New to Cerberus FTP Server and looking to strengthen the security of your FTP server? Here are essential steps you can take to enhance the security of your Cerberus FTP Server:
1. Disabling Unencrypted FTP
Cerberus FTP Server is designed to prioritize security, and by default, FTP listeners are configured to disallow unencrypted FTP connections. However, if you have enabled Unencrypted FTP, it is strongly advised to disable it promptly.
Unencrypted FTP sends data in the clear, so anyone on the network path can read it or modify it in transit without your knowledge. To ensure the integrity and confidentiality of your data, we strongly recommend switching to a more secure alternative, such as FTPS, SFTP, or HTTPS, which provides robust encryption mechanisms.
By migrating to these secure protocols, you can safeguard your FTP communications and protect your data from unauthorized interception or tampering.
2. Deploying an SSL Certificate
To ensure the security of personal information submitted by your clients, it is highly recommended to install a valid SSL certificate on your Cerberus FTP Server. By doing so, you establish a secure and encrypted connection, safeguarding sensitive data from unauthorized access.
With a valid SSL certificate in place, your clients can verify the authenticity of the server they are connecting to, enhancing trust and mitigating the risk of potential security threats. Furthermore, this proactive measure eliminates any potential warning messages that users may encounter when connecting to the server, preventing concerns about being unable to verify the server's authenticity.
By deploying an SSL certificate, you create a secure environment for your clients' data transfers, ensuring confidentiality and integrity throughout the communication process. Implementing this crucial security measure is an essential step in protecting sensitive information and maintaining a trustworthy FTP server for your clients.
3. Enable Auto-Blocking and DOS Protection
To enhance the security of your FTP or SFTP server, it is essential to address the threat posed by automated bots scouring the web for vulnerable servers. These bots often attempt to guess common usernames and passwords to gain unauthorized access. To mitigate this risk, we recommend enabling auto-blocking using the IP Manager's settings. When enabled, this feature automatically blocks users who repeatedly fail to log into the server after a certain number of unsuccessful attempts.
Additionally, enabling the DoS Protection feature can help safeguard against Denial of Service (DoS) attacks. With this setting enabled, any connection attempt to the server, even without authentication, will be counted towards the auto-blocking mechanism. This proactive approach prevents DoS attacks that aim to overwhelm the server by tying up connections. It is particularly useful in countering services that continuously probe the server with garbage data to exploit vulnerabilities.
Alternatively, you may choose to implement geoblocking measures by whitelisting specific IP addresses that are permitted to access your Cerberus FTP Server. By adopting this approach, only the IP addresses on the whitelist will be allowed to establish a connection, automatically blocking all other IP addresses.
However, it is important to note that utilizing geoblocking may present challenges if your users do not have static IP addresses.
By implementing Auto Blocking, DoS Protection, or geoblocking measures, you can significantly reduce the risk of unauthorized access and enhance the overall security of your FTP or SFTP server.
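The following is an added illustration of the auto-blocking and DoS Protection logic described above; it is not Cerberus code and the log format is constructed for the example. It replays a small event log per source IP: failed logins count toward a threshold inside a sliding window, a successful login resets the counter, a block expires after a fixed time, and in DoS-protection mode bare connection attempts count as well (the thresholds and windows are assumed values, not Cerberus defaults).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AutoBlocker:
    """Counts failed logins (and, with dos_protection, bare connection
    attempts) per source IP inside a sliding window and blocks the IP once
    the threshold is reached.  Thresholds here are assumed, not Cerberus's."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 block_for=timedelta(hours=1), dos_protection=False):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.dos_protection = dos_protection
        self._events = defaultdict(deque)  # ip -> timestamps of counted events
        self.blocked_until = {}            # ip -> datetime the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # block has expired
            del self.blocked_until[ip]
            return False
        return True

    def record(self, ip, event, now):
        """Feed one event; return True if the IP is blocked after it."""
        if self.is_blocked(ip, now):
            return True
        if event == "AUTH_OK":              # genuine user: reset the counter
            self._events.pop(ip, None)
            return False
        counted = event == "AUTH_FAIL" or (self.dos_protection and event == "CONNECT")
        if not counted:
            return False
        q = self._events[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget events outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
            self._events.pop(ip, None)
            return True
        return False


# Constructed sample log (not Cerberus's real log format):
# "<ISO timestamp> <EVENT> <client IP>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 CONNECT 203.0.113.5
2024-05-01T10:00:01 AUTH_FAIL 203.0.113.5
2024-05-01T10:00:02 AUTH_FAIL 203.0.113.5
2024-05-01T10:00:03 AUTH_FAIL 203.0.113.5
2024-05-01T10:00:04 AUTH_FAIL 203.0.113.5
2024-05-01T10:00:05 AUTH_FAIL 203.0.113.5
2024-05-01T10:00:10 CONNECT 198.51.100.7
2024-05-01T10:00:11 AUTH_FAIL 198.51.100.7
2024-05-01T10:00:12 AUTH_FAIL 198.51.100.7
2024-05-01T10:00:13 AUTH_OK 198.51.100.7
2024-05-01T10:00:20 CONNECT 192.0.2.9
2024-05-01T10:00:21 CONNECT 192.0.2.9
2024-05-01T10:00:22 CONNECT 192.0.2.9
2024-05-01T10:00:23 CONNECT 192.0.2.9
2024-05-01T10:00:24 CONNECT 192.0.2.9
"""


def replay_blocker(log_text, **options):
    """Run every log line through a fresh AutoBlocker and return it."""
    blocker = AutoBlocker(**options)
    for line in log_text.splitlines():
        ts, event, ip = line.split()
        blocker.record(ip, event, datetime.fromisoformat(ts))
    return blocker


def replay(log_text, **options):
    """Set of IPs that ended up blocked after replaying the log."""
    return set(replay_blocker(log_text, **options).blocked_until)


def blocked_at(log_text, ip, when_iso, **options):
    """Is `ip` still blocked at the given time (blocks expire after block_for)?"""
    return replay_blocker(log_text, **options).is_blocked(ip, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    print("auto-block only :", replay(SAMPLE_LOG))
    print("+ DoS protection:", replay(SAMPLE_LOG, dos_protection=True))
```

Note the difference between the two runs: 192.0.2.9 never attempts to authenticate, so it is only caught when connection attempts themselves are counted, which is what the DoS Protection setting adds.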
4. Implement a Robust Password Policy
To bolster the security of user accounts accessing Cerberus, it is crucial to enforce a strong password policy. Consider the following characteristics when establishing your password policy to ensure the use of secure passwords:
- Length Requirement: Set a minimum password length of at least 8 characters. Longer passwords are generally more resilient against brute-force attacks.
- Complexity Requirement: Mandate that passwords include a combination of both letters and numbers. This helps fortify passwords by introducing a mix of character types.
- Special Character Inclusion: Require the presence of at least one special character in passwords. Special characters add an additional layer of complexity to passwords, making them harder to crack.
- Regular Password Expiration: Set passwords to expire and change them every 90 days. Regularly updating passwords mitigates the risk of compromised credentials.
- Password History Restriction: Prevent the reuse of previous passwords by disallowing the reuse of the last 4 passwords. This ensures that users create fresh passwords and prevents the recycling of compromised credentials.
- Strong Password Hash Algorithm: Store passwords using a robust, salted and iterated hash format such as PBKDF2-HMAC-SHA256. This makes stored password hashes far slower to brute-force should the credential store ever be exposed.
By implementing a comprehensive password policy, you encourage users to create and maintain secure passwords, reducing the risk of unauthorized access to Cerberus.
Remember, regularly communicate and educate users about the importance of adhering to the password policy to ensure the highest level of account security.
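As an added example (not Cerberus code), here is the policy from the list above expressed in Python: a checker for the length, character-class, special-character and history rules, PBKDF2-HMAC-SHA256 storage with a per-password salt, and a 90-day expiry check. The iteration count is an assumed value chosen for illustration, not a Cerberus setting.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Policy values taken from the list above.
MIN_LENGTH = 8
HISTORY_DEPTH = 4
MAX_AGE = timedelta(days=90)
# Assumption: work factor chosen for illustration, not a Cerberus setting.
PBKDF2_ITERATIONS = 600_000
SPECIALS = set(string.punctuation)


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; the iteration count and
    salt are stored with the hash so it can be verified (and re-tuned) later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def policy_violations(password, previous_hashes=()):
    """Return the policy rules a candidate password breaks (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must contain both letters and digits")
    if not any(c in SPECIALS for c in password):
        problems.append("must contain at least one special character")
    # Only hashes are kept, so reuse is detected by verifying the candidate
    # against the last HISTORY_DEPTH stored hashes.
    if any(verify_password(password, h) for h in list(previous_hashes)[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(changed_at, now=None):
    """True once the password is 90 days old or older (ISO strings accepted)."""
    if isinstance(changed_at, str):
        changed_at = datetime.fromisoformat(changed_at)
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now()
    return now - changed_at >= MAX_AGE


if __name__ == "__main__":
    history = [hash_password("Winter2023!!", iterations=2_000)]  # low count: demo only
    for candidate in ("short1!", "Winter2023!!", "correct-horse-battery-9"):
        print(f"{candidate!r}: {policy_violations(candidate, history) or 'accepted'}")
    print("expired:", password_expired("2024-01-01", "2024-04-01"))
```

Keeping the salt and iteration count inside the stored string is what lets you raise the work factor later and re-hash users at their next login without a flag day.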
5. Consider enforcing Two-Factor Authentication
In the ever-evolving landscape of cybersecurity, relying solely on passwords is no longer sufficient to protect user accounts. To fortify the security of Cerberus, we strongly recommend considering the enforcement of Two-Factor Authentication (2FA) for your users when utilizing the HTTPS Web Client.
Two-factor authentication adds an additional layer of security by requiring users to provide both a password and a secondary verification method, such as a mobile phone or another secure device, to receive a 2FA token. This means that even if a hacker manages to crack or obtain a user's password, they would still need the unique 2FA code generated on the user's mobile device to successfully authenticate.
When Two-Factor Authentication is enabled in your environment, users attempting to log in to the Web Client will be prompted to enter their password and the corresponding 2FA code generated on their mobile device. This extra layer of protection significantly reduces the risk of unauthorized access, as an attacker would need physical possession of the user's device to complete the authentication process.
By implementing Two-Factor Authentication, you enhance the security posture of your FTP server, mitigating the potential impact of compromised passwords and providing users with an added level of confidence in their account security. Make use of this effective security measure to safeguard sensitive data and ensure the integrity of your server.
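Authenticator apps typically generate the code the section above refers to with the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226). The example below is added here to show how that code is produced and how the server side should verify it; it is not Cerberus's implementation, and that the Web Client uses exactly this scheme is an assumption. It also shows the two checks a verifier needs beyond a plain comparison: a small clock-skew window and replay protection, so a code that was observed cannot be accepted twice. The demo secret is the RFC 6238 reference secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(for_time // step), digits)


def provisioning_secret(secret):
    """Base32 form of the secret, i.e. what is enrolled in an authenticator app."""
    return base64.b32encode(secret).decode("ascii")


class TotpVerifier:
    """Server-side check: accept the current step plus/minus `skew` steps to
    absorb clock drift, but never a step at or before the last one accepted,
    so a captured code cannot be replayed inside its validity window."""

    def __init__(self, secret, step=30, skew=1, digits=6):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.digits = digits
        self.last_accepted_counter = -1

    def verify(self, code, now=None):
        if not (isinstance(code, str) and code.isascii() and code.isdigit()):
            return False
        now = time.time() if now is None else now
        counter = int(now // self.step)
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_accepted_counter:
                continue                        # already consumed: replay protection
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_accepted_counter = c
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 reference secret), not a real one.
    secret = b"12345678901234567890"
    print("enrol in app :", provisioning_secret(secret))
    code = totp(secret, time.time())
    verifier = TotpVerifier(secret)
    print("current code :", code, "accepted:", verifier.verify(code))
    print("replayed code accepted:", verifier.verify(code))   # False
```

The per-user secret must be stored with the same care as a password hash store: it is a symmetric key, and anyone who reads it can generate valid codes. Storing it encrypted at rest and rate-limiting code attempts (a 6-digit code has only a million possibilities) are the two controls that make this second factor hold up.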
6. Configure Advanced Security Options
In both SFTP and FTPS protocols, encryption ciphers play a crucial role in safeguarding data during transmission. These ciphers utilize complex algorithms that transform the original data into encrypted form using a key. To maximize the security of your environment, it is essential to disable outdated and vulnerable ciphers, such as 3DES, and instead utilize stronger ciphers like AES with your Cerberus FTP Server for secure file transfers.
Additionally, HMAC algorithms are employed to verify the integrity of the transmitted data. Similar to encryption ciphers, it is recommended to disable older hash/MAC algorithms like MD5 or SHA-1, and instead, opt for robust algorithms within the SHA-2 family. This ensures that the integrity of your data remains intact throughout the transmission process.
By configuring advanced security options, including the use of stronger encryption ciphers and HMAC algorithms, you fortify the security of your Cerberus FTP Server. This proactive measure reduces the risk of data compromise and aligns your server with current best practices for secure file transfers. Stay ahead of potential vulnerabilities by prioritizing strong encryption and integrity verification algorithms within your FTP server configuration.
When using SFTP, it is crucial to prioritize secure and up-to-date protocols. It is recommended to avoid deprecated Key Exchange protocols, specifically diffie-hellman-group1-sha1, and diffie-hellman-group-exchange-sha1. These protocols are considered less secure and may pose potential vulnerabilities. If necessary to support older clients, prefer the use of diffie-hellman-group14-sha1; otherwise, avoid all the sha1 family of key exchanges.
Similarly, it is important to steer clear of weak Cipher Algorithms, such as 3des-cbc, as they may lack sufficient security for data transmission. It is advisable to opt for stronger and more secure Cipher Algorithms (such as the AES-GCM, ChaCha20-Poly1305, or AES-CTR based ciphers) to ensure the confidentiality of your data. Additionally, avoid weak Message Authentication Algorithms (MAC), such as hmac-md5, which may have known vulnerabilities and compromise the integrity of your SFTP connections.
By avoiding deprecated Key Exchange protocols, weak Cipher Algorithms, and weak Message Authentication Algorithms, you can enhance the overall security of your SFTP communications and safeguard your data effectively.
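The following added example (not Cerberus code) turns the guidance in this section into a check you can run against the algorithm lists an SFTP server offers. It takes the offered key-exchange, cipher and MAC names, flags those the text says to disable (the SHA-1 group1 and group-exchange key exchanges, 3des-cbc, MD5 MACs) and marks SHA-1 and CBC algorithms for review, with an option to keep diffie-hellman-group14-sha1 when old clients must be supported. The offered list is constructed for the example; how you obtain the real list from your server is outside its scope.

```python
# Algorithms the article says to disable outright.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}
# Tolerable only when older clients must be supported.
LEGACY_KEX = {"diffie-hellman-group14-sha1"}
WEAK_CIPHERS = {"3des-cbc"}

# Constructed sample of what a server might advertise (not a real Cerberus list).
SAMPLE_OFFER = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256",
            "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group1-sha1"],
    "cipher": ["aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com",
               "aes256-ctr", "aes256-cbc", "3des-cbc"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-md5"],
}


def audit_sftp_algorithms(offered, allow_legacy_clients=False):
    """Return (severity, category, name, reason) for each offered algorithm
    that should be disabled or reviewed under the guidance above."""
    findings = []
    for kex in offered.get("kex", []):
        if kex in WEAK_KEX:
            findings.append(("disable", "kex", kex, "deprecated SHA-1 key exchange"))
        elif kex in LEGACY_KEX and not allow_legacy_clients:
            findings.append(("disable", "kex", kex, "SHA-1 key exchange; keep only for old clients"))
        elif kex.endswith("sha1"):
            findings.append(("review", "kex", kex, "SHA-1 family key exchange"))
    for cipher in offered.get("cipher", []):
        if cipher in WEAK_CIPHERS:
            findings.append(("disable", "cipher", cipher, "weak cipher"))
        elif cipher.endswith("-cbc"):
            findings.append(("review", "cipher", cipher,
                             "CBC mode; prefer AES-GCM, ChaCha20-Poly1305 or AES-CTR"))
    for mac in offered.get("mac", []):
        if "md5" in mac:
            findings.append(("disable", "mac", mac, "MD5-based MAC"))
        elif "sha1" in mac:
            findings.append(("review", "mac", mac, "SHA-1 MAC; prefer the SHA-2 family"))
    return findings


def hardened_proposal(offered, allow_legacy_clients=False):
    """The offered lists with every 'disable' finding removed, order preserved."""
    drop = {(cat, name)
            for sev, cat, name, _ in audit_sftp_algorithms(offered, allow_legacy_clients)
            if sev == "disable"}
    return {cat: [a for a in algs if (cat, a) not in drop] for cat, algs in offered.items()}


if __name__ == "__main__":
    for finding in audit_sftp_algorithms(SAMPLE_OFFER):
        print("%-7s %-6s %-40s %s" % finding)
    print(hardened_proposal(SAMPLE_OFFER))
```

Run it once with the default settings and once with `allow_legacy_clients=True` to see exactly which single key exchange you are keeping for the sake of old clients; that makes the trade-off explicit rather than buried in a long algorithm list.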
6a. Secure Government and HIPAA Data: FIPS 140-2 Validated Encryption Ciphers
When handling government or HIPAA (Health Insurance Portability and Accountability Act) data, it is crucial to adhere to stringent security standards. To ensure the highest level of encryption security for your Cerberus FTP Server, it is strongly recommended to exclusively utilize FIPS 140-2 validated encryption ciphers.
FIPS 140-2 refers to a set of encryption specifications established by the National Institute of Standards and Technology (NIST). By enabling FIPS 140-2 mode, you restrict the Cerberus FTP Server to employing only ciphers certified as FIPS 140-2 compliant. This mode guarantees that all encrypted connections exclusively utilize certified and compliant ciphers, providing the utmost security for your sensitive data.
Furthermore, adopting the FIPS 140-2 encryption mode is particularly important for achieving HIPAA compliance in your file transfer system. As HIPAA requires robust security measures for protecting sensitive health information, utilizing FIPS 140-2 validated encryption ciphers demonstrates your commitment to maintaining the highest security standards.
By enabling FIPS 140-2 mode and employing validated encryption ciphers, you enhance the protection of government and HIPAA data within your Cerberus FTP Server. Embracing these stringent security practices ensures that your encrypted connections adhere to the most rigorous encryption standards, instilling confidence in the confidentiality and integrity of your data transfers.
6b. Prioritize TLS v1.3 and TLS v1.2 over SSL v3.0, TLS v1.0, and TLS v1.1
For a secure environment, we recommend only enabling TLS v1.3 and TLS v1.2 (if necessary).
TLS v1.3 is the latest available and most secure version of TLS and is highly recommended for clients to implement. TLS v1.3 sets the new standard for highly secure websites and has become the most widely used version of TLS. It incorporates the most recent advancements in the TLS protocol, as defined in IETF RFC 8446.
TLS v1.2, the predecessor to TLS v1.3, remains a robust and secure version of TLS. It is widely adopted and considered the current industry standard for secure communication. TLS v1.2 utilizes the TLS protocol defined in IETF RFC 5246.
Released in 2006, TLS v1.1 addressed security issues present in TLS v1.0. It eliminated the need for numerous workarounds employed by clients and servers in TLS v1.0. TLS v1.1 represents a significant improvement over TLS v1.0 and is considered more secure. Further details about the TLS v1.1 protocol can be found in IETF RFC 4346.
TLS v1.0, introduced in 1999 and published as IETF RFC 2246, is still in common use. However, it bears similarities to SSL v3.0 and requires workarounds to ensure secure communication for all cipher suites. TLS v1.0 also lacks support for modern cipher suites that offer enhanced security and efficiency.
SSL v3.0, despite being the latest SSL version available, is strongly discouraged due to its obsolescence and security vulnerabilities. Since SSL is a predecessor of TLS, it is advisable for clients to prioritize the use of the latest TLS protocol whenever possible. The only scenario where SSL v3.0 should be considered is if the network is strictly controlled, and connections from legacy services that cannot or will not upgrade must be permitted.
6c. Choosing Encryption Algorithms
In Cerberus FTP, administrators have the flexibility to define preferred algorithms during the handshake using advanced security settings in the Server Manager. This allows for the selection of encryption with AES-GCM and ChaCha20-Poly1305 algorithms, in addition to specifying the desired encryption strength. By default, Cerberus FTP Server requires a minimum of 128-bit encryption.
128-bit encryption is the strength used by modern encryption algorithms and technologies. A 128-bit key is widely regarded as infeasible to break by brute force and serves as the minimum encryption level for HIPAA compliance. For even stronger protection, 256-bit encryption offers a higher level of security. Choosing 256-bit encryption ensures the highest available encryption strength, keeping your data exceptionally safe. As technology advances, the industry standard is expected to shift towards 256-bit encryption for secure socket layer protection.
It is important to note that if your Cerberus FTP Server is configured for 256-bit encryption, the FTP client being used must also support this encryption strength to establish a successful connection. While 256-bit encryption enhances data security, it may reduce compatibility with certain clients and require extra bandwidth and computing resources on both the client and server.
6d. Prefer TLS ciphers that support Perfect Forward Secrecy
Keep in mind that it is possible to configure your Cerberus FTP Server to use key agreement methods that provide Perfect Forward Secrecy. Perfect Forward Secrecy is a protocol feature under which each session's keys are derived from a fresh, ephemeral key exchange rather than from the server's long-term private key.
What is the benefit of using TLS ciphers that support Perfect Forward Secrecy?
If your Cerberus FTP Server's private key is ever compromised, using TLS 1.2 and earlier cipher suites that support Perfect Forward Secrecy (PFS) prevents attackers from decrypting sessions they recorded earlier. This is because the server's public/private key pair takes no part in deriving the session keys; it is used only to sign the ephemeral key agreement so that the client can verify it.
If you want to configure your Cerberus FTP Server to only accept secure connections with PFS, select either the 128-bit or 256-bit Perfect Forward Secrecy configurations from the security profiles (under the Server Manager>Security>Advanced tab). Once the profile is selected and saved, the security settings of your environment will be immediately modified to match the selected profile.
Note: This option only applies to TLS 1.2 and earlier; in TLS 1.3 PFS is built-in and mandatory.
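Cerberus applies the policy from sections 6b through 6d through the Server Manager profiles, so there is nothing to type; the example below is added here to show the same policy expressed with Python's `ssl` module, both as a reference for what "TLS 1.2 minimum, PFS-only, at least 128-bit" means in concrete suite terms and as a way to audit a context of your own. It is not Cerberus code. The certificate and key paths are placeholders you would supply; without them the context is only inspected, not used to serve.

```python
import ssl


def pfs_capable(cipher_name, protocol):
    """TLS 1.3 suites always use an ephemeral (EC)DHE exchange; for TLS 1.2
    the OpenSSL suite name tells you whether the key exchange is ephemeral."""
    if protocol == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def hardened_server_context(certfile=None, keyfile=None):
    """Server context: TLS 1.2 minimum (SSL v3.0, TLS 1.0 and 1.1 off),
    PFS-only suites with AEAD ciphers, 3DES and MD5 excluded.  certfile and
    keyfile are placeholders for your own certificate chain and key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!3DES")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def minimum_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def non_pfs_suites(ctx):
    """Suites the context would still offer that do not provide PFS."""
    return [c["name"] for c in ctx.get_ciphers()
            if not pfs_capable(c["name"], c["protocol"])]


def suites_below(ctx, bits):
    """Suites whose key strength is under the required minimum (128 or 256)."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < bits]


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("minimum version :", minimum_version_name(ctx))
    print("non-PFS suites  :", non_pfs_suites(ctx))
    print("below 128-bit   :", suites_below(ctx, 128))
    print("below 256-bit   :", suites_below(ctx, 256))
    # For comparison, what a permissive context would still offer.
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    loose.set_ciphers("DEFAULT")
    print("non-PFS suites in a DEFAULT context:", non_pfs_suites(loose))
```

The `suites_below(ctx, 256)` output is the list you would be dropping by moving from the 128-bit to the 256-bit profile; check it against what your clients support before making that change, since the text above notes that a 256-bit-only server turns away clients that cannot negotiate it.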
7. Other Best Practices
To ensure the continued security and optimal performance of your Cerberus FTP Server, it is essential to follow these additional best practices:
Keep Cerberus Up-to-Date:
Always stay vigilant and update your server promptly whenever a new version becomes available. By keeping Cerberus FTP Server up-to-date, you protect yourself against potential security vulnerabilities that may exist in older releases. You can configure Cerberus FTP Server to automatically check for updates on a daily, weekly, or monthly basis.
Additionally, you can manually check for updates by selecting Help > Check for Updates within the Admin GUI console. For the latest information on new releases and offers, you can also subscribe to our mailing list and receive our newsletter.
By adhering to these best practices and maintaining an up-to-date Cerberus FTP Server, you ensure that your server benefits from the latest security enhancements, bug fixes, and performance optimizations. Stay proactive in safeguarding your FTP environment by prioritizing regular updates and staying informed about new releases and important announcements.