Who’s Connected to your IBM i?

By Rich Loeber

Have you ever wondered who is connected to your system with a network connection? In these days of interconnected systems, this should be a concern for all IBM i security officers. Even if you have fully deployed firewalls and exit point security, the answer to the above question might contain some surprises.

The good news is that the IBM i OS has an interactive utility that can answer this question for you simply and easily.

If you are comfortable with the 5250 terminal interface, just run the following command:

NETSTAT OPTION(*CNN)

A display will come up that shows all of the IP4 TCP/IP connections to your system that are currently active. Page down several panels until you see an IP address showing up in the left hand “Remote Address” column.

Scroll around and check to see if there are any IP addresses that you don’t recognize. If you see any for 127.0.0.1, these are probably tied to your use of IBM Navigator for i. The listing under the “Remote Port” and “Local Port” column will give you an idea of what the connection is doing on your system.

If you are more comfortable with using IBM’s Navigator for i interface, start the utility and select “Network”, “TCP/IP Configuration”, “IPv4″ and finally “IPv4 Connections” to get the same information as the NETSTAT command above. This interface has the added bonus of allowing you to generate listings or a CSV download version of what you are looking at.

If you see an IP address that you are not familiar with, both interfaces give you the option of stopping the connection. On our test system, I often like to look up the IP address to see who “owns” it. There are several options for tracing an IP address; one such is:

https://www.iplocation.net

In the above case, the IP address listed at 35.165.168.89 traces back to an Amazon server. That’s not much help in zeroing in on an individual, but it lets you know what might be going on. In the case of our server, this does not concern us as the SMTP server is locked up tight.

If you find connections that are suspicious, it is imperative that they be investigated. Check your exit point implementation to make sure that you have source IP address controls in place. Connection attempts will show up with the NETSTAT command before they are denied by your exit point implementation. If your exit point does not give you source IP address controls or you don’t have exit points implemented yet, consider Kisco’s SafeNet/i – http://www.kisco.com/safenet – to implement them.

Kisco’s iEventMonitor software – http://www.kisco.com/iem – can be configured to issue alerts when unfamiliar IP addresses are detected. It lets you define the IP addresses that you trust and any others that connect will result in an alert being issued. It even offers you an exit point so that you can take your own actions when an untrusted IP address is detected. We have implemented our own user exit program to terminate unknown IP address connections using the ENDTCPCNN command.

If you have questions about details of this tip, feel free to contact me directly by email: rich at kisco.com.

Comments are closed.