bvstone
Add Logging, Triggers and Security to your IBM i (AS/400) FTP Server with FTPTOOL
Posted: 10/09/2015, 08:40:31
Years ago when we all started using FTP as a method of delivering data from one machine to another a need was created to log transactions and add security.
On the IBM i, the native FTP server did not have many (if any) logging or security features. Because of our needs, as well as many customer requests, we created FTPTOOL.
FTP Server Logging
The first feature FTPTOOL adds is logging FTP activity from the FTP Server on your IBM i. This logging can be turned on or off at a global level, and also turned on or off at a User ID level. This means that if you're only curious about a couple different user's FTP activity you can log only them. Or, you can choose to log all activity (and then turn off logging for your own or any other User ID).
The layout of the FTP Log file is as following (compliments of the free List File Field Description (LSTFFD) utility):
10/07/15 List File Field Description (LSTFFD) |
As you can see, there is pretty much all the information available that you would need.
Even attempts to log on are recorded. So, if you want to see if people are finding your IBM i and trying to log in through FTP, just make sure logging is turned on and start your detective work.
Initial connections will be logged under the user ID QTCP with an operation of Connect. The User ID will be QTCP because when someone first connects to the FTP server, they haven't attempted to log on and there is no associated User ID. But, you'll also have the IP address of the attempt which can be useful in tracking down malicious behavior.
If someone does attempt to log on just randomly trying User IDs and passwords, those will also be logged.
Initial FTP Library or Directory at a User Level
One issue with the FTP Server on the IBM i is that the initial location (ie, the library system or the IFS) can only be set at a global level.
With FTPTOOL you have the option to override this at a user level. This means that the default setting for the FTP server's initial name format (found using the Change FTP Attributes (CHGFTPA) command) is the default for all users. But, using the FTPTOOL User Maintenance you can override this setting at a User ID level.
First, use the FTPTOOL command to enter the User Maintenance Screen:
| 3/31/26 FTP Tools (FTPTOOL) KS113 14:35:03 User Maintenance BVSTONE User ID . . . *ALL Position to . . . Type options, press Enter. 1=Add 2=Default Directory 3=Copy 4=Delete 9=Work with Operations Input Input Output Output Current Return Opt User ID IP Address User ID Password Library Code Log 0 Y 2 BVSTONE QGPL 1 Y TEST QGPL 1 Y Bottom F3=Exit F5=Refresh |
Select option 2 (Default Directory) next to the user you want to set up a default FTP directory for and you're presented with the following screen:
| 3/31/26 FTP Tools (FTPTOOL) KS113 14:41:28 User Maintenance Current Directory BVSTONE Enter a current directory or leave blank to specify to use the current library option. Current Directory: /home/bvstone_____________________________________________ F12=Cancel |
We can now enter the IFS path that we want to be the default directory for this user.
No stopping and starting of the FTP server is required for this change to take affect. The next time the user logs on to your IBM i using FTP they will automatically start in the directory provided:
|
C:\Users\bvsto>ftp rocklee 230 XXXXXX logged on. |
Locking Down FTP Commands at a Global or User and Library/Directory Level
If your IBM i is used in production as an FTP server where you allow users to connect and either retrieve and/or drop off files, you most likely will want to contain the users that log on to specific libraries or directories.
FTPTOOL allows this feature and it all starts at the global level using the FTPTOOLDFT command. This is where we set up the default security settings that will apply to users that are not set up in the FTPTOOL User Maintenance application.
| FTP Tools Defaults (FTPTOOLDFT) Type choices, press Enter. FTPTOOL Library . . . . . . . . FTPTOOL *SAME, Name Connect . . . . . . . . . . . . *YES *SAME, *YES, *NO Make Directory . . . . . . . . . *YES *SAME, *YES, *NO Remove Directory . . . . . . . . *YES *SAME, *YES, *NO Change Directory . . . . . . . . *YES *SAME, *YES, *NO List Directory . . . . . . . . . *YES *SAME, *YES, *NO Delete File . . . . . . . . . . *YES *SAME, *YES, *NO Client Get . . . . . . . . . . . *YES *SAME, *YES, *NO Client Put . . . . . . . . . . . *YES *SAME, *YES, *NO Rename File . . . . . . . . . . *YES *SAME, *YES, *NO Execute Command . . . . . . . . *NO *SAME, *YES, *NO Log Commands . . . . . . . . . . *YES *SAME, *YES, *NO Bottom F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display F24=More keys |
Once these defaults are set, we can go into the FTP application and at a user level (or even deeper, a user/IP address level) allow, disallow, or conditionally allow (depending on the library or directory) each specific FTP command, one by one.
