A few weeks ago, I published a tip about System i security and the exposure that FTP enables. That tip has generated some interesting feedback, along with some ideas from readers on how they address the issue. This tip features some additional ideas on protecting yourself from FTP abusers.
An inactive FTP server cannot be misused
First and foremost, if you don't use FTP, or you only use it on rare occasions, then don't leave the FTP server active on your system. You can check to see if the FTP server function is active on your system by running the following command:
Page down the displayed list of jobs looking for jobs named QTFTPnnnnn; they run in the QSYSWRK subsystem. If FTP is active, you will find four or five (or more) of these jobs running. To turn the FTP server off, run the ENDTCPSVR command with SERVER(*FTP). Most systems come from IBM with the FTP server set to start automatically whenever TCP/IP is started, which in practice means at every IPL. You can change this with the Change FTP Attributes (CHGFTPA) command. Prompt it with the F4 key and check the first parameter, AUTOSTART. If it is set to *YES, the FTP server starts every time TCP/IP is started; changing it to *NO stops this from happening. Before you change it, make sure nothing on the system (scheduled transfers, trading partners, backup scripts) depends on the server being up.
In our shop, we use FTP enough during the course of the day that we keep the FTP server up and active. But we have job scheduler entries in the system to turn it off at the end of the day and restart it every morning. With these settings, the server is unreachable for 16 of the 24 hours in a day. On the rare occasion when we need FTP during off hours, it is a simple matter to sign on and start it again manually with STRTCPSVR SERVER(*FTP); the evening scheduler entry ends it again as usual.
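The checks and commands from the three paragraphs above, collected into one CL sequence as an added example (this is not from the article). The job scheduler entry names FTPSTOP and FTPSTART, the 07:00 and 18:00 times, and the weekday-only start are assumptions; the scheduler entries generalize the daily on/off the article describes to a business-hours window.

```cl
/* Added example, not code from the article.  Run from a command line  */
/* (or a CL program) with authority to manage the TCP/IP servers.      */

/* 1. Is the FTP server active?  Its jobs are named QTFTPnnnnn and run */
/*    in the QSYSWRK subsystem; several of them means it is listening. */
WRKACTJOB  SBS(QSYSWRK) JOB(QTFTP*)

/* 2. End it now, and stop it from starting with TCP/IP at the next    */
/*    IPL (AUTOSTART is the first parameter of CHGFTPA).               */
ENDTCPSVR  SERVER(*FTP)
CHGFTPA    AUTOSTART(*NO)

/* 3. Business-hours-only operation: two job scheduler entries.  Entry */
/*    names, times and days are assumptions; adjust them to your shop. */
ADDJOBSCDE JOB(FTPSTOP)  CMD(ENDTCPSVR SERVER(*FTP)) FRQ(*WEEKLY) +
           SCDDAY(*ALL) SCDTIME(180000) +
           TEXT('End the FTP server at the end of the day')
ADDJOBSCDE JOB(FTPSTART) CMD(STRTCPSVR SERVER(*FTP)) FRQ(*WEEKLY) +
           SCDDAY(*MON *TUE *WED *THU *FRI) SCDTIME(070000) +
           TEXT('Start the FTP server for the business day')
/*    Confirm both entries exist and check their next run date/time.   */
WRKJOBSCDE JOB(FTP*)

/* 4. Off-hours exception: start it by hand for the one transfer, then */
/*    end it again rather than leaving it up for the scheduled FTPSTOP. */
STRTCPSVR  SERVER(*FTP)
ENDTCPSVR  SERVER(*FTP)
```

The `+` continuation is CL source style; on a command line each command is typed on one line. Two things to keep in mind with this arrangement: with AUTOSTART(*NO), an IPL during the business day leaves the FTP server down until the next FTPSTART entry runs (or someone starts it by hand), and the FTPSTOP entry fires every day, so an off-hours manual start is cleaned up that evening at the latest.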
Exit point software and System i security
The other good way to protect yourself from FTP abuse is through the implementation of exit point programs. The FTP server has exit points that can be used to filter logon attempts and each individual request (directory changes, listings, uploads, deletes, renames, CL command execution and so on) before the server carries it out. This is also true of the Telnet server, another point of possible abuse. One reader of my last tip suggested implementing the freeware SECTCP utility written by former IBMer Giovanni B. Perotti. This utility is available for free download from Easy400.net after a simple registration process, from the following website:
I have downloaded and reviewed this code, but have not implemented it, since I have my own exit point software already active. But the reader who suggested the software swears by the code. Additionally, Mr. Perotti has a terrific reputation in the System i family of users. So, if you've been thinking about implementing exit point controls, this might be an easy entry point for getting started.
The source code is all included with the download. In fact, everything needs to be compiled in order to install the software. The user instructions for getting started all appear to be fairly simple.
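To show what the request filtering described above looks like in practice, here is an FTP server request exit program written as an added example for this page. It is my own illustration, not the SECTCP utility, not a product, and not code from the article. It uses the IBM-documented FTP server request validation exit point QIBM_QTMF_SERVER_REQ with format VLRQ0100 (the application identifier, operation identifier, user profile, remote address, operation information and allow flag are that format's parameters). The policy it enforces (FTP server access only from the 10.1.*.* range, never CL command execution over FTP, and changes to the system only by a profile named FTPBATCH), the program name FTPREQEXIT and the library MYLIB are assumptions for the example.

```cl
/* FTPREQEXIT: FTP server request exit (QIBM_QTMF_SERVER_REQ, VLRQ0100). */
/* Added example for this page, not the SECTCP utility or a product.     */
/* Assumed policy: FTP server only from 10.1.*.*, no CL command          */
/* execution, and only profile FTPBATCH may change anything.  Anything   */
/* not explicitly allowed, including a runtime error here, is rejected.  */
             PGM        PARM(&APPID &OPID &USER &RMTADDR &RMTLEN +
                             &OPINFO &OPLEN &ALLOW)
             DCL        VAR(&APPID)   TYPE(*INT)  LEN(4)  /* 2 = FTP server */
             DCL        VAR(&OPID)    TYPE(*INT)  LEN(4)  /* operation, 0-9 */
             DCL        VAR(&USER)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&RMTADDR) TYPE(*CHAR) LEN(45) /* &RMTLEN bytes valid */
             DCL        VAR(&RMTLEN)  TYPE(*INT)  LEN(4)
             DCL        VAR(&OPINFO)  TYPE(*CHAR) LEN(2000) /* &OPLEN bytes valid */
             DCL        VAR(&OPLEN)   TYPE(*INT)  LEN(4)
             DCL        VAR(&ALLOW)   TYPE(*INT)  LEN(4)  /* out: 0 reject, 1 allow */
             DCL        VAR(&ADRLEN)  TYPE(*DEC)  LEN(5 0)
             DCL        VAR(&OPNUM)   TYPE(*DEC)  LEN(2 0)
             DCL        VAR(&OPTXT)   TYPE(*CHAR) LEN(2)
             /* Program-level: any escape message ends with &ALLOW as set. */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(DONE))
             CHGVAR     VAR(&ALLOW) VALUE(0)

             /* The exit point is shared with the FTP client, REXEC and    */
             /* TFTP; this program only polices the FTP server (appid 2).  */
             IF         COND(&APPID *NE 2) THEN(DO)
                CHGVAR  VAR(&ALLOW) VALUE(1)
                GOTO    CMDLBL(DONE)
             ENDDO

             /* Only the first &RMTLEN bytes of &RMTADDR are meaningful.   */
             CHGVAR     VAR(&ADRLEN) VALUE(&RMTLEN)
             IF         COND(&ADRLEN *LT 1)  THEN(CHGVAR VAR(&ADRLEN) VALUE(1))
             IF         COND(&ADRLEN *GT 45) THEN(CHGVAR VAR(&ADRLEN) VALUE(45))

             /* Source address must be in the internal 10.1.*.* range.     */
             IF         COND(&ADRLEN *LT 5) THEN(GOTO CMDLBL(REJECT))
             IF         COND(%SST(&RMTADDR 1 5) *NE '10.1.') +
                        THEN(GOTO CMDLBL(REJECT))

             /* Operation 9 is "execute CL command": never over FTP.       */
             IF         COND(&OPID *EQ 9) THEN(GOTO CMDLBL(REJECT))

             /* Operations that change the system (1 create dir, 2 delete  */
             /* dir, 5 delete file, 7 receive/upload, 8 rename) are only   */
             /* allowed for the batch transfer profile.                    */
             IF         COND((&OPID *EQ 1) *OR (&OPID *EQ 2) *OR +
                             (&OPID *EQ 5) *OR (&OPID *EQ 7) *OR +
                             (&OPID *EQ 8)) THEN(DO)
                IF      COND(&USER *NE 'FTPBATCH') THEN(GOTO CMDLBL(REJECT))
             ENDDO

             /* Remaining operations (0 session start, 3 set dir, 4 list,  */
             /* 6 send/download) are allowed from the internal range.      */
             CHGVAR     VAR(&ALLOW) VALUE(1)
             GOTO       CMDLBL(DONE)

 REJECT:     CHGVAR     VAR(&ALLOW) VALUE(0)
             CHGVAR     VAR(&OPNUM) VALUE(&OPID)
             CHGVAR     VAR(&OPTXT) VALUE(&OPNUM)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) TOMSGQ(QSYSOPR) +
                        MSGDTA('FTP request rejected: user' *BCAT &USER +
                               *BCAT 'op' *BCAT &OPTXT *BCAT 'from' *BCAT +
                               %SST(&RMTADDR 1 &ADRLEN))
 DONE:       ENDPGM
```

Compile it with CRTBNDCL PGM(MYLIB/FTPREQEXIT) SRCFILE(MYLIB/QCLSRC), register it with ADDEXITPGM EXITPNT(QIBM_QTMF_SERVER_REQ) FORMAT(VLRQ0100) PGMNBR(1) PGM(MYLIB/FTPREQEXIT), and then end and restart the FTP server with ENDTCPSVR SERVER(*FTP) and STRTCPSVR SERVER(*FTP) so the server jobs pick it up. The server jobs must be authorized to call the program object. The design choice worth noting is that the program starts with the answer "reject" and only changes it on an explicit match, so a logic error or an unexpected escape message in the exit fails closed rather than open. Test it from one client that should be allowed and one that should not before relying on it; a broken exit program blocks all FTP use, which is noticeable, while an exit that allows too much is not. User and password checks belong to the separate FTP logon exit point (QIBM_QTMF_SVR_LOGON), which this program does not cover.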
Also, if you don't want the bother of maintaining your own exit point code, there are quite a few very good products currently available from reputable System i software developers. FTP and Telnet controls are just the tip of the iceberg where exit programming for security is concerned.
If you have any questions about this topic you can reach me at firstname.lastname@example.org. I'll try to answer any questions you may have. All e-mail messages will be answered.
About the author
Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.