Why do you see these messages?
Cerberus continuously checks that its configuration conforms to current security recommendations. When you update or upgrade Cerberus, especially across major releases, settings carried over from your older version may no longer meet the latest recommended standards, and Cerberus will notify you. Below is a list of the messages you may see and the settings to change to clear each alert.
Possible system messages
"We recommend disabling TLS 1.0/1.1 for SSL-based SOAP (Remote) connections"
- What does this mean: TLS 1.0 and TLS 1.1 are considered insecure (both were formally deprecated by RFC 8996), so TLS 1.2 or later should be used for all connections.
- Impact: None for file-transfer clients, because this setting only governs the SOAP administration interface. It matters only if you use the SOAP API for Cerberus server administration from third-party software; in that case, check which TLS versions that software supports before disabling TLS 1.0 and 1.1.
- Solution: Navigate to 'Server Manager' > 'Remote' > 'SOAP TLS Settings'. Uncheck TLS 1.0 and 1.1 and 'Update'.
"Server is configured to allow the weak 3DES/ RC4 encryption cipher with SSL. 3DES/ RC4 should be disabled"
and/or
"HIPAA non-compliance: Your current SSL settings allow encryption that is less than 128-bits"
- What does this mean: Cipher suites that are now considered weak and insecure (3DES, RC4, and anything offering less than 128 bits of encryption strength) are being permitted.
- Impact: Most modern clients support the newer cipher suites. Only old clients would be affected, and our recommendation is to have your customers upgrade their clients.
- Solution:
- Navigate to 'Server Manager' > 'Security' > 'Advanced TLS' > 'SSL Cipher String'. Replace the string in the text box with this one and 'Update':
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!CAMELLIA
- Navigate to 'Server Manager' > 'Protocols' > 'SSH SFTP' > 'SSH Security Defaults'. Press the '128-bit Min' button and 'Update'. This brings the SSH/SFTP defaults up to the required 128-bit minimum.
"The vulnerable SSLv3.0 protocol is enabled but should be disabled"
- What does this mean: SSLv3.0 is considered insecure (it is vulnerable to the POODLE attack and its use is prohibited by RFC 7568), so TLS 1.2 or later should be used for all connections.
- Impact: Most modern clients support the newer protocols. Only old clients would be affected, and our recommendation is to have your customers upgrade their clients, since leaving SSLv3.0 enabled is a security risk.
- Solution: Navigate to 'Server Manager' > 'Security' > 'Advanced TLS'. Turn off SSLv3.0 and 'Update'
"[SOAP] Server is configured to allow the weak 3DES/ RC4 encryption cipher with SSL. 3DES/ RC4 should be disabled"
- What does this mean: Cipher suites that are now considered weak and insecure (3DES and RC4) are being permitted on the SOAP administration interface.
- Impact: None for file-transfer clients, because this setting only governs the SOAP administration interface. It matters only if you use the SOAP API for Cerberus server administration from third-party software; in that case, check which cipher suites that software supports before changing the string.
- Solution:
- Navigate to 'Server Manager' > 'Remote' > 'SOAP TLS Settings' > 'SOAP SSL Cipher String'. Replace the string in the text box with this one and 'Update':
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!CAMELLIA
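The cipher string above (used for both the main TLS listener and the SOAP interface) is written in OpenSSL cipher-string syntax, and it is worth confirming what it actually resolves to before pasting it into either text box. The following Python script is an added example, not Cerberus code and not part of the original article: it expands a cipher string through the local OpenSSL library via Python's ssl module, builds a server context with SSLv3/TLS 1.0/TLS 1.1 disabled as the messages above require, and flags any permitted suite that is under 128 bits, uses RC4/3DES/MD5/NULL/export algorithms, or relies on static RSA key exchange. It assumes Cerberus interprets the string the same way OpenSSL does, so the local result is only a preview; the exact suite list depends on your OpenSSL build.

```python
"""Vet an OpenSSL-style cipher string before pasting it into a TLS
server configuration.

Added example; not part of the Cerberus FTP Server product or docs.
Assumption: the server resolves the string the same way the local
OpenSSL library does, so this is a preview of what it will offer.
"""
import ssl

# The cipher string recommended in the article, verbatim.
RECOMMENDED_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
    "EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:"
    "!DSS:!RC4:!SEED:!CAMELLIA"
)

# Name fragments identifying suites the system messages say must go.
WEAK_NAME_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXP", "SEED",
                    "CAMELLIA", "PSK", "SRP", "DSS")
MIN_BITS = 128  # the 128-bit floor referenced by the HIPAA message


def hardened_server_context(cipher_string=RECOMMENDED_CIPHERS):
    """Server-side context mirroring the article's settings: SSLv3,
    TLS 1.0 and TLS 1.1 off (TLS 1.2 minimum) plus the cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing matches
    return ctx


def minimum_protocol(cipher_string=RECOMMENDED_CIPHERS):
    """Name of the lowest protocol version the context will negotiate."""
    return hardened_server_context(cipher_string).minimum_version.name


def expand_ciphers(cipher_string):
    """Suites OpenSSL resolves from cipher_string, as
    (name, protocol, strength_bits, key_exchange) tuples."""
    ctx = hardened_server_context(cipher_string)
    return [(c["name"], c["protocol"], c["strength_bits"], c["kea"])
            for c in ctx.get_ciphers()]


def min_strength_bits(cipher_string):
    """Weakest encryption strength (in bits) the string permits."""
    return min(bits for _, _, bits, _ in expand_ciphers(cipher_string))


def audit_cipher_string(cipher_string):
    """Every permitted suite that violates the article's criteria.
    An empty list means the string is clean on this OpenSSL build."""
    findings = []
    for name, proto, bits, kea in expand_ciphers(cipher_string):
        reasons = []
        if bits < MIN_BITS:
            reasons.append(f"{bits}-bit < {MIN_BITS}")
        if any(tok in name for tok in WEAK_NAME_TOKENS):
            reasons.append("weak/deprecated algorithm")
        if kea == "kx-rsa":
            reasons.append("static RSA key exchange (no forward secrecy)")
        if reasons:
            findings.append((name, proto, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Constructed permissive string, the kind the messages are warning
    # about; what it resolves to depends on the local OpenSSL build.
    for label, cs in (("recommended", RECOMMENDED_CIPHERS),
                      ("permissive", "DEFAULT:3DES:RC4")):
        try:
            findings = audit_cipher_string(cs)
        except ssl.SSLError as exc:
            print(f"{label}: no usable suites ({exc})")
            continue
        print(f"{label}: {len(expand_ciphers(cs))} suites, "
              f"min {min_strength_bits(cs)} bits, "
              f"minimum protocol {minimum_protocol(cs)}")
        for name, proto, why in findings:
            print(f"  FLAG {name} ({proto}): {why}")
```

Run it before applying a custom string: a non-empty result from audit_cipher_string means the string would re-admit something one of the messages above complains about, and an ssl.SSLError from set_ciphers means the string matches no suites at all and would lock every client out.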
"FXP Support is enabled and could leave the server vulnerable to an FTP bounce or passive mode hijacking exploit"
and/or
"Recommend disabling FXP support in the Advanced Page of Server Manager"
- What does this mean: File eXchange Protocol (FXP or FXSP) is a method of data transfer that uses FTP to move data directly from one remote server to another (inter-server) without routing it through the client's connection. Conventional FTP involves a single server and a single client, and all data flows between those two.
- Impact: Enabling FXP support can expose the server to the exploit known as FTP bounce, where the server is made to open data connections to third-party hosts on the client's behalf. For this reason Cerberus FTP Server has FXP disabled by default and we strongly recommend against using it. Sites that must keep it on limit the risk by restricting FXP to trusted IP addresses. If it is enabled on your server, it is most likely because it was needed in the past.
- Solution: Navigate to 'Server Manager' > 'Protocols' > 'FTP and FTPS' > 'FTP/S Settings', check the 'Deny FXP Transfers' box and 'Update'
"Set Remote Password"
- What does this mean: This is an advisory warning only, as this setting is optional.
- Impact: You will need to set this password if you intend to use the browser-based remote server administration feature, since access to it requires a password.
- Solution: Navigate to 'Server Manager' > 'Remote'. Right-click the 'admin' user (or whatever username is set at 'The primary administration account') to set the password.
"Password Policy is weak"
- What does this mean: This is an advisory warning only. More recent versions of Cerberus ship with a stricter recommended minimum password policy, and we recommend raising your password standards to match.
- Impact: Changing the policy affects only passwords set after the change, whether for new or existing users; passwords already in place are not re-validated.
- Solution: Navigate to 'User Manager' > 'Policy' > 'Password Complexity Requirements'. Change the password requirements and press 'Update'