Why do you see these messages?
Cerberus is constantly ensuring that our software conforms to the latest security standards. As such, when you update or upgrade Cerberus, especially if you go from one major release to another, we may notify you that some of your settings carried over from your older version no longer conform to the latest recommended standards. Below is a list of possible messages you may see and what settings to change to remove the alerts.
Table of Contents
Click on the message you wish to see the definition for to be taken to that section:
- Denial of Service (DoS) Protection is inactive because 'Auto-Blocking' is off. To enhance security, you can enable 'Auto-Blocking' by navigating to Firewall Controls : Automatic Threat Blocking.
- Enhance your server's security by enabling 'Automatic IP Blocking' in Firewall Controls : Automatic Threat Blocking.
- For improved security, visit User Manager : Policy : Authentication Requirements and enable 'Account Lockout After X Failed Attempts' Setting
- FTP listener X can allow session hijacking in passive secure data connections
- FTP listener X can allow unencrypted control or data connections
- FXP Support is enabled and could leave the server vulnerable to an FTP bounce or passive mode hijacking exploit
- Global Remote Server Verification is disabled. Enable 'Verify Remote Host Certificates' in Server Manager : Security : Server Verification
- HIPAA non-compliance: One or more listeners allow non-encrypted traffic
- HIPAA non-compliance: Your current SSL settings allow encryption that is less than 128-bits
- HTTP listener X only accepts unencrypted connections
- Insecure protocol settings used in 1 SMTP Server Event Target.
- LDAP server 'xxxx.xxx' which is enabled for authentication has unencrypted binding. Please set 'Enable SSL' in LDAP Users : Server Overview.
- Password Policy is weak
- Recommend disabling FXP support in the Advanced Page of Server Manager
- Secure connections will be unavailable until you enable TLS/SSL and configure a server key pair
- Server allows FTP data connections to reserved ports, enable 'Deny Reserved Ports' in Server Manager : Protocols : FTP and FTPS
- Server is configured to allow the weak 3DES/ RC4 encryption cipher with SSL. 3DES/ RC4 should be disabled
- Set Remote Password
- SSH DSA Host Key is active: DSA is no longer secure; use caution before enabling.
- [SOAP] Server is configured to allow the weak 3DES/ RC4 encryption cipher with SSL. 3DES/ RC4 should be disabled
- SSL Certificate has expired
- The account '(username)' is configured to allow anonymous access
- The vulnerable SSLv3.0 protocol is enabled but should be disabled
- The vulnerable TLS 1.0 protocol should be disabled
- The vulnerable TLS 1.1 protocol should be disabled
- We recommend disabling TLS 1.0/1.1 for SSL-based SOAP (Remote connections)
- We recommend using Secure HTTPS for SOAP (Remote) connections
System Messages
"Denial of Service (DoS) Protection is inactive because 'Auto-Blocking' is off. To enhance security, you can enable 'Auto-Blocking' by navigating to Firewall Controls : Automatic Threat Blocking."
- What does this mean: Denial of Service (DoS) protection is not active.
- Impact: When DoS protection is on, every connection attempt from an IP address counts towards auto-blocking, even if the connection never tries to authenticate. This helps against DoS attacks that open connections simply to tie them up and overwhelm the server, and against automated scanners that continuously probe the server with garbage data looking for vulnerabilities. However, a successful login from an IP address resets the "Failed login attempts" counter to zero for that IP address.
- Solution: Navigate to 'Firewall Controls' > 'Automatic Threat Blocking'. Click the 'DoS Protection' slider to 'On' (green in color) and 'Update'.
"Enhance your server's security by enabling 'Automatic IP Blocking' in Firewall Controls : Automatic Threat Blocking."
- What does this mean: Auto-Blocking is not active.
- Impact: When Auto-Blocking is enabled, a failed login attempt is recorded against the source IP address whenever a user enters an incorrect password or tries to log in with an invalid username, and the address is blocked once the configured number of failures is reached. This helps prevent brute-force password guessing. However, a successful login from an IP address resets the "Failed login attempts" counter to zero for that IP address.
- Solution: Navigate to 'Firewall Controls' > 'Automatic Threat Blocking'. Click the 'Auto-Blocking' slider to 'On' (green in color) and 'Update'.
"For improved security, visit User Manager : Policy : Authentication Requirements and enable 'Account Lockout After X Failed Attempts' Setting"
- What does this mean: Disable Account After Too Many Failed Attempts is not active.
