SECTCP CHANGE LOG

2022-12-27
- Updated SERVERLOG2: if a logon is not accepted, write/update the active defense reject record; if the maximum number of violations is exceeded and the penalty record has expired, set the IP address as EXCLUDED.
- Fixed pgm COMPILE.

2022-12-14
- Security-sensitive programs now make sure they are run by a security administrator who is also the SECTCP owner.

2022-03-19
- Requests for .wav and .mp3 files are now ignored in the HTTP LOG reports.

2022-01-15
- SECTCP now supports user profiles with passwords longer than 10 characters.

2021-03-29
- The installation program now requires a class(*secofr) user profile.
- Fixed program WRKIPA.

2021-03-24
- Fixed a number of programs: COMPILE, CVTAOLOG4, FTPLOGSUM3, TGTLOGSUM3, PRGFTPLOG, PRGTGTLOG.

2019-02-03
- SECTCP FTP and TELNET exit programs are now duplicated in library SECTCPDATA. ADDEXITPGM commands now refer to these SECTCPDATA duplicated programs. This was done to prevent FTP and TELNET failures during SECTCP installation.

2019-02-01
- New command HTTPLOGFLT allows running a user exit point program to filter daily WEB access log entries.

2018-03-14
- Private directories: added a feature (*RWX) to restrict the FTP operations allowed to a user profile.
- Minimum OS release is now V5R3M0.

2017-12-27
- Fixed a bug in pgm SERVERREQ: the "Override HOMEDIR with ..." in "Work with User Profiles" was no longer honored.

2017-12-08
- Slightly modified the way a category (Allowed, Privileged or Excluded) is assigned to an FTP client IP address.

2017-11-30
- Added an IP location description repository file, SECTCPDATA/IPLOC, to interface with the new utility ESECTCP.

2017-11-29
- Provided second-level user exits for FTP and TELNET connect validation. See pages:
-- http://www.easy400.net/sectcp/html/page08b.htm
-- http://www.easy400.net/sectcp/html/telnetUserExitProgram.html

2017-09-10
- Fixed a severe problem (MCH1210) in SERVERLOG2 when system value QMAXSIGN is set to *NOMAX. That error was causing the FTP login to bump out.

2017-09-03
- Fixed the following problems:
-- 5250 screen "Display FTP log history": F16 (Files received) resulting in CPF4101.
-- 5250 screen "Display FTP log history": F16 (Files received) was displaying no records.

2017-07-30
- Updated FTP and TELNET log purge programs (PRGFTPLOG, PRGTGTLOG).

2017-07-22
- Some important changes to exit program SERVERREQ.

2017-07-16
- Rejected FTP requests are now logged to a "24 hrs Reject Log" file. Reject reasons are documented along with suggestions for recovering from rejections. A program for displaying this file is available.

2017-07-05
- "Work with allowed domains" is now replaced by "Work with allowed directories":
-- "Public allowed directories"
-- "Private allowed directories"
- Fixed some problems with home directories of validation list users.

2017-06-22
- Provided support for logging on to FTP from a validation list instead of using a user profile. See page http://www.easy400.net/sectcp/html/page08.htm .

2017-02-12
- Log lifetimes are now controlled by command SECTCP/LOGPURGE; expired logs are now removed by command SECTCP/LOGFIX.

2017-02-08
- More evidence provided to command CVTHTTPLOG.

2016-10-06
- Fixed the way a client IP address is found to be in the range of two excluded IP addresses (module XXXCOMPARE of srvpgm SECTCP/SECTCP).

2016-09-26
- Fixed the case when an FTP client address is not in the allowed list, nor in the privileged list, nor in the excluded list. Before the fix it was accepted; now it is rejected.

2016-09-05
- Fixed a bug in module XXXRJTMSG. This bug affected TELNET exit program TGTINIT10.

2016-08-30
- Fixed module CVTAOLOG2.

2016-08-05
- Fixed problems in controlling FTP allowed domains (module SERVERREQ).

2016-07-26
- Fixed problems in recording access data onto the TELNET LOG and displaying LOG HISTORY.

2016-07-13
- Command NFYACSRJT now also checks for proper authorities to the message queue.

2016-07-10
- New command NFYACSRJT (Notify Access Rejection) can be used to send warning messages to a message queue for each FTP and/or TELNET access violation.

2016-06-25
- Fixed an error in pgm WRKIPA (bad validation of an IP address range).
- Fixed procedure RtvIpaCls() (return IP address class if within a predefined IP address range).

2015-11-17
- Enlarged IP address description in files IPATGT and TGTLOG.

2015-11-10
- Fixed a potential exposure with user ANONYMOUS in pgm SERVERLOG2.

2015-10-18
- Some improvements in "Work with IP Addresses" and "Work with Penalty records".
- SECTCP FTP Authorized user profile *ANY can now be used as a default control.

2015-10-13
- Slightly modified the Active Defense process.

2015-07-30
- Solved a security exposure. Program SECTCP/SERVERREQ (used by FTP exit point QIBM_QTMF_SERVER_REQ) did not understand, and therefore did not control, requests for paths including "/.." notations, like /home/GIOVANNI/pdfs/../../ROBERT (which resolves to /home/ROBERT). FTP sessions started from WEB browsers like Firefox commonly use such path notations, and as a result SECTCP was failing its path checks, thus allowing a WEB user to access non-allowed directories. That was fixed in today's SECTCP release.

2013-11-21
- Telnet protection. More flexible decision when an IP address is marked as both Excluded and Allowed.

2012-09-26
- In "FTP - Work with User Profiles", the option "initialize session" was removed.

2012-09-24
- Updated exit program SERVERREQ: when request="initialize session", FTP user profile forced to QTCP.

2012-08-24
- Objects of type .ico and .js (besides .gif, .jpg, .png and .css) should not be reported in logs.

2011-11-24
- Objects of type .png (besides .gif, .jpg and .css) should not be reported in logs.

2011-09-20
- Created PDF SECTCP Guide.

2011-06-05
- Added overrides to pgm COMPILE in order to avoid compile errors due to homonymous file names.

2011-05-25
- Slightly modified pgm SERVERREQ, but no functional changes.

2011-01-24
- Added command WRKIGNURL. It allows defining entries that must be dropped from the HTTP log.

2009-12-16
- Fixed some text in panel group FTPAN.

2009-01-16
- HTML manual made available at http://.../sectcp/start
- Some minor errors fixed for FTP and HTTP reports.

2008-12-29
- Program CVTAOLOG gained the ability to add records to file SECTCPDATA/ROBOTIPS (IP addresses of robots). Command CVTAOLOG allows running pgm CVTAOLOG daily from a Job Schedule Entry.

2008-12-03
- A new feature added to Active Defense. It enhances defense against bad logons. Several programs involved (SERVERLOG2, SERVERREQ, etc.).

2008-10-10
- Fixed some programs related to Active Defense: SERVERLOG2, SERVERREQ, SERVERARJ, COMPILE.

2008-10-09
- It is now possible to define a limited number of IP addresses allowed to log on.
- It is now possible to restrict given user profiles within the initially assigned current directory.

2008-08-25
- Another change to FTP-EXIT-POINT pgm SERVERLOG2. A user profile is now also allowed to change the initial value of parameter NAMEFMT for the FTP session.

2008-08-22
- Deep change to FTP-EXIT-POINT pgm SERVERLOG, now named SERVERLOG2. It allows the user profile logging on to define an initial current library or an initial home directory for the FTP session.

2008-08-06
- Fixed several modules related to HTTP access/error log: CVTAOLOG, CVTAOLOG2, CVTAOLOG3, CVTAOLOG4, DSPWEBLOG, WEBLOGSUM1, WEBLOGSUM2, WEBLOGSUM3, WRKLOGS1, RTVSRLNBR, WEBERRSUM1, WEBERRSUM2, WEBERRSUM3, TGTLOGSUM3.

2008-08-01
- Fixed pgm CVTAOLOG: it was not refreshing the current day (*TODAY) HTTP access and error log.

2008-07-19
- Some fixes over the 2008/07/08 release.

2008-07-08
- Local installation files are no longer kept in library QUSRSYS. They are now maintained in library SECTCPDATA.

2007-09-06
- Program WRKDOM: a blank domain is now removed.

...
...
...

2003-03-12
- A refresh of library sectcp ("Triple A Secured TCP/IP") has been made available. This refresh contains updates required for OS/400 release V5R2.

2003-01-09
- A refresh version of library sectcp ("Triple A FTP security") has been made available. Stefano Procenzano from TST Systems, Rimini, Italy, found out that the *ANY token for FTP privileged/excluded IP addresses, though mentioned in the documentation, was not really available. As a matter of fact, the implementation was forgotten, but has been added now.

2002-05-27
- You can enjoy running SECTCP through our new WEB browser interface, library WSECTCP. Just walk to our downloads page.

2001-06-22
- 3A Secured TCP Utility is now a single library (sectcp), inclusive of sources. The size of the downloadable file has been reduced to less than 1 Mb. The installation procedure now requires a compilation step.

2000-11-23
- A new release of library sectcp (Triple A Secured TCP) is available. Two fixes have been included:
-- FTP exit point. It did not accept any remote command, even when the logged-on user profile was authorized to issue it.
-- TELNET exit point. A TCP/IP address containing 0. used to be misunderstood, thus resulting in a possible rejection of the connection (as an example, 195.83.0.72 would have been misinterpreted as 195.83. .72).

1999-12-01
- Source library of utility SECTCP was made available for download.

1999-09-17
- Released the following enhancements:
-- Now year 2000 compliant.
-- "Active Defense" feature added to ftp security: this feature, if enabled, allows raising defenses against unpredictable ftp attacks. When a client IP address is detected violating your security rules more than a user-established number of times, any further ftp request from this IP address is rejected until the end of its ftp session. In addition, any further logon request from this IP address is rejected for a user-specified number of minutes. Optionally, even "privileged" IP addresses may undergo this control.
-- "*any" value now available instead of the IP address for
   . ftp privileged ip addresses
   . ftp excluded ip addresses
   . wsg privileged ip addresses
   as it was already for telnet ip addresses. This "*any" value may significantly reduce the amount of user specifications needed to reach the required level of security.
   The user profile used to support "anonymous ftp" is automatically checked and reset in order to be always available.
-- Navigation across menus has been enhanced.
-- Undue dependencies on other libraries have been removed or put under proper control.
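
The 2015-07-30 entry above describes a directory check that was fooled by "/.." path notations. The following is an added Python illustration of that class of problem and of the normalize-then-compare remedy; it is not SECTCP code, and ALLOWED_DIRS and all function names are assumptions made for the example.

```python
import posixpath

# Constructed sample configuration: directories one FTP user may access.
ALLOWED_DIRS = ["/home/GIOVANNI"]


def naive_is_allowed(requested, allowed_dirs=ALLOWED_DIRS):
    """Flawed check: compares the raw request string against the prefixes,
    so ".." components and look-alike sibling names slip through."""
    return any(requested.startswith(d) for d in allowed_dirs)


def normalize(requested, cwd="/"):
    """Resolve the request against the session's current directory and
    collapse ".", ".." and repeated slashes. This is lexical only: symbolic
    links are not followed and would need a separate check."""
    return posixpath.normpath(posixpath.join(cwd, requested))


def is_allowed(requested, cwd="/", allowed_dirs=ALLOWED_DIRS):
    """Normalize first, then compare whole path components. Default is deny."""
    path = normalize(requested, cwd)
    for d in allowed_dirs:
        base = posixpath.normpath(d)
        # Match the directory itself or anything strictly below it.
        if path == base or path.startswith(base.rstrip("/") + "/"):
            return True
    return False


if __name__ == "__main__":
    # Constructed requests; the first is the path quoted in the entry.
    samples = [
        ("/home/GIOVANNI/pdfs/../../ROBERT", "/"),
        ("../../ROBERT", "/home/GIOVANNI/pdfs"),
        ("/home/GIOVANNI2/x", "/"),
        ("/home/GIOVANNI/pdfs/report.pdf", "/"),
    ]
    for req, cwd in samples:
        print(f"{req!r:40} cwd={cwd!r:24} -> {normalize(req, cwd)!r:34} "
              f"naive={naive_is_allowed(req)} fixed={is_allowed(req, cwd)}")
```

The relative request in the samples shows why the session's current directory has to be part of the normalization: the raw string contains no allowed prefix at all, yet it still names a directory outside the allowed tree.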