Securing FTP access using VESOFT software
by Adrian Partridge, GAINSBOROUGH SOFTWARE LTD., UK
To be published in INTERACT magazine, '98

MPE is a wonderful operating system. Not many platforms can boast that their OS has had a lifespan of 25 years and is still going strong. One of many reasons for this is that HP is willing to listen to its customer base and provide them with the features they need. The latest versions of MPE (5.0 and 5.5) include POSIX extensions and the INTERNET services. These features have enabled the HP3000 to become "an open system," providing interoperability between UNIX and PC platforms.

Unfortunately, from a security point of view, "open systems" mean trouble. All the work and money you probably invested in protecting your company information may be compromised because of new methods of access. In most cases it is!

** FTP CLIENT CAN COMPROMISE SECURITY ON YOUR HP3000 **

FTP is a protocol that allows computers on different platforms to transfer files through a set of common commands. FTP comes as part of the ARPA network services and comprises two components: the client software, and the server software (FTPMON.ARPA.SYS) which runs on your HP3000, waiting for clients to connect.

To connect, all you need is to supply a host IP address and a username. To determine the node name or IP address of your machine, just try any of the following:

  UNIX     #more /etc/hosts
           #who -R
           #nodename
           #uname -n | nslookup

  MPE      :print hosts.net.sys
           :showvar @IP@          [5.5 MPE only]
           :xeq uname.hpbin.sys -n

  MS-DOS   >more c:\windows\hosts
           >netstat -a

The username could be any logon the user uses on a daily basis to access the system, so they wouldn't even violate logon security. Alternatively, USENET newsgroups available from the INTERNET contain discussion groups on the HP3000 and system hacking. These often carry messages about unsecured 'factory shipped' logons, which many HP3000 users and hackers read.

Once the logon has been accepted a 'programmatic session' takes place.
Programmatic sessions DO NOT execute UDCs. This means any logon security or application that is invoked via a LOGON UDC is redundant - instant access to your HP3000's filespace! From there users can rename, delete, view, send and put (new or edited) files, to and from their local machine and your host.

An FTP user can 'get' any RELEASEd or readable files from anywhere on your system:

  ftp> prompt
  ftp> mget /SYS/PUB/*

Once the files are in your local directory they can be searched with any of the following:

  UNIX     #grep -il "!JOB" *
  MPE      :RUN MAIN.PUB.VESOFT,MPEX;INFO="PRINT @;SEARCH=CL'!JOB'"
  MS-DOS   >for %f in (*.*) do find /I "!JOB" %f

Any of the above will display lines in the downloaded files containing the string "!JOB". If you have embedded passwords these are listed too! With this information, an FTP user can target other, more sensitive areas of your machine by trying to log on, or by creating JCLs and then SITE STREAMing them.

If a user has write access to a file then they can create "Trojan horses". A "Trojan horse" can be made by inserting lines into existing JCLs, programs or command scripts. After all, when was the last time you looked inside a JCL to see if anything had changed! A group with write access gives the user an opportunity to create JCLs, programs or command scripts and save them in that group for execution later! If all this wasn't enough, you will still have the problem of FTP users causing malicious damage by deleting or renaming files!

What's Needed To Provide Protection Against FTP Access?
-------------------------------------------------------

This article will concentrate on securing the HP3000 against incoming FTP access. All the tools you need are MPEX/3000, SECURITY/3000 and VEAUDIT/3000, available from VESOFT.

MPEX/3000 will be used to locate and protect the security of your files. SECURITY/3000 will be used to provide authorization-based protection for incoming FTP accessors.
VEAUDIT/3000 will be used to report and secure possible loopholes in your existing security that a would-be violator could abuse.

How To Secure FTP Access?
-------------------------

Over many years in the HP security business, GAINSBOROUGH SOFTWARE has developed a multistage plan to secure FTP access.

Stage #1 - Arming the traps

Many sites need to allow FTP access. With SECURITY/3000 we can selectively allow access based on the username and refuse access to others. This stops users trying logons until they find a username that will allow them access. This stage is accomplished with the use of the AIF:PE features of SECURITY/3000.

The PE:HELLO trap intercepts all attempts to log on to your HP3000 system. This includes jobs, sessions, FTP and TELNET logons. The PE:HELLO is controlled via the BACKG job - a simple background job that monitors and reports the status of tasks running under it.

  %BACKG STARTJOB        starts the background job
  %BACKG START,HELLO     starts the HELLO trap

%HELP BACKG and %SEC HELP HELLO will point you to pages of reference from the online help facility, and provide extra information on these topics.

Once started, the PE:HELLO will remain in effect without the BACKG job. The only way of stopping the trap would be a %BACKG STOP,HELLO or a shutdown of the system. %SEC HELP START-UP will provide more information on how to restart BACKG after a system shutdown.

Stage #2 - Defining FTP Users

To do this, you need to look at who uses FTP and what they use it for. In most cases file uploading and downloading can be divided into two categories - PRIVATE and PUBLIC. GAINSBOROUGH SOFTWARE LTD's approach is to create FTPPRIV and FTPPUB MPE users and groups for each account to which you want to allow FTP access. Managers transferring sensitive information from one machine to another will mainly use FTPPRIV, whereas BATCH jobs or the general user logging in would use FTPPUB.
  :NEWGROUP FTPPRIV;CAP=IA,BA;ACCESS=(R,W,A,L,S,X:GU)
  :NEWUSER FTPPRIV;HOME=FTPPRIV;CAP=IA,BA,SF,AL
  :NEWGROUP FTPPUB;CAP=IA,BA;ACCESS=(R,W,A,L,S,X:ANY)
  :NEWUSER FTPPUB;HOME=FTPPUB;CAP=IA,BA,SF

FTPPRIV has 'AL' capability, so it can access files whose access is also 'AL'. Any files that FTPPRIV needs read access to should have the group that contains them altered to 'AL' or 'GU,AL'. This ensures that FTP commands such as RENAME and DELETE are controlled. Any files that FTPPRIV downloads to your system should be held in the FTPPRIV group, which has 'GU' access, ensuring that only users with 'AM' of that account, 'SM', or other users in the FTPPRIV group can access them.

FTPPUB should have no access to any files in that account, unless you have RELEASEd, readable files or groups with write access. The FTPPUB group has 'ANY' access, meaning anyone in that account, or anyone on the system [if account access is 'ANY'], can read those files.

Note: FTP users can transfer files and save them under a POSIX filename. The :LISTF command will NOT display either these files OR any directories that FTP users can also create. You MUST use :LISTFILE to see ALL files, or %LISTF, which also shows all files. %HELP POSIX will display the POSIX naming convention and limitations within MPE when dealing with these files.

Stage #3 - Securing Your HP from FTP Access

In researching this subject, we found one area that remains grey -- the use of passwords. Most sites implementing FTP use FTP offline -- that is, overnight jobs or scripts automatically log on and do file transfers. This means the passwords have to be embedded. This is BAD because a logon to your machine may be improperly protected on another machine over which you have no jurisdiction. Also, the password becomes 'static', i.e. never changed, because of the amount of work involved in finding the necessary scripts and changing them.
Passwords are also prone to being sniffed - any hacker will have a sniffer program, which can be used to intercept FTP traffic and then decipher the password! We have found the best solution is not to use passwords, but to prompt for authorization to access the machine via the console operator.

The HELLO trap requires configuring before any checking will be performed. The configuration file is called HELLO.DATA.VESOFT and is read every time a logon occurs. There are many different HELLO keywords, but we will only look at $CONFIG, $TIMEOUT and $HELLO. For information on the others try %SEC HELP HELLO.

The $CONFIG NETWORK keyword applies rules on which users are allowed to access your system if the logon originates from a network. It has the following syntax:

  $CONFIG NETWORK [ALLOW | REFUSE | CHECK] [USERSET]

The ALLOW parameter allows unconditional access.
The REFUSE parameter refuses access.
The CHECK parameter does a number of things:
  * Checks the user to see if they are a valid SECURITY/3000 user. If there are passwords, or other profile restrictions such as time-of-day or day-of-week, they are applied.
  * Applies any $FORBIDs matching the incoming FTP user's logon, applying more sophisticated logon rules.

The USERSET parameter defines the logon user to whom you want the rules applied. This can be any MPE-style userset including wildcards, e.g. @.@

$TIMEOUT and $CONFIG TIMEOUT are keywords used in conjunction with the CHECK parameter. If the CHECK parameter is used, the BACKG job MUST be active. If the BACKG job is NOT active the incoming session, by default, will 'hang' for 120 seconds and then be allowed access. The $TIMEOUT keyword allows us to decide on the length of the 'hang', and the $CONFIG TIMEOUT keyword allows us to ALLOW the session access or REFUSE it.

The approach that GAINSBOROUGH SOFTWARE has adopted is to REFUSE access to everyone (@.@).
Subsequent $CONFIG commands will then act as exceptions to the REFUSE rule, thus granting them access. This method ensures that only configured users can access your machine. The following commands are what we would add to the HELLO.DATA.VESOFT file:

  (* FTP SECURITY RULES *)
  $CONFIG NETWORK REFUSE @.@
  $CONFIG NETWORK CHECK FTPPRIV.@,FTPPRIV
  $CONFIG NETWORK CHECK FTPPUB.@,FTPPUB

As mentioned previously, we have found it's better to refuse everyone and then selectively allow access. We have also used the CHECK option, which means that the users must first be allowed access by SECURITY/3000. If the BACKG job is not active we recommend refusing access also:

  (* $CONFIG NETWORK CHECK RULES *)
  $TIMEOUT 60
  $CONFIG TIMEOUT REFUSE @.@

To add a SECURITY/3000 user profile for the FTP users of your account, do the following:

  %SEC ADD FTPPRIV.[account];NOPASS
  %SEC ADD FTPPUB.[account];NOPASS

There should be one of each profile per account from which you wish users to have FTP access. If a user logs on as an FTP user that you have not defined, they will again be refused access.

To set up the authorization routine, add the following to your SECURCON.DATA.VESOFT file:

  $FORBID "UPS(PRINTOPREPLY('Allow FTPPRIV logon [Y|N] > '))<>'Y'" "Error: Access refused by console operator" FTPPRIV.@

The restriction is applied to FTPPRIV logons ONLY, as they are the ones that have access to any file in that account. Once a logon is intercepted by the PE:HELLO, a console request is made. If the request is not answered in 60 seconds ($TIMEOUT) or is :REPLYed with an 'N', the logon is refused.

A feature often requested for HP's FTP is the ability to set up username mapping. This is a method of intercepting a username and mapping it to a defined logon. VESOFT already have this facility with the $HELLO keyword:

  $HELLO FTPPRIV FTPPRIV.[account],FTPPRIV
  $HELLO FTPPUB FTPPUB.[account],FTPPUB

These commands, once added to your HELLO.DATA file, will enforce username mapping.
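The "refuse everyone, then add CHECK exceptions" rule set above, and the fail-open behaviour when BACKG is down, can be hard to reason about from the keyword descriptions alone. The following Python is an added example written for this article; it is not VESOFT code and does not reproduce PE:HELLO's real parser. It models only the keywords discussed here and makes four labelled assumptions: a userset is USER.ACCOUNT[,GROUP] with '@' standing for any whole name; where several $CONFIG NETWORK rules match a logon, the last one in the file wins (which is how the REFUSE @.@ followed by CHECK exceptions reads); a logon that no rule matches is allowed; and, as the article states, $TIMEOUT defaults to 120 seconds with access allowed when no $CONFIG TIMEOUT rule is present.

```python
"""Model of the default-deny logon rules in HELLO.DATA.VESOFT (added example, not VESOFT code)."""
from typing import List, Tuple

# Constructed sample of the rules the article adds to HELLO.DATA.VESOFT.
SAMPLE_HELLO_DATA = """\
(* FTP SECURITY RULES *)
$CONFIG NETWORK REFUSE @.@
$CONFIG NETWORK CHECK FTPPRIV.@,FTPPRIV
$CONFIG NETWORK CHECK FTPPUB.@,FTPPUB
(* $CONFIG NETWORK CHECK RULES *)
$TIMEOUT 60
$CONFIG TIMEOUT REFUSE @.@
"""

Rule = Tuple[str, str]   # (verdict, userset)


def _name_matches(pattern: str, name: str) -> bool:
    """'@' matches any name; otherwise MPE names compare case-insensitively."""
    return pattern == "@" or pattern.upper() == name.upper()


def userset_matches(userset: str, user: str, account: str, group: str) -> bool:
    """Match USER.ACCOUNT[,GROUP] against a logon; a missing group part matches any group."""
    user_acct, _, grp_pat = userset.partition(",")
    user_pat, dot, acct_pat = user_acct.partition(".")
    if not dot:
        return False                      # malformed userset: no account part
    if not (_name_matches(user_pat, user) and _name_matches(acct_pat, account)):
        return False
    return not grp_pat or _name_matches(grp_pat, group)


class HelloPolicy:
    def __init__(self, text: str) -> None:
        self.network: List[Rule] = []     # $CONFIG NETWORK rules, in file order
        self.timeout: List[Rule] = []     # $CONFIG TIMEOUT rules, in file order
        self.timeout_seconds = 120        # assumed default when $TIMEOUT is absent
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("(*"):
                continue                  # blank line or (* comment *)
            tok = line.split()
            if tok[0] == "$TIMEOUT":
                self.timeout_seconds = int(tok[1])
            elif tok[0] == "$CONFIG" and tok[1] == "NETWORK":
                self.network.append((tok[2], tok[3]))
            elif tok[0] == "$CONFIG" and tok[1] == "TIMEOUT":
                self.timeout.append((tok[2], tok[3]))

    @staticmethod
    def _last_match(rules, user, account, group, default):
        # Assumption of this model: the last matching rule in file order wins.
        verdict = default
        for rule_verdict, userset in rules:
            if userset_matches(userset, user, account, group):
                verdict = rule_verdict
        return verdict

    def decide(self, user, account, group, backg_active=True):
        """Return (verdict, seconds hung) for a network logon USER.ACCOUNT,GROUP."""
        verdict = self._last_match(self.network, user, account, group, "ALLOW")
        if verdict != "CHECK":
            return verdict, 0
        if backg_active:
            return "CHECK", 0             # handed to SECURITY/3000 profile and $FORBID checks
        # BACKG is down: the logon hangs for $TIMEOUT, then $CONFIG TIMEOUT decides;
        # with no such rule the result is ALLOW, the fail-open the article warns about.
        return (self._last_match(self.timeout, user, account, group, "ALLOW"),
                self.timeout_seconds)


if __name__ == "__main__":
    policy = HelloPolicy(SAMPLE_HELLO_DATA)
    for logon in [("FTPPRIV", "PAYROLL", "FTPPRIV"), ("FTPPUB", "PAYROLL", "PUB"),
                  ("MGR", "SYS", "PUB")]:
        print(logon, "BACKG up:", policy.decide(*logon),
              "BACKG down:", policy.decide(*logon, backg_active=False))
```

Two points the run makes visible: FTPPUB logging into any group other than FTPPUB is refused because the userset names the group, and a file containing only CHECK rules with no $CONFIG TIMEOUT line lets every logon through after 120 seconds once BACKG stops.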
When an FTP user is asked to supply a username they can now enter FTPPRIV or FTPPUB. These will be expanded by PE:HELLO to a proper logon string. Another advantage of abbreviated logons is the emulation they provide of other (UNIX) platforms with single-username logons.

Stage #4 - Securing your HP from SITE STREAM access

It is essential that all JCLs are properly protected. The best way of doing this is to keep all JCLs in a JCL group that has 'GU' access except for eXecute, i.e.

  :NEWGROUP JCL;ACCESS=(R,W,A,L,S:GU;X:ANY)
  %RENAME @.@(NOT ISMSG AND ISASCII AND CODE=0 AND FSEARCHEXP(" CL '!JOB';MAX=1") > 0), =.JCL

The RENAME moves any JCLs into the JCL group. JCLs are a target for illegal access to your machine, as they often contain embedded passwords and lockwords. Putting them into our protected group makes them streamable by anyone, but readable and writeable only by 'AM' of that account, 'SM', or users logging into the JCL group.

Note: It is highly recommended that JCLs DO NOT contain password or lockword information. Products such as STREAMX/3000 (a component of SECURITY/3000) enforce batch security without the need for embedded passwords; %SEC HELP BATCH has further information.

To restrict SITE STREAM access we have the $CONFIG NETJOB PE:HELLO keyword. It has the following syntax:

  $CONFIG NETJOB [ALLOW | REFUSE] [USERSET]

The following commands are what we would add to the HELLO.DATA.VESOFT file:

  (* SITE STREAM RESTRICTIONS *)
  $CONFIG NETJOB REFUSE @.@
  $CONFIG NETJOB ALLOW FTPPUB.@,FTPPUB

Similar to the restrictions we have for FTP access itself, we are simply allowing SITE STREAM usage for jobs that log on as our FTPPUB.[account].

Note: The STREAM command is performed by the programmatic session - this means that any UDCs are NOT catalogued. For this reason, any UDC-based STREAM substitute will not be used.
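The "!JOB" search shown earlier only tells you which files are job streams; the note above asks you to go further and find which of those job cards actually carry a password or lockword so they can be removed. The Python below is an added example for this article (not VESOFT's or HP's code) that does that audit on the administrator's side. It assumes the standard MPE job card layout !JOB [jobname,]user[/userpass].account[/acctpass][,group[/grouppass]][;options] and works on text you have already copied off the HP3000; the three job streams it scans are constructed samples, and the file names, users and passwords in them are made up.

```python
"""Report embedded passwords on the !JOB cards of MPE job streams (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

JOB_CARD = re.compile(r"^!JOB\b\s*(?P<rest>.*)$", re.IGNORECASE)

# Constructed sample job streams, keyed by MPE file name (FILE.GROUP.ACCOUNT).
SAMPLE_JCLS: Dict[str, str] = {
    "BACKUP.JCL.PAYROLL": (
        "!JOB BACKUP,MGR/SECRET.PAYROLL/TOPSEC,DATA/GPW;OUTCLASS=LP,1\n"
        "!STORE @.@.PAYROLL;*T\n"
        "!EOJ\n"),
    "REPORT.JCL.PAYROLL": (
        "!JOB REPORT,CLERK.PAYROLL,DATA\n"
        "!RUN REPORT.PUB.PAYROLL\n"
        "!EOJ\n"),
    "XFER.JCL.SYS": (
        "!JOB MGR.SYS/HPONLY\n"
        "!RUN FTP.ARPA.SYS\n"
        "!EOJ\n"),
}


@dataclass
class JobCard:
    jobname: Optional[str]
    user: str
    account: str
    group: Optional[str]
    passworded: Tuple[str, ...]   # subset of ("user", "account", "group")


def _split_password(token: str) -> Tuple[str, bool]:
    """'NAME/PW' -> ('NAME', True); 'NAME' or 'NAME/' -> ('NAME', False)."""
    name, slash, pw = token.partition("/")
    return name.upper(), bool(slash and pw)


def parse_job_card(line: str) -> Optional[JobCard]:
    """Parse one !JOB line; return None if it is not a well-formed job card."""
    m = JOB_CARD.match(line.strip())
    if not m:
        return None
    body = m.group("rest").split(";", 1)[0]          # drop ;OUTCLASS=... and other options
    parts = [p.strip() for p in body.split(",")]
    # The user.account element is the one containing a dot; anything before it
    # is the optional jobname, anything after it is the optional group.
    idx = next((i for i, p in enumerate(parts) if "." in p), None)
    if idx is None or idx > 1:
        return None
    jobname = parts[0].upper() if idx == 1 else None
    user_tok, acct_tok = parts[idx].split(".", 1)
    group_tok = parts[idx + 1] if len(parts) > idx + 1 else None
    user, upw = _split_password(user_tok)
    account, apw = _split_password(acct_tok)
    group, gpw = _split_password(group_tok) if group_tok else (None, False)
    pw = tuple(k for k, flag in (("user", upw), ("account", apw), ("group", gpw)) if flag)
    return JobCard(jobname, user, account, group, pw)


def audit_jcls(jcls: Dict[str, str]) -> List[Tuple[str, int, str, Tuple[str, ...]]]:
    """Return (file, line number, logon, passworded parts) for every card that embeds a password."""
    findings = []
    for fname, text in jcls.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            card = parse_job_card(line)
            if card and card.passworded:
                findings.append((fname, lineno, f"{card.user}.{card.account}", card.passworded))
    return findings


if __name__ == "__main__":
    for fname, lineno, logon, parts in audit_jcls(SAMPLE_JCLS):
        print(f"{fname}:{lineno}: {logon} embeds {', '.join(parts)} password(s)")
```

Run against real job streams, the report lists exactly the cards to strip before handing batch authentication to STREAMX/3000; a card such as REPORT.JCL.PAYROLL above, which names user, account and group without passwords, produces no finding.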
Stage #5 - Filespace Protection

Once your FTP'd user has logged on and gone through the logon security, that user can still violate your system because they have direct access to your MPE filespace. From here they can manage files and move through your accounts. The current version of FTP on the HP3000 will allow you to get and put 'flat' files wherever the user has read or write access. Development is underway to allow FTP to get and put non-'flat' files such as databases and KSAM files - the data core of most businesses!!!

This stage is accomplished by using the MPEX/3000 and VEAUDIT/3000 software. The first thing to check is what files a user has access to:

  %LISTF @.@.@(ISRELEASED),SEC

RELEASEd files are BAD. RELEASEing a file means that any user anywhere can do anything to that file - read, append, purge, etc. You should ensure all files that are RELEASEd are 'safe' files and %SECURE any that are not. %VEAUDIT HELP RELEASE gives a detailed report on why you should have few - if any - released files on your system.

  %LISTF @.@.@(ACCESSIBLE("R")),SEC

This command will display a complete list of files that the user can Read. These files can be retrieved to a user's PC and then searched for important information, program lockwords or logon passwords inside JCLs! These can be used to violate your machine from a normal logon. To use this command you must be logged on as the incoming FTP user.

  %LISTF @.@.@(ISPROG AND ACCESSIBLE("X")),SEC

HP's FTP client program (FTPA.ARPA.SYS) allows the user to execute MPE commands by prefixing them with a ':' prompt. This enables users to do :HELP, which informs them how to do :RUN or :LISTUSER, etc., to further compromise your system's security. Remember, most sites with an external security solution prefer its passwords to normal MPE ones. FTP does not run that software if it is UDC-based, leaving any unprotected MPE users as easy targets for incoming FTP logons!
The use of unprotected users is not an issue when the PE:HELLO trap is active. However, the ability to :RUN a program definitely is an issue. To limit your exposure in this situation, minimize the number of programs accessible to the user displayed by this :LISTF. Remember, an FTP'd user could :RUN MPEX.PUB.VESOFT and issue the commands documented in this article!

  %VEAUDIT LISTGROUP @(SECWANY)

This will produce a list of groups where an FTP user can 'PUT' files. These files can contain anything and do anything once executed! %VEAUDIT HELP ALTGROUP will produce help on how to better secure these groups, and protect the files contained therein.

  :RUN VEAUDIT.PUB.VESOFT

This will produce a detailed report on possible loopholes on your system. It is important that any current security weaknesses be corrected, thereby reducing the risk of violation.

Stage #6 - Controlling FTP users

Using the username and the $FORBID SECURCON.DATA keyword we can apply these additional security measures:

  $FORBID "JSCOUNT('FTPPUB.@')>3" "Error: FTPPUB user limit reached" FTPPUB.@

This would impose a limit of three FTPPUB accessors only.

For FTP users that have logged onto your machine, there is another way of selecting them. All FTP users run the program FTPSRVR.ARPA.SYS. With a selection criterion of 'ONLINE&ACCESSING=FTPSRVR.ARPA.SYS' we can use any MPEX userset-based command on incoming FTP sessions, i.e.

  %LISTJOB ONLINE&ACCESSING=FTPSRVR.ARPA.SYS
     -- lists any FTP programmatic sessions logged onto your system.

  %ABORTJOB ONLINE&ACCESSING=FTPSRVR.ARPA.SYS
     -- aborts any FTP programmatic sessions, thus breaking the connection between client and server.

  %ALARM 'JSCOUNT("ONLINE&ACCESSING=FTPSRVR.ARPA.SYS")>0',&
     "There are FTP users logged onto your system";CHECKEVERY=15
     -- a 15-minute alarm notifies you of FTP activity.

In addition to the existing security measures you have in place, you can limit the FTP user so that logons can only occur on particular days at particular times.
To do this, alter your FTPPUB.[account] SECURITY/3000 profile, i.e.

  %SEC CHANGE FTPPUB.[account];DAYS=MON-FRI;TIME=9AM-5PM

This change restricts FTPPUB to logging on during normal working hours.

As you can see, the subject of FTP access to HP3000s is not a trivial one. However, you can run a secure FTP environment with a little thought and effort, to prevent your HP3000 being a truly "open" open system!

I would like to thank Paul Strike and Kevin O'Neil, whose initial concerns prompted me to write this article.