Telnet connections: Are yours secure?


Rich Loeber
12.12.2006

I am always amazed at how easy it is to establish a Telnet connection with another system. Just open a command box on your PC and enter the TELNET command along with the IP address of the system you want to connect to. On most System i boxes, you'll get the familiar sign-on screen and as long as you have a legitimate user profile and password, you're in business. I recently had an IT manager ask me to connect to their system to do some diagnostic work. They gave me what appeared to be very secure instructions to obtain a sign-on screen from a Web-based applet. I followed their instructions and ended up connecting and getting the work done. When I was finished, on a whim, I tried a direct Telnet connection to their system and got through without a hassle. Their IP address was provided through the Web-based application sign-on process, which was a significant weakness in my book, as well.

In earlier tips regarding getting control over IP server functions, I recommended just shutting off the server function if you use it sparingly -- or not at all. Unfortunately, Telnet does not fall into this category. iSeries Access uses Telnet to establish emulation sessions and most other legitimate methods for establishing a terminal session end up going through the Telnet server. So, if you shut off Telnet, you'll be shooting yourself in the foot.

The good news: there are several things you can do to get control over how Telnet sessions are issued on your system. The first big step you can take is to turn off automatic configuration of virtual devices. For terminal sessions, these are the pesky QPADEVnnnn sessions that you may be familiar with already. You do this by updating the system value of QAUTOVRT to zero. Before you do that, check your system to see if there are active sessions using one of these device names. If so, then you'll have to contact the users that are coming in with these device names and get their terminal session configurations updated to use a known device name.

Concurrent with this, you will also have to deactivate automatic device configuration. Without taking this step, anyone can configure a new device name by just using it in a new configuration. The first time they sign on, the system will generate the required device description for them. You can shut this off by updating the system value QAUTOCFG to zero (off).

Once you've made these changes, you should then go through your system and manually remove any QPADEVnnnn devices that have already been created and used on your system. You can view all of these by going to the OS menu named CFGVRT and running option number three, or by running the following command:

WRKDEVD DEVD(*VRTDSP)

This will display all of the virtual display devices on your system. Just check those with names that start with QPADEV.

While you're making these changes, it would also be a good idea to check the system value QAUTORMT. This should also be set to zero (off) to help assure a secure system.

Some of your people may rely on automatic device configuration when new devices are attached to your system, and that's probably still OK. But, it doesn't happen every day in most shops, which is a good reason to keep it turned off most of the time. When you need automatic device configuration, you can activate it for a few minutes as needed, and then shut it off again.
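The checks described above can be gathered into one CL program that reports any of the three system values that is not set to zero and prints the QPADEV device descriptions still on the system. This is an added example, not code from the author; the program name CHKVRTCFG and the message wording are assumptions.

```cl
/* CHKVRTCFG: hypothetical audit program (added example).          */
/* Reports QAUTOVRT, QAUTOCFG and QAUTORMT when they are not off,  */
/* then prints the QPADEV* device descriptions for manual review.  */
PGM
   DCL VAR(&AUTOVRT) TYPE(*DEC)  LEN(5 0)  /* numeric system value */
   DCL VAR(&AUTOCFG) TYPE(*CHAR) LEN(1)    /* '0' = off, '1' = on  */
   DCL VAR(&AUTORMT) TYPE(*CHAR) LEN(1)    /* '0' = off, '1' = on  */

   RTVSYSVAL SYSVAL(QAUTOVRT) RTNVAR(&AUTOVRT)
   RTVSYSVAL SYSVAL(QAUTOCFG) RTNVAR(&AUTOCFG)
   RTVSYSVAL SYSVAL(QAUTORMT) RTNVAR(&AUTORMT)

   /* Virtual devices (QPADEVnnnn) are still created automatically */
   IF COND(&AUTOVRT *NE 0) THEN(DO)
      SNDPGMMSG MSG('QAUTOVRT is not 0: virtual devices auto-created')
      SNDPGMMSG MSG('Fix: CHGSYSVAL SYSVAL(QAUTOVRT) VALUE(0)')
   ENDDO

   /* New device names are still configured at first sign-on       */
   IF COND(&AUTOCFG *NE '0') THEN(DO)
      SNDPGMMSG MSG('QAUTOCFG is on: devices are auto-configured')
      SNDPGMMSG MSG('Fix: CHGSYSVAL SYSVAL(QAUTOCFG) VALUE(''0'')')
   ENDDO

   IF COND(&AUTORMT *NE '0') THEN(DO)
      SNDPGMMSG MSG('QAUTORMT is on: set it to zero (off) as well')
      SNDPGMMSG MSG('Fix: CHGSYSVAL SYSVAL(QAUTORMT) VALUE(''0'')')
   ENDDO

   /* Spooled list of the QPADEV* device descriptions to review.   */
   /* Each one is removed by hand with DLTDEVD DEVD(device-name).  */
   DSPOBJD OBJ(QSYS/QPADEV*) OBJTYPE(*DEVD) OUTPUT(*PRINT)
   MONMSG MSGID(CPF0000) EXEC(SNDPGMMSG +
            MSG('No QPADEV* device descriptions found'))
ENDPGM
```

The program only reports; the CHGSYSVAL commands in its messages are the changes the tip recommends, to be run once active QPADEV sessions have been moved to known device names.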

If you have specific questions about this topic, email me at rich@kisco.com. All email messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

