More tips for securing FTP on your System i


Richard Loeber, Contributor
07.31.2007
A few weeks ago, I published a tip about System i security and the exposure that FTP enables. That tip has generated some interesting feedback, along with some ideas from readers on how they address the issue. This tip features some additional ideas on protecting yourself from FTP abusers.

An inactive FTP server cannot be misused

First and foremost, if you don't use FTP, or you only use it on rare occasions, then don't leave the FTP server active on your system. You can check to see if the FTP server function is active on your system by running the following command:

WRKACTJOB SBS(QSYSWRK)

Page down the displayed list of jobs looking for jobs named QTFTPnnnnn. If FTP is active, you will find four or five (or more) of these jobs running. To turn the FTP server off, run the ENDTCPSVR command specifying the *FTP server option. Most systems come from IBM with the FTP server set to start automatically whenever TCP/IP is started. You can change this by running the Change FTP Attributes (CHGFTPA) command. Prompt it with the F4 key and check the first parameter. If it is set to *YES, then FTP is going to start automatically at every IPL. Changing this to *NO will stop this from happening.

In our shop, we use FTP enough during the course of the day that we keep the FTP server up and active. But we have job scheduler entries in the system to turn it off at the end of the day and restart it every morning. With these settings, 16 of the possible 24 hours of exposure per day are completely protected. On the rare occasion when we need FTP during off hours, it is a simple matter to log in and start it again manually.
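
The commands below put the steps in this section together as an added example; they are not the author's own scheduler entries. The job names ENDFTP and STRFTP and the 09:00 to 17:00 window are assumptions chosen to match the 8 hours up, 16 hours down split described above.

```cl
/* Added example, not from the original tip.                         */
/* Assumed: job names ENDFTP/STRFTP and a 09:00-17:00 FTP window.    */

/* 1. Stop FTP from starting automatically with TCP/IP, so that an   */
/*    overnight IPL does not bring the server back up off-hours.     */
CHGFTPA AUTOSTART(*NO)

/* 2. End the FTP server every day at 17:00.                         */
ADDJOBSCDE JOB(ENDFTP) +
           CMD(ENDTCPSVR SERVER(*FTP)) +
           FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) +
           SCDTIME(170000)

/* 3. Start the FTP server again every morning at 09:00.             */
ADDJOBSCDE JOB(STRFTP) +
           CMD(STRTCPSVR SERVER(*FTP)) +
           FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) +
           SCDTIME(090000)

/* 4. Check the result: outside the window no QTFTPnnnnn jobs        */
/*    should be listed in QSYSWRK.                                   */
WRKACTJOB SBS(QSYSWRK) JOB(QTFTP*)

/* Manual start for the rare off-hours transfer; the 17:00 entry     */
/* ends the server again on the next scheduled run.                  */
STRTCPSVR SERVER(*FTP)
```

With AUTOSTART(*NO), an IPL during working hours leaves FTP down until the next STRFTP run or a manual STRTCPSVR.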

Exit point software and System i security

The other good way to protect yourself from FTP abuse is through the implementation of exit point programs. The FTP server has an exit point that can be used to filter incoming requests. This is also true of the Telnet server, another point of possible abuse. One reader of my last tip suggested implementing the freeware SECTCP utility written by the former IBMer Giovanni B. Perotti. This utility is available for free download from Easy400.net after a simple registration process, from the following website:

I have downloaded and reviewed this code, but have not implemented it since I have my own exit point software already active. But the reader who suggested the software swears by the code. Additionally, Mr. Perotti has a terrific reputation in the System i family of users. So, if you've been thinking about implementing exit point controls, this might be an easy entry point for getting started.

The source code is all included with the download. In fact, everything needs to be compiled in order to install the software. The user instructions on getting started all appear to be fairly simple.

Also, if you don't want the bother of maintaining your own exit point code, there are quite a few very good products currently available from reputable System i software developers. FTP and Telnet controls are just the tip of the iceberg where exit programming for security is concerned.

If you have any questions about this topic you can reach me at rich@kisco.com. I'll try to answer any questions you may have. All e-mail messages will be answered.

---------------------------
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
