More Tips for Securing IBM i FTP

By Rich Loeber

A few weeks ago, I published a tip about the security exposure that FTP represents on your IBM i platform. That tip has generated some interesting feedback along with some ideas from readers on how they address the issue. This tip features some additional ideas for you to protect yourself from FTP abusers.

First and foremost is this. If you don't use FTP, or you only use it on rare occasions, then don't leave the FTP server active on your system. You can check to see if the FTP server function is active on your system by running the following command:

WRKACTJOB SBS(QSYSWRK) JOB(QTFT*)

Look for jobs listed named QTFTPnnnnn. If FTP is active, you will find several of these jobs shown. To turn the FTP server off, run the ENDTCPSVR command specifying the *FTP server option. Most systems come from IBM with the FTP server set to start automatically whenever TCP/IP is started. You can change this by running the Change FTP Attributes (CHGFTPA) command. Prompt it with the F4 key and check the first parameter. If it is set to *YES, then FTP is going to start automatically at every IPL. Changing this to *NO will stop this from happening.

In our shop, we use FTP enough during the course of the day that we keep the FTP server up and active. But, we have job scheduler entries in the system to turn it off at the end of the day and then restart it every morning. That way, for 24 hours of possible exposure, 16 of those hours are completely protected. On the rare occasion when we need FTP during off hours, it is a simple matter to log in and start it again manually.

If the FTP server is inactive, then it cannot be misused.

The other good way to protect yourself from FTP abuse is through the implementation of exit point programs. The FTP server has an exit point that can be used to filter incoming requests. This is also true of the Telnet server, another point of possible abuse. One reader of my last tip suggested implementing the freeware SECTCP utility written by the former IBMer Giovanni B. Perotti. This utility is available for free download, after a simple registration process, from the following website:

http://www.easy400.net/easy400p/downloads.html#d09

I have downloaded and reviewed this code, but have not implemented since I have my own exit point software already active. But, the reader swears by the code and Mr. Perotti certainly has a terrific reputation in the IBM i family of users. So, if you've been thinking about implementing exit point controls, this might be any easy entry point for getting started. The source code is all included with the download and, in fact, everything needs to be compiled in order to install the software. The user instructions on getting started all appear to be fairly simple.

Also, if you don't want the bother of maintaining your own exit point code, there are quite a few very good products available from reputable IBM i software developers today. FTP and Telnet controls are just the tip of the iceberg where exit programming for security is concerned. I, of course, recommend my own product: SafeNet/i.

If you have any questions about this topic you can reach me at rich at kisco.com, I'll try to answer any questions you may have. All email messages will be answered.