Since then, I've been observing repeated attack attempts on my personal System i in my office and I've identified a particular type of attack that has me worried. It is what's called a "script kiddie" attack, named because the attack is mounted using an FTP script. This means that it can be repeated over and over again on any target. The word "kiddie" is used because it is so easy, even a child could mount the attack.
What is a script kiddie attack?
Typically, a "script Kid" attack will repeatedly attempt to log on to your system using a well-known profile name. The most common profiles used by the kiddies are ADMIN and ADMINISTRATOR, which are very popular profiles in the Unix world. This is good news for System i security folks, because these attacks will generally get nowhere on System i.
However, not all Kids stick with this basic attack form. A particular kind of attack that keeps me on my toes happened a few weeks ago. This was actually the event that prompted me to write this article:
This script kiddie started sign-on attempts through FTP using common first names. Each name made three sign-on attempts, each using a different password. I'm sure the script called for commonly used passwords such as "password," "security," or the same value as the user profile. Scanning through the log of rejects for this attempt, I see a very comprehensive list of first names used, such as ABBY, ABIGAIL, ABRAHAM, ABUSE, ACCOUNTS, ADAM, ADRIAN, ALAN, ALBERT and so on.
On the surface, this attack pattern seems like it would fail miserably as long as you have good password policies in place. And, as far as preventing access to your system, this is a true statement. However, this kind of attack could have a devastating impact on your system by cycling through commonly used profiles and causing them to be disabled by the operating system.
Most System i shops allow for three logon retries when an incorrect password is entered. After the third attempt, the profile is disabled and can only be reactivated by the security officer. You could easily find yourself suddenly inundated with requests to reactivate disabled accounts all over your shop, bringing work on your system to a halt.
Uncommon profile names mean good security
So, how can you defend against this type of attack? For me, on my small test machine, I just shut down the FTP server when I saw the attack start up. But that is not an easy option for most of you.
The best solution is to have profile names that are uncommon. Don't use first names for your profiles. A good solution is to pick profile names based on a combination of first and last name. For those accounts that come with your system from IBM, the infamous Q profiles, make sure that none of them are used for regular production purposes. You should keep these profiles on your system in a disabled state.
Sooner or later, a script kiddie is going to get around to putting QSYSOPR, QUSER and QSECOFR in their list of profile names to try. You should also keep a backup security officer profile available in case QSECOFR gets disabled. Finally, and I've said this many times, never allow a profile to be created on your system using the default password.
If you have any questions about this topic you can reach me at firstname.lastname@example.org. All email messages will be answered as quickly as possible.
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
This was first published in November 2007