More tips for securing FTP on your System i

An inactive FTP server cannot be misused

First and foremost, if you don't use FTP, or you only use it on rare occasions, then don't leave the FTP server active on your system. You can check to see if the FTP server function is active on your system by running the following command:

WRKACTJOB SBS(QSYSWRK)

Page down the displayed list of jobs looking for jobs named QTFTPnnnnn. If FTP is active, you will find four or five (or more) of these jobs running. To turn the FTP server off, run the ENDTCPSVR command specifying the *FTP server option. Most systems come from IBM with the FTP server set to start automatically whenever TCP/IP is started. You can change this by running the Change FTP Attributes (CHGFTPA) command. Prompt it with the F4 key and check the first parameter. If it is set to *YES, then FTP is going to start automatically at every IPL. Changing this to *NO will stop this from happening.

In our shop, we use FTP enough during the course of the day that we keep the FTP server up and active. But we have job scheduler entries in the system to turn it off at the end of the day and restart it every morning. With these settings, 16 of the possible 24 hours of exposure per day are completely protected. On the rare occasion when we need FTP during off hours, it is a simple matter to log in and start it again manually.

Exit point software and System i security

The other good way to protect y

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries security tips Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users Tracking System i program object changes Recovering your AS/400 security configuration System values on i: Setting them up and locking i down A guide to System i security, Part 3: Digging in to the System i security environment FTP Simplify the process of converting a spool file from iSeries into an Excel spreadsheet Generically send a text file from the IFS via FTP Automate Client Access to find files on Windows scheduler SAVF by FTP on AS/400 -- error "source file not found" Use a virtual directory to move a .bmp file from the IFS to a remote server to run a software package Transferring binary files to IFS from a PC via FTP FTP from AS/400 to PC folder How to FTP without knowing the file name IFS folder error Creating the correct member type in a source physical file via FTP System i security software Raz-Lee announces SSL support System i security and auditing software announced System i security software gets upgrade

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ourself from FTP abuse is through the implementation of exit point programs. The FTP server has an exit point that can be used to filter incoming requests. This is also true of the Telnet server, another point of possible abuse. One reader of my last tip suggested implementing the freeware SECTCP utility written by the former IBMer Giovanni B. Perotti. This utility is available for free download from Easy400.net after a simple registration process, from the following website:

I have downloaded and reviewed this code, but have not implemented since I have my own exit point software already active. But the reader who suggested the software swears by the code. Additionally, Mr. Perotti has a terrific reputation in the System i family of users. So, if you've been thinking about implementing exit point controls, this might be any easy entry point for getting started.

The source code is all included with the download. In fact, everything needs to be compiled in order to install the software. The user instructions on getting started all appear to be fairly simple.

Also, if you don't want the bother of maintaining your own exit point code, there are quite a few very good products currently available from reputable System i software developers. FTP and Telnet controls are just the tip of the iceberg where exit programming for security is concerned.

If you have any questions about this topic you can reach me at rich@kisco.com. I'll try to answer any questions you may have. All e-mail messages will be answered.

---------------------------
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.