Just getting started with Cerberus FTP? Do you need to secure your FTP server? Here are some steps that you can take to secure your FTP server to help ensure that your data and users are protected.
Note: Any sub-optimal security settings found in your environment are also flagged on the Summary page of the Cerberus FTP Admin GUI, under the Security Overview, System Messages, and Vulnerability Assessment sections.
1. Unencrypted FTP
By default, Cerberus FTP configures FTP listeners to refuse unencrypted FTP connections. If you have enabled unencrypted FTP in your environment, we strongly recommend that you disable it as soon as possible: plain FTP sends credentials and file contents in cleartext, so anyone on the network path can read them, and your data can be modified in transit without your knowledge. Switch to an encrypted alternative such as FTPS, SFTP, or HTTPS instead.
2. Install an SSL Certificate
If your clients submit any personal information (documents, photos, etc.), install a valid SSL/TLS certificate, issued by a certificate authority that your clients trust, on your Cerberus FTP Server. With a valid certificate in place, clients can verify that the server they are connecting to is the legitimate one and not an impostor. It also stops users from encountering “unable to verify the server” warnings (which a self-signed certificate produces) and from getting into the habit of clicking through them.
3. Enable Auto-Blocking and DOS Protection
Automated bots continuously scan the internet for FTP and SFTP servers, and when they find one they try common usernames and passwords to gain access. To keep them out, enable Auto Blocking from the IP Manager. With the auto-blocking policy enabled, a source IP address that repeatedly fails to log in is blocked from further attempts once it exceeds a set number of failures within the configured time window.
Furthermore, if Enable DoS Protection is turned on, every connection to the server counts toward auto-blocking, even a connection that never attempts to authenticate. This helps against denial-of-service attempts that open connections to tie up and overwhelm the server, and against scanners that continuously probe the server with garbage data looking for vulnerabilities.
Alternatively, you can whitelist only specified IP addresses: only addresses on the whitelist are allowed to connect to your Cerberus FTP Server, and every other address is automatically blocked. If you go the whitelist route, note that problems arise when your users do not have static IPs.
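The following is an added illustration of the auto-blocking logic described above, not Cerberus FTP's own code: a sliding-window counter per source address that blocks the address after a threshold of failed logins, counts bare connections too when DoS protection is on, and exempts whitelisted ranges. The log format, the thresholds, and the rule that a successful login clears the counter are assumptions made for the example; the log lines are constructed.

```python
"""Auto-blocking / DoS-protection replay over constructed log lines (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass
class AutoBlockPolicy:
    max_failures: int = 5         # counted events inside the window before the source is blocked
    window_seconds: int = 300     # sliding window over which events are counted
    block_seconds: int = 3600     # how long a block lasts once triggered
    dos_protection: bool = False  # True: every connection counts, even one that never authenticates
    whitelist: tuple = ()         # CIDR ranges that are never blocked (the whitelist alternative)


class AutoBlocker:
    def __init__(self, policy: AutoBlockPolicy):
        self.policy = policy
        self.events = defaultdict(deque)   # ip -> timestamps of counted events, oldest first
        self.blocked_until = {}            # ip -> epoch second at which the block expires
        self.nets = [ipaddress.ip_network(n) for n in policy.whitelist]

    def whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)

    def observe(self, ip, event, now):
        """Feed one event ('connect', 'auth_fail' or 'auth_ok') seen at epoch second `now`.
        Returns 'allowed', 'blocked' (this event tripped the threshold) or 'refused'
        (the source was already blocked)."""
        if self.whitelisted(ip):
            return "allowed"
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "refused"
            del self.blocked_until[ip]                  # block has expired
        if event == "auth_ok":
            self.events.pop(ip, None)                   # assumption: a successful login resets the count
            return "allowed"
        counts = event == "auth_fail" or (event == "connect" and self.policy.dos_protection)
        if not counts:
            return "allowed"
        q = self.events[ip]
        q.append(now)
        while q and q[0] <= now - self.policy.window_seconds:   # drop events outside the window
            q.popleft()
        if len(q) >= self.policy.max_failures:
            self.blocked_until[ip] = now + self.policy.block_seconds
            q.clear()
            return "blocked"
        return "allowed"


# Constructed sample log (not real Cerberus output): "<ISO time> <source ip> <event> [user=...]".
SAMPLE_LOG = """
2024-05-01T10:00:00 203.0.113.7 connect
2024-05-01T10:00:01 203.0.113.7 auth_fail user=admin
2024-05-01T10:00:02 203.0.113.7 auth_fail user=root
2024-05-01T10:00:03 203.0.113.7 auth_fail user=ftp
2024-05-01T10:00:04 203.0.113.7 auth_fail user=test
2024-05-01T10:00:05 203.0.113.7 auth_fail user=admin
2024-05-01T10:00:06 203.0.113.7 auth_fail user=admin
2024-05-01T10:00:10 10.0.0.5 auth_fail user=alice
2024-05-01T10:00:11 10.0.0.5 auth_fail user=alice
2024-05-01T10:00:12 10.0.0.5 auth_fail user=alice
2024-05-01T10:00:13 10.0.0.5 auth_fail user=alice
2024-05-01T10:00:14 10.0.0.5 auth_fail user=alice
2024-05-01T10:00:20 198.51.100.9 connect
2024-05-01T10:00:21 198.51.100.9 connect
2024-05-01T10:00:22 198.51.100.9 connect
2024-05-01T10:00:23 198.51.100.9 connect
2024-05-01T10:00:24 198.51.100.9 connect
2024-05-01T10:00:25 198.51.100.9 connect
2024-05-01T10:05:00 192.0.2.44 auth_fail user=bob
2024-05-01T10:05:01 192.0.2.44 auth_ok user=bob
"""


def replay(log, policy):
    """Run a log through an AutoBlocker; return {'blocked': {ip: time it was blocked}, 'refused': n}."""
    blocker = AutoBlocker(policy)
    result = {"blocked": {}, "refused": 0}
    for line in log.strip().splitlines():
        when, ip, event = line.split()[:3]
        now = datetime.fromisoformat(when).timestamp()
        verdict = blocker.observe(ip, event, now)
        if verdict == "blocked":
            result["blocked"][ip] = when
        elif verdict == "refused":
            result["refused"] += 1
    return result


if __name__ == "__main__":
    for dos in (False, True):
        policy = AutoBlockPolicy(dos_protection=dos, whitelist=("10.0.0.0/8",))
        print("DoS protection", "on" if dos else "off", "->", replay(SAMPLE_LOG, policy))
```

With DoS protection off, only the address that keeps failing authentication is blocked; the address that opens six connections without ever logging in is left alone. Turning DoS protection on counts those bare connections as well, which is what stops connection-exhaustion and fuzzing traffic, at the cost of also counting the scanner's very first connect. Whitelisted ranges bypass the counter entirely, which is why a whitelist of non-static user addresses is risky: an address that drops off the list is treated like any other.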
4. Create a strong password policy.
Consider implementing a password policy with the following characteristics to ensure that users of the Cerberus FTP Server choose secure passwords:
- Passwords should be at least 8 characters in length (longer is better).
- Passwords should require both number and letter characters.
- Passwords should include at least one special character.
- Passwords should be set to change every 90 days.
- Don’t allow any of the last 4 passwords to be re-used.
- Make sure that your password storage hash format uses a strong, salted, iterated algorithm such as PBKDF2-HMAC-SHA256.
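Here is an added example, not Cerberus FTP's own code, of how the rules above fit together with PBKDF2-HMAC-SHA256 storage. The stored-hash string format, the 600,000 iteration default (OWASP's current recommendation for PBKDF2-HMAC-SHA256), and the idea that reuse is checked by verifying the candidate against the stored hashes of the previous passwords (so old passwords are never kept in clear text) are the example's own choices.

```python
"""Password policy checks plus PBKDF2-HMAC-SHA256 storage (added example)."""
import hashlib
import hmac
import os
import re
import time

ITERATIONS = 600_000      # OWASP's recommended work factor for PBKDF2-HMAC-SHA256
MAX_AGE_DAYS = 90         # rotation period from the list above
HISTORY_DEPTH = 4         # number of previous passwords that may not be reused


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>' with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def policy_violations(candidate, previous_hashes):
    """Return the list of rules a proposed password breaks (empty means acceptable).
    Reuse is detected by verifying the candidate against the stored hashes of the last
    HISTORY_DEPTH passwords, so the history never has to hold plain-text passwords."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("needs both letters and digits")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("needs at least one special character")
    if any(verify_password(candidate, old) for old in previous_hashes[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed, now=None, max_age_days=MAX_AGE_DAYS):
    """True when the password (last changed at epoch second `last_changed`) is older than the rotation period."""
    now = time.time() if now is None else now
    return now - last_changed > max_age_days * 86400


def change_password(candidate, previous_hashes, iterations=ITERATIONS):
    """Apply the policy; on success return the new stored hash and the trimmed history."""
    problems = policy_violations(candidate, previous_hashes)
    if problems:
        raise ValueError("; ".join(problems))
    new = hash_password(candidate, iterations)
    return new, (previous_hashes + [new])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    history = []
    for pw in ("Winter2024!", "Spring2025!"):
        stored, history = change_password(pw, history)
        print(pw, "->", stored[:40] + "...")
    print("reuse check:", policy_violations("Winter2024!", history))
```

Two details matter in practice: the salt and iteration count are stored alongside the hash so they can be raised over time without invalidating existing accounts, and comparison uses hmac.compare_digest so that verification time does not leak how many bytes matched.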
5. Consider enforcing Two-Factor Authentication.
A password on its own is a single point of failure: it can be guessed, phished, or exposed when another site where the user reused it is breached. If you are using the HTTPS Web Client, we encourage you to enforce Two-Factor Authentication for your users to minimize the chance of a compromised password turning into a breach.
Two-Factor Authentication requires both the password and a code from a second device (usually a smartphone authenticator app) before a user can log in to their Cerberus FTP user account. When it is enabled and a user signs in, they enter their password and then the one-time 2FA code generated on their device. This adds a second layer of protection to the Web Client: even if someone steals or guesses the password, they cannot authenticate without the current 2FA code from the user’s device.
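The code "generated on their mobile device" is normally a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The block below is an added example of the server-side check, not Cerberus FTP's implementation, and the step size, digit count, and drift window are assumptions. It verifies a code against the current 30-second step and its neighbours, and refuses to accept a step that has already been used, which is the replay protection a production verifier needs.

```python
"""HOTP/TOTP generation and server-side verification (added example, RFC 4226 / RFC 6238)."""
import base64
import hashlib
import hmac
import struct


def secret_from_base32(text):
    """Authenticator apps are provisioned with a base32 secret; decode it to raw key bytes."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)            # restore padding that QR codes usually omit
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, int(unix_time // step), digits)


class TotpVerifier:
    """Accept the current step and +/- `window` neighbours (clock drift between phone and
    server), and never accept a step at or before the last one that succeeded (replay)."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1          # in a real deployment this is persisted per user

    def verify(self, code, unix_time):
        if not (code.isdigit() and len(code) == self.digits):
            return False
        current = int(unix_time // self.step)
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step:                       # already consumed: replay
                continue
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 test secret "12345678901234567890" in base32 form.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at t=59:", totp(secret, 59))       # RFC 6238 vector (SHA-1, 6 digits): 287082
    v = TotpVerifier(secret)
    print("first use:", v.verify("287082", 59), "replay:", v.verify("287082", 59))
```

The drift window is a trade-off: each extra step accepted widens the set of valid codes an attacker could guess, so keep it at one step and rate-limit 2FA attempts just as you would password attempts.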
6. Configure Advanced Security Options
Encryption ciphers protect data in transit for both SFTP and FTPS. A cipher is an algorithm that, given the original data and a key, produces the encrypted data that is sent over the wire. To keep your environment as secure as possible, disable older and outdated ciphers (e.g. 3DES) and use only strong ciphers (e.g. AES) with your Cerberus FTP Server for your secure file transfers.
HMAC algorithms verify the integrity of each transmission. As with encryption ciphers, disable older hash/MAC algorithms such as MD5 and SHA-1 and stick with strong algorithms from the SHA-2 family.
6a. Working with government or HIPAA data? Use only FIPS 140-2 validated encryption ciphers.
FIPS 140-2 is a security standard for cryptographic modules published by the National Institute of Standards and Technology (NIST). Enabling FIPS 140-2 mode limits the Cerberus FTP Server to the ciphers provided by a FIPS 140-2 validated cryptographic module, so that only approved algorithms are used for encrypted connections. FIPS 140-2 mode is also strongly recommended for a HIPAA-compliant file transfer system.
6b. Don’t use SSL v3.0, TLS v1.0, or TLS v1.1
TLS v1.2, defined in IETF RFC 5246, is the minimum version you should accept and the one we recommend clients implement. It is the norm for highly secure websites and the most widely deployed TLS version, and it is the first version that supports modern AEAD cipher suites such as AES-GCM. Its successor, TLS v1.3 (IETF RFC 8446), should also be enabled wherever your server and clients support it.
TLS v1.1, the second version of TLS, was released in 2006 as IETF RFC 4346. It fixed some of the security problems in TLS v1.0 (notably by giving each CBC record its own explicit initialization vector), which removed the need for many of the workarounds built into clients and servers. Because many deployed TLS v1.0 clients and servers never implemented those workarounds, TLS v1.1 was an improvement over TLS v1.0, but it is now obsolete: IETF RFC 8996 (2021) formally deprecated both TLS v1.0 and TLS v1.1.
TLS v1.0 was released in 1999 as the first version of the TLS protocol (IETF RFC 2246). It is very similar to SSL v3.0 and needs workarounds in both client and server to be used securely with all of its cipher suites, and it cannot use the modern cipher suites that offer greater security and efficiency. It is still encountered in the field, but it should be disabled.
SSL v3.0 is obsolete and insecure and must not be used; IETF RFC 7568 prohibits it. Although it is the last SSL version, SSL is the predecessor of TLS, so clients should use the newest TLS version available rather than SSL. The only scenario in which SSL v3.0 could even be considered is a very tightly controlled network where connections from legacy services that cannot or will not upgrade have to be allowed.
6c. 128-bit encryption vs 256-bit encryption
Cerberus FTP allows the administrator to specify which algorithms may be negotiated during the handshake via the advanced security settings in the Server Manager, so you can require either 128-bit or 256-bit encryption. By default, Cerberus FTP Server requires a minimum of 128-bit encryption.
A 128-bit key (as in AES-128) cannot be brute-forced with any foreseeable computing power, and 128-bit encryption is the minimum key length generally accepted for HIPAA compliance. 256-bit encryption (AES-256) is considerably stronger and gives a larger security margin against future advances in computing, so consider it if you want the highest available encryption strength. As technology progresses, the industry is expected to move toward 256-bit encryption as the standard for TLS.
Note: If your Cerberus FTP Server is configured to require 256-bit encryption, the FTP client being used must also support 256-bit encryption or the connection will fail. Requiring 256-bit encryption therefore improves the strength of your data protection at the cost of some client compatibility.
6d. Prefer TLS ciphers that support Perfect Forward Secrecy
Cerberus FTP Server can be configured to use key agreement methods that provide Perfect Forward Secrecy (PFS). With PFS, each session’s keys come from an ephemeral Diffie-Hellman exchange (DHE or ECDHE), so they do not depend on the server’s long-term private key.
What is the benefit of using TLS ciphers that support Perfect Forward Secrecy?
If your Cerberus FTP Server’s private key is ever compromised, sessions negotiated with PFS cipher suites cannot be decrypted from captured traffic: the server’s key pair takes no part in deriving the session key and is used only to sign the handshake so the client can verify the server’s identity. Without PFS (RSA key transport), the client encrypts the session secret to the server’s public key, so whoever holds the private key can decrypt every recorded session, past and future.
If you want your Cerberus FTP Server to accept only connections with Perfect Forward Secrecy, select either the 128-bit or the 256-bit Perfect Forward Secrecy profile from the security profiles (under the Server Manager>Security>Advanced tab). Once the profile is selected and saved, the security settings of your environment are immediately changed to match the selected profile.
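The recommendations in 6, 6a, 6b, 6c and 6d can be written down as one cipher-suite policy. The block below is an added example, not Cerberus FTP's code or configuration format: it classifies OpenSSL-style cipher-suite names (the naming Cerberus's security profiles are assumed to map onto), rejects legacy bulk ciphers, MD5/SHA-1 MACs, anonymous key exchange, suites below a chosen key size, non-FIPS ciphers when FIPS mode is wanted, and suites without forward secrecy, and then applies the result to a Python ssl server context with TLS 1.2 as the minimum version. The ssl context stands in for the Server Manager settings; the policy function is the part to compare against your own profile.

```python
"""Cipher-suite policy for an FTPS/HTTPS listener (added example; OpenSSL suite names)."""
import re
import ssl


def describe_suite(name):
    """Break an OpenSSL cipher-suite name into the properties the policy needs.
    TLS 1.3 names (TLS_AES_256_GCM_SHA384) always use ephemeral key exchange and AEAD."""
    n = name.upper()
    tls13 = n.startswith("TLS_")
    m = re.search(r"AES[_-]?(128|256)|(CHACHA20)", n)
    if m and m.group(1):
        bulk, bits = "AES", int(m.group(1))
    elif m:
        bulk, bits = "CHACHA20", 256
    else:
        bulk, bits = "other", 0                   # 3DES, RC4, Camellia, ARIA, NULL, ...
    aead = any(t in n for t in ("GCM", "CCM", "POLY1305"))
    mac = re.search(r"[_-](MD5|SHA\d*)$", n)      # a trailing "SHA" with no number is SHA-1
    return {
        "pfs": tls13 or n.startswith(("ECDHE-", "DHE-")),   # ephemeral DH: forward secrecy (6d)
        "anon": n.startswith(("ADH-", "AECDH-")),           # no server authentication at all
        "bulk": bulk, "bits": bits, "aead": aead,
        "mac": mac.group(1) if mac else "none",
    }


def suite_policy(name, min_bits=128, require_pfs=True, fips=False):
    """Return (accepted, reason) for one suite under the recommendations above."""
    d = describe_suite(name)
    if d["anon"]:
        return False, "anonymous key exchange (no server authentication)"
    if d["bulk"] == "other":
        return False, "legacy bulk cipher (3DES, RC4, ...); use AES"          # section 6
    if fips and d["bulk"] != "AES":
        return False, "ChaCha20 is not a FIPS 140-2 approved cipher"           # section 6a
    if d["bits"] < min_bits:
        return False, f"{d['bits']}-bit key is below the {min_bits}-bit minimum"  # section 6c
    if not d["aead"] and d["mac"] in ("MD5", "SHA"):
        return False, f"weak MAC {d['mac']}; require SHA-2 or an AEAD suite"   # section 6 (HMAC)
    if require_pfs and not d["pfs"]:
        return False, "no forward secrecy (static RSA key transport)"          # section 6d
    return True, "ok"


def allowed_cipher_string(**policy):
    """Filter the local OpenSSL default suite list down to what the policy accepts.
    TLS 1.3 suites are left out because OpenSSL configures them separately (Python's ssl
    module has no setter for them); they are all AEAD with forward secrecy anyway."""
    base = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    names = [c["name"] for c in base.get_ciphers() if not c["name"].startswith("TLS_")]
    return ":".join(n for n in names if suite_policy(n, **policy)[0])


def hardened_context(**policy):
    """Server context: TLS 1.2 minimum (6b: no SSL 3.0, TLS 1.0 or 1.1) plus the filtered suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(allowed_cipher_string(**policy))
    return ctx


if __name__ == "__main__":
    for suite in ("DES-CBC3-SHA", "AES256-GCM-SHA384", "ECDHE-RSA-AES128-SHA",
                  "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
                  "ECDHE-ECDSA-AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384"):
        print(f"{suite:32} default: {suite_policy(suite)[1]:45} "
              f"256-bit FIPS: {suite_policy(suite, min_bits=256, fips=True)[1]}")
    ctx = hardened_context(min_bits=256)
    print("negotiable:", [c["name"] for c in ctx.get_ciphers()])
```

The 256-bit profile (min_bits=256) rejects AES-128 suites in the TLS 1.2 list, which is exactly the compatibility cost the note under 6c describes; the fips flag additionally drops ChaCha20-Poly1305, since it is not a FIPS-approved algorithm. Whatever policy you settle on, confirm it from the outside with a client that reports the negotiated version and suite before you roll it out.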
7. Other Best Practices
Keep Cerberus FTP up-to-date. Update your server whenever a new version is publicly available.
Older releases may contain security vulnerabilities that later versions fix, so keep your Cerberus FTP Server up-to-date. The server can be configured to check for updates on a daily, weekly, or monthly cadence, and administrators can check manually by selecting Help>Check for Updates from within the Cerberus FTP Admin GUI console. You can also subscribe to our mailing list to receive our newsletter, which contains new release information and offers for Cerberus FTP Server.