File Transfer Protocol (FTP)

File Transfer Protocol (FTP) requires the user to provide a user ID and password (in a secured environment). FTP also verifies that a user profile has authority to any file that is to be transferred. You access this function using the STRTCPFTP or FTP command, or by connecting to the AS/400 FTP Server using another system’s FTP client.

Controlling FTP Access

FTP Exit Points

There are three exit points provided with the AS/400 FTP that allow you to set the user security and FTP request validation. An exit point is a specific point in TCP/IP where control is passed to an exit program. Exit programs may be written in any HLL supported by the AS/400.

We need to add our exit program to the exit point using the registration facility (WRKREGINF). The TCP/IP application checks the registration facility to determine whether an exit program is registered for the particular exit point, and calls it if one is.

For security purposes, the TCP/IP application requires the exit program to return a specified operation (a return code). This value tells the TCP/IP application whether or not to continue with the process.

The three exit points are:

FTP Client request validation
FTP Server request validation
FTP Server logon

These exit points are used to add security and validation for FTP. The FTP Client and Server request validation exit points are used to validate FTP subcommands. The Server logon exit point authenticates the user who is trying to log on to the FTP server. You can also use this exit point to validate "anonymous" user logons to the FTP server.

FTP Server Logon Exit Program

The purpose of the server logon exit program is to allow or deny a user's logon based on the user id, password or client IP address. The FTPLOGON program validates the user id that logs on to the server. The user must be on the authorization list FTPLOGON with at least *USE authority. We also track "anonymous" user ids, logging the E-mail address they supply as their password. The FTPLOGON program sends a message to QSYSOPR & QHST with the user id and E-mail address. The program continues, but since "ANONYMOUS" is not a valid user id, the FTP logon fails. We may substitute another user id to replace the ANONYMOUS user id.

The program also validates the client IP address against all valid IP addresses found in the host table. You may access the host table entries from the CFGTCP menu. Option 10, Work with TCP/IP host table entries, enables us to add host IP addresses and their associated host names to the host table. The host table is stored in member HOST of the file QATOCHOST in library QUSRSYS. The host table must be identical throughout the network. The FTPLOGON program denies any client IP address not found in the host table.

The FTPLOGON program accepts 7 input parameters and returns 4 output parameters. Based on the input parameters, FTPLOGON determines what to validate. FTPLOGON also enables the initial current library to be set by allowing the current library listed in the input parameter to be overridden. FTPLOGON sets the return code output parameter to indicate whether or not the server is to continue the logon operation. Different return codes are available to enable alternative ways of processing the logon and initializing the current library.

NOTE: As supplied, the FTPLOGON program allows the FTP logon to continue even from an invalid IP address or for a user not authorized to the FTPLOGON authorization list. Change the program (remove the *@@@@@ comment line) to reject the logon in those cases. A special user id ZFTP is used to bypass FTP security.

View FTPLOGON codes.
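The checks described above, as an added stand-alone model (this is not the FTPLOGON program and does not use the real exit-point parameter formats; the host table, the FTPLOGON authorization list, the substitute profile ANONFTP and the numeric return codes are all constructed stand-ins):

```python
# Added example: a host-independent model of the FTPLOGON decision.
# It is NOT the FTPLOGON program and does not use the real exit-point
# parameter formats; host table, authorization list and return codes
# are constructed stand-ins for this model only.
from dataclasses import dataclass

# Placeholder return codes for this model, not IBM's documented values.
REJECT, ACCEPT, ACCEPT_SUBSTITUTE = 0, 1, 2

# Constructed host table: IP address -> host name (stand-in for QUSRSYS/QATOCHOST).
HOST_TABLE = {"10.1.1.5": "BRANCH01", "10.1.1.9": "BRANCH02"}
# Constructed authorization list FTPLOGON: user profile -> authority.
FTPLOGON_AUTL = {"ALICE": "*USE", "BOB": "*EXCLUDE", "ANONFTP": "*USE"}
# Profile substituted for ANONYMOUS, since ANONYMOUS itself cannot log on.
ANONYMOUS_SUBSTITUTE = "ANONFTP"


@dataclass
class LogonDecision:
    return_code: int
    user_profile: str
    current_library: str
    messages: list  # what the real program would send to QSYSOPR/QHST


def ftp_logon_policy(user_id, password, client_ip, requested_curlib="QGPL"):
    """Model of the logon exit, reduced to the inputs the page validates."""
    user = user_id.upper()
    msgs = []
    # 1. Deny any client IP address not found in the host table.
    if client_ip not in HOST_TABLE:
        msgs.append(f"FTP logon rejected: {client_ip} not in host table")
        return LogonDecision(REJECT, "", "", msgs)
    # 2. ANONYMOUS supplies an e-mail address as the password: log it and
    #    substitute a real profile so the logon can continue.
    if user == "ANONYMOUS":
        msgs.append(f"Anonymous FTP logon from {HOST_TABLE[client_ip]}: {password}")
        user = ANONYMOUS_SUBSTITUTE
        code = ACCEPT_SUBSTITUTE
    else:
        code = ACCEPT
    # 3. The profile must be on authorization list FTPLOGON with at least *USE.
    if FTPLOGON_AUTL.get(user) not in ("*USE", "*CHANGE", "*ALL"):
        msgs.append(f"FTP logon rejected: {user} lacks *USE to AUTL FTPLOGON")
        return LogonDecision(REJECT, "", "", msgs)
    # 4. Continue, overriding the initial current library from the input parameter.
    return LogonDecision(code, user, requested_curlib, msgs)
```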

FTP Request Validation Exit Program

The FTP request validation exit program determines whether to allow or deny an FTP operation based on the user id, client IP address, operation being requested, or directory/file/library affected. The FTPRQSVLD program is used for this exit point for both client and server requests.

Requested operations are permitted or denied based on the returned "Allow operation" output parameter. For example, the FTP application calls FTPRQSVLD asking, in effect, "may this user PUT (write/update) to this file?" FTPRQSVLD determines whether the request is accepted and returns the "Allow operation" return code to the FTP application. If it is denied, the FTP application issues a message stating that the operation is rejected.

The exit program may also indicate that the FTP request will always be allowed or always denied for a particular user. When always allowed or always denied is returned, the FTP application will not call the exit program again for the same request during the user session.

The FTPRQSVLD program accepts 7 input parameters and returns 1 output parameter. From the input parameters, FTPRQSVLD determines what type of FTP operation is being requested. For an operation naming a library or file, FTPRQSVLD allows the operation if the library requested is a "Test" type library; for a "Production" type library, the FTP request is rejected. FTP requests requiring execution of CL commands are all rejected.

View FTPRQSVLD codes.
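The decision described above, as an added stand-alone model (this is not the FTPRQSVLD program and does not use the real exit-point parameter formats; the Test/Production library classification, the operation names and the numeric return codes are constructed for this model):

```python
# Added example: a model of the FTPRQSVLD decision, not the program itself.
# Return codes, operation names and the library classification are
# constructed stand-ins; the real exit point has its own formats.
ALLOW, REJECT, ALWAYS_ALLOW, ALWAYS_REJECT = 1, 0, 2, 3  # placeholder codes

# Operations that touch library objects versus ones that execute CL commands.
OBJECT_OPS = {"GET", "PUT", "DELETE", "RENAME", "LIST", "CHGCURLIB"}
COMMAND_OPS = {"RCMD"}
# Constructed classification; any library not listed is treated as Production.
LIBRARY_TYPE = {"TESTLIB": "Test", "DEVLIB": "Test", "PRODLIB": "Production"}


def library_of(object_name):
    """Return the library named by LIB/FILE.MBR, a bare LIB, or /QSYS.LIB/LIB.LIB/..."""
    name = object_name.upper().strip()
    if name.startswith("/QSYS.LIB/"):
        parts = name.split("/")  # ["", "QSYS.LIB", "<LIB>.LIB", ...]
        if len(parts) > 2 and parts[2].endswith(".LIB"):
            return parts[2][:-4]
        return ""
    # Library file system naming: the part before the slash is the library.
    return name.split("/")[0]


def ftp_request_policy(operation, object_name=""):
    """Model of the 'Allow operation' output parameter for one request."""
    op = operation.upper()
    # CL command execution over FTP is rejected for the whole session.
    if op in COMMAND_OPS:
        return ALWAYS_REJECT
    if op not in OBJECT_OPS:
        return REJECT  # unknown operation: fail closed
    lib = library_of(object_name)
    if not lib:
        return REJECT  # cannot tell which library is affected: fail closed
    # Only "Test" type libraries may be read or written; Production is rejected.
    return ALLOW if LIBRARY_TYPE.get(lib, "Production") == "Test" else REJECT
```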
