Preparing for anonymous File Transfer Protocol

To set up your anonymous File Transfer Protocol (FTP), you need to be aware of certain security considerations.

Skill requirements

To set up anonymous FTP, you need the following skills:

• Familiarity with the i5/OS^® character-based interface and commands with multiple parameters and keywords.

• Ability to create libraries, members, and source physical files on your system (you should have at least *SECOFR authority).

• Ability to assign authorities to libraries, files, members, and programs.

• Ability to write, change, compile, and test programs on your system.

Security considerations

The first step in implementing anonymous FTP is to define your anonymous FTP server site policy. This plan defines the FTP site security and determines how to code your exit programs. Because the FTP server will allow anyone to access your data, carefully consider how you want it to be used, and what data must be protected.

Review the following guidelines for your FTP site policy plan:

• Use a firewall between your system and the Internet.

• Use a nonproduction system for your FTP server.

• Do not attach the FTP server to the rest of your company's LANs or WANs.

• Use FTP exit programs to secure access to the FTP server.

• Test FTP exit programs to ensure that they do not contain security loopholes.

• Do not allow anonymous FTP users to have read and write access to the same directory. This permits the anonymous user to be untraceable on the Internet.

• Allow ANONYMOUS access only. Do not allow any other user IDs and do not authenticate passwords.

• Restrict ANONYMOUS access to one public library or directory only. (Where will it be? What will you call it?)

• Place only public access files in the public library or directory.

• Restrict ANONYMOUS users to 'view' and 'retrieve' subcommands only (get, mget). Do not under any circumstances allow ANONYMOUS users to use CL commands.

• Log all access to your FTP server.

• Review FTP server logs daily or weekly for possible attacks.

• Verify that the FTP server registers the correct exit programs once a month.

• Test the FTP server for security holes once a month.

Parent topic: