The Protocols page allows you to control individual settings that affect the security, functionality, and compatibility of the different secure file transfer protocols.
FTP/S Settings
FTP and FTPS Settings on the Protocols page of the Server Manager
Passive Port Range
These settings control passive FTP options.
| Setting | Description |
| --- | --- |
| Start | First port in the port range to use for passive connections. |
| End | Last port to use for passive connections before wrapping back around to the Start port. |
| Randomize Passive Ports | A security option that, when enabled, causes the server to choose a cryptographically random, unused passive port from the passive port range. When this option is disabled, the server selects a passive port from the passive port range incrementally. |
| Deny FXP Transfers | File eXchange Protocol (FXP) is a method of data transfer that uses the FTP protocol to transfer data from one remote server to another (inter-server) without routing the data through the client's connection. Conventional FTP involves a single server and a single client; all data transmission is done between these two. In an FXP session, a client maintains a standard FTP connection to two servers and can direct either server to connect to the other to initiate a data transfer. |
| Deny Reserved Ports | Do not allow passive or active port requests below port 1024. |
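The following is an added example, not code from Cerberus FTP Server, that shows how the three passive-range options above behave on the server side: incremental versus cryptographically random port selection from the Start/End range, the reserved-port cutoff at 1024, and the FXP check, which amounts to requiring that the address in a data-connection request match the address the control connection came from. The class and function names and the sample addresses are constructed for illustration.

```python
import secrets
from ipaddress import ip_address

RESERVED_PORT_LIMIT = 1024  # "Deny Reserved Ports" refuses anything below this


class PassivePortAllocator:
    """Hands out passive-mode data ports from [start, end], either walking the
    range incrementally (wrapping back to Start after End) or picking a
    cryptographically random unused port, as "Randomize Passive Ports" does."""

    def __init__(self, start, end, randomize=False):
        if not (0 < start <= end <= 65535):
            raise ValueError("invalid passive port range")
        self.start, self.end, self.randomize = start, end, randomize
        self.in_use = set()
        self._next = start  # cursor used only in incremental mode

    def allocate(self):
        free = [p for p in range(self.start, self.end + 1) if p not in self.in_use]
        if not free:
            raise RuntimeError("passive port range exhausted")
        if self.randomize:
            port = secrets.choice(free)  # CSPRNG choice, not random.choice
        else:
            port = self._next
            while port in self.in_use:
                port = self.start if port == self.end else port + 1
            self._next = self.start if port == self.end else port + 1
        self.in_use.add(port)
        return port

    def release(self, port):
        self.in_use.discard(port)


def port_request_allowed(control_peer_ip, requested_ip, requested_port,
                         deny_fxp=True, deny_reserved=True):
    """Decide whether a data connection to/from requested_ip:requested_port is
    acceptable for a session whose control connection came from control_peer_ip.
    Returns (allowed, reason)."""
    if deny_reserved and requested_port < RESERVED_PORT_LIMIT:
        return False, "reserved port"
    if deny_fxp and ip_address(requested_ip) != ip_address(control_peer_ip):
        return False, "third-party (FXP) address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample session: control connection from 203.0.113.5
    alloc = PassivePortAllocator(50000, 50009, randomize=True)
    print("PASV port:", alloc.allocate())
    print(port_request_allowed("203.0.113.5", "198.51.100.7", 40000))
```

With randomization off, a client that knows one allocated port can predict the next; with it on, the next port is unpredictable and the only observable pattern is the configured range, which is what the firewall rule in front of the server has to open anyway.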
Advanced FTP/S Settings
FTP Directory Listing Time Format
This setting determines the time zone used for the file dates and times returned in response to the LIST and NLST commands. Most clients expect dates and times in UTC.
| Setting | Description |
| --- | --- |
| Universal Time (UTC) | The default; send file date/time in UTC. |
| Local Time | Send file date/time in local time. |
| Advertise FTP MLST/MLSD | Allow the FTP server to advertise to clients that it supports the MLST/MLSD commands (recommended). |
| Retrieve Owner/Group information for file listings | Includes the owner and group of each file in response to the LIST and NLST commands. NOTE: This will slow down file listings. |
FTP MDTM Time Format
The FTP command, MODIFICATION TIME (MDTM), can be used to determine when a file in the server file system was last modified. This command has existed in many FTP servers for many years, as an adjunct to the REST command for STREAM mode. As a result, this command is widely available.
This command is also frequently used in a non-standard fashion to set file modification times. Cerberus supports both the standard MDTM command for retrieving file times and the non-standard use for setting the date/time on a file.
NOTE: Setting dates and times requires FTP client support. Many FTP clients have a setting that must be enabled before an uploaded or downloaded file will have its date/time set. Consult your FTP client documentation on how to enable this setting. Cerberus supports setting a file date/time without any additional configuration.
| Setting | Description |
| --- | --- |
| Universal Time (UTC) | Most FTP clients expect the MDTM command to process date/time values in UTC, and this is the default. Selecting this option causes Cerberus to interpret and send dates in UTC. |
| Local Time | Interpret and send dates in local time (not RFC compliant). |
| Set Modification Time | When clients use the non-standard MDTM extension to set a date/time for a file, this setting determines whether the file modification time will be set. |
| Set Access Time | When clients use the non-standard MDTM extension to set a date/time for a file, this setting determines whether the file access time will be set. |
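An added example (not Cerberus code) of what the four MDTM settings above decide in practice: how a standard MDTM query is answered in UTC versus local time, how a client-supplied time-val in the non-standard "MDTM time-val path" form is interpreted under the same setting, and how the Set Modification Time / Set Access Time switches gate which file timestamp actually changes. The time-val format (YYYYMMDDHHMMSS with an optional fractional part) and the 213 reply code are from RFC 3659; the function names and the scratch-file demo are constructed for this example.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# RFC 3659 time-val: YYYYMMDDHHMMSS with an optional fractional-second part.
MDTM_RE = re.compile(r"^(\d{14})(?:\.\d+)?$")


def mdtm_response(mtime_epoch, use_utc=True):
    """Format a file's modification time as the 213 reply to a standard MDTM query.
    use_utc=True is the 'Universal Time (UTC)' setting; False is 'Local Time'."""
    if use_utc:
        dt = datetime.fromtimestamp(mtime_epoch, tz=timezone.utc)
    else:
        dt = datetime.fromtimestamp(mtime_epoch)  # server-local wall clock, not RFC compliant
    return "213 " + dt.strftime("%Y%m%d%H%M%S")


def parse_mdtm_timestamp(text, use_utc=True):
    """Turn a client-supplied time-val into a POSIX timestamp, reading it as UTC
    or as server-local time according to the same setting."""
    m = MDTM_RE.match(text)
    if not m:
        raise ValueError("malformed MDTM time-val: %r" % text)
    naive = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    if use_utc:
        return naive.replace(tzinfo=timezone.utc).timestamp()
    return naive.timestamp()  # a naive datetime is treated as local time


def apply_mdtm_set(path, time_val, set_modification=True, set_access=False, use_utc=True):
    """Handle the non-standard 'MDTM <time-val> <path>' form that sets file times.
    The two switches mirror 'Set Modification Time' and 'Set Access Time'; with
    both off the request is accepted but the file is left untouched.
    Returns the (atime, mtime) pair the file ends up with."""
    new = parse_mdtm_timestamp(time_val, use_utc)
    st = os.stat(path)
    atime = new if set_access else st.st_atime
    mtime = new if set_modification else st.st_mtime
    if set_modification or set_access:
        os.utime(path, (atime, mtime))
    return atime, mtime


def demo_set_mtime(time_val="20240102030405"):
    """Create a scratch file, set only its mtime through the MDTM extension, and
    return (mtime in whole seconds, the 213 reply a later MDTM query would get)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        apply_mdtm_set(path, time_val, set_modification=True, set_access=False)
        mtime = os.stat(path).st_mtime
        return int(mtime), mdtm_response(mtime)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo_set_mtime())
```

The mismatch the Local Time option can cause is visible here: a client that sends "20240102030405" meaning UTC, against a server set to Local Time, gets a file stamped with the server's time-zone offset applied, and a later MDTM query returns the same digits only if the client and server agree on the setting.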
FTP Compression
| Setting | Description |
| --- | --- |
| Allow MODE Z Compression | Allow FTP clients to negotiate MODE Z (deflate) compression for data transfers. |
| Disable Compression on Local Network | The benefit of compression on the local network is often outweighed by the time it takes to compress the data. Disabling compression for local network connections is recommended. |
FTP Miscellaneous
These are FTP settings that don’t fit anywhere else.
| Setting | Description |
| --- | --- |
| Allow FTP Renames to Overwrite Existing Files | When this option is enabled, an FTP client can issue a rename command that overwrites an existing file. |
| Allow FTP TLS Upgrade | When this option is enabled, the FTP server will advertise and allow clients to upgrade plain FTP connections to encrypted FTP connections (FTPES) (recommended). |
| Use Optimized File Sending | Uses the built-in Windows API for potentially faster file sending on Windows Server machines. This option only applies to plain FTP transfers; it provides no benefit for encrypted file transfers. |
| No Exclusive Upload File Lock (FTP/S and HTTP/S) | With the box checked, the server opens files for upload in non-exclusive mode during file transfer. This allows other processes to open the same file for read-only access and read from it as it is being uploaded. When unchecked, the file may not be accessible by other processes while it is being transferred. |
SSH SFTP Settings
SFTP Settings on the Protocols page of the Server Manager
SSH SFTP Settings
| Setting | Description |
| --- | --- |
| Ignore SSH Window Size | Some SFTP clients do not correctly request an increase in the SSH channel window size. Enabling this option allows those connections to continue even after exceeding the available channel window space. |
| Require Encryption on SFTP | Although most clients won't request an unencrypted connection, the SSH protocol does allow it. Check this option to disallow unencrypted SSH connections. This option should always be enabled for production servers. |
| Mask Server Identification | If this option is checked, the server uses a generic identification string for the welcome message during SSH connections. The server will also omit the Server header for HTTP/S connections. |
| Use Legacy Handles for SFTP | Accommodates very old SFTP client software. SFTP uses a text string (the handle) between client and server to keep track of which file or directory an operation refers to. Cerberus used to use the full path of the file or directory as that handle (it only needs to be unique within the connection). However, there is a limit on how long a handle string may be, and file paths can be arbitrarily long, so Cerberus switched to a GUID string instead. This switch reverts to the old behavior in case old client software does not accept GUID handles. Using a GUID guarantees the handle is unique and never exceeds the maximum handle length. |
| No Exclusive Upload File Lock | If this option is checked, the server opens files for upload in non-exclusive mode during file transfer. This allows other processes to open the same file for read-only access and read from it as it is being uploaded. |
| Require Strict Kex Extension | When enabled, SSH clients must support and use the strict key exchange (KEX) extension during the key exchange phase of the SSH connection. |
SSH Security Defaults
| Setting | Description |
| --- | --- |
| Active Key Exchange | The SSH key exchange algorithms that the server will advertise as supported to SSH clients. |
| Active SSH SFTP ciphers | The cipher algorithms advertised by Cerberus to clients during secure connection negotiation for SSH2 SFTP. You can select the algorithms you want advertised using this list. A full Cerberus FTP Server Windows Service restart is necessary for changes to this list to take effect. |
| Active MAC | The HMAC algorithms advertised by Cerberus to clients during secure connection negotiation for SSH2 SFTP. You can select the algorithms you want advertised using this list. A full Cerberus FTP Server Windows Service restart is necessary for changes to this list to take effect. |
HTTP/S Settings
The HTTP/S Settings tab on the Protocols page of the Server Manager
| Setting | Description |
| --- | --- |
| Public Domain Name | Only used for sending out Account Request email notifications and password reset emails. It needs to be the public address (the domain name users would go to in order to access the HTTPS web client). |
| Client Domain Allow List | In versions 11.0 and 10.0.17 of Cerberus FTP Server, we fixed a security issue in which the password reset function was vulnerable to HTTP Host header attacks, which allowed malicious password reset emails. Administrators must now configure an "allow list" of acceptable domains, hostnames, or IP addresses that can be accepted from the Host header. Any domain not on the allow list will not be allowed to reset passwords or create public shares. |
| Temporary Files Folder | Folder on the Cerberus server where zip files are temporarily stored before being downloaded. |
| Optional Headers to Include | Allows the administrator to determine whether the listed HTTP headers should be sent to clients for HTTP/S web client connections. |
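An added example, not Cerberus code, of the Host-header problem behind the Client Domain Allow List and the fix it describes. The weak form builds the password reset link from whatever Host value the request carried; the hardened form refuses any request whose Host is not on the configured allow list and, even when it is, builds the link from the configured Public Domain Name rather than from the header. The allow list, domain and token values are constructed placeholders, and the function names are this example's own.

```python
# Constructed allow list and public domain name; substitute your own.
ALLOW_LIST = {"files.example.com", "203.0.113.10"}
PUBLIC_DOMAIN = "files.example.com"


def normalize_host(host_header):
    """Lower-case the Host value and drop an optional :port. A bracketed IPv6
    literal is kept whole so '[2001:db8::1]:443' compares as '[2001:db8::1]'."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def is_host_allowed(host_header, allow_list=ALLOW_LIST):
    """True only if the normalized Host matches an allow-list entry exactly;
    no suffix or substring matching, which would let 'files.example.com.evil'
    style names through."""
    return normalize_host(host_header) in {h.lower() for h in allow_list}


def reset_link_before_fix(request_headers, token):
    """Weak form: the emailed link points at whatever host the request claimed,
    so a forged Host header redirects the reset token to a name the attacker chose."""
    return "https://%s/reset?token=%s" % (request_headers.get("Host", ""), token)


def reset_link_after_fix(request_headers, token,
                         public_domain=PUBLIC_DOMAIN, allow_list=ALLOW_LIST):
    """Hardened form: reject the request (return None) unless Host is on the allow
    list, and build the link from the configured Public Domain Name, never from Host."""
    if not is_host_allowed(request_headers.get("Host", ""), allow_list):
        return None
    return "https://%s/reset?token=%s" % (public_domain, token)


if __name__ == "__main__":
    # Constructed request: the Host header is not on the allow list.
    forged = {"Host": "unlisted.example"}
    print("before fix:", reset_link_before_fix(forged, "t0k3n"))
    print("after fix: ", reset_link_after_fix(forged, "t0k3n"))
```

A rejected request is also a useful detection signal: a reset request whose Host is absent from the allow list is either a misconfigured front-end (a proxy rewriting Host) or someone probing the reset flow, and either deserves a log line.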