking concepts and protocols in Unix-based systems, including rwho, in detail. It provides a comprehensive understanding of network programming using sockets and XTI (X/Open Transport Interface) APIs. 

“The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference” by Charles M. Kozierok: This book is a comprehensive reference guide to TCP/IP protocols, including rwho, with detailed explanations, illustrations, and examples. It covers the fundamentals of networking, protocols, and practical implementation in a clear and concise manner. 

“UNIX and Linux System Administration Handbook” by Evi Nemeth, Garth Snyder, Trent R. Hein, and Ben Whaley: This book is a comprehensive guide to system administration in Unix and Linux environments, covering various protocols, including rwho, and their usage in managing Unix and Linux systems. It provides practical examples, tips, and best practices for system administrators. 

“The Practice of Network Security Monitoring: Understanding Incident Detection and Response” by Richard Bejtlich: This book focuses on network security monitoring, including protocols like rwho, and provides insights into detecting and responding to security incidents. It covers the principles, tools, techniques, and best practices for network security monitoring, including monitoring protocols and analyzing network traffic. 

“UNIX Systems Programming: Communication, Concurrency, and Threads” by Kay A. Robbins and Steven Robbins: This book covers various Unix-based system programming concepts, including inter-process communication (IPC) and networking protocols, including rwho. It provides a comprehensive understanding of Unix systems programming for developers and system administrators. 

Weakness and Vulnerabilities

• Lack of authentication and encryption: The rwho protocol does not provide any built-in authentication or encryption mechanisms, which makes it susceptible to unauthorized access and eavesdropping. This can potentially result in information disclosure or tampering, as the protocol does not verify the identity of the sender or protect the integrity of the transmitted data. 

• Lack of access control: The rwho protocol does not have granular access control mechanisms, which means that any user on the network can potentially query and retrieve information from the rwho service. This can lead to unauthorized access to system information and user data. 

• Lack of confidentiality: The rwho protocol transmits information about system usage and user activity in clear text, which can be intercepted and monitored by malicious actors. This can result in the disclosure of sensitive information, such as user login names, terminal names, and idle times, which can be exploited for malicious purposes. 

• Lack of integrity checking: The rwho protocol does not provide mechanisms for verifying the integrity of the received data. This means that malicious actors could potentially tamper with the information exchanged via rwho, leading to inaccurate or misleading system status reports. 

• Limited scalability: The rwho protocol relies on broadcasting or multicasting to share system information across the network, which may not scale well in large networks. This can result in increased network overhead, congestion, and potential performance issues. 

• Lack of modern security features: The rwho protocol was designed in the early days of Unix-based systems and lacks modern security features such as encryption, authentication, and access control. This makes it vulnerable to various attacks, including spoofing, tampering, and information disclosure. 

• Potential for spoofing attacks: The rwho protocol relies on trust based on IP addresses, which can be easily spoofed. This opens the possibility for attackers to impersonate legitimate systems and send false or malicious information via rwho, leading to inaccurate system status reports and misleading system monitoring. 

• Limited logging and auditing: The rwho protocol does not provide comprehensive logging and auditing mechanisms, which can make it difficult to track and investigate potential security incidents or misuse of the rwho service. 

• Compatibility and interoperability issues: The rwho protocol may not be widely supported or used in modern networks, which can lead to compatibility and interoperability issues when trying to integrate rwho with other network monitoring or management tools.


To mitigate the weaknesses and vulnerabilities of the rwho protocol, following measures must be taken: 

1. Disable or secure the rwho service: If the rwho service is not needed in your environment, consider disabling it altogether to eliminate potential risks associated with its use. If the service is necessary, ensure that it is properly configured with appropriate security measures, such as enabling authentication and encryption. 

2. Implement authentication and encryption mechanisms: Use authentication mechanisms, such as password authentication or public key authentication, to verify the identity of the sender and prevent unauthorized access. Implement encryption, such as TLS/SSL, to protect the confidentiality and integrity of data transmitted over the network. 

3. Restrict access to the rwho service: Limit access to the rwho service based on network segments or IP addresses to only trusted hosts. This can help prevent unauthorized access to the service and reduce the potential for spoofing attacks. 

4. Monitor for unauthorized access and suspicious activity: Implement monitoring and logging mechanisms to track and audit the usage of the rwho service for any signs of potential misuse or unauthorized access. Regularly review logs and alerts for any suspicious activity and take appropriate actions in response. 

5. Keep systems and network infrastructure up to date: Regularly apply security patches, updates, and hardening measures to the underlying operating systems and network infrastructure to mitigate known vulnerabilities and weaknesses. This includes keeping all relevant software and firmware up to date, including the rwho service itself. 

6. Implement additional security measures: Consider implementing additional security measures, such as firewalls, intrusion detection systems, and security monitoring tools, to provide an additional layer of defense against potential attacks targeting the rwho protocol. 

7. Consider alternative protocols: If the vulnerabilities and weaknesses of the rwho protocol are of significant concern, consider using alternative protocols that provide more robust security features, such as SNMP (Simple Network Management Protocol) or modern network monitoring and management tools that offer more advanced security capabilities. 


In conclusion, while the rwho protocol has been a useful tool for system monitoring and status reporting in Unix-like environments, it is not without its vulnerabilities and weaknesses. These vulnerabilities could potentially be exploited by malicious actors to gain unauthorized access, spoof information, or launch attacks. However, with careful implementation of security measures, such as authentication, encryption, access restrictions, monitoring, and regular updates, the risks associated with the rwho protocol can be mitigated. 

It is crucial to assess the risks and vulnerabilities in your specific environment and take proactive steps to secure the rwho protocol or consider alternative protocols that provide more robust security features. By following best practices, staying vigilant, and keeping up to date with the latest security updates, you can significantly reduce the risks associated with the rwho protocol and ensure the integrity and confidentiality of your system monitoring and reporting activities. 

Remember, security is an ongoing process that requires continuous effort and attention. By prioritizing security measures and taking necessary precautions, you can effectively protect your system and network from potential vulnerabilities and keep your environment secure. Stay informed, stay proactive, and make security a top priority when using the rwho protocol or any other network service in your environment. 

Other Services

Ready to secure?

Let's get in touch