OS/400 Alert: Security Is More Than Staying Current

by Shannon O'Donnell

Security involves more than simply keeping your virus definitions and PTF levels up to date. Sometimes you have to take a more proactive stance and take measures to control access manually. This issue explains how you can control access to a host of OS/400 services and gives you an example using FTP. Also this week, we have discovered that IBM doesn't always use rigid analysis in solving OS/400 problems. Sometimes they just take the "what the heck, let's see if this fixes it" approach, like the rest of us!

Locking Down OS/400 TCP/IP Services

Viruses and worms are not the only things that can create havoc on your iSeries. Unintentional actions by curious users can also create problems for you, sometimes with disastrous results. Intentional actions carried out through holes in your own security can also leave you vulnerable to a loss of data and information as well as to the possibility of program or data corruption. Leaving TCP/IP services such as FTP open and available to all can make your iSeries a sitting duck. Here's one quick and easy method you can use to lock down the FTP server on your system.

iSeries Navigator to the Rescue!

There is a fairly unknown feature in iSeries Navigator called Application Administration. (I say that Application Administration is fairly unknown because IBM chose to hide it behind a right-click context menu in iSeries Navigator, which makes it difficult to find.) Application Administration is a GUI-based access control manager for a wide variety of applications and services on your iSeries and client PCs. By using this tool, you can control access to the most often used, as well as to several little used, functions and features of the iSeries.

You'll then see a panel containing three tabs: iSeries Navigator, Client Applications, and Host Applications. We'll skip the first two tabs for now and focus on the third. Click the Host Applications tab.
In the resulting list, expand the "TCP/IP Utilities for iSeries" tree item. As you can see, you can control, at the system level, which FTP services and commands your users have access to. By selecting the Default Access box next to the service and command you want to work with, you are granting access to that function to all users on your system. Deselecting an item in the "All Object Access" box column prevents users who have *ALLOBJ authority in their user profile from using these services.

If you want to restrict access at the user or group profile level, right-click the service and select the Customization menu item. When you do, you will be presented with a configuration panel.

Although it's not a fool-proof method for locking down FTP, it's at least one more tool you can add to your arsenal. Explore and play around a little bit with Application Administration and see what else you can find to help you maintain a more secure system.

Nasty Windows Worries of the Week

Trojan.Abaxo is an interesting, very specific virus that takes the form of a Trojan horse and sends banking details to a remote server for collection.

Backdoor.Surdux is yet another Internet Relay Chat (IRC) Trojan that allows its author to gain remote control of your PC.

Trojan.Linux.Zab is, despite its name, a Windows virus that compromises the security of your PC by using Port 22 (the SSH daemon port) to send benign data to its author. This is more of an annoyance than a real threat.

PWSteal.Lemir.E--All you people playing the online game Legend of Mir 2 at work are going to get into trouble from this Trojan horse if you don't keep your virus definitions up to date. This Trojan attempts to steal your Legend of Mir 2 password and e-mail it to the virus author.

Backdoor.Hazzer is a virus that attempts to execute several malicious little commands, such as deleting DOS on your PC.

Backdoor.Peeper is a backdoor virus that listens on Port 5180 for commands to be executed on your unsuspecting PC.
How to Tell What Ports Are Open on Your PC and iSeries

Many times you read about a virus or Trojan horse that listens on a specific port on your PC, and you are warned to check that port to see if it is open. The only trouble is that, most of the time, the folks telling you to check those ports never bother telling you how to check them. So how do you tell which ports are open?

On your PC, click the Windows Start button. On the Run menu item, enter CMD on Windows 2000 and XP systems; enter Command on Windows 98 and Millennium Edition systems. Then click the OK box. Next, type in the DOS command NETSTAT -a. This will display all open ports on your system.

On the iSeries, you can achieve the same results using the NETSTAT command from an OS/400 command line and then selecting option 3 from the resulting menu.

PTFs and Fixes for OS/400 and Related Programs

IBM continues to recommend that you apply the latest cumulative packages, which came out on September 9 for V5R2 customers. The latest HIPER package was just released last week on September 16, so if you're not current on that one, you would be wise to grab it and load it. The Database Group PTF has not been updated since mid-August, so if you've applied one in the last few weeks, you're probably okay for the foreseeable future.

For complete details on this week's recommended fixes, go to IBM's iSeries and AS/400 Technical Support site.

This Week's PTF Highlights

PTF number MF31082 fixes a problem with address validations that is caused whenever an iSeries DHCP server receives a large response from a DNS server during an "A-type" verification. I wanted to point out this PTF because I got a kick out of IBM's response to it. Here's the response, in its entirety:

"We have increased stack storage size in several locations. One of these locations was in all likelihood the location that resulted in the system crash. We have also added additional code checks to prevent exceeding storage size in some code paths."
Who knew that IBM programmers took the shotgun approach to programming just like the rest of us poor peons? They are not sure what caused the problem, but they think that increasing storage sizes everywhere will surely fix the problem. Well, gotta give them credit for trying.
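
The port check described under "How to Tell What Ports Are Open on Your PC and iSeries" can be automated once the NETSTAT output is saved to a file. The Python below is an added example, not part of the original article: it parses Windows-style NETSTAT output, lists the listening ports, and flags port 5180, which the article ties to Backdoor.Peeper. The sample output is constructed, the function names are hypothetical, and treating 5180 as a TCP port is an assumption.

```python
import re

# Port named in the article: Backdoor.Peeper listens on 5180 (assumed TCP here).
WATCHED_PORTS = {5180: "Backdoor.Peeper"}

# Constructed sample in the layout Windows prints for "netstat -an"
# (not captured from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5180           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.5:23         ESTABLISHED
  TCP    [::]:5180              [::]:0                 LISTENING
  UDP    0.0.0.0:1026           *:*
"""

# proto, local address (IPv4, hostname or [IPv6]), local port, foreign, optional state
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listening_ports(netstat_text):
    """Return sorted (proto, port) pairs that accept inbound traffic."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, _addr, port, _foreign, state = m.groups()
        # TCP rows count only in LISTENING state; UDP rows have no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        # Without -n, well-known ports print as service names; keep those as text.
        found.add((proto, int(port) if port.isdigit() else port))
    return sorted(found, key=lambda p: (p[0], str(p[1])))

def flag_watched(ports, watched=WATCHED_PORTS):
    """Return (port, name) for listening TCP ports that are on the watch list."""
    return sorted({(port, watched[port]) for proto, port in ports
                   if proto == "TCP" and port in watched})

if __name__ == "__main__":
    ports = listening_ports(SAMPLE_NETSTAT)
    print("listening:", ports)
    for port, name in flag_watched(ports):
        print(f"port {port} is open; the article associates it with {name}")
```

A listening port on the watch list is a reason to investigate which program owns it, not proof of infection, since any program can bind an unused port.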
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.