- Impact: When Disable Account After Too Many Failed Attempts is enabled, a native account is disabled after the configured number of consecutive failed login attempts. The counter is reset on a successful login. Unlike Auto-Blocking, this protects an individual account no matter how many source IP addresses the guesses come from.
- Solution: Navigate to 'User Manager' > 'Policy' > 'Authentication Requirements'. Enable 'Disable Account After', enter the number of failed attempts to allow before the account is disabled, and then 'Update'.
"FTP listener X can allow session hijacking in passive secure data connections"
- What does this mean: Require Session Reuse is not active on one or more of your FTP and/or FTPS listeners. For more information, see the article "After updating Cerberus, why is 'FTP Access' now marked 'Not Secure' and I see the system message: Listener 'x' can allow session hijacking in passive secure data connections?".
- Impact: If enabled, the data connection opened for a passive-mode transfer must resume the TLS session that was negotiated on the control connection. Without this check, anyone who can reach the passive data port before the real client (by observing or guessing the port number) can open their own TLS connection to it and hijack the transfer, receiving the download or supplying the upload in place of the authenticated client. Requiring the same TLS session ties the data connection to the client that authenticated, so an attacker cannot start a session of their own and gets no data.
- Solution: Navigate to 'Server Manager' > 'Listeners' > 'FTP' or 'FTPS' listeners. Click to enter an FTP or FTPS listener. Enable 'Require Session Reuse' and 'Update'.
"FTP listener X can allow unencrypted control or data connections"
- What does this mean: Require Secure Control and/or Require Secure Data is not active on one or more of your FTP and/or FTPS listeners.
- Impact: If Require Secure Control (applies to FTP listeners only; an FTPS listener is encrypted from the first byte) is enabled, only TLS-protected control connections are allowed. This is required to protect passwords from compromise on untrusted networks, because plain FTP sends the username and password in cleartext. If Require Secure Data (applies to FTP listeners only) is enabled, only encrypted data connections are allowed: all directory listings and file transfers must be encrypted.
- Solution: Navigate to 'Server Manager' > 'Listeners' > 'FTP' or 'FTPS' listeners. Click to enter an FTP or FTPS listener. Enable 'Require Secure Control' and 'Require Secure Data' and 'Update'.
"FXP Support is enabled and could leave the server vulnerable to an FTP bounce or passive mode hijacking exploit"
and/or
"Recommend disabling FXP support in the Advanced Page of Server Manager"
- What does this mean: File eXchange Protocol (FXP or FXSP) is a method of data transfer which uses FTP to transfer data from one remote server to another (inter-server) without routing this data through the client's connection. Conventional FTP involves a single server and a single client; all data transmission is done between these two.
- Impact: Enabling FXP support can make a server vulnerable to an exploit known as FTP bounce, in which a client directs the server to open data connections to arbitrary third-party addresses. For this reason Cerberus FTP Server has FXP disabled by default and we strongly recommend against using it. Some sites limit the risk by restricting FXP to the IP addresses of trusted peer servers. If you have it on, it is likely because it was needed in the past.
- Solution: Navigate to 'Server Manager' > 'Protocols' > 'FTP and FTPS' > 'FTP/S Settings', check the 'Deny FXP Transfers' box and 'Update'
"Global Remote Server Verification is disabled. Enable 'Verify Remote Host Certificates' in Server Manager : Security : Server Verification"
- What does this mean: When enabled, Verify Remote Host Certificates validates SSL/TLS connections to remote hosts.
- Impact: With verification off, Cerberus accepts any certificate a remote host presents, including one supplied by an attacker sitting between Cerberus and that host, so the connection is encrypted but not authenticated. Turning it off is only provided as a temporary fail-safe, for example when a certificate problem on a remote host is causing a critical service outage. This setting should be on at all other times.
- Solution: Navigate to 'Server Manager' > 'Security' > 'Server Verification' > select the 'Verify Remote Host Certificates' slider and 'Update'
"Insecure protocol settings used in 1 SMTP Server Event Target."
- What does this mean: You have an SMTP Event Target in 'Event Manager' > 'Event Target' that uses port 25 with no encryption to allow Cerberus to send emails.
- Impact: Using port 25 with no encryption is the least secure option when adding an SMTP Event Target: the message contents and any SMTP credentials cross the network in cleartext. While this is generally acceptable if the connection to the SMTP server stays inside your organization, it is recommended to use either port 465 with 'TLS/SSL' encryption (implicit TLS) or port 587 with 'STARTTLS' encryption, as these protect the traffic in transit.
