IBM i Global


Auditing IPs accessing IBMi via port 446

  • 1.  Auditing IPs accessing IBMi via port 446

    Posted Mon November 06, 2023 12:16 AM

    Hello team,

    Is there any way to generate an audit report of IPs accessing IBMi via port 446? Your views would be appreciated.

    Thank you



    ------------------------------
    Thomas Varkey
    ------------------------------


  • 2.  RE: Auditing IPs accessing IBMi via port 446

    IBM Champion
    Posted Mon November 06, 2023 12:37 AM

    Thomas, I'm not sure about the audit services, but one could easily write a CL that looped every 30 seconds or so and did an SQL query against the NETSTAT_INFO view, something like:

    SELECT CONNECTION_TYPE, REMOTE_ADDRESS, PROTOCOL, TCP_STATE FROM QSYS2.NETSTAT_INFO
      WHERE LOCAL_PORT = 446;


    ------------------------------
    Jack Woehr
    IBM Champion 2021 - 2023
    IBM Qiskit Advocate
    ------------------------------



  • 3.  RE: Auditing IPs accessing IBMi via port 446

    IBM Champion
    Posted Mon November 06, 2023 07:33 AM

    NETSTAT_INFO is good. But if you want to know who is doing it and from what job, try the following:

    select *
    from qsys2.netstat_job_info
    where -- REMOTE_ADDRESS='10.14.8.56' and
        local_port in('446')
    and authorization_name is not null
    and authorization_name <> 'QTCP'
    order by local_port, remote_address
    ;



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------
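    Putting the two previous replies together (Jack's polling loop and Robert's NETSTAT_JOB_INFO query) as an added example that is not from the thread: a small collector table plus a MERGE that can be run on every poll. Each poll records new port-446 sessions and refreshes LAST_SEEN for sessions already recorded, so a 30-second polling loop does not fill the table with duplicates. The library MYLIB, the table name, and the use of the TCP_STATE and JOB_NAME columns of QSYS2.NETSTAT_JOB_INFO are my assumptions; check the column list on your release.

```sql
-- Added example (not from the thread). Assumes library MYLIB exists.
-- One-time setup: the collector table.
CREATE TABLE MYLIB.DRDA_CONN_LOG (
    FIRST_SEEN         TIMESTAMP   NOT NULL,
    LAST_SEEN          TIMESTAMP   NOT NULL,
    REMOTE_ADDRESS     VARCHAR(45) NOT NULL,   -- wide enough for IPv6
    REMOTE_PORT        INTEGER     NOT NULL,
    JOB_NAME           VARCHAR(28),            -- qualified serving job (assumed column)
    AUTHORIZATION_NAME VARCHAR(10)             -- authenticated user, NULL until sign-on completes
);

-- Per-poll step: run this every 30 seconds or so (CL loop with DLYJOB, or a
-- job schedule entry). Only established sessions on the DRDA port are kept;
-- TCP_STATE is an assumed column name, confirm it on your system.
MERGE INTO MYLIB.DRDA_CONN_LOG AS t
USING (SELECT REMOTE_ADDRESS, REMOTE_PORT, JOB_NAME, AUTHORIZATION_NAME
         FROM QSYS2.NETSTAT_JOB_INFO
        WHERE LOCAL_PORT = 446
          AND TCP_STATE  = 'ESTABLISHED') AS s
   ON  t.REMOTE_ADDRESS = s.REMOTE_ADDRESS
   AND t.REMOTE_PORT    = s.REMOTE_PORT
   AND t.JOB_NAME       = s.JOB_NAME
WHEN MATCHED THEN
    UPDATE SET LAST_SEEN = CURRENT_TIMESTAMP,
               -- the user is filled in once the connection has authenticated
               AUTHORIZATION_NAME = COALESCE(s.AUTHORIZATION_NAME, t.AUTHORIZATION_NAME)
WHEN NOT MATCHED THEN
    INSERT (FIRST_SEEN, LAST_SEEN, REMOTE_ADDRESS, REMOTE_PORT, JOB_NAME, AUTHORIZATION_NAME)
    VALUES (CURRENT_TIMESTAMP, CURRENT_TIMESTAMP,
            s.REMOTE_ADDRESS, s.REMOTE_PORT, s.JOB_NAME, s.AUTHORIZATION_NAME);

-- Report step: which addresses and users have used port 446, and when.
SELECT REMOTE_ADDRESS,
       AUTHORIZATION_NAME,
       COUNT(*)        AS sessions_seen,
       MIN(FIRST_SEEN) AS first_seen,
       MAX(LAST_SEEN)  AS last_seen
  FROM MYLIB.DRDA_CONN_LOG
 GROUP BY REMOTE_ADDRESS, AUTHORIZATION_NAME
 ORDER BY last_seen DESC;
```

    Because this is a snapshot taken every poll, a connection that opens and closes between two polls is never recorded, and a connection attempt that fails during authentication leaves at most an entry with a NULL user. That is the gap the later replies in this thread (comm trace, history log messages, exit points, audit journal) are closing.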



  • 4.  RE: Auditing IPs accessing IBMi via port 446

    Posted Tue November 07, 2023 03:47 AM

    Thank you Jack



    ------------------------------
    Thomas Varkey
    ------------------------------



  • 5.  RE: Auditing IPs accessing IBMi via port 446

    Posted Tue November 07, 2023 03:48 AM

    Thank you Jack



    ------------------------------
    Thomas Varkey
    ------------------------------



  • 6.  RE: Auditing IPs accessing IBMi via port 446

    IBM Champion
    Posted Mon November 06, 2023 07:55 AM

    If you don't just want a current snapshot but would rather take over a certain time period, then you will need to run a comm trace.

    WRKLIND
    STRCMNTRC CFGOBJ(LANLINSYS) CFGTYPE(*LIN) MAXSTG(32M)

    wait

    ENDCMNTRC CFGOBJ(LANLINSYS) CFGTYPE(*LIN)

    PRTCMNTRC CFGOBJ(LANLINSYS) CFGTYPE(*LIN) OUTPUT(*PRINT)
              OUTFILE(ROB/COMMTRACE) FMTTCP(*YES) SLTPORT(446)

    Change the port

    There's an *OUTFILE option but the SCDATA field looks encoded and I didn't want to take the time to figure that out.

    When done

    DLTCMNTRC CFGOBJ(LANLINSYS) CFGTYPE(*LIN)



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 7.  RE: Auditing IPs accessing IBMi via port 446

    Posted Tue November 07, 2023 03:52 AM

    Thank you Robert



    ------------------------------
    Thomas Varkey
    ------------------------------



  • 8.  RE: Auditing IPs accessing IBMi via port 446

    IBM Champion
    Posted Tue November 07, 2023 02:35 AM

    Hi Thomas,

    Not sure if IDS could help you ...

    The intrusion detection and prevention system (IDS) notifies you of attempts to hack into, disrupt, or deny service to the system. IDS also monitors for potential extrusions, where your system might be used as the source of the attack.

    https://www.ibm.com/docs/en/i/7.4?topic=security-intrusion-detection



    ------------------------------
    Fernando Plaza
    IBM i System Administrator
    CD INVEST
    MADRID
    ------------------------------



  • 9.  RE: Auditing IPs accessing IBMi via port 446

    Posted Tue November 07, 2023 08:35 AM

    Port 446 is the DRDA port, QRWTLSTN is the job that is listening on that port, so a couple of ways I can think of:

    1) exit program

    2) look thru history log: DSPLOG MSGID(CPI3E34) JOB(QRWT*)



    ------------------------------
    Bryan Dietz
    ------------------------------



  • 10.  RE: Auditing IPs accessing IBMi via port 446

    IBM Champion
    Posted Tue November 07, 2023 08:56 AM

    That's a good catch Bryan. Based on that, this is another way of capturing that.

    select *
    FROM TABLE (QSYS2.HISTORY_LOG_INFO(START_TIME => CURRENT DATE - 2 days
                  )) AS X
    Where message_id='CPI3E34'
      and from_job_name like 'QRWT%'
    ORDER BY ORDINAL_POSITION desc;



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 11.  RE: Auditing IPs accessing IBMi via port 446

    Posted Tue November 07, 2023 09:13 AM

    thanks Rob,

    To carry this one more step, I use the following to find DRDA and ODBC-like connections.

    -- category: bryandietz
    -- description: history log-find user from QZDASOINIT-QRWTSRVR
    SELECT Message_Timestamp
           ,From_User
           ,From_Job
           ,Message_Id
           ,MESSAGE_TEXT
        FROM TABLE(Qsys2.History_Log_Info(
       Start_Time => current_timestamp - 1 day,   -- pick your time frame
        End_Time =>  current_timestamp
        )) i
        WHERE  Message_Id in ('CPIAD09','CPI3E34')
           --  AND        MESSAGE_TEXT LIKE '%YOUR_USER%'  -- if needing to "audit" for a single user

    ;

    At one point, I substringed (or maybe LOCATE_IN_STRING) out the IP address, but I cannot locate the example.



    ------------------------------
    Bryan Dietz
    ------------------------------



  • 12.  RE: Auditing IPs accessing IBMi via port 446

    IBM Champion
    Posted Tue November 07, 2023 09:27 AM

    Bryan,

    The IP address would be easier to find if you search MESSAGE_TOKENS instead of MESSAGE_TEXT, as it would be in a fixed position in the tokens (as would YOUR_USER). Then again, this may only apply if you're looking for a single message id, or two with identical tokens. Adding the CASE would probably work...

    Clean this up and you're in

    select trim(substring(message_tokens, 7515)) as IP_address, x.*
    FROM TABLE (QSYS2.HISTORY_LOG_INFO(START_TIME => CURRENT DATE - 2 days
                  )) AS X
    Where message_id='CPI3E34'
      and from_job_name like 'QRWT%'
    ORDER BY ORDINAL_POSITION desc;



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 13.  RE: Auditing IPs accessing IBMi via port 446

    Posted Tue November 07, 2023 11:50 AM

    For more examples, see:
    History of connections to IBM i: https://www.ibm.com/support/pages/node/6212238



    ------------------------------
    Alexander Marquis
    ------------------------------



  • 14.  RE: Auditing IPs accessing IBMi via port 446

    Posted Tue November 07, 2023 04:33 PM

    I had looked at the tokens field but it did not look to be easier.

    I ended up doing this to get the IP address out of the message_text field

       -- LOCATE_IN_STRING(source, search, start): the IP starts 7 characters after
       -- the 'c' of 'client' (6 letters plus the following blank) and ends just
       -- before ' connected'
       ,TRIM(SUBSTR(Message_Text, (LOCATE_IN_STRING(Message_Text, 'client', 1) + 7),   -- start of IP
                                  (LOCATE_IN_STRING(Message_Text, ' connected', 1) -
                                  (LOCATE_IN_STRING(Message_Text, 'client', 1) + 7))   -- end of IP address
                                  )) AS IP_addr

    Seems to work on several different servers we have. Returns the IP address or host name (if a local connection).



    ------------------------------
    Bryan Dietz
    ------------------------------
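    Combining Bryan's history-log query (reply 11) with his IP extraction above into one report, as an added example that is not from the thread: it pulls the CPI3E34/CPIAD09 connection messages, extracts the client address, and summarises connections per address and user with first and last seen times. The 'client ... connected' wording is what Bryan reported on his servers; the two LOCATE_IN_STRING guards in the WHERE clause skip rows where that wording is absent so SUBSTR never receives a negative length. The 7-day window and the alias names are my choices.

```sql
-- Added example (not from the thread). Extracts the client address from the
-- message text exactly as in the reply above, then aggregates per address and user.
WITH conn AS (
    SELECT Message_Timestamp,
           From_User,
           From_Job,
           Message_Id,
           TRIM(SUBSTR(Message_Text,
                       LOCATE_IN_STRING(Message_Text, 'client', 1) + 7,
                       LOCATE_IN_STRING(Message_Text, ' connected', 1)
                         - (LOCATE_IN_STRING(Message_Text, 'client', 1) + 7))) AS Client_Addr
      FROM TABLE(QSYS2.History_Log_Info(
                     Start_Time => CURRENT_TIMESTAMP - 7 DAYS,   -- pick your time frame
                     End_Time   => CURRENT_TIMESTAMP)) AS h
     WHERE Message_Id IN ('CPI3E34', 'CPIAD09')
       -- guards: only rows whose text actually carries 'client <addr> connected'
       AND LOCATE_IN_STRING(Message_Text, 'client', 1) > 0
       AND LOCATE_IN_STRING(Message_Text, ' connected', 1)
             > LOCATE_IN_STRING(Message_Text, 'client', 1) + 7
)
SELECT Client_Addr,
       From_User,
       Message_Id,
       COUNT(*)               AS connections,
       MIN(Message_Timestamp) AS first_seen,
       MAX(Message_Timestamp) AS last_seen
  FROM conn
 GROUP BY Client_Addr, From_User, Message_Id
 ORDER BY connections DESC, last_seen DESC;
```

    An address that shows up with many connections from a user profile that should never use DRDA or ODBC, or that appears in the report for the first time, is the row worth following up. The exact message text can differ between releases and language features, so run the inner SELECT alone on a handful of rows first to confirm that Client_Addr is populated before relying on the aggregate.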



  • 15.  RE: Auditing IPs accessing IBMi via port 446

    Posted Tue November 07, 2023 10:20 AM

    Hi Thomas,

    So you want to see who is trying to use DDM/DRDA without TLS to connect to your system?

    • NETSTAT_INFO works if the connection attempt is successful and the connection happens to be active at the time when NETSTAT_INFO is polled. But your requirement is event-driven, and NETSTAT_INFO is state-driven. It is not an ideal match, and you could miss short-lived connections, as well as connection attempts that fail during authentication.
    • The IDS really is good only for specific attack patterns and cannot monitor for something like "show me all the connection attempts to this port".
    • Comms tracing is event-driven, so is a better fit. It works fine if you just want to check every now and then for debugging purposes. It's not really intended as an always-on functionality, and you'd have to roll your own reporting. That may or may not suffice for your requirements.
    • If this is a recurring requirement, a better option is to use a commercial exit point solution with integrated reporting. Exit points are event-driven by nature; you would be able to obtain both the source IP address and the authenticated user profile; and you could easily automate reporting.

    Full disclaimer: I work for Fortra, and we offer such a solution (Exit Point Manager).

    Hope this helps!

    Kurt



    ------------------------------
    Kurt Thomas
    ------------------------------



  • 16.  RE: Auditing IPs accessing IBMi via port 446

    Posted Wed November 08, 2023 05:34 AM
    Edited by Göran Nilsson Wed November 08, 2023 08:06 AM

    Hello Thomas,

    You could also query SYSTOOLS.AUDIT_JOURNAL_SK which returns accepted/rejected socket connections on any port.


    Regards,
    Göran Nilsson



    ------------------------------
    Göran Nilsson
    ------------------------------
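    A query over the SK audit entries that Göran mentions, as an added example that is not from the thread: it counts socket events on port 446 per remote address and per action code for the last day, which gives both the accepted and the rejected attempts that the state-based NETSTAT approach misses. It assumes that socket auditing is active on the system (QAUDCTL includes *AUDLVL and QAUDLVL includes *NETCMN or *NETSCK; without that, the function returns nothing for this entry type). The parameter name STARTING_TIMESTAMP and the column names ENTRY_TIMESTAMP, ACTION, LOCAL_PORT and REMOTE_IP_ADDRESS are my reading of the SK table function; confirm them against the IBM documentation for your release before relying on the report.

```sql
-- Added example (not from the thread). Requires *NETCMN / *NETSCK auditing to be
-- active. Column and parameter names are assumptions; verify on your release.
SELECT REMOTE_IP_ADDRESS,
       ACTION,                        -- accept / reject code of the SK entry
       COUNT(*)             AS events,
       MIN(ENTRY_TIMESTAMP) AS first_seen,
       MAX(ENTRY_TIMESTAMP) AS last_seen
  FROM TABLE(SYSTOOLS.AUDIT_JOURNAL_SK(
                 STARTING_TIMESTAMP => CURRENT_TIMESTAMP - 1 DAY)) AS sk
 WHERE LOCAL_PORT = 446               -- the DRDA listener (QRWTLSTN)
 GROUP BY REMOTE_IP_ADDRESS, ACTION
 ORDER BY events DESC, last_seen DESC;
```

    Since the SK entries are written by the system as the events happen rather than sampled, this is the one option in the thread that is both event-driven and built in; the trade-off is that it carries only the socket-level view (address, port, accept or reject), so the authenticated user profile still has to come from the history-log messages or an exit point.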