Kisco Systems

Kisco U

Control terminal session access by IP address

Authorizing the remote IP address before allowing a terminal session to connect is a great way to control remote access. This can be achieved with an exit program on the Telnet Device Initialization exit point. However, all Telnet connections run under the QSYS user profile, so exit point controls apply to all users alike and cannot be set per user profile.

To implement source IP access controls by user profile, a much preferred method, you can use an "initial program."

In the initial program named in the INLPGM parameter of each user profile, filter the source IP against an allowed list:

  • retrieve the user profile that is signing on with the RTVJOBA CL command
  • call IBM's QUSRJOBI application program interface (API) with format JOBI0600 to fetch the login source IP address, which you can find at position 308
  • compare the IP address against a control database
  • tip: convert the IP address to a 12-digit number if you want to do range comparisons

Once you have your initial program created and fully tested, implement it by recording the program name and library in the INLPGM for each user profile where you want this control added.
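
One way to write such an initial program in CL, as an added example (not Kisco's code). The control file ALLOWIP and its fields USRPRF, IPFROM and IPTO are hypothetical, and the range check compares the 12-digit values as equal-length character strings rather than as numbers.

```cl
/* Added example. ALLOWIP is a hypothetical control file with CHAR   */
/* fields USRPRF(10), IPFROM(12), IPTO(12); one row per allowed range */
PGM
  DCL  VAR(&USER)   TYPE(*CHAR) LEN(10)
  DCL  VAR(&RCVVAR) TYPE(*CHAR) LEN(322)
  DCL  VAR(&RCVLEN) TYPE(*INT)  LEN(4)  VALUE(322)
  DCL  VAR(&FORMAT) TYPE(*CHAR) LEN(8)  VALUE('JOBI0600')
  DCL  VAR(&JOB)    TYPE(*CHAR) LEN(26) VALUE('*')
  DCL  VAR(&INTJOB) TYPE(*CHAR) LEN(16) VALUE(' ')
  DCL  VAR(&IPADDR) TYPE(*CHAR) LEN(15)
  DCL  VAR(&IP12)   TYPE(*CHAR) LEN(12) VALUE('000000000000')
  DCL  VAR(&OCT)    TYPE(*CHAR) LEN(3)  VALUE('000')
  DCL  VAR(&CH)     TYPE(*CHAR) LEN(1)
  DCL  VAR(&I)      TYPE(*INT)  LEN(4)
  DCL  VAR(&POS)    TYPE(*INT)  LEN(4)  VALUE(1)
  DCLF FILE(ALLOWIP)
  /* Fail closed: any unexpected error ends the session */
  MONMSG MSGID(CPF0000 MCH0000) EXEC(GOTO CMDLBL(DENY))

  RTVJOBA USER(&USER)
  /* '*' with a blank internal job identifier means the current job */
  CALL PGM(QUSRJOBI) PARM(&RCVVAR &RCVLEN &FORMAT &JOB &INTJOB)
  CHGVAR VAR(&IPADDR) VALUE(%SST(&RCVVAR 308 15))

  /* Zero-pad each octet: 10.1.20.7 becomes 010001020007 */
  DOFOR VAR(&I) FROM(1) TO(15)
    CHGVAR VAR(&CH) VALUE(%SST(&IPADDR &I 1))
    IF COND(&CH *EQ '.') THEN(DO)
      CHGVAR VAR(%SST(&IP12 &POS 3)) VALUE(&OCT)
      CHGVAR VAR(&POS) VALUE(&POS + 3)
      CHGVAR VAR(&OCT) VALUE('000')
    ENDDO
    ELSE CMD(IF COND(&CH *NE ' ') THEN(CHGVAR VAR(&OCT) +
           VALUE(%SST(&OCT 2 2) *CAT &CH)))
  ENDDO
  CHGVAR VAR(%SST(&IP12 &POS 3)) VALUE(&OCT)

  /* Allow only if a row for this user covers the address */
  DOWHILE COND('1')
    RCVF
    MONMSG MSGID(CPF0864) EXEC(LEAVE) /* end of file: no match */
    IF COND((&USRPRF *EQ &USER) *AND (&IP12 *GE &IPFROM) +
         *AND (&IP12 *LE &IPTO)) THEN(RETURN)
  ENDDO

DENY: SIGNOFF
  MONMSG MSGID(CPF0000) /* do not re-enter the global handler */
ENDPGM
```

A job with no source address leaves the 12-digit value at all zeros, so it is signed off unless the control file lists a range that includes it.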

NOTE: Our SafeNet/i software firewall product supports IP address filtering on the Telnet exit point. Our 2FA product, i2Pass, also includes source IP address filtering.