bvstone

Add Logging, Triggers and Security to your IBM i (AS/400) FTP Server with FTPTOOL

Posted:

Add Logging, Triggers and Security to your IBM i (AS/400) FTP Server with FTPTOOL

Years ago when we all started using FTP as a method of delivering data from one machine to another a need was created to log transactions and add security.

On the IBM i, the native FTP server did not have many (if any) logging or security features.  Because of our needs, as well as many customer requests, we created FTPTOOL.

FTP Server Logging
The first feature FTPTOOL adds is logging FTP activity from the FTP Server on your IBM i.  This logging can be turned on or off at a global level, and also turned on or off at a User ID level.  This means that if you're only curious about a couple different user's FTP activity you can log only them.  Or, you can choose to log all activity (and then turn off logging for your own or any other User ID).

The layout of the FTP Log file is as following (compliments of the free List File Field Description (LSTFFD) utility):

10/07/15             List File Field Description (LSTFFD)              
07:29:56                                                                
                                                                               
File Name . . . . FTPLOGPF                                                     
  Library . . . .   FTPTOOL                                                    
Format Descr  . .                                                              
Format Name . . . RFTPLOG                                                      
File Type . . . . PF            Unique Keys - N                                
                                                                               
Field Name FMT Start Lngth Dec Key Field Description                           
FLDATE      S      1     8  00     Oper Date                                   
FLTIME      S      9     6  00     Oper Time                                   
FLAPPID     B     15     9  00     Application ID                              
FLOPERID    B     19     9  00     Operation ID                                
FLOPERD     A     23    10         Operation Desc                              
FLUSRID     A     33    10         User ID                                     
FLIPADD     A     43    15         Remote IP Address                           
FLAUTH      A     58   256         Authentication String                       
FLPATH      A    314   256         Path                                        
FLSTATUS    B    570     9  00     Operation Status  
                         

As you can see, there is pretty much all the information available that you would need.  

Even attempts to log on are recorded.  So, if you want to see if people are finding your IBM i and trying to log in through FTP, just make sure logging is turned on and start your detective work.  

Initial connections will be logged under the user ID QTCP with an operation of Connect.  The User ID will be QTCP because when someone first connects to the FTP server, they haven't attempted to log on and there is no associated User ID.  But, you'll also have the IP address of the attempt which can be useful in tracking down malicious behavior.

If someone does attempt to log on just randomly trying User IDs and passwords, those will also be logged. 

Initial FTP Library or Directory at a User Level
One issue with the FTP Server on the IBM i is that the initial location (ie, the library system or the IFS) can only be set at a global level.

With FTPTOOL you have the option to override this at a user level.  This means that the default setting for the FTP server's initial name format (found using the Change FTP Attributes (CHGFTPA) command) is the default for all users.  But, using the FTPTOOL User Maintenance you can override this setting at a User ID level.

First, use the FTPTOOL command to enter the User Maintenance Screen:

Select option 2 (Default Directory) next to the user you want to set up a default FTP directory for and you're presented with the following screen:

We can now enter the IFS path that we want to be the default directory for this user.  

No stopping and starting of the FTP server is required for this change to take affect.  The next time the user logs on to your IBM i using FTP they will automatically start in the directory provided:

Locking Down FTP Commands at a Global or User and Library/Directory Level
If your IBM i is used in production as an FTP server where you allow users to connect and either retrieve and/or drop off files, you most likely will want to contain the users that log on to specific libraries or directories.

FTPTOOL allows this feature and it all starts at the global level using the FTPTOOLDFT command.  This is where we set up the default security settings that will apply to users that are not set up in the FTPTOOL User Maintenance application.

Once these defaults are set, we can go into the FTP application and at a user level (or even deeper, a user/IP address level) allow, disallow, or conditionally allow (depending on the library or directory) each specific FTP command, one by one.

First is to issue the FTPTOOL command so we are in the FTPTOOL User Maintenance screen:

Next, use option 9 next to the user that you want to limit the FTPTOOL commands for.  This will bring you into the FTPTOOL Operation Maintenance Screen.

We decided to limit user BVSTONE (hey, that's me!) so that they can only use GET in /home/bvstone.  We are also going to turn off the ability for them to use the CMD command which is used to run remote commands through the FTP interface.

So, we set up the GET FTP command as type "R" for Restricted, and then set up the restricted path of /home/bvstone.  We also set up the CMD FTP command as type N for Not Allowed.  Any commands not listed here will default to the values in the FTPTOOLDFT command.

Now, when we FTP to our system we can see what's allowed, and what is not:

First we retrieve test.txt from the /home/bvstone directory and all is well.  Next, we try to retrieve the same file from the /tmp directory.  But, because the GET command is limited for user BVSTONE to only the directory /home/bvstone, the request is rejected.  Finally, we attempt to run a command and it is not allowed because we have chosen to not allow user BVSTONE to run a command by blocking the FTP CMD command.

