New FTP Security tool FT4i

Security is something we should all be looking at closely; if you are not, you should be. The threat environment is increasing and we are seeing a lot more vulnerabilities identified for the IBM i platform every week! Securing your system is something that needs to be done ASAP. It's not a question of if your network will be probed but when, and we are seeing our own network being probed constantly.

We are all big users of FTP today for transferring files between our IBM i systems and the internet or local servers. The FTP client is usually unrestricted as well, which means anyone with access to a command line can transfer files around with ease. A savvy user could set up their own FTP server on their device (plenty of free ones are available), run the FTP client to that system and transfer files without any trace of that activity being recorded. The truth is we need that level of freedom in most instances just to do our jobs; where people have restricted the access, it causes a lot of pain and delays, which affects the users' ability to perform their duties.

Logging activity

The IBM FTP environment provides no logging for the Client or Server processes, which means you cannot determine what any user did while using these facilities. The new FT4i product provides this much-needed logging, not just for normal FTP but for SFTP as well. Every action taken by the user can be logged and reviewed at any time. Because the data is stored in a database file, we can also use the AAG/NG4i product to add monitors that can notify you when suspicious activity is occurring. The PHP interface above allows the adding and removing of the exit points that are required for FTP monitoring and management; we also provide options via the 5250 configuration screen to set these options and start securing your FTP services.

Logging of IBM i FTP Transactions
SFTP Logging

Logging is only one of the useful features provided by FT4i. You can restrict the IP ranges that are allowed to access your FTP server or those that the FTP client can reach out to. You can state which users are allowed to use which services and when (9-5 Mon – Fri, etc.). You can determine what actions they can carry out and what directories/libraries they can access (basically providing a chroot environment so they can only access specific files and locations). There are a lot of features to help you lock down the FTP Server and Client command to a level that suits your requirements, or you can simply leave everything open and let the logging capabilities provide the checks and balances. You will notice from the above that the logging provided by syslog is not as refined as the logging provided by IBM i logging. You will need to play with the syslog settings to decide what logging is carried out.

Users connected to your Server

At any time you can review the PHP interface and see who is actually connected to your IBM i. This can be useful when you have a lot of users connecting to your system and want to see who has what sessions open.

Connected users (SFTP and FTP)

PHP interface

FT4i comes with a PHP-based interface that can be run on any web server that supports PHP; the installation is a simple unzip of the content to your web server. Internally we use a VM-based web server, but it can just as easily run on an RPi or the IBM i supplied web server and can be up and running in a few minutes. The web interface is provided to allow a modern interface over the FT4i running on the IBM i. It is not a prerequisite for installing FT4i, as all of the configuration and views can be carried out on the IBM i via a 5250 session. It comes with a number of advantages over the 5250 interface, one of the main ones being that you are not stuck with an 80 – 132 character width. The interface provides access to all of the features available via the 5250 interface plus a lot more.

Securing access

The main purpose of FT4i is to secure access to both the FTP Client (command line) and the FTP Server. This is managed in a number of ways:

  • User based restrictions
  • IP based Restrictions

On the user side we also separate the Client and Server settings. This allows you to restrict who can carry out operations using either a command line client or a remote FTP server connection using something like FileZilla. The limitations that can be added to each individual user can determine when they can connect, where they can connect from (IP address), what they can do when they are connected, etc. Here are the configuration pages for the user side.

Server Options

Client Options

IP-based restrictions are provided to allow access from specific IP addresses or segments, plus the ability to restrict specific IP addresses or segments. This can be useful to, for example, set your local LAN as an acceptable IP segment but reject the DMZ IP that is open to the outside world. Here is a sample of the IP address settings available in the PHP interface:

Accept from the local LAN
Reject All others plus DMZ in local LAN
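The IP accept/reject segments shown here, together with the per-user, per-service time and action limits described earlier, amount to one access decision per request. The sketch below is an added illustration, not FT4i code or configuration; the addresses, user name, operation names and rule layout are all constructed assumptions.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed policy values for illustration; none come from FT4i.
ACCEPT = [ip_network("192.168.10.0/24")]    # local LAN segment
REJECT = [ip_network("192.168.10.240/28")]  # DMZ hosts inside the LAN range
USERS = {
    # Client and Server rules are kept separate per user; JSMITH has no
    # "client" rule, so outbound FTP client use is denied for that user.
    "JSMITH": {"server": {"days": range(0, 5),            # Mon=0 .. Fri=4
                          "start": time(9), "end": time(17),
                          "ops": {"LIST", "RETR"}}},
}

def ip_allowed(addr):
    """Reject segments win over accept segments; anything unlisted is rejected."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False                        # unparseable address: fail closed
    if any(ip in net for net in REJECT):
        return False
    return any(ip in net for net in ACCEPT)

def decide(user, service, addr, op, when):
    """Return (allowed, reason). For service 'server', addr is the remote
    peer; for 'client', it is the host the FTP client is reaching out to."""
    if not ip_allowed(addr):
        return False, "ip"
    rule = USERS.get(user.upper(), {}).get(service)
    if rule is None:
        return False, "user"
    in_hours = rule["start"] <= when.time() < rule["end"]
    if when.weekday() not in rule["days"] or not in_hours:
        return False, "schedule"
    if op.upper() not in rule["ops"]:
        return False, "operation"
    return True, "ok"

if __name__ == "__main__":
    monday_10am = datetime(2024, 3, 4, 10, 0)
    for addr in ("192.168.10.25", "192.168.10.245", "203.0.113.7"):
        print(addr, decide("JSMITH", "server", addr, "RETR", monday_10am))
```

Logging the returned reason alongside each decision gives the audit trail something to alert on, for example repeated "ip" or "schedule" denials for one user.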

The user definitions can be set using the default settings or individually determined, so you have lots of flexibility when it comes to setting the user access you need. A PHP page and a 5250 interface are provided to allow these settings to be updated; the following is the PHP page for the default Server settings.

Default Server settings

Securing your IBM i should be a top priority. FT4i is provided to allow you to lock down and log activity for probably one of the most likely points of attack on the IBM i; it's always started on every system even if it's not needed. The Client side cannot be stopped without changing the command name etc., so locking it down is an important step. Remember, most data theft is a result of internal access from authorized users. They have access to all of the data and programs on the system required to do their job; taking the database of customers and contacts from your organization and using it at their next job can be done with a few keystrokes, and without proper logging and security you will probably never know it happened.

The product will use subscription pricing, as do our other products, so contact us today and see just how cost-effective we have made securing the FTP services on your IBM i. As always, a demo of the product can be provided on request.

Chris..
