Script kiddie FTP attacks on System i

Rich Loeber

Since then, I've been observing repeated attack attempts on my personal System i in my office and I've identified a particular type of attack that has me worried. It is what's called a "script kiddie" attack, named because the attack is mounted using an FTP script. This means that it can be repeated over and over again on any target. The word "kiddie" is used because it is so easy, even a child could mount the attack.

What is a script kiddie attack?
Typically, a "script Kid" attack will repeatedly attempt to log on to your system using a well-known profile name. The most common profiles used by the kiddies are ADMIN and ADMINISTRATOR, which are very popular profiles in the Unix world. This is good news for System i security folks, because these attacks will generally get nowhere on System i.

More on FTP and System i security: More tips for securing FTP on your System i Establish strong OS security to ward off FTP hackers Implementing FTP and ODBC security on the iSeries 400

However, not all Kids stick with this basic attack form. A particular kind of attack that keeps me on my toes happened a few weeks ago. This was actually the event that prompted me to write this article:

This script kiddie started sign-on attempts through FTP using common first names. Each name made three sign-on attempts, each using a different password. I'm sure the script called for commonly used passwords such as "password," "security," or the same value as the user profile. Scanning through the log of rejects for this attempt, I see a very comprehensive list of first names used, such as ABBY, ABIGAIL, ABRAHAM, ABUSE, ACCOUNTS, ADAM, ADRIAN, ALAN, ALBERT and so on.

On the surface, this attack pattern seems like it would fail miserably as long as you have good password policies in place. And, as far as preventing access to your system, this is a true statement. However, this kind of attack could have a devastating impact on your system by cycling through commonly used profiles and causing them to be disabled by the operating system.

Most System i shops allow for three logon retries when an incorrect password is entered. After the third attempt, the profile is disabled and can only be reactivated by the security officer. You could easily find yourself suddenly inundated with requests to reactivate disabled accounts all over your shop, bringing work on your system to a halt.

Uncommon profile names mean good security
So, how can you defend against this type of attack? For me, on my small test machine, I just shut down the FTP server when I saw the attack start up. But that is not an easy option for most of you.

The best solution is to have profile names that are uncommon. Don't use first names for your profiles. A good solution is to pick profile names based on a combination of first and last name. For those accounts that come with your system from IBM, the infamous Q profiles, make sure that none of them are used for regular production purposes. You should keep these profiles on your system in a disabled state.

Sooner or later, a script kiddie is going to get around to putting QSYSOPR, QUSER and QSECOFR in their list of profile names to try. You should also keep a backup security officer profile available in case QSECOFR gets disabled. Finally, and I've said this many times, never allow a profile to be created on your system using the default password.

If you have any questions about this topic you can reach me at rich@kisco.com. All email messages will be answered as quickly as possible.

---------------------------
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT iSeries system and application security Is your AS/400 secure?: How a hacker could get valuable information from your system System i security report round-up A guide to System i security, part 2: Landing and establishing access Creating a System i database security policy: Implementation Creating a System i database security policy: First steps Overriding the timeout interval on specific terminals Deleting iSeries audit logs Moving to security level 40 Enhancements in the intrusion detection system for i5/OS V6R1 Six common System i security lapses iSeries security tips Is your AS/400 secure?: How a hacker could get valuable information from your system System i security report round-up A guide to System i security, part 2: Landing and establishing access Creating a System i database security policy: Implementation A guide to System i security: Descending into the heart of darkness of IT security Creating a System i database security policy: First steps Enhancements in the intrusion detection system for i5/OS V6R1 Six common System i security lapses Working with exit programs in i5/OS V6 New password-control security features for i5/OS V6R1 RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.