Tip

Script kiddie FTP attacks on System i

Rich Loeber
A few weeks ago, I wrote about the dangers of open FTP servers running on your System i. At that time, I advised that FTP was a clear point of potential entry into your system by persons with malicious intentions.

Since then, I've been observing repeated attack attempts on my personal System i in my office and I've identified a particular type of attack that has me worried. It is what's called a "script kiddie" attack, named because the attack is mounted using an FTP script. This means that it can be repeated over and over again on any target. The word "kiddie" is used because it is so easy, even a child could mount the attack.

What is a script kiddie attack?
Typically, a "script Kid" attack will repeatedly attempt to log on to your system using a well-known profile name. The most common profiles used by the kiddies are ADMIN and ADMINISTRATOR, which are very popular profiles in the Unix world. This is good news for System i security folks, because these attacks will generally get nowhere on System i.

More on FTP and System i security:
More tips for securing FTP on your System i

Establish strong OS security to ward off FTP hackers

Implementing FTP and ODBC security on the iSeries 400

However, not all Kids stick with this basic attack form. A particular kind of attack that keeps me on my toes happened a few weeks ago. This was actually the event that prompted me to write this article:

This script kiddie started sign-on attempts through FTP using common first names. Each name made three sign-on attempts, each using a different password. I'm sure the script called for commonly used passwords such as "password," "security," or the same value as the user profile. Scanning through the log of rejects for this attempt, I see a very comprehensive list of first names used, such as ABBY, ABIGAIL, ABRAHAM, ABUSE, ACCOUNTS, ADAM, ADRIAN, ALAN, ALBERT and so on.

On the surface, this attack pattern seems like it would fail miserably as long as you have good password policies in place. And, as far as preventing access to your system, this is a true statement. However, this kind of attack could have a devastating impact on your system by cycling through commonly used profiles and causing them to be disabled by the operating system.

Most System i shops allow for three logon retries when an incorrect password is entered. After the third attempt, the profile is disabled and can only be reactivated by the security officer. You could easily find yourself suddenly inundated with requests to reactivate disabled accounts all over your shop, bringing work on your system to a halt.

Uncommon profile names mean good security
So, how can you defend against this type of attack? For me, on my small test machine, I just shut down the FTP server when I saw the attack start up. But that is not an easy option for most of you.

The best solution is to have profile names that are uncommon. Don't use first names for your profiles. A good solution is to pick profile names based on a combination of first and last name. For those accounts that come with your system from IBM, the infamous Q profiles, make sure that none of them are used for regular production purposes. You should keep these profiles on your system in a disabled state.

Sooner or later, a script kiddie is going to get around to putting QSYSOPR, QUSER and QSECOFR in their list of profile names to try. You should also keep a backup security officer profile available in case QSECOFR gets disabled. Finally, and I've said this many times, never allow a profile to be created on your system using the default password.

If you have any questions about this topic you can reach me at rich@kisco.com. All email messages will be answered as quickly as possible.

---------------------------
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

This was first published in November 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.