Discovering Who’s Using SSH – Securing the Connection to IBM i

Before you limit which profiles can use SSH, you may want to determine who’s already using it so you can either allow the access or make the conscious choice to prevent it. There’s no specific audit journal entry type for SSH access, but I’ve discovered that you can determine SSH access by examining either the GS entries (generated by specifying either *SECURITY or *SECSCKD in QAUDLVL) or the JS entries (generated by specifying *JOBDTA or *JOBBAS in QAUDLVL). I’m providing an example using the GS entries since it’s more likely you already have the GS entries. (More organizations have *SECURITY as a value in QAUDLVL than *JOBDTA or *JOBBAS.)

First, retrieve the GS entries:

Then get a list of entries including the timestamp, user, and IP address fields:

Whether you use the GS or JS entries, you’ll notice that there are multiple entries for a single connection. (The best way to understand this is to make an SSH connection yourself and look at the audit entries generated.) Unfortunately, the timestamp, user, and IP address are really the only useful information the audit journal provides for SSH, whether you are looking at the JS or GS entries. Obviously, actions taken, such as the creation or deletion of objects, will generate their respective audit journal entries, but examining the CD (Command) audit journal entries will not yield the commands entered via SSH. The only way to log the activity that occurs via SSH is to enable syslog. Enabling syslog is not what you’d call straightforward on IBM i. Here’s a link to an IBM Support document that describes the process: https://www.ibm.com/support/pages/syslog-syslogd-pase-ibm-i
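As an added example (not from the article), the same timestamp/user/IP listing can be pulled with Db2 for i SQL through the IBM-supplied audit journal services, and the repeated rows per connection can be collapsed into one line per user and address. Assumed here: the services SYSTOOLS.AUDIT_JOURNAL_GS and SYSTOOLS.AUDIT_JOURNAL_JS with their common columns ENTRY_TIMESTAMP, USER_NAME, REMOTE_ADDRESS and JOB_NAME, the STARTING_TIMESTAMP parameter, and that the auditing values named above (*SECURITY/*SECSCKD for GS, *JOBDTA/*JOBBAS for JS) are active; the commented-out job-name filter is a hypothetical placeholder to be replaced with whatever job names you see after making a test SSH connection yourself.

```sql
-- Added example, not the article's own commands.
-- Assumptions: SYSTOOLS.AUDIT_JOURNAL_GS / AUDIT_JOURNAL_JS exist on this release
-- and expose ENTRY_TIMESTAMP, USER_NAME, REMOTE_ADDRESS, JOB_NAME.

WITH raw_entries AS (
  -- GS (socket descriptor) entries: present when *SECURITY or *SECSCKD is in QAUDLVL
  SELECT 'GS' AS source,
         ENTRY_TIMESTAMP,
         USER_NAME,
         REMOTE_ADDRESS,
         JOB_NAME
    FROM TABLE(SYSTOOLS.AUDIT_JOURNAL_GS(
           STARTING_TIMESTAMP => CURRENT TIMESTAMP - 30 DAYS))
   WHERE REMOTE_ADDRESS IS NOT NULL
  -- AND JOB_NAME LIKE 'SSHD_JOB%'   -- hypothetical placeholder: narrow to the
                                     -- sshd job names you observed in a test

  UNION ALL

  -- JS (job start/change) entries: present when *JOBDTA or *JOBBAS is in QAUDLVL
  SELECT 'JS' AS source,
         ENTRY_TIMESTAMP,
         USER_NAME,
         REMOTE_ADDRESS,
         JOB_NAME
    FROM TABLE(SYSTOOLS.AUDIT_JOURNAL_JS(
           STARTING_TIMESTAMP => CURRENT TIMESTAMP - 30 DAYS))
   WHERE REMOTE_ADDRESS IS NOT NULL
  -- AND JOB_NAME LIKE 'SSHD_JOB%'   -- same hypothetical placeholder
)
-- One line per user and source address: who connected, from where, how often.
-- raw_entries stays high because a single SSH session writes several entries.
SELECT USER_NAME,
       REMOTE_ADDRESS,
       COUNT(*)             AS raw_entries,
       MIN(ENTRY_TIMESTAMP) AS first_seen,
       MAX(ENTRY_TIMESTAMP) AS last_seen,
       LISTAGG(DISTINCT source, ',') AS seen_in
  FROM raw_entries
 GROUP BY USER_NAME, REMOTE_ADDRESS
 ORDER BY last_seen DESC;
```

Run the query before removing anyone's SSH access and keep the output as the list to review with the profile owners; the first_seen/last_seen columns show whether an address is a regular client or a one-off, which is usually the deciding factor when choosing between allowing the profile and blocking it.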

SNMP

The other server I need to mention is Simple Network Management Protocol, better known as SNMP. This is the TCP/IP protocol that allows you to manage devices throughout your network, of which IBM i may be one. The problem with this protocol is that intruders can use it to map out your network, and the first two versions of this protocol make that quite easy to do. IBM i 7.5 builds on the enhancements in IBM i 7.4 to only allow SNMPv3. If you use SNMP in your network or you specifically want to prevent the SNMP agent from running on your system, see https://www.ibm.com/docs/en/i/7.5?topic=snmp-controlling-access for more details and recommendations.
