I tell you this based on personal experience with my own System i. In a recent seven-day period, I identified more than 1,500 attempts to sign on to my system from unauthorized people. All of these were malicious hacking attempts. When I did a traceroute on many of these, they pointed back to source IP addresses in The Netherlands, China, Colombia, Russia and other parts unknown. Some attempts would not even trace back successfully.
I initially thought that nobody would bother my system since it is just a numbered address with no DNS entry to make it easy to find. But this is clearly not the case. Some hackers use automated attack programs to just cycle through entire IP address ranges. And these are the folks who regularly stop in at my system.
Based on my personal observation, the method being used is to try to break in using the same user profile, usually ADMINISTRATOR, and trying a different password every few seconds. They will often cycle through and retry the same password more than once. I've observed one break-in artist try this 850 times in a row over a period of several hours.
I know all this about my system because I monitor all network traffic and track it using exit point software. We have our system configured to only permit FTP access from a trusted IP address; the list is necessarily very small. This protects our system from malicious remote access via FTP. Also, if a hacker were to get past this check (which they haven't so far), our system has no default passwords. So, trying to cycle through known System i profiles and default passwords will also end up in failure.
How to protect your system from FTP attackers
First, make sure that you don't have any default passwords set up on your system. Use the Analyze Default Passwords (ANZDFTPWD) command from the SECTOOLS menu for this. Start by running it with the *NONE option for the ACTION parameter just to get a listing. Then, when you've reviewed the list, make sure that the profiles with default passwords have their passwords reset to either a different, unique password or are set to *NONE. Note: setting the profile to *DISABLED will not help you with FTP access.
Next, implement some sort of IP packet testing to only accept FTP connections from trusted IP addresses. You can do this as we do, using an exit program attached to the FTP sign-on server. If you have a fairly recent version of the OS, you can alternatively use the IP packet filtering capabilities in iSeries Navigator. This will let you allow known IP addresses, or address ranges, to access your system while keeping everyone else out.
When setting this up, make sure you keep an active connection to your system while you are testing so that you don't accidentally shoot yourself in the foot and lock out all access to your system. Remember, the IP packet filtering will apply to all users connecting to your system, not just FTP users, so this will be a bigger job than you may think starting out.
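As an added example (not the author's exit-point software), the two checks described above in Python: a trusted-source allow-list decision of the kind an FTP sign-on exit program makes, and a detector that flags the pattern of many failed sign-ons against one profile from one source inside a short window. The trusted networks, the record layout and the sample records are all constructed here and do not reflect any IBM i audit format.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allow-list of sources permitted to reach FTP (kept deliberately small).
TRUSTED = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.7/32")]

def ftp_logon_allowed(client_ip: str) -> bool:
    """The decision an FTP sign-on exit program would make: accept only trusted sources."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED)

# Constructed sample of failed sign-on records: (timestamp, client IP, user profile).
# The 203.0.113.9 entries mimic the "same profile, new password every few seconds" pattern.
FAILED_SIGNONS = [
    ("2007-07-01 02:00:00", "203.0.113.9", "ADMINISTRATOR"),
    ("2007-07-01 02:00:04", "203.0.113.9", "ADMINISTRATOR"),
    ("2007-07-01 02:00:09", "203.0.113.9", "ADMINISTRATOR"),
    ("2007-07-01 02:00:13", "203.0.113.9", "ADMINISTRATOR"),
    ("2007-07-01 02:00:18", "203.0.113.9", "ADMINISTRATOR"),
    ("2007-07-01 02:00:22", "203.0.113.9", "ADMINISTRATOR"),
    ("2007-07-01 03:15:00", "198.51.100.7", "QSECOFR"),   # a trusted user mistyping
    ("2007-07-01 03:15:30", "198.51.100.7", "QSECOFR"),
    ("2007-07-01 04:00:00", "192.0.2.5", "RICH"),
]

def brute_force_sources(records, threshold=5, window=timedelta(minutes=10)):
    """Return {(ip, profile): total_failures} for every source that accumulates at least
    `threshold` failures against a single profile inside any sliding `window`."""
    by_key = defaultdict(list)
    for ts, ip, profile in records:
        by_key[(ip, profile)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = len(times)
                break
    return flagged

def unlisted_attackers(records):
    """Flagged sources that the allow-list would already have refused at the FTP door."""
    return {k: n for k, n in brute_force_sources(records).items() if not ftp_logon_allowed(k[0])}
```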
If you have any questions about this topic you can reach me at (firstname.lastname@example.org); I'll try to answer any questions you may have. All email messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
This was first published in July 2007