Stopping Unauthorized Users From FTPing To Your IBM i

    January 23, 2013

    Hey, Joe

    My programmers keep setting up automatic FTP downloads from the network using the wrong user profile. For security reasons, they are only supposed to use a special FTP download user profile, but they keep using their own profiles and I have no way to stop this. How can I lock down FTP so that they can only use an authorized user FTP profile for their client FTP sessions?

    –Bob

    You can easily use an FTP exit point to prevent unauthorized users from starting an FTP session on your IBM i partition.

    An IBM i exit point is a specific point in an operating system function where control can be passed to one or more non-operating-system programs during execution. Exit points provide a way to insert custom-written code into the normal processing of a system function. They allow you to temporarily pause a system function and supply additional processing that is specific to your organization.

    In your case, there is an IBM i FTP server exit point that allows you to add custom-written code to the FTP logon process that: 1) views information about an incoming FTP client logon request; and 2) tells the system whether it should accept or reject that particular logon request. This exit point is called QIBM_QTMF_SVR_LOGON, and it’s a good fit for your situation. Adding an exit program to this exit point will allow you to reject FTP logon attempts from unauthorized users.

    Here’s how to configure an FTP server exit point program to stop unauthorized users from starting FTP sessions on your system.

    1. The name of the exit point you’ll want to use is QIBM_QTMF_SVR_LOGON with the TCPL0100 exit point format. The exit point format is important because there are three exit point formats available for FTP sessions, and the TCPL0100 format is the one you use for allowing or rejecting an FTP logon.

    2. You can learn more about the QIBM_QTMF_SVR_LOGON exit point and retrieve a sample FTP Server Logon exit program from the FTP server logon exit point Web page in the IBM i 6.1 Information Center. The sample programs are written in CL, C, and ILE RPG. Save and open the sample code in an editor. For this example, let’s assume you’re using the sample CL program code.

    3. The TCPL0100 exit point format contains a number of parameters for retrieving FTP logon information and for accepting or rejecting a specific user sign-on. If you download the sample code, these parameters will already be in your program. To check for valid users, you’ll be interested in the User Profile input parameter and the Return Code output parameter.

    4. Inside your program editor, delete the IBM sample code for changing the current library for the ANONYMOUS user to a public library. These commands will not be needed. This code is roughly the 14 lines before the End Program (ENDPGM) statement.

    5. Add the following CL code to the sample code. (Note: your program line numbers will be different from what’s shown here.)

    0031.00   DCL        VAR(&USERNAME) TYPE(*CHAR) LEN(10)

    0043.00   CHGVAR     VAR(&USERNAME) VALUE(%SST(&USRIN 1 &USRLEN))
    0044.00
    0045.00   IF         COND(&USERNAME *NE 'auth_user') THEN(DO)
    0046.00   CHGVAR     VAR(%BINARY(&RETCDOUT)) VALUE(0)
    0047.00   ENDDO
    0048.00   ELSE       CMD(DO)
    0049.00   CHGVAR     VAR(%BINARY(&RETCDOUT)) VALUE(1)
    0050.00   ENDDO

    Here’s what each code line does:

    Line 0031.00 declares a CL variable (&USERNAME) that will hold the name of the FTP user attempting to log on.

    Line 0043.00 retrieves the user profile name of the FTP user who is trying to start a session on your IBM i partition. It does this by extracting the user name from the incoming user identifier parameter (&USRIN), starting at position 1 and running for the length given in the user identifier length parameter (&USRLEN). The name is copied into the &USERNAME CL variable declared on line 0031.00.

    Lines 0045.00 through 0050.00 check whether the incoming user name is an authorized user. If the incoming user name does not match an authorized user name, the code sets the Return Code output parameter (&RETCDOUT) to ‘0’ (reject). If it does match, it sets &RETCDOUT to ‘1’ (allow). When the operating system regains control from your exit program, it checks the return code and either allows (&RETCDOUT = ‘1’) or rejects (&RETCDOUT = ‘0’) the FTP logon request.

    Change this code to match whatever programming language and user names you want to check for. You can add as many other authorized users as necessary to the code.
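    As an added illustration (not code from the column or from IBM's sample), here is one way to extend the step 5 logic to an allow list of several FTP profiles while failing closed. It assumes the IBM sample you downloaded has already declared the TCPL0100 parameters it uses: &USRIN (user identifier, *CHAR), &USRLEN (its length, *INT, as the %SST on line 0043.00 implies) and &RETCDOUT (return code, *CHAR LEN(4), set through %BINARY); the profile names FTPDLOAD, FTPBATCH and FTPRPT are made-up placeholders.

```cl
/* Added example, not part of the column or IBM's sample program.       */
/* Assumes &USRIN, &USRLEN and &RETCDOUT are the TCPL0100 parameters    */
/* already declared by the sample exit program.                         */
             DCL        VAR(&USERNAME) TYPE(*CHAR) LEN(10)
             /* Allow list: one 10-byte slot per profile, blank padded.  */
             /* Placeholder names; replace with your FTP profiles.       */
             DCL        VAR(&ALLOWED)  TYPE(*CHAR) LEN(30) +
                          VALUE('FTPDLOAD  FTPBATCH  FTPRPT    ')
             DCL        VAR(&SLOT)     TYPE(*INT)  LEN(4)
             DCL        VAR(&MATCH)    TYPE(*LGL)  VALUE('0')

             /* Fail closed: reject unless a slot matches below.         */
             CHGVAR     VAR(%BINARY(&RETCDOUT)) VALUE(0)

             /* An empty or over-long user id can never be a profile,    */
             /* so reject it before touching %SST.                       */
             IF         COND((&USRLEN *LT 1) *OR (&USRLEN *GT 10)) +
                          THEN(RETURN)

             CHGVAR     VAR(&USERNAME) VALUE(%SST(&USRIN 1 &USRLEN))

             /* Compare against each 10-byte slot; stop at first hit.    */
             DOFOR      VAR(&SLOT) FROM(1) TO(21) BY(10)
                IF         COND(&USERNAME *EQ %SST(&ALLOWED &SLOT 10)) +
                             THEN(DO)
                   CHGVAR     VAR(&MATCH) VALUE('1')
                   LEAVE
                ENDDO
             ENDDO

             /* Only an explicit match turns the reject into an accept.  */
             IF         COND(&MATCH) THEN(DO)
                CHGVAR     VAR(%BINARY(&RETCDOUT)) VALUE(1)
             ENDDO
             RETURN
```

    The comparison is an exact CL string compare, so the allow-list entries must be spelled exactly as the FTP server passes the user identifier to the exit point.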

    Compile the program.

    6. Set your partition’s exit point to use your newly created FTP logon checking program. On an RPG green screen, view and work with your system’s exit points by running the Work with Registration Information (WRKREGINF) command. You’ll get a screen that looks like the following. Scroll down until you see the QIBM_QTMF_SVR_LOGON exit point with the TCPL0100 exit point format.

    Figure 1

    Put an ‘8’=Work with Exit Program in front of that exit point and press ENTER. This will bring you to the Work with Exit Programs screen for the QIBM_QTMF_SVR_LOGON exit point. Enter a ‘1’=Add under the Opt column, and enter the name and library of your custom-written exit program under the Exit Program and Library columns. Press ENTER.

    Figure 2

    Doing this will register your custom-written program with the exit point. Test as necessary to make sure your code is working correctly.

    After this is done, all FTP logon requests will pass through your exit point program, which will only allow authorized users to start an FTP session on your system.

    HTH

    –Joe

Volume 13, Number 2 -- January 23, 2013