FTP Triggers
Another very popular feature of FTPTOOL is the option to call a command or program when a specific user runs a specific FTP command.  This is again done from the FTPTOOL operation maintenance.  

Let's assume that every time user BVSTONE performed a PUT on our system we wanted to alert QSYSOPR.  We simply go into the operation maintenance for user BVSTONE, add the FTP command we want to set the trigger up for (in this case, PUT) and set it's use (allowed, or restricted to certain library(ies) or directory(ies).  Then, use option 10 to work with the commands to trigger:

Selecting option 10 next to an operation will take use to the FTPTOOL Command Maintenance screen.

The command that we entered is as follows:

SNDMSG MSG('User &U performed action &O for file &F from IP address &I.') TOUSR(*SYSOPR)

You'll notice that we have some replacement variables in the command.  

  • &U will be replaced with the User ID
  • &O will be replaced with the operation
  • &F will be replaced with the fully qualified file name
  • &I will be replaced with the IP address 

So, if we issue a PUT for a file to our IBM i, we now see that QSYSOPR has the following message:

             

So, as you can see, FTPTOOL will not only help lock down your IBM i FTP server, but it can also add some neat automation possibilities which are customizable down to the user id level!                   

The official FTPTOOL documentation can be found at http://docs.bvstools.com/home/ftptool/docs.           

FTPTOOL can be downloaded from https://www.bvstools.com/ftptool.html and with all of our software, free demos are available.                        


Last edited 10/09/2015 at 09:01:57



Latest Posts:

Update for Google WorkSpace Accounts (2024): Google Dropping Support for Update for Google WorkSpace Accounts (2024): Google Dropping Support for "Less Secure Apps" May 30th, 2022. What Does This Mean for Your IBM i Email?
Posted by January 19, 2024
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
Sales By State Report in QuickBooks Online Sales By State Report in QuickBooks Online
Posted by January 13, 2024
QuickBooks >> QuickBooks Online
How to Whitelist GreenTools for G Suite (G4G) For Your Organization How to Whitelist GreenTools for G Suite (G4G) For Your Organization
Posted by November 5, 2023
BVSTools >> BVSTools Software Discussion >> GreenTools for G Suite (Google Apps) (G4G) Specific Discussion
QuickBooks Online Releases QuickBooks Online Releases "New Invoices!"... and It's Terrible!
Posted by October 8, 2023
QuickBooks >> QuickBooks Online
Admin/4i - What is it? Admin/4i - What is it?
Posted by September 30, 2023
Vendor Corner >> MSD Information Technology
BVSTools Releases Send Job Log to BVSTools (SNDLOG2BVS) Command BVSTools Releases Send Job Log to BVSTools (SNDLOG2BVS) Command
Posted by August 28, 2023
BVSTools >> BVSTools Announcements
MAILTOOL Now Allows Email Redirection for Development and Testing MAILTOOL Now Allows Email Redirection for Development and Testing
Posted by May 27, 2023
BVSTools >> BVSTools Announcements >> eMail Tool (MAILTOOL) Specific Announcements
GreenTools for Microsoft Apps (G4MS) Now Supports Footers When Sending Email GreenTools for Microsoft Apps (G4MS) Now Supports Footers When Sending Email
Posted by March 29, 2023
BVSTools >> BVSTools Announcements >> GreenTools for Microsoft Apps (G4MS) Specific Announcements
QuickBooks Online - Subtotals and Discounts Frustration QuickBooks Online - Subtotals and Discounts Frustration
Posted by March 16, 2023
QuickBooks >> QuickBooks Online
Making the Switch From QuickBooks Desktop to QuickBooks Online - No Picnic Making the Switch From QuickBooks Desktop to QuickBooks Online - No Picnic
Posted by March 16, 2023
QuickBooks >> QuickBooks Online
BVSTools Software Verified on V7R5 and Power10 BVSTools Software Verified on V7R5 and Power10
Posted by December 9, 2022
BVSTools >> BVSTools Announcements
Microsoft Office 365 Servers and Random Errors Issue Microsoft Office 365 Servers and Random Errors Issue
Posted by November 14, 2022
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
Sending/Resending Emails Using a MIME File with MAILTOOL Sending/Resending Emails Using a MIME File with MAILTOOL
Posted by November 8, 2022
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
Sending an HTML Email on Your IBM i Using MAILTOOL Sending an HTML Email on Your IBM i Using MAILTOOL
Posted by November 1, 2022
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
Transferring License Keys from One System to Another Transferring License Keys from One System to Another
Posted by October 31, 2022
BVSTools >> BVSTools Software Discussion

Reply




© Copyright 1983-2020 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, CKEditor and running on the IBM i (AKA AS/400, iSeries, System i).