ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaiq_5.4.0.1/rzaiqseccontrolaccess.htm

120 lines
8.6 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Control File Transfer Protocol access" />
<meta name="abstract" content="If you are using File Transfer Protocol (FTP), you need to control users to protect your data and network. This topic offers tips and security considerations." />
<meta name="description" content="If you are using File Transfer Protocol (FTP), you need to control users to protect your data and network. This topic offers tips and security considerations." />
<meta name="DC.Relation" scheme="URI" content="rzaiqrzaiqimplement.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiqlepi.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiqftpanon.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiqftpbatch.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiqreferenceexit.htm" />
<meta name="DC.Relation" scheme="URI" content="http://www.redbooks.ibm.com/abstracts/sg244929.html" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiqseccontrolaccess" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Control File Transfer Protocol access</title>
</head>
<body id="rzaiqseccontrolaccess"><a name="rzaiqseccontrolaccess"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Control File Transfer Protocol access</h1>
<div><p>If you are using File Transfer Protocol (FTP), you need to control
users to protect your data and network. This topic offers tips and security
considerations.</p>
<p>If you want to allow FTP clients to access your system, be aware of the
following security concerns:</p>
<ul><li>Your object authority scheme might not provide detailed enough protection
when you allow FTP on your system. For example, when a user has the authority
to view a file (*USE authority), the user can also copy the file to a PC or
to another system. You might want to protect some files from being copied
to another system. </li>
<li>You can use FTP exit programs to restrict the FTP operations that users
can perform. You can use the FTP Request Validation Exit to control what operations
you allow. For example, you can reject GET requests for specific database
files.</li>
<li>You can use the Server logon exit point to authenticate users who log
on to the FTP server. Configure anonymous FTP describes how to use exit programs
to set up support for anonymous FTP on your system.</li>
<li>Unless you use Transport Layer Security (TLS) or Secure Socket Layer (SSL),
FTP passwords are not encrypted when they are sent between the client system
and the server system. Depending on your connection methods, your system might
be vulnerable to password theft through line sniffing.</li>
<li>If the QMAXSGNACN system value is set to 1, the QMAXSIGN system value
applies to TELNET but not to FTP. If QMAXSGNACN is set to 2 or 3 (values which
disable the profile if the maximum sign on count is reached), FTP logon attempts
are counted. In this case, a hacker can mount a denial of service attack through
FTP by repeatedly attempting to log on with an incorrect password until the
user profile is disabled.</li>
<li>For each unsuccessful attempt, the system writes message CPF2234 to the
QHST log. You can write a program to monitor the QHST log for the message.
If the program detects repeated attempts, it can end the FTP servers.</li>
<li>You can use the Inactivity timeout (INACTTIMO) parameter on the FTP configuration
to reduce the exposure when a user leaves an FTP session unattended. Be sure
to read the documentation or online help to understand how the INACTTIMO parameter
and the connection timer (for server startup) work together. <div class="note"><span class="notetitle">Note:</span> The QINACTITV
system value does not affect FTP sessions.</div>
</li>
<li>When you use FTP batch support, the program must send both the user ID
and the password to the server system. Either the user ID and password must
be coded in the program, or the program must retrieve them from a file. Both
these options for storing passwords and user IDs represent a potential security
exposure. If you use FTP batch, you must ensure that you use object security
to protect the user ID and password information. You should also use a single
user ID that has limited authority on the target system. It should have only
enough authority to perform the function that you want, such as file transfer.</li>
<li>FTP provides remote-command capability, just as advanced program-to-program
communications (APPC) and iSeries™ Access for Windows<sup>®</sup> do. The RCMD (Remote Command)
FTP-server subcommand is the equivalent of having a command line on the system.
Before you allow FTP, you must ensure that your object security scheme is
adequate. You can also use the FTP exit program to limit or reject attempts
to use the RCMD subcommand. FTP exit programs describes this exit point and
provides sample programs.</li>
<li>A user can access objects in the integrated file system with FTP. Therefore,
you need to ensure that your authority scheme for the integrated file system
is adequate when you run the FTP server on your system.</li>
<li>A popular hacker activity is to set up an unsuspecting site as a repository
for information. Sometimes, the information might be illegal or pornographic.
If a hacker gains access to your site through FTP, the hacker uploads this
undesirable information to your iSeries. The hacker then informs other
hackers of your FTP address. They in turn access your iSeries with FTP and download the undesirable
information. <p>You can use the FTP exit programs to help protect against
this type of attack. For example, you might direct all requests to upload
information to a directory that is write-only. This defeats the hacker's objective
because the hacker's friends will not be able to download the information
in the directory.</p>
</li>
</ul>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiqrzaiqimplement.htm" title="You can protect your data by securing File Transfer Protocol (FTP) with Secure Sockets Layer (SSL), monitoring FTP users, and managing user access to FTP functions.">Secure File Transfer Protocol</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzaiqftpanon.htm" title="Anonymous File Transfer Protocol (FTP) enables remote users to use the FTP server without an assigned user ID and password.">Configure anonymous File Transfer Protocol</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="rzaiqlepi.htm" title="You can control the authentication of users to a TCP/IP application server with the TCP/IP Application Server Logon exit point.">Server logon exit point</a></div>
<div><a href="rzaiqftpbatch.htm" title="This topic provides examples of how to run File Transfer Protocol (FTP) in an unattended mode.">Run File Transfer Protocol in unattended mode using a batch job</a></div>
<div><a href="rzaiqreferenceexit.htm" title="You can use File Transfer Protocol (FTP) exit programs to secure FTP. The FTP server communicates with each exit program through a specific exit point. This topic includes parameter descriptions and code examples.">File Transfer Protocol exit programs</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="http://www.redbooks.ibm.com/abstracts/sg244929.html" target="_blank">AS/400 Internet Security: Protecting Your AS/400 from HARM in the Internet</a></div>
</div>
</div>
</body>
</html>