IBM i

  • 1.  IBM i Malware Prevention - Low Hanging Fruit

    Posted Tue May 18, 2021 07:42 AM
    Just because it's low-hanging, doesn't mean it gets picked.

    Most of my day revolves around security; either by doing assessments or by doing remediation services. This year, recoveries have gone to the top of the list.

    In 2020, everything went sideways with a massive increase in worldwide malware. If you throw a bunch of something at a wall, some things stick. With malware up approximately 1000% from 2019 to 2020, you're going to see many more things stick if that wall isn't protected properly simply from the sheer amount of stuff thrown at it. I've been consulted by many private companies as well as county, state and federal government entities and agencies to recover data and review breaches after they've happened. And every single one of them could've been either prevented or significantly reduced. These are some low-hanging fruit that absolutely NEEDS to get done in our community:

    1. Only share what you must (no root (/) directory shares, nor any shares to /QIBM, /QOpenSys, /QSYS.LIB).
    2. Properly protect what you share (*public *exclude on any custom directories, and reduce the amount of users with *ALLOBJ special authorities).
    3. Take regular, comprehensive backups.
    This is malware risk reduction 101. We don't need expensive software. We don't need to spend a bunch of money. Just a little elbow grease is all.

    ------------------------------
    Steve Pitcher
    ------------------------------
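
A sketch of auditing a share inventory against items 1 and 2 of the list in the post above, as an added example that is not part of the thread or any poster's code. The function names are hypothetical and the (share name, path, *PUBLIC authority) tuples are constructed sample data; exporting the real inventory from the system is left to the reader.

```python
import posixpath

# Trees the first post says never to share (the root itself is checked too).
PROTECTED = ("/QIBM", "/QOpenSys", "/QSYS.LIB")

def normalize(path):
    """Collapse '//', '.', '..' and a trailing '/', then fold case, since
    names in the IFS root file system resolve case-insensitively."""
    return posixpath.normpath("/" + path.strip().lstrip("/")).lower()

def audit_share(path, public_aut):
    """Return the findings for one share; an empty list means it passes."""
    findings = []
    p = normalize(path)
    if p == "/":
        findings.append("shares the root directory")
    for tree in PROTECTED:
        t = tree.lower()
        # Match on a whole path component so /qibmdata is not taken for /QIBM.
        if p == t or p.startswith(t + "/"):
            findings.append("shares system tree " + tree)
    if public_aut.upper() != "*EXCLUDE":
        findings.append("*PUBLIC is " + public_aut + ", expected *EXCLUDE")
    return findings

def audit(shares):
    """Map share name -> findings for every share with at least one."""
    report = {}
    for name, path, public_aut in shares:
        findings = audit_share(path, public_aut)
        if findings:
            report[name] = findings
    return report

# Constructed inventory: (share name, shared path, *PUBLIC authority on it).
SAMPLE = [
    ("ROOT", "/", "*RWX"),
    ("TOOLS", "/QOpenSys/pkgs/", "*EXCLUDE"),
    ("LIBS", "/home/../qsys.lib/PAYROLL.LIB", "*EXCLUDE"),
    ("INVOICES", "/custom/invoices", "*RX"),
    ("REPORTS", "/custom/reports", "*EXCLUDE"),
    ("QIBMDATA", "/qibmdata", "*EXCLUDE"),
]

if __name__ == "__main__":
    for share, problems in audit(SAMPLE).items():
        print(share + ": " + "; ".join(problems))
```
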


  • 2.  RE: IBM i Malware Prevention - Low Hanging Fruit

    Posted Wed May 19, 2021 05:04 AM
    Thanks for sharing this, Steve!

    Indeed the IBM i community must up the security level - which as you demonstrate is not difficult. The threats are increasing rapidly and we face issues not seen before, so we can't continue as usual, but have to focus more on security.

    Our platform is not secure - but very securable!

    Best regards,
    Christian

    ------------------------------
    Christian Jorgensen | IT System Administrator
    Network of Music Partners A/S
    ------------------------------



  • 3.  RE: IBM i Malware Prevention - Low Hanging Fruit

    Posted Wed May 19, 2021 07:40 AM
    Great advice!  We monitor diligently for the creation of any shares on the root directory.  We accept creating a share on the root as your letter of resignation.
    My boss asked about creating a share on the root perhaps only accessible from some special IP address, etc. to do virus scanning.  I pretty much said no way.
    We're looking at commercial solutions for this but you pay more for one LPAR of IBM i than we pay for such solutions for every one of our Windows based servers and clients.
    Has anyone ported an open source virus scanning, anti malware solution?

    ------------------------------
    Robert Berendt
    ------------------------------



  • 4.  RE: IBM i Malware Prevention - Low Hanging Fruit

    Posted Wed May 19, 2021 07:56 AM
    At our company we created a web application to access the IFS so no folder is shared anymore.

    Also we have a kind of chroot on the application to configure a different "root" for users so they only access the folders we want.

    You can also zip, unzip and email the selected files.

    For us it is the best way to avoid malware.

    ------------------------------
    Juan Manuel Alcudia Peñas
    CD-Invest
    ------------------------------



  • 5.  RE: IBM i Malware Prevention - Low Hanging Fruit

    Posted Wed May 19, 2021 10:41 AM
    Sound advice Steve

    ------------------------------
    Jack Woehr
    ------------------------------



  • 6.  RE: IBM i Malware Prevention - Low Hanging Fruit

    Posted Thu May 20, 2021 10:49 AM

    Our IBM i partition root directories are not mapped.

    We do not share our partition root directories.

    Our user directories are all public *exclude.

    We have no IBM Netserver shares.

    We do not have Netserver guest profiles.

    We use Kerberos SSO via EIM.

    NO user has IOSYSCFG authority.



    ------------------------------
    Michael Mayer
    ------------------------------


