I've had several customers run web apps for customers and their in-house
apps on a single partition server. These are small companies with no tech
staff, no network admin, and basically "lights out" systems - no one monitors
except me. In 10 years none has been taken down or infiltrated (that we can
detect). One has had multiple hacks of Win stuff, spammers taking over
Exchange, etc., but that network was reworked & firewalled.

All web, ftp traffic is tunnelled to the i, and firewall is set to not allow
anything originating from the outside except email tunnelled to an Exchange
server.

The i takes many script attacks every day - all end up in the Apache error
log. The scripts are win, unix, php stuff.

The apps do not take credit cards - we would not pass a PCI audit.

Customers (with signed contracts) log on to an RPGLE/cgi app & place & review
orders, run reports, reprint stmts, sign up for events, etc. They are not
using OS400 security.

Briefly:

Remote access direct to the network or i is by vpn only with strong keys.
No ftp to the i except from specific ip (exit pgms). Never remote telnet. No
remote pc (pc-anywhere) allowed in the network. Many of the recommendations
of the old redbook Protecting Your AS400 from Harm on the Internet were
implemented. System is at security level 50. Audit journal on & monitored.
Every once in a while I turn on a comm trace - nothing yet. No easy profiles
on system, & chg pwd every 30 days, hard pwd rules. All tcp servers not used
turned off. No guest profiles for anything. Strong antivirus, spyware
detection on network. Web app accepts nothing direct into sql (sql
injection) without editing. Web app accesses a single lib & single main folder
in IFS and it is locked down. There is nothing fancy in web app, it's html4,
almost no javascript or ajax. Reasonably up to date with ptfs and the new
security group, tcp group, http, database, etc.

I am bluntly honest with the owners about their risk. They are ok with that.
This is not for financial institutions, high profile companies, government
or education, or anyone with a budget to provide a better infrastructure.

Read the redbook Configure Your System For Common Criteria Security, and
Experts Guide to OS/400 & i5/OS Security by Woodbury & Botz, also Hacking
iSeries by Carmel, and an older book - Know Your Enemy (The Honeynet
Project), an interesting view of who hackers are... probably out of date but
it's a start.

Certainly with all the reading material, I have not implemented many things,
but where I can I do.

I fear keyboard loggers on PCs more than web hackers.

Jim Franz

----- Original Message -----
From: <elehti@xxxxxxxxxxxxxxxxxx>
To: <web400@xxxxxxxxxxxx>
Sent: Friday, August 14, 2009 3:39 PM
Subject: [WEB400] protecting your public-facing, web-enabled IBM i from hackers

My question to all of you who have public-facing, web-enabled IBM i
machines running your core applications.

How do you secure this machine against possible hacking attempts from
outsiders?

If your website has web apps like self-service for your customers and
suppliers, allowing people to view/change data that resides on your
system, how do you protect your machine?

Or do you keep your system off the internet, and web-enable a secondary
file-server machine instead?

I am aware that thousands of banks and credit unions running their
[censored] core banking applications on the IBM i use a "middleware web
server" that acts as a conduit between the bank customer web page and
the System i, thus enabling banking customers to transact their banking
business without needing a different IBM user profile for each bank
customer. The RPGIV programs running on the System i send and receive
customer-specific information via data queues out to the middleware web
server.
--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.
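
Added example, not part of either post above: one way to triage an Apache error log on a host that serves only RPGLE/CGI apps, where Windows, Unix and PHP probes cannot succeed and can be counted as noise so the remaining lines get read by hand. The log layout, signature patterns, paths, program name and IP addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout: classic Apache error_log lines; adjust LINE_RE to your server.
LINE_RE = re.compile(
    r"^\[[^\]]+\] \[\w+\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")

# Illustrative signatures for the three families named in the post. None of
# these technologies exists on an RPGLE/CGI-only host, so a hit is scanner noise.
FAMILIES = [
    ("win", re.compile(r"cmd\.exe|\.aspx?\b|\.dll\b|/scripts/", re.I)),
    ("php", re.compile(r"\.php\b|phpmyadmin", re.I)),
    ("unix", re.compile(r"/etc/passwd|/bin/sh|\.(pl|sh)\b", re.I)),
]

# Constructed sample input (documentation IP ranges, made-up paths).
SAMPLE = """\
[Fri Aug 14 03:12:01 2009] [error] [client 203.0.113.7] File does not exist: /www/app/htdocs/scripts/cmd.exe
[Fri Aug 14 03:12:02 2009] [error] [client 203.0.113.7] File does not exist: /www/app/htdocs/phpmyadmin/index.php
[Fri Aug 14 03:40:10 2009] [error] [client 198.51.100.23] File does not exist: /www/app/htdocs/cgi-bin/test.pl
[Fri Aug 14 03:40:11 2009] [error] [client 198.51.100.23] Invalid URI in request GET /../../etc/passwd HTTP/1.0
[Fri Aug 14 09:05:44 2009] [error] [client 192.0.2.50] Premature end of script headers: ORDERS.PGM
[Fri Aug 14 23:59:00 2009] [notice] caught SIGTERM, shutting down
"""

def classify(msg):
    """Return the probe family a message matches, or None."""
    for name, rx in FAMILIES:
        if rx.search(msg):
            return name
    return None

def triage(lines):
    """Count known-noise probes; return everything else for manual review."""
    by_family, by_client, review = Counter(), Counter(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        family = classify(m["msg"]) if m else None
        if family is None:
            review.append(line)      # unparsed or unexplained: read by hand
        else:
            by_family[family] += 1
            by_client[m["ip"]] += 1
    return by_family, by_client, review

if __name__ == "__main__":
    fam, cli, review = triage(SAMPLE.splitlines())
    print(dict(fam), cli.most_common(2))
    print("\n".join(review))
```

On the sample, the four probe lines are counted by family and client, while the CGI program failure and the server notice are returned for review.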