SecureMyi.com Security and Systems Management Newsletter for the IBM i                 March 13, 2013 - Vol 3, Issue 25
Securing TCP/IP and Host Servers

By Dan Riehl

Unless you have changed your network server startup defaults, a lot of network servers are starting on your system that you have no earthly need to run. Running servers that are not needed opens up additional network pathways to your system, and every one of them increases your exposure.

For example, why turn your IBM i into a mail server by starting POP3 and/or SMTP when your system will never process any e-mail? But, unless you have changed the IBM defaults, your system is running the servers to process e-mail.

The IBM shipped defaults will automatically start a large number of servers when you start the Host servers and TCP/IP servers.

Here is a list of the servers that are set to automatically start in IBM i 6.1:
Central Server, Database Server, Database SSL Server, Data Queue Server, DRDA-DDM Server TCP/IP, File Server, File Server SSL, FTP Server, IBM Help Server, Tivoli Directory Server, i5/OS NetServer, Management Central Server, Network Print Server, On Demand Server, Remote Command Server, Server Port Mapper, Signon Server, SMTP (Simple Mail Transfer Protocol) Server, TELNET Server, Transfer Function Server TCP/IP, Virtual Print Server.

Along with the servers that are automatically started, numerous server related clients and daemons are set to start when particular servers start.

Information on each IBM i 6.1 server, including server names, associated jobs and auto-start settings, can be found in the IBM i 6.1 Information Center.

Stark Terror when Starting and Ending TCP/IP servers

The IBM supplied default values when starting a TCP/IP server will cause all TCP/IP servers to attempt to start. That is one of the main problems we have in controlling the start of these servers. A well-meaning IT staff member types STRTCPSVR and presses Enter, and every TCP/IP server attempts to start. The STRTCPSVR (Start TCP/IP Server) command's default value of SERVER(*ALL) is not appropriate. It runs the command as shown here.

STRTCPSVR SERVER(*ALL)

I urge that you change the CL command default value for the STRTCPSVR command's SERVER parameter from the value *ALL to the value *AUTOSTART. You can change the command default using the command:

CHGCMDDFT CMD(STRTCPSVR) NEWDFT('SERVER(*AUTOSTART)')

Setting the command default in this way will bring the action of starting TCP/IP servers with the STRTCPSVR command in line with the action of the STRTCP (Start TCP/IP) command, which starts only the servers that are set to AUTOSTART(*YES).

A similar, and even more terrorizing, command is ENDTCPSVR (End TCP/IP Server). It also has the default value of SERVER(*ALL). So, simply typing ENDTCPSVR and pressing Enter will bring down all of the TCP/IP servers, including the TELNET server, which will kill all the interactive jobs at all the workstations that are using TELNET.

ENDTCPSVR SERVER(*ALL)

In this case, I strongly urge you to change the command default to some server that you do not use. In this example, I change the ENDTCPSVR command's SERVER default value to end only the POP (Post Office Protocol) mail server, a server I do not use. If you use POP, select an unused server for the command's SERVER default value.

CHGCMDDFT CMD(ENDTCPSVR) NEWDFT('SERVER(*POP)')

Where is the Server Start-Up Configuration Stored?

The startup information for the servers is stored in an IBM supplied database file. The server startup file is QUSRSYS/QATOCSTART. You can use DFU or some other database editor tool to view and maintain your server auto-start defaults. You can also manipulate the contents of this file with SQL, RPG, COBOL or any other facility or program.

Example of using DFU (UPDDTA) to edit/view/update settings in the file QUSRSYS/QATOCSTART

For servers that you want to change the "Auto Start" setting, simply change the value from *YES to *NO, or *NO to *YES.


 WORK WITH DATA IN A FILE                       Mode . . . . :   CHANGE 
 Format . . . . :   QTOCSTRT                    File . . . . :   QATOCSTART 
                                     
 Server:             *FTP            
 SVR TYP:            T               
 Auto Start:         *YES    
 Library of Program: QTCP                
 Program to Call:    QTMFJOBS            
 External Start CMD: QSYS/STRTCPSVR SERVER(*FTP) 
                              
 External End CMD:   QSYS/ENDTCPSVR SERVER(*FTP)
                                      
 Reserved:           ____________________________


What about New Servers - Like the IBM HELP Server?

When you install a new i/OS release there will normally be some new servers. Some of these new servers will automatically start. In V5R4, IBM added the IBM Help Server. This new server ships with a default of AUTOSTART(*YES). So, after an upgrade to V5R4, you'll see some new server jobs: QIBMHELP (the help server start program), which launches a web service and starts Eclipse with the command STRECLIPSE.

In order to keep this server from starting automatically, change the associated IBMHELP server record in the QUSRSYS/QATOCSTART file to Auto-Start *NO.

Note: If a STRTCPSVR *ALL is done, this server will still attempt to start, as will all TCP/IP Servers.
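The DFU edit shown above and the IBMHELP change just described can also be done with SQL against QUSRSYS/QATOCSTART, as the article notes. The following is an added example, not part of the original newsletter. The column names (SERVER, SVRTYPE, AUTOSTART, PGMLIB, PGMNAME, STRCMD) and the library MYLIB are assumptions; confirm the real field names with DSPFFD FILE(QUSRSYS/QATOCSTART) before running the UPDATE.

```sql
-- Added example, assumed column names. Run in STRSQL or RUNSQLSTM with SQL
-- naming (library.file); under *SYS naming write QUSRSYS/QATOCSTART instead.

-- 1. Inventory: which servers will STRTCP / STRTCPSVR SERVER(*AUTOSTART)
--    bring up? Everything listed here is a listening service you own.
SELECT SERVER, SVRTYPE, AUTOSTART, PGMLIB, PGMNAME, STRCMD
  FROM QUSRSYS.QATOCSTART
 WHERE AUTOSTART = '*YES'
 ORDER BY SERVER;

-- 2. Harden: the mail servers and the help server from the article are
--    switched off. Extend the IN list with the servers your site never uses.
--    The SERVER values are the same *FTP-style keys the DFU screen shows.
UPDATE QUSRSYS.QATOCSTART
   SET AUTOSTART = '*NO'
 WHERE SERVER IN ('*SMTP', '*POP', '*IBMHELP')
   AND AUTOSTART = '*YES';

-- 3. Verify the change took effect.
SELECT SERVER, AUTOSTART
  FROM QUSRSYS.QATOCSTART
 WHERE SERVER IN ('*SMTP', '*POP', '*IBMHELP');

-- 4. Baseline before an OS upgrade, then diff afterwards so a newly shipped
--    AUTOSTART(*YES) server (the IBM Help Server case) is noticed rather
--    than discovered as an unexpected job. MYLIB is an assumed library.
CREATE TABLE MYLIB.QATOCBASE AS
  (SELECT SERVER, AUTOSTART FROM QUSRSYS.QATOCSTART) WITH DATA;

-- After the upgrade: rows set to *YES now that were not *YES in the baseline.
SELECT SERVER, AUTOSTART FROM QUSRSYS.QATOCSTART WHERE AUTOSTART = '*YES'
EXCEPT
SELECT SERVER, AUTOSTART FROM MYLIB.QATOCBASE  WHERE AUTOSTART = '*YES';

-- Note: this file only governs *AUTOSTART behaviour. STRTCPSVR SERVER(*ALL)
-- still starts every server, which is why the command default change matters.
```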

A few notes about the IBM Help Server

At IBM i 6.1 and 7.1 you can end the server with the command ENDTCPSVR SERVER(*IBMHELP).

But, at version V5R4, IBM recommends that you shut it down from qshell using the following QSH script:

/QIBM/ProdData/OS400/Eclipse/EclipseStop

For more information on starting and stopping the IBM HELP server see the IBM Help Server Support document 410286503.


About the Author

Dan Riehl is the Editor of the SecureMyi Security Newsletter and a Security Specialist for the IT Security and Compliance Group, LLC.

Dan performs IBM i security assessments and provides security consulting, remediation, forensic evaluations, and other customized security services for his clients. He also provides training in all aspects of IBM i security and other technical areas through The 400 School, Inc.