First is to issue the FTPTOOL command so we are in the FTPTOOL User Maintenance screen:
| 3/31/26 FTP Tools (FTPTOOL) KS113 14:52:40 User Maintenance BVSTONE User ID . . . *ALL Position to . . . Type options, press Enter. 1=Add 2=Default Directory 3=Copy 4=Delete 9=Work with Operations Input Input Output Output Current Return Opt User ID IP Address User ID Password Library Code Log 0 Y 9 BVSTONE QGPL 1 Y TEST QGPL 1 Y Bottom F3=Exit F5=Refresh |
Next, use option 9 next to the user that you want to limit the FTPTOOL commands for. This will bring you into the FTPTOOL Operation Maintenance Screen.
We decided to limit user BVSTONE (hey, that's me!) so that they can only use GET in /home/bvstone. We are also going to turn off the ability for them to use the CMD command which is used to run remote commands through the FTP interface.
| 3/31/26 FTP Tools (FTPTOOL) KS113 14:55:39 Operation Maintenance BVSTONE User ID . . . BVSTONE IP Address . . . Type options, press Enter. 1=Add 3=Copy 4=Delete 9=Work with Paths 10=Work with Commands Opt User ID Oper A Restricted Path BVSTONE BVSTONE GET R /HOME/BVSTONE BVSTONE CMD N Bottom F3=Exit F5=Refresh |
So, we set up the GET FTP command as type "R" for Restricted, and then set up the restricted path of /home/bvstone. We also set up the CMD FTP command as type N for Not Allowed. Any commands not listed here will default to the values in the FTPTOOLDFT command.
Now, when we FTP to our system we can see what's allowed, and what is not:
| 230 BVSTONE logged on. ftp> ls 200 PORT subcommand request successful. 125 List started. .vscode/ startNode.sh test.sh .bashrc .profile .bash_history && .258159.json .258159.json.hdr builds/ cert.json core.20260130.094525.173271.0001.dmp 250 List completed. ftp: 164 bytes received in 0.01Seconds 23.43Kbytes/sec. ftp> get test.sh 200 PORT subcommand request successful. 150 Retrieving file /home/bvstone/test.sh 226 File transfer completed successfully. ftp: 38 bytes received in 0.00Seconds 38.00Kbytes/sec. ftp> get /tmp/test.pdf 200 PORT subcommand request successful. 550 Request rejected. ftp> |
First we retrieve test.txt from the /home/bvstone directory and all is well. Next, we try to retrieve the same file from the /tmp directory. But, because the GET command is limited for user BVSTONE to only the directory /home/bvstone, the request is rejected. Finally, we attempt to run a command and it is not allowed because we have chosen to not allow user BVSTONE to run a command by blocking the FTP CMD command.
FTP Triggers
Another very popular feature of FTPTOOL is the option to call a command or program when a specific user runs a specific FTP command. This is again done from the FTPTOOL operation maintenance.
Let's assume that every time user BVSTONE performed a PUT on our system we wanted to alert QSYSOPR. We simply go into the operation maintenance for user BVSTONE, add the FTP command we want to set the trigger up for (in this case, PUT) and set it's use (allowed, or restricted to certain library(ies) or directory(ies). Then, use option 10 to work with the commands to trigger:
| 3/31/26 FTP Tools (FTPTOOL) KS113 14:58:33 Operation Maintenance BVSTONE User ID . . . BVSTONE IP Address . . . Type options, press Enter. 1=Add 3=Copy 4=Delete 9=Work with Paths 10=Work with Commands Opt User ID Oper A Restricted Path BVSTONE BVSTONE GET R /HOME/BVSTONE 10 BVSTONE PUT Y BVSTONE CMD N Bottom F3=Exit F5=Refresh |
Selecting option 10 next to an operation will take use to the FTPTOOL Command Maintenance screen.
The command that we entered is as follows:
SNDMSG MSG('User &U performed action &O for file &F from IP address &I.') TOUSR(*SYSOPR)
You'll notice that we have some replacement variables in the command.
- &U will be replaced with the User ID
- &O will be replaced with the operation
- &F will be replaced with the fully qualified file name
- &I will be replaced with the IP address
So, if we issue a PUT for a file to our IBM i, we now see that QSYSOPR has the following message:
| Display Messages System: KS113 Queue . . . . . : QSYSOPR Program . . . . : *DSPMSG Library . . . : QSYS Library . . . : Severity . . . : 99 Delivery . . . : *HOLD Type reply (if required), press Enter. From . . . : BVSTONE 03/31/26 15:03:17 User BVSTONE performed action PUT for file /home/bvstone/test.sh from IP address 10.200.2.114. Bottom F3=Exit F11=Remove a message F12=Cancel F13=Remove all F16=Remove all except unanswered F24=More keys |
So, as you can see, FTPTOOL will not only help lock down your IBM i FTP server, but it can also add some neat automation possibilities which are customizable down to the user id level!
The official FTPTOOL documentation can be found at http://docs.bvstools.com/home/ftptool/docs.
FTPTOOL can be downloaded from https://www.bvstools.com/ftptool.html and with all of our software, free demos are available.
Last edited 03/31/2026 at 15:03:58
Reply
© Copyright 1983-2025 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, TinyMCE and running on the IBM i (AKA AS/400, iSeries, System i).