Day: July 27, 2021

Anonymizing the IBM i FTP Banner

Part of securing any system is not waving a big red flag showing the architecture of the server you’re trying to protect.

There are quite a few websites on the Internet that catalog the results of port scans. They have been on my radar for years, ever since reports of cataloged police body cameras, license plate readers and, not to mention, "nanny cams" made the headlines over a decade ago. That was when the Internet of Things was a hot buzz term; in reality it has turned into the Internet of Unprotected Things. Back then I got to thinking about IBM i security and what these kinds of crawlers could expose.

The biggest culprit is FTP.

Many IBM i shops put Network Address Translation rules in their firewalls that forward traffic directly to their IBM i. The FTP server on IBM i is easily identifiable by its banner, which is made up of the subsystem name (QTCP) and the host name of the system. QTCP is inherently tied to the IBM i operating system, which makes it a great search term for finding IBM i systems in the wild. One such catalog turned up about 1,750 IBM i systems in the United States alone.


While ideally I would always recommend front-ending your IBM i with an intermediary server to protect it a bit better, what I'm going to show you here is how to change the default FTP banner.

That at least stops waving one big red flag that lets attackers identify the IBM i operating system from a single connection. It is not a substitute for the firewall rules: an attacker who issues SYST or examines the other reply texts can still fingerprint the platform, so treat this as reducing the noise you give away rather than as a control in its own right.

Run WRKMSGF MSGF(QTCP/QTCPMSGF) and take option 12 (Work with message descriptions) next to the file. Find MSGID TCP120D; this is the default FTP banner for the system. If you take option 2 (Change) next to it, you'll see the following as its message text:

'220- &1 at &2.'

220 is the FTP "service ready" reply code that the server sends to every new connection (the trailing hyphen marks the first line of a multi-line reply). Parameter &1 is the subsystem QTCP and &2 is the host name of the IBM i partition.

What I like to do is leave the 220 reply code alone and change only the text, removing the two parameters that identify the server and putting something arbitrary in their place.

You can edit it in place, but the shorthand way to do the entire procedure is this:

CHGMSGD MSGID(TCP120D) MSGF(QTCP/QTCPMSGF) MSG('220-whatever you want right here')
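After making the change, check it from outside the partition the way a crawler would see it. The script below is an added example, not something from the original post or from IBM: grab_banner() reads the FTP greeting (handling the multi-line 220- form from RFC 959), and classify_banner() flags a banner that still matches the "220-QTCP at HOSTNAME." shape described above. The sample banners are constructed for illustration and the host names in them are made up.

```python
"""Check an FTP greeting for the IBM i default banner shape.

Added example for the post above; not the author's or IBM's code.
"""
import re
import socket
import sys

# Default IBM i banner shape from the post: "220-QTCP at HOSTNAME."
# Matching is case-insensitive so a lower-cased copy does not slip through.
IBM_I_BANNER = re.compile(
    r"^220-\s*QTCP\s+at\s+(?P<host>\S+?)\.?\s*$",
    re.MULTILINE | re.IGNORECASE,
)


def classify_banner(banner: str) -> dict:
    """Report what a greeting gives away.

    exposes_ibm_i: True when the reply still names the QTCP subsystem.
    hostname:      the host name leaked by the default banner, if any.
    reply_code:    the three-digit FTP reply code on the first line.
    """
    m = IBM_I_BANNER.search(banner)
    code = banner[:3]
    return {
        "exposes_ibm_i": m is not None,
        "hostname": m.group("host") if m else None,
        "reply_code": code if code.isdigit() else None,
    }


def grab_banner(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Connect, read the complete greeting, send QUIT, return the text.

    RFC 959: a multi-line reply opens with "220-" and ends with a line
    that starts with the code followed by a space ("220 ...").
    """
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        while True:
            raw = reader.readline()
            if not raw:
                break
            line = raw.decode("latin-1").rstrip("\r\n")
            lines.append(line)
            # Single-line reply, or the terminating line of a multi-line one.
            if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
                break
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return "\n".join(lines)


# Constructed samples (not captured from any real system).
DEFAULT_BANNER = "220-QTCP at MYIBMI.example.com.\n220 Ready."
CHANGED_BANNER = "220-Authorized users only.\n220 Ready."


if __name__ == "__main__":
    # Usage: python check_banner.py <host> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    text = grab_banner(target, target_port)
    print(text)
    print(classify_banner(text))
```

Run it against the partition's public address before and after the CHGMSGD; the result should flip from exposes_ibm_i True (with the host name filled in) to False while the 220 reply code stays the same.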

So one of our servers …

Advanced Security Testing: Planning Strategically and Determining End Goals

As I have mentioned many times, there is no such thing as exhaustive testing. One of the main principles of testing is that QA shows defects are absent from the cases run, not that no bugs exist. Without proper testing and analysis, however, we can be certain we have no protection from attacks. What is imperative is that we perform as much testing and validation as possible within the constraints of our business processing and activities. The protocols discussed in this series of articles show due diligence and attention to the issues involved; by prioritizing them we help ensure that security is in place, as verified by the testing.

Security is considered a specialist role, and while it is getting more visible on the IBM i side, it still isn't the first area infosec teams are concerned with.


Part of this is due to the securable nature of the system. However, as we know, the box doesn't ship secure: we need to have the correct system values and authority limitations in place. Further, like every interface, the IFS is part of the attack surface. So we first have to analyze the context of our systems. Ironically, PC systems with less critical data are frequently tested more, because their security risks are well known, while the IBM i with the mission-critical data may be overlooked. The testing effort needs to be based on the importance of the components. Lastly, security needs to be baked into our systems; patching after the fact will never be as reliable as the innate settings.

Once we have aligned effort with the context of the system importance we look at our actual objectives.


This is an area where the difference between information assurance and actual testing is important to understand. To be clear, information assurance is "measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities." [NISTIR 7298]. Security testing, by contrast, is "a process used to determine that the security features of a system are implemented as designed and that they are adequate for a proposed application environment." [MDA1]. What does this mean in the real world? IA (Information Assurance) is the set of rules that pertain to everything in our environment, the specifications and requirements we work from, and what we base our designs and …