Anonymizing the IBM i FTP Banner

Part of securing any system is not waving a big red flag showing the architecture of the server you’re trying to protect.

There are quite a few websites on the Internet used for cataloging the results of port scans. They’ve been on my radar for years because reports of cataloged police body cameras and license plate readers, not to mention “nanny cams”, made the headlines over a decade ago. This was when the Internet of Things was a fairly hot buzz term. In reality it’s turned into the Internet of Unprotected Things. Back then I got to thinking about IBM i security and what could be exposed by these types of web crawlers.

The biggest culprit is FTP.

Many IBM i shops allow Network Address Translation rules through their firewalls directly to their IBM i. The FTP server on IBM i is easily identifiable by its banner, which is composed of the subsystem name (QTCP) and the host name of the system. QTCP is inherently tied to the IBM i operating system, which makes it a great search term for finding IBM i systems in the wild. As such, here are about 1750 IBM i systems that have been cataloged in the United States alone:

 

Ideally, I would always recommend front-ending your IBM i with an intermediary server to protect it a bit better. What I’m going to show you here is how to change the default FTP banner.

That will at least stop waving one big red flag that lets attackers identify the IBM i operating system.

Do a WRKMSGF MSGF(QTCP/QTCPMSGF) and put a 12 next to it to work with message descriptions. Find MSGID TCP120D. This is your default FTP banner for the system. If you put a 2 next to it you’ll see the following as its message text:

'220- &1 at &2.'

220 is the reply code of the default welcome message sent to any new user connecting to the FTP server. Parameter &1 is the subsystem QTCP and &2 is the host name of the IBM i partition.

What I like to do is leave the 220 and then change the text, removing the parameters that identify the server and putting something arbitrary in their place.

You can edit it in place, but the shorthand way to do the entire procedure is this:

CHGMSGD MSGID(TCP120D) MSGF(QTCP/QTCPMSGF) MSG('220-whatever you want right here')

So one of our servers called LV426 would now look like this instead:

220-LV426
220 Connection will close if idle more than 5 minutes.

No QTCP and no default hostname. I’m just identifying the server. This server name is arbitrary anyway…it’s a reference to the film Alien. You can’t tell what it’s for, what the architecture is or any other identifiable pieces of information about it that would aid an attacker. It’s just a working FTP server. That’s it.
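To confirm the change took effect on a server you administer, this added example (not from the original article) parses a 220 greeting and reports any identifying tokens still visible in it. The sample greetings, the host name LV426.EXAMPLE.COM and the function names are constructed for illustration.

```python
import socket

# QTCP is the token the article names; add your own host names via extra_tokens.
IDENTIFYING_TOKENS = ("QTCP",)

# Constructed samples: default TCP120D text vs. the edited banner from the article.
DEFAULT_GREETING = (b"220-QTCP at LV426.EXAMPLE.COM.\r\n"
                    b"220 Connection will close if idle more than 5 minutes.\r\n")
CHANGED_GREETING = (b"220-LV426\r\n"
                    b"220 Connection will close if idle more than 5 minutes.\r\n")

def parse_greeting(raw: bytes) -> list[str]:
    """Return the text of each line of a (possibly multi-line) 220 greeting."""
    lines = raw.decode("ascii", errors="replace").splitlines()
    if not lines or not lines[0].startswith("220"):
        raise ValueError("not a 220 greeting")
    out = []
    for line in lines:
        coded = line.startswith("220") and line[3:4] in ("-", " ", "")
        out.append(line[4:].strip() if coded else line.strip())
        if coded and line[3:4] != "-":   # "220 " (no dash) marks the last line
            break
    return out

def banner_findings(raw: bytes, extra_tokens=()) -> list[str]:
    """List identifying tokens still visible in the greeting (case-insensitive)."""
    text = " ".join(parse_greeting(raw)).upper()
    return [t for t in (*IDENTIFYING_TOKENS, *extra_tokens) if t.upper() in text]

def fetch_greeting(host: str, port: int = 21, timeout: float = 5.0) -> bytes:
    """Read the greeting from an FTP server you administer, then disconnect."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        raw = b""
        for line in sock.makefile("rb"):
            raw += line
            if line.startswith(b"220") and line[3:4] != b"-":
                break
        return raw

if __name__ == "__main__":
    for name, greeting in (("default", DEFAULT_GREETING), ("changed", CHANGED_GREETING)):
        print(name, parse_greeting(greeting), "findings:", banner_findings(greeting))
```

Pass your real host name or domain suffix as extra_tokens if you want those flagged as well as QTCP.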

This won’t keep your system from being cataloged and eventually targeted. However, it will keep the architecture from being identified, and keep the banner from giving an attacker a set of blueprints to start banging on the doors.
