Recovering Your IBM i Security Configuration

By Rich Loeber

I once worked, many years ago, with a company that had a disaster recovery plan in place and actually tested it once or twice.  The plan called for us to arrive at the recovery center and then, almost immediately, turn security on the recovery box OFF to make things easier during the recovery.  There was no corresponding step later in the recovery to reactivate security, so for the duration of any disaster, the backup system was exposed to security violations.  Now, to give them some credit, this was in the days before networks and the Internet, so their exposure was probably pretty limited.  In today’s world, however, when you have to switch over to a disaster recovery site, you will need to have your security plan in place and built into the recovery process.

To understand how best to do this, you first have to understand what the different security objects and settings are on your system along with how and where they are saved.

System values make up a large component of your security policy implementation.  They are stored in the QSYS library and are saved by SAVSYS, by the “Entire system” (option 21) or “System data only” (option 22) selections on the SAVE menu, or when you save the entire system with the “Run Backup” (RUNBCKUP) command.  When you get to your recovery site and restore the OS from one of these, the system values come back as part of that restore.  Keep in mind that they come back exactly as they were when that SAVSYS was taken, so any system value changed since then has to be reapplied by hand, and your recovery checklist should say so.

User profiles, including group profiles, are also stored in the QSYS library and are saved when you save the OS.  Since profiles change far more often than the OS, you can also save them separately with the “Save Security Data” (SAVSECDTA) command, which does not require a restricted state and so can run nightly.  When you restore the OS, you get the profiles, passwords and group memberships as they existed when that SAVSYS was taken.  If you have saved the profiles separately, restore them again (RSTUSRPRF USRPRF(*ALL)) as soon as the OS has been restored so that you have the most current passwords and profile settings before anyone signs on.

Job descriptions can also have an important effect on how jobs run and how security is enforced on your system.  IBM generally recommends that you create your job descriptions in the QGPL library, where IBM keeps its own, but a job description can be created in any library, and third-party software commonly ships its own.  When you back up a library using the “Save Library” (SAVLIB) or “Save Object” (SAVOBJ) command, the job descriptions travel along and are restored when those libraries are restored.  Treat them as security objects: a job description that names a profile in its USER parameter runs any job submitted with it under that profile, so its ownership and public authority matter as much as the profile’s own.

Finally we get to your resource security setup.  This, by its very nature, is a bit more complicated than the above items, but certainly manageable.  The good news is that a lot of the resource security information is stored directly with the object.  This includes its public authority setting, its object audit setting, the profile of the object’s owner, the primary group and the link, if any, to an authorization list.  So, when you save the objects in your library, you will also be saving these security items.  The two resource security pieces that are not included are the authorization list itself and the private authority configuration.

All authorization lists are stored in the QSYS library.  They are saved when you save your OS and they are also saved when you run the SAVSECDTA command.  As with the user profiles already mentioned, these can change more dynamically than the OS, so having a separate SAVSECDTA is a good idea.  After you restore your OS, make sure to include a restore of your security data to get the most recent versions of your authorization lists.

Private authorities are also stored in the QSYS library as part of the user profile data.  So, when you save the most recent profile information, you are also saving the most recent private authorities, and when you recover your profiles you recover the private authorities with them.  But there is a catch.  RSTUSRPRF only brings the private authority information back into holding tables; it does not reattach the authorities to the objects.  After your system has been recovered, including the most recent profiles and ALL application libraries, you must run the “Restore Authority” (RSTAUT) command for *ALL users.  That is the step that actually restores the private authorities to objects and to authorization lists, and it has to run last because an object restored after RSTAUT gets no private authorities.  This step is easy to overlook, with dire consequences for your security implementation: every user ends up with only public authority to everything.
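As an added example (not part of the original tip), here is the save-side and restore-side command sequence that the steps above describe, written as CL.  The tape device TAP01, the libraries PAYLIB and ORDLIB, the file PAYMAST, the list PAYDATA and the profile PAYCLERK are assumed names for illustration; substitute the ones from your own backup plan.

```cl
/* Added example: nightly security-data save plus the recovery-site   */
/* restore order described above.  TAP01, PAYLIB, ORDLIB, PAYMAST,    */
/* PAYDATA and PAYCLERK are assumed names.                            */

/* --- Production site, in addition to the periodic SAVSYS ---------- */
/* SAVSECDTA picks up user profiles, private authorities and          */
/* authorization lists without a restricted state, so run it nightly. */
SAVSECDTA  DEV(TAP01)

/* --- Recovery site, after the OS has been restored from SAVSYS ---- */
/* 1. Most recent profiles, passwords and authorization lists.  The   */
/*    private-authority data is held in tables, not yet applied.      */
RSTUSRPRF  DEV(TAP01) USRPRF(*ALL) ENDOPT(*LEAVE)

/* 2. Every application library.  Job descriptions, owners, public    */
/*    authority, audit values and *AUTL links ride along with the     */
/*    objects themselves.                                             */
RSTLIB     SAVLIB(PAYLIB) DEV(TAP01) ENDOPT(*LEAVE)
RSTLIB     SAVLIB(ORDLIB) DEV(TAP01) ENDOPT(*REWIND)

/* 3. Only now, with every object and list present, apply the private */
/*    authorities for all profiles.  Run it last: objects restored    */
/*    after RSTAUT do not receive their private authorities.          */
RSTAUT     USRPRF(*ALL)

/* Spot check before opening the system: the file should show its     */
/* authorization list, the list should show its entries, and a        */
/* profile known to hold private authorities should list them.  If    */
/* DSPUSRPRF TYPE(*OBJAUT) comes back with no entries, RSTAUT was     */
/* skipped or ran too early.                                          */
DSPOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE)
DSPAUTL    AUTL(PAYDATA)
DSPUSRPRF  USRPRF(PAYCLERK) TYPE(*OBJAUT)
```

The ordering is the whole point: profiles first (so object owners exist when the libraries come back), then every library, then RSTAUT once.  If a library has to be restored again later, RSTAUT has to be repeated for the profiles that hold authority to it.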

There is more information about all of this in IBM’s Security Manual for the OS.  I recommend you review the manual for more details.

If you have any questions about anything included in this tip, you can reach me at rich at kisco dot com.  All email messages will be answered as quickly as possible.

Setting and Locking Your System Values

By Rich Loeber

When you implement your company’s security policy on your IBM i, often the first thing you do is review your system values.  System values define global, system-wide settings on your IBM i platform.  Many of these system values pertain to how you want to implement system security.  This tip will review how to look at these settings and then, how to lock them in place so that they cannot be changed.

So many of these system values are security related that the OS designers provided an easy way to review them together.  Use the “Work with System Values” (WRKSYSVAL) command with the “System value” (SYSVAL) parameter set to the special value *SEC.


Setting the OUTPUT parameter to *PRINT produces a spooled listing of the security system values, which is worth keeping with your change records.  Or, you can run the command with OUTPUT at its default and the system will display the security system values for you to review.  A similar review function is available from IBM i Access, but the security functions are spread out over several different selection tabs (at least on my version) and you have to go several places to find everything that is available from the single *SEC review of the WRKSYSVAL command.

When working with the values interactively, you can review the current setting using option 5 or you can change the value using option 2.  The list of system values displayed shows the name of the value and a text description.  Often, this is not enough information for you to determine exactly what you’re looking at.  When I find myself in this situation, I put a 5 next to it, then position the cursor over the current value displayed and press the HELP (or F1) key.  The help text that comes with this command is quite comprehensive and very helpful.

Changing any of your security system values should not be done on a whim.  Planning and preparation are the watchwords for this process.  It is all too easy to shoot yourself in the foot by making a security change on the fly and then losing, for example, the ability to log into your system.  All security changes should be researched in advance to determine the exact impact on your system.  If you’re not sure, do the work to find out rather than just trying it out without knowing the impact.

Once you have your security system values set along with the other system values (and there are loads of them), it is a good idea to lock them in place.  On too many systems there are far too many users with all object (*ALLOBJ) and security administrator (*SECADM) special authority in their user profiles, and any one of them can change a security system value with CHGSYSVAL.  Locking the system values prevents these casual changes and thereby preserves the security policy that you designed and implemented.

To lock your system values in place, you use the System Service Tools.  Start them from a display session with the Start System Service Tools (STRSST) command; you will need to supply a service tools user ID and password to get in.  Once in, choose option 7 from the menu (Work with system security).  On the next screen, set the “Allow system value security changes” field to 2 (No) to lock the security system values in place.

Once these are locked in place, the only way to change them is to go back into the System Service Tools and unlock them on the same screen, by setting the field back to 1 (Yes).  The same setting can also be changed at IPL time from the Dedicated Service Tools (DST).  Once locked, even users with *SECADM or *ALLOBJ cannot make capricious changes to the security system values, so your security policy decisions remain in force.  The flip side is that the lock lives below the OS: anyone with a service tools user ID can undo it, so guard those IDs and their passwords as carefully as you guard QSECOFR.
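As an added example that is not from the original tip, the CL program below does the review step from a scheduled job and then checks a handful of the security system values against a policy baseline.  The baseline (security level 40 or above, a sign-on limit that disables the profile, passwords that expire, idle sessions that end, and security officers restricted to named devices) is an assumption standing in for your own policy document; adjust the comparisons to match it.  Run it after the values are locked, so that anything it reports had to come in through SST, DST or a restore.

```cl
/* Added example: print the *SEC listing and flag security system     */
/* values that fall below an assumed policy baseline.                 */
PGM
   DCL VAR(&SECLVL)  TYPE(*CHAR) LEN(2)
   DCL VAR(&MAXSIGN) TYPE(*CHAR) LEN(6)
   DCL VAR(&SGNACN)  TYPE(*CHAR) LEN(1)
   DCL VAR(&PWDEXP)  TYPE(*CHAR) LEN(6)
   DCL VAR(&INACT)   TYPE(*CHAR) LEN(6)
   DCL VAR(&LMTSEC)  TYPE(*CHAR) LEN(1)
   DCL VAR(&DRIFT)   TYPE(*DEC)  LEN(3 0) VALUE(0)

   /* Same review the tip describes, to a spooled file for the record. */
   WRKSYSVAL SYSVAL(*SEC) OUTPUT(*PRINT)

   RTVSYSVAL SYSVAL(QSECURITY)  RTNVAR(&SECLVL)
   RTVSYSVAL SYSVAL(QMAXSIGN)   RTNVAR(&MAXSIGN)
   RTVSYSVAL SYSVAL(QMAXSGNACN) RTNVAR(&SGNACN)
   RTVSYSVAL SYSVAL(QPWDEXPITV) RTNVAR(&PWDEXP)
   RTVSYSVAL SYSVAL(QINACTITV)  RTNVAR(&INACT)
   RTVSYSVAL SYSVAL(QLMTSECOFR) RTNVAR(&LMTSEC)

   /* Assumed baseline.  Each miss is reported and counted.            */
   IF COND(&SECLVL *LT '40') THEN(DO)
      SNDPGMMSG MSG('QSECURITY is' *BCAT &SECLVL *BCAT +
                    'and the policy floor is 40') TOPGMQ(*EXT)
      CHGVAR VAR(&DRIFT) VALUE(&DRIFT + 1)
   ENDDO
   IF COND(&MAXSIGN *EQ '*NOMAX') THEN(DO)
      SNDPGMMSG MSG('QMAXSIGN is *NOMAX: unlimited password guesses') +
                TOPGMQ(*EXT)
      CHGVAR VAR(&DRIFT) VALUE(&DRIFT + 1)
   ENDDO
   IF COND(&SGNACN *EQ '1') THEN(DO)
      SNDPGMMSG MSG('QMAXSGNACN is 1: profiles are never disabled') +
                TOPGMQ(*EXT)
      CHGVAR VAR(&DRIFT) VALUE(&DRIFT + 1)
   ENDDO
   IF COND(&PWDEXP *EQ '*NOMAX') THEN(DO)
      SNDPGMMSG MSG('QPWDEXPITV is *NOMAX: passwords never expire') +
                TOPGMQ(*EXT)
      CHGVAR VAR(&DRIFT) VALUE(&DRIFT + 1)
   ENDDO
   IF COND(&INACT *EQ '*NONE') THEN(DO)
      SNDPGMMSG MSG('QINACTITV is *NONE: idle sessions stay open') +
                TOPGMQ(*EXT)
      CHGVAR VAR(&DRIFT) VALUE(&DRIFT + 1)
   ENDDO
   IF COND(&LMTSEC *EQ '0') THEN(DO)
      SNDPGMMSG MSG('QLMTSECOFR is 0: *ALLOBJ users sign on anywhere') +
                TOPGMQ(*EXT)
      CHGVAR VAR(&DRIFT) VALUE(&DRIFT + 1)
   ENDDO

   /* End abnormally when anything drifted so the scheduler notices.   */
   IF COND(&DRIFT *GT 0) THEN( +
      SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                MSGDTA('Security system values differ from policy'))
ENDPGM
```

The checks compare against the special values (*NOMAX, *NONE, the one-character action codes) rather than parsing numbers, so they hold on any release; add a numeric comparison for QMAXSIGN or QPWDEXPITV if your policy sets exact figures.  The escape message at the end is what turns a quiet job log into a failed job that someone has to look at.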

If you have any questions about anything included in this tip, you can reach me at rich at,  All email messages will be answered as quickly as possible.

IBM i Security Basics – Implementation

By Rich Loeber

In my last blog, I wrote about how to create a security policy for your IBM i.  This time, I’ll take a broad overview look at how to best implement your policy on your IBM i.

Some of your security policy will be implemented globally through the setup of your IBM i system values.  Much has already been written about this and is generally available from this website and others.  I do not want to duplicate that.

What is unique to each application, however, is the object level security setup that protects your basic data and programming elements.  This is what I want to explore here by reviewing a few key practices that, over time, will simplify your security administration task.

The first of these key practices is implementing your object level security based on group profiles.  Security can be implemented by individual profiles or by groups.  Each user profile on your system can be assigned to a single group along with up to fifteen supplemental groups.  A group profile is nothing more than an additional user profile that is created with PASSWORD(*NONE) so that it cannot be used to sign on.  Its only purpose is to control object access.  Once a group profile has been created, you add individual profiles to the group by placing the group profile name in the GRPPRF (Group profile) parameter or in the SUPGRPPRF (Supplemental groups) parameter of the user’s profile.  With group profiles implemented, you no longer have to create object access rules for each profile, just for the group profile.  By reference, the rules for the group then apply to each individual user profile that is a member of the group.

Go through your security policy document to identify the specific groups that you are going to need and get them set up on your system.  Then assign the individual users to each group.  When people leave the company, you will not have to hunt down and modify an individual’s security setup, and adding a new user profile is greatly simplified because there is no extensive set of individual object authorities to maintain.  When you are all set up, you can generate a membership listing for each group using the DSPUSRPRF (Display User Profile) command with TYPE(*GRPMBR).

The other key practice that I want to discuss today for your security implementation is the use of Authorization Lists for object security.  An individual object can be controlled by entering profile authorities directly on the object or by reference to an Authorization List.  When you store your profile access rules directly on the object, you cannot change those rules while the object is in use, because the change needs an exclusive lock on the object.  Authorization Lists, however, can be changed while the objects they secure are in use, which removes this obstacle and saves you from a lot of late night sessions.

Also, with an Authorization List, you can create a single security configuration that can then be applied to multiple objects on your system.  At the individual object level, just reference the Authorization List and the rules created in the list will apply to the object.  From your security policy, you will find general rules that apply within an application.  These can easily be assigned to an Authorization List.
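As an added example (not from the original post), the CL below sets up both practices together: two group profiles, one user placed in them, one authorization list holding the rules, and one file secured by the list.  The names PAYROLL, ACCTG, JSMITH, PAYLIB/PAYMAST and PAYDATA are assumptions for illustration.

```cl
/* Added example: group profiles plus an authorization list securing   */
/* a single file.  PAYROLL, ACCTG, JSMITH, PAYLIB/PAYMAST and PAYDATA  */
/* are assumed names.                                                 */

/* Group profiles are ordinary profiles that cannot sign on: no        */
/* password, no special authority, and a sign-off menu just in case.   */
CRTUSRPRF USRPRF(PAYROLL) PASSWORD(*NONE) SPCAUT(*NONE) +
          INLMNU(*SIGNOFF) TEXT('Group: payroll clerks')
CRTUSRPRF USRPRF(ACCTG)   PASSWORD(*NONE) SPCAUT(*NONE) +
          INLMNU(*SIGNOFF) TEXT('Group: accounting')

/* Put a user in a primary group and one supplemental group.           */
/* OWNER(*GRPPRF) makes objects the user creates belong to the group,  */
/* so ownership does not walk out the door when the user leaves.       */
CHGUSRPRF USRPRF(JSMITH) GRPPRF(PAYROLL) SUPGRPPRF(ACCTG) OWNER(*GRPPRF)

/* Membership listing for the group.                                   */
DSPUSRPRF USRPRF(PAYROLL) TYPE(*GRPMBR)

/* The list holds the rules.  Nobody gets in unless an entry says so. */
CRTAUTL  AUTL(PAYDATA) AUT(*EXCLUDE) TEXT('Payroll master data')
ADDAUTLE AUTL(PAYDATA) USER(PAYROLL) AUT(*CHANGE)
ADDAUTLE AUTL(PAYDATA) USER(ACCTG)   AUT(*USE)

/* Clear private and public authority left on the object itself, so   */
/* the list is the single place the rules live.  (This and the two    */
/* GRTOBJAUT commands need the file not to be in use; from here on,   */
/* only the list changes, and that never locks the file.)             */
RVKOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*ALL) AUT(*ALL)

/* Attach the list and make the object's public authority defer to    */
/* it: with *PUBLIC set to *AUTL the public setting comes from the    */
/* list too.                                                          */
GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) AUTL(PAYDATA)
GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* Verify: the object should show AUTL PAYDATA and *PUBLIC *AUTL; the */
/* list should show PAYROLL *CHANGE and ACCTG *USE.                   */
DSPOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE)
DSPAUTL   AUTL(PAYDATA)
```

JSMITH gets *CHANGE through PAYROLL; a user who is only in ACCTG gets *USE; everyone else is excluded.  Adding a second payroll file is one GRTOBJAUT pair pointing at the same list, and adding a new clerk is one CHGUSRPRF, which is the administrative saving the post is after.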

But, you ask, what about exceptions?  Every security policy is going to have exceptions and you can deal with them as they arise.  I try to discourage them by asking that a clear business case be made for each exception.  The response, “well, it would just be a lot easier” is no longer acceptable.  Those kind of exceptions these days can easily lead to banner headlines that will be embarrassing to you and to your company.

If you have any questions about anything included in this tip, you can reach me at rich at,  All email messages will be answered as quickly as possible.

IBM i Security Basics – Policy

By Rich Loeber

If you are the security officer for your IBM i, then securing the databases on it is your primary responsibility.  Good security starts with a clearly defined policy.  This tip will help you focus on how to create that policy.

Before you start creating a security policy, you will have to get your user community involved.  A security policy created and implemented without end user participation is destined to always be a problem.  If your end users, however, are asked to participate and buy into the policy, then the results will be a much smoother implementation.  If you find resistance to participation in policy creation, get management on your side.  Whatever you do, don’t create the policy on your own as an IT project.

The first decision you need to make when formulating your security policy is what your overarching objectives are going to be.  You have two choices at this point:

  • You can decide that your policy will be very strict
  • You can decide that your policy will be relaxed

With a strict policy, access to every object in your system will be determined and enforced at the operating system level.  Each user’s specific requirements will be analyzed and then encoded in the security implementation provided by the IBM i OS.  With a more relaxed approach, you can decide that users will have broader access to objects on your system with strict access rules only for certain pre-defined data assets.  In actual practice, most IBM i shops adopt the second approach, but your auditors will love you if you go for the first one.

Once you’ve made this decision on your general approach, proceed to make a list of the applications on your system.  For each application, you will need to identify the owner of the application.  This is the person who will have to make the final security decisions for it.

Within each application, you should then list the data assets created and used by the application, with a note on each one as to its security status.  Some applications will need little or no security while others will have very strict requirements.  Make sure that your users are in full agreement about the nature of each data asset and its security requirements.

When deciding on the security requirements for each asset, there are three things to consider:

  • Is this information that should be restricted from all employees?
  • Is this information that is critical to the way you do business?  Does it give your organization a competitive advantage in the marketplace?
  • Is this information crucial to your day to day operations?

Obviously, payroll falls into the first category and is the classic data type for this consideration.  But, you may have other data assets that also come into play.  Included in this would be any data assets that record credit card information, banking information or any other personal identity information for your employees or your customers.

An example of the second data type would be a Customer Master database or a Contact database.  These are compiled databases that clearly help you to do business and that you do not want falling into the hands of competitors.

Finally, an example of the last type of data asset might be your month to date sales database or your current accounts receivable.  These are management tools that are needed to maintain your day to day business operation.

With each of these assets defined, you can then describe the type of security that you want in place.  When you are all done with each application, have a final review and signoff by the user (or owner) for each application.  Only after this legwork has been done can you consider how to best implement the security requirements.  More on that step soon.

If you have any questions about anything included in this tip, you can reach me at rich at,  All email messages will be answered as quickly as possible.

Are You An Accidental Security Officer?

By Rich Loeber

How can you be a more effective security officer given that you probably are in the job completely by accident?  This tip will explore this idea and provide some suggestions for you.

Computer Security, as a specialty, is still fairly new.  Chances are, you did not get into this field by taking it as a major in college or going to a technical school and specializing in the field.  As I look back over my career, I can recall lots of people who ended up working in various segments of IT who came from some of the wildest original intentions.  One guy I worked with came from a background as a pitcher for the Pittsburgh Pirates followed by a long career as a plant manager for a chemical plant.  Another started out in college to be a psychiatrist.  For my part, I never even went to college but got started in IT right out of high school working as an input/output control clerk.  I suspect that we are all “accidental” security officers.

So, how do you become an effective security officer considering that your training and education probably did not prepare you for it?  It’s a very good question to ask yourself.

I recently published a couple of tips about how to learn the security officer position.  I encourage you to check these two articles out, Learning To Be A Security Officer and Learning …. Part 2, as a starting point.  But, for today’s consideration, you need to do some introspection before heading out to become a better security officer.

A lot depends on what you did prepare for in your career.  If you prepared to become a programmer, then you probably don’t need to concentrate on the programming aspects of the security officer function.  In fact, you may have a tendency to stick with these tasks because they are most familiar to you and you are very comfortable with them.  It is a fact of human nature that we tend to go where we are appreciated and where we can demonstrate competency.  So, if you find yourself hanging around where you already know how things work …. it is time to move out.

To become an effective security officer, you need to back fill the areas of learning that you never prepared for in the first place.  This is where the introspection comes in.  For my part, I started out as an application programmer.  When I got to the whole area of security, it was a new arena for me and I found that communications and networking were my weakest spots.  I still have trouble fully understanding how TCP/IP works and how to really secure it so that it is foolproof (if that is even possible).  Worse, the people who do know how TCP/IP works all appear to speak a foreign language that is liberally peppered with three and four character acronyms that I’m supposed to know the meaning of.

Once you’ve identified your “weak” area or areas, then you need to identify resources that can help you to understand concepts and strengthen your security consciousness.  I always try to start by finding a peer or an associate who knows that stuff and pick their brain.  Then, I see if they can give me recommendations on reading materials, websites and publications that can help.

I also have to confess to you that I am still a reader of technical manuals and IBM Redbooks.  Having them all on-line is a real benefit these days and when I have spare time, I will often go browsing in the manuals library to find what’s new and see things that I haven’t read before.  I know that the manuals can be pretty dry reading, but they really do contain the manufacturer’s explanation of how things are supposed to work.

I’d love to hear from you if anything here strikes a chord with you.  Do you have an unusual story of how you ended up as an accidental security officer?  Send it in.  You can reach me at rich at kisco dot com.  All email messages will be answered as quickly as possible.

How Much Security Is Too Much?

By Rich Loeber

Last time, I posed the question “Just how much security is enough security for your IBM i?”  This tip will explore the contrary thought of “Just how much security is too much?”.  Is there a point where security is just too much for your installation?

First, we need to admit that all security involves overhead expense.  If you are running security software features in the operating system, they take some computing resources to perform access validation routines.  When you run additional security validation, such as exit point processing, that adds more processing overhead.  When you require users to regularly change their passwords, that requires time every so often on the part of every user on the system to reset their password to a new value.  When someone has a problem during the normal course of their business day that ends up being related to security, this is additional overhead not only on the part of the end user but also by your support staff.  No matter how you look at it, good security costs money.

But, is there a point where you have too much security, where the benefits are outweighed by the cost of the protection deployed?  I think the answer is a clear yes, in certain circumstances.

Some time ago, I did a consulting gig for a large company located in North America.  This company had a very aggressive security implementation for outside vendors.  And, they apparently use a lot of outside vendors who need access to their network.  They had a complicated VPN installed which required a remote token generator be shipped to me.  When the token arrived, it included indecipherable instructions on how to gain access which ultimately did not work.  It was a long and drawn out process, but it ended up taking me three days and countless hours of trial and error with various members of their support desk team to get access to their system just to get started on a project that was behind schedule at the outset.  Once I got into their IBM i processor, I found that my profile had not been properly set up and there was a further delay in getting started.

In this case, the costs associated with the security implementation became excessive.  I was on the clock for this entire experience and the customer ended up paying dearly for this wasted time.  For this customer, I’d conclude that too much security was in place or that the security deployed was insufficiently funded.  The whole point was to provide a secure signon to their IBM i from a remote location, but the number of layers needed to get through was just too much.

When is there too much security?  One check is to see if normal business transactions are regularly stopped due to security checking.  If people in your organization can’t get their normal day-to-day work done due to security hurdles, then maybe there is too much security in place and a review of your setup is in order.

Another check is to see if your support costs are on budget or running way over.  If you’re spending significantly more money on support and that can be traced to security issues, that’s another red flag that something is quite wrong in your security environment.

I know that some of you security officers out there are going to cringe at this, but security is always a compromise between operating efficiency and data integrity.  You need to have a good balance, tempered by an honest assessment of what you’re protecting.

If you have any questions about this topic you can reach me at rich at,  All email messages will be answered as quickly as possible.

How Much Security Is Enough?

By Rich Loeber

Just how much security is enough security for your IBM i?  This tip will explore this question and, hopefully, get you thinking about your own environment.

In the good old days, enough security meant that you had a lock on the computer room door and you actually used it.  Keeping people out of the computer room was all that was necessary.  Then along came CRTs and cabling started reaching outside the computer room environs and security became more of an issue.  Someone came up with the idea of requiring a CRT user to log into the system using a user identifier and a password.  With that little invention, things seemed to get back under control.  But, before long, along came PCs followed closely by client/server applications and then the Internet.  Now what do we do?

For many shops, a strict reliance on the user profile and password is still the watchword of the day.  But, is that enough given today’s technology?  I think not.  The problem with today’s networked environment is that you can never be absolutely certain who is at the other end of the line.

But, what is enough?  The concept of the Firewall has captured the hearts of many security officers to address this issue.  In fact, for many companies, the firewall is the be-all and end-all of their security plan.  “We’ve got a firewall in place!” …. case closed.  But, is that enough along with your user profile/password implementation?  Again, I think not.  Multiple studies of computer break-ins and data compromises reveal that fully half of all such incidents are inside jobs committed within the boundaries of the firewall “protection”.

What you really need is a multifaceted approach to security.  You need passwords, a firewall, and more.  In the old days, if the bad guy could get into the computer room, he could do some damage.  But, if you had multiple doors with multiple locks, it would take him longer to break in and you’d have a much better chance of catching him in the process.  In a way, today’s environment needs to be thought of in this same way.  Relying on a single security defense is just not enough today.  You have to deploy multiple defense strategies to be successful.

For your IBM i installation, this should include all of the security tools that are at your disposal.  It means implementing object security based on a coherent company-wide policy.  It means strictly limiting those profiles that have all object authority.  It means implementing exit point security with object level controls there as well.  It means controlling which IP addresses you are going to trust and allow access into your system.  It means having a good user profile and password maintenance plan in place with regular rotation of passwords.  It means quickly rescinding access rights for people who leave or change job assignments.  And the list goes on and on.

I suppose that it is a true statement that no computer system is 100% secure.  But, if you build enough fences that have to be climbed and add enough doors that have to be unlocked, the result will be as secure a system as is possible.  What you don’t want to do is make it easy, which unfortunately is all too common in today’s IT shops.

If you have any questions about this topic you can reach me at rich at,  All email messages will be answered as quickly as possible.

Watch Out For FTP “Script Kids”

By Rich Loeber

Some time ago, I wrote about the dangers of having an open FTP server running on your IBM i.  At that time, I advised that FTP was a clear point of potential entry into your system by persons with malicious intentions.

Since then, I’ve been observing repeated attack attempts on my personal IBM i in my office and I’ve identified a particular type of attack that has me worried.  It is what is called a “Script Kid” attack.  It is called this because the attack is driven by a canned FTP script, so it can be repeated over and over against any target, and “Kid” because it takes no skill to run; even a child could mount the attack.

Typically, a “Script Kid” attack will repeatedly attempt to log on to your system using a well known profile name.  Fortunately for IBM i security officers, the most common profiles the Kids try are ADMIN and ADMINISTRATOR, default account names borrowed from other platforms that do not normally exist on an IBM i.  Good news for us, as these attacks will generally get nowhere on the IBM i.

However, not all Kids stick with this basic attack form.  One that worries me a lot happened a few weeks ago and is the event that prompts this writing today.

This Script Kid started signon attempts through FTP using common first names.  Each name made 3 signon attempts, each using a different password.  I’m sure the script called for commonly used passwords such as “password”, “security” or the same value as the user profile.  Scanning through the log of rejects for this attempt, I see a very comprehensive list of first names used such as ABBY, ABIGAIL, ABRAHAM, ABUSE, ACCOUNTS, ADAM, ADRIAN, ALAN, ALBERT and so on.

On the surface, this attack pattern seems like it would fail miserably as long as you have good password policies in place.  And, as far as preventing access to your system, this is a true statement.  However, this kind of attack could have a devastating impact on your system by cycling through commonly used profiles and causing them to be disabled by the operating system.  Most IBM i shops allow three sign-on attempts (system value QMAXSIGN) and, when that limit is reached, disable the profile (QMAXSGNACN set to 2 or 3), after which only a security officer can re-enable it.  You could easily find yourself suddenly inundated with requests to reactivate disabled accounts all over your shop, bringing work on your system to a halt.  (For password resets, our iResetMe software can help.)

So, how can you defend against this type of attack?  For me, on my small test machine, I just shut down the FTP server when I saw the attack start up.  But that is not an easy option for most of you.  In my shop, I intentionally set up a phony profile on the system with the user profile of “ADMIN”.  I set it up to disable on the first bad password attempt and I designed the profile in such a way that it could not be used to gain access regardless of whether it resulted in a successful logon or not.  Then, I had our system monitoring software (we use our own SNDWEET for this) watch for messages in the QSYSMSG message queue.  When I am texted that the ADMIN profile has been disabled, then I know that an attack is under way.

The best solution is to have profile names that are uncommon.  Don’t use first names for your profiles.  A good solution is to pick profile names based on a combination of first and last name.  For those accounts that come with your system from IBM, the infamous Q profiles, make sure that none of them are used for regular production purposes.  Keep these profiles on your system in a disabled state.  Sooner or later, a Script Kid is going to get around to putting QSYSOPR, QUSER and QSECOFR in their list of profile names to try.  You should also keep a backup security officer profile available in case QSECOFR gets disabled (a disabled QSECOFR can still sign on at the system console, but you do not want the console to be your only way in).  Finally, and I’ve said this many times before, never allow a profile to be created on your system with the default password: the CRTUSRPRF default of PASSWORD(*USRPRF) sets the password equal to the profile name, which is the first thing any name-guessing script tries.  The ANZDFTPWD (Analyze Default Passwords) command lists every profile still in that state and can expire or disable them for you.
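As an added example that is not the author’s SNDWEET tool or any other code from the original tip, the CL below does three things described above: creates a tripwire profile that can never be used even if it is guessed, sweeps for profiles still carrying the default password, and runs a small watcher on QSYSMSG that reports when the tripwire or a run of real profiles gets disabled.  The tripwire name ADMIN, the recipient profile SECADMIN, the program name WCHSGN, and the positions of the profile name inside the CPF1393 replacement data are assumptions; confirm the layout with DSPMSGD CPF1393 on your release before relying on it.  It also assumes, as the tip’s own setup does, that bad sign-on attempts against a profile with no password still count toward QMAXSIGN; try it against the tripwire once to confirm on your system.

```cl
/* Added example: tripwire profile, default-password sweep, and a     */
/* QSYSMSG watcher.  ADMIN, SECADMIN, WCHSGN and the CPF1393 field    */
/* offsets are assumptions.                                           */

/* ---- One-time setup, typed at a command line by a *SECADM user --- */
/* The tripwire cannot sign on (no password, sign-off menu, limited   */
/* capabilities, no special authority), so guessing it gains nothing. */
CRTUSRPRF USRPRF(ADMIN) PASSWORD(*NONE) INLMNU(*SIGNOFF) LMTCPB(*YES) +
          SPCAUT(*NONE) TEXT('Tripwire - any use is an attack')
/* QSYSMSG receives CPF1393 (profile disabled at QMAXSIGN) only if    */
/* the queue exists in QSYS; creating it is the whole trick.          */
CRTMSGQ  MSGQ(QSYS/QSYSMSG) TEXT('Security messages')
/* Profiles whose password still equals the profile name are exactly  */
/* what a name-guessing script wants.  Expire them so the next real   */
/* sign-on forces a change.                                           */
ANZDFTPWD ACTION(*PWDEXP)

/* ---- Source of program WCHSGN, run as a never-ending batch job:    */
/* SBMJOB CMD(CALL PGM(WCHSGN)) JOB(WCHSGN)                           */
PGM
   DCL VAR(&MSGID)  TYPE(*CHAR) LEN(7)
   DCL VAR(&MSG)    TYPE(*CHAR) LEN(256)
   DCL VAR(&MSGDTA) TYPE(*CHAR) LEN(512)
   DCL VAR(&PRF)    TYPE(*CHAR) LEN(10)
   DCL VAR(&HITS)   TYPE(*DEC)  LEN(5 0) VALUE(0)

   /* Wait for each new message; RMV(*NO) leaves it on the queue as a */
   /* record.  Received messages are marked old and not re-read.      */
LOOP: RCVMSG MSGQ(QSYS/QSYSMSG) MSGTYPE(*ANY) WAIT(*MAX) RMV(*NO) +
             MSG(&MSG) MSGDTA(&MSGDTA) MSGID(&MSGID)
   IF COND(&MSGID *NE 'CPF1393') THEN(GOTO CMDLBL(LOOP))

   /* Assumed replacement-data layout for CPF1393: subsystem (10),    */
   /* subsystem library (10), user profile (10), device (10).         */
   CHGVAR VAR(&PRF)  VALUE(%SST(&MSGDTA 21 10))
   CHGVAR VAR(&HITS) VALUE(&HITS + 1)

   /* The tripwire tripping means someone is working a name list.     */
   IF COND(&PRF *EQ 'ADMIN') THEN(DO)
      SNDMSG MSG('Tripwire ADMIN disabled:' *BCAT &MSG) TOUSR(SECADMIN)
   ENDDO

   /* Three profiles locked out since the watcher started is the      */
   /* "inundated with reset requests" pattern.  Say so once.          */
   IF COND(&HITS *EQ 3) THEN(DO)
      SNDMSG MSG('3 profiles disabled by bad sign-ons; consider +
                  ENDTCPSVR SERVER(*FTP) until the source is blocked') +
             TOUSR(SECADMIN)
   ENDDO
   GOTO CMDLBL(LOOP)
ENDPGM
```

The watcher deliberately reports rather than acts: ending the FTP server is the author’s emergency move and may be the right one, but having a person decide keeps a noisy script from turning into a self-inflicted denial of service.  If your monitoring tool already watches QSYSMSG, the only pieces you need from this are the tripwire profile and the CPF1393 message ID.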

If you have any questions about this topic you can reach me at rich at,  All email messages will be answered as quickly as possible.

Learning To Be A Security Officer – Part 2

By Rich Loeber

In a recent post I started a description of how you can learn the job of being a security officer in the IBM i world of computing.  This post will continue that thought by talking about how you can effectively use a security consultant, and learn from them in the process.

In the first post I talked about the need to read and to stay current with technology.  In addition to what I mentioned in that post, I also want to recommend to you the book “Inside Internet Security: What Hackers Don’t Want You To Know” by Jeff Crume.  I found a used copy at  It is a real eye opener for those of you who have only been thinking about the IBM i side of the security question.  The book is a little dated, but still contains a lot of good information that is clearly presented without a lot of acronymic netspeak that can be so confusing.

But today I want to talk about using a consultant.  The classic definition of a consultant is “someone who borrows your watch to tell you what time it is”, and to a certain degree, this is true.  But a good consultant will explain to you every aspect of your situation.

The best way I know of to tell you about using a consultant is to describe a situation from my past.  I had been working for 20+ years as a programmer, systems analyst and IT manager when I started consulting for a local direct marketing company.  I was there for about 6 months trying to address the multitude of issues that this fast growing company was experiencing.  The owner decided to bring in an expert and found a guy for $2000 per day (plus expenses, a fortune at that time) to spend a day with us.  We cleared our slates, got several key people together and followed the expert around for the day as he walked through the entire operation.  What an eye opener that was.  In one day, we identified every issue that needed to be fixed, quite a long list.  We turned this into a roadmap of sorts and started knocking items off.  That one day visit ended up changing the entire course of the company for the next 10 years.  It was more than worth the investment.

A security consultant should be able to do this same thing for you.  But you need to use the consultant effectively.  This starts by selecting a qualified person.  Develop a list of people from reliable sources.  Then check references to make sure that you’re getting what you need.  Once this is done and a date has been set, make sure that you have everyone needed completely available.  When the consultant arrives, the clock will be ticking and if you’re off doing something else, it will be a waste of time and your company’s money.  Clear the decks completely.  Don’t even take phone calls or check your email or texts.

While the consultant is with you, be completely honest with them.  If you hide things because you’re embarrassed by them, then your feedback from the consultant will be incorrectly skewed.  Go through everything that you’re doing and take copious notes on what the consultant has to say.  You’ll be amazed, if your consultant is good, at what you find out and you will learn to do a better job in the process.

After the consultant leaves, don’t just go on with business as usual.  Make a list of the areas that the consultant brought up that need attention.  Then, develop an action plan to get each item on the list addressed.  And, make sure you have the right attitude as you go through this exercise.  The objective is not for you to come out looking good (which is often the case when reacting to an audit), but to address security exposures and get them closed.  Most consultants appreciate follow-up, so don’t be afraid to get back in touch with the consultant with questions and clarifications after the initial consultation.

That day we spent with the consultant completely changed my understanding of how a direct mail company should operate and it has stayed with me.  Your investment in a security consultant will do the same for you and for your company.  Consultants are expensive, but the alternative of living with security exposures could be not only costly but devastating to your company.

If you have any questions about this topic you can reach me at rich at,  All email messages will be answered as quickly as possible.

Hacking Report For Our IBM i – 2013 in Review

By Rich Loeber

In January of 2013, we issued our first Hacking Report for our IBM i system.  At that time, I promised to publish additional reports of what we are seeing on this test server.  This is our final report for 2013, and I want to wrap up this one-year experiment with our fourth quarter results and some observations about the entire year.

During the final three-month period of 2013 we observed hacking results that were remarkably consistent with the three previous quarters.  The bulk of hacking attempts mounted against our test server were once again in the area of FTP Signon and Telnet Signon.

Once again, someone knocked on the door of our test server 14 times a day trying to gain access.  This attack rate was remarkably consistent for the entire year.

Some interesting things to note …

Thanks to our SafeNet/i exit point control software, we successfully thwarted 847 attempts to gain access via FTP and another 428 attempts to get a Telnet signon session during the final quarter of the year.  For the year, we saw almost 4000 FTP hack attempts and just under 2000 Telnet tries.  The take-home lesson is that you absolutely must take life on the Internet seriously.  Our server is small potatoes and does not have any high value assets on it, but hackers are there knocking at the door on a regular basis anyway.  I think it is just because it is there and they have been unsuccessful.

Brute force FTP attacks continued during the final quarter.  Once again, the profile named ADMINSTRA was the most popular one used.  In fact, this was true for each quarter during the year.  Other profile names used included ADMIN, REMOTE, SCANNER, SYS, BACKUPEXEC and WWW-DATA.  Once again, and this was consistent during the whole year, none of the typical Q profiles were attempted.

We also continue to see certain IP addresses with repeated access attempts.  The leading violator for the final quarter traced back to the RIPE network in The Netherlands.  The next two highest both traced back to the Asia Pacific Network Information Center in Australia.

For the full year, our server posted close to 1 million network transactions.  This is nothing in today’s computing environment; some of our customers’ servers can record that level of activity in just a few minutes.  But, taken as a whole for the year, 0.5% of those network access attempts were not authorized by us.  Hackers: you have to take them seriously.  Failure to do so will get you in the headlines as the next Target.

This will conclude our year of tracking hacker activity on our server.  If you have questions about details of the report, feel free to contact me directly by email (rich at