- Solution: Navigate to 'Event Manager' > 'Event Targets'. Check your 'SMTP Server' Event Target to see whether one of the encrypted options can be used.
"LDAP server 'xxxx.xxx' which is enabled for authentication has unencrypted binding. Please set 'Enable SSL' in LDAP Users : Server Overview."
- What does this mean: You are connecting to your domain controller in LDAP Users > Server Overview using an unencrypted connection.
- Impact: Connecting to your domain controller without encryption is the least secure option when integrating with Active Directory using LDAP: the bind credentials and the directory queries cross the network in cleartext. While this is generally acceptable if the connection to the domain controller stays inside your organization, it is recommended to use port 636 (LDAPS) with 'Enable SSL' turned on, as this is the more secure option.
- Solution: Navigate to 'LDAP Users' > 'Server Overview'. Check whether port 636 with 'Enable SSL' can be used to connect to your domain controller.
"Password Policy is weak"
- What does this mean: This is just an advisory warning. We have made the recommended minimum password policy stricter in more recent versions of Cerberus and we recommend increasing your password standards for security.
- Impact: Changing the policy affects only passwords set from that point on, for both new and existing users; passwords already in place are not re-checked against the new rules.
- Solution: Navigate to 'User Manager' > 'Policy' > 'Password Complexity Requirements'. Change the password requirements and press 'Update'
"Secure connections will be unavailable until you enable TLS/SSL and configure a server key pair"
- What does this mean: If TLS/SSL is turned off, connections are not considered safe.
- Impact: With TLS/SSL turned off, no listener can offer an encrypted connection, so FTPS, HTTPS and other secure client connections will fail, and anything that does connect does so in cleartext.
- Solution: Navigate to 'Server Manager' > 'Security' > 'General'. Click the 'TLS/SSL' slider to turn on TLS/SSL and press 'Update'
"Server allows FTP data connections to reserved ports, enable 'Deny Reserved Ports' in Server Manager : Protocols : FTP and FTPS"
- What does this mean: Reserved ports (below 1024) are meant for dedicated, privileged services, and FTP data connections should not be directed at them.
- Impact: In active mode the client tells the server where to open the data connection (the PORT/EPRT command). If the server is willing to open data connections to ports below 1024, a client can point it at privileged services on other hosts (the FTP bounce attack) or disrupt services on your own network. We offer the option in case it is required by a legacy implementation; it should normally not be allowed.
- Solution: Navigate to 'Server Manager' > 'Protocols' > 'FTP and FTPS'. Check the box for 'Deny Reserved Ports'
"Server is configured to allow the weak 3DES/ RC4 encryption cipher with SSL. 3DES/ RC4 should be disabled" and/or "HIPAA non-compliance: Your current SSL settings allow encryption that is less than 128-bits"
- What does this mean: Ciphers that are now considered 'weak' and insecure are being permitted.
- Impact: Most modern clients are compatible with newer ciphers. This would only impact old clients and our recommendation would be for you to have your customers upgrade their clients.
- Solution (TLS/SSL listeners): Navigate to 'Server Manager' > 'Security' > 'Advanced TLS' > 'SSL Cipher String'. Replace the string in the text box with the one below and 'Update':
ALL:!RSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!AES128:!ARIA128:!SEED:!CAMELLIA:!SHA1:!SHA256:!SHA384
- Solution (SSH SFTP): Navigate to 'Server Manager' > 'Protocols' > 'SSH SFTP' > 'SSH Security Defaults'. Press the '128-bit Min' button and 'Update'. This brings SFTP up to the 128-bit minimum as required.
"Set Remote Password"
- What does this mean: This is just an advisory warning as this setting is optional.
- Impact: The browser-based remote server administration feature cannot be accessed until this password is set, so set it if you intend to use that feature.
- Solution: Navigate to 'Server Manager' > 'Remote'. Right-click the 'admin' user (or whatever username is set at 'The primary administration account') to set the password.
"SSH DSA Host Key is active: DSA is no longer secure; use caution before enabling."
- What does this mean: The DSA (ssh-dss) host key algorithm is now considered insecure: in SSH it is limited to 1024-bit keys and signs with SHA-1. Cerberus displays this message to advise you that a DSA host key pair is active.
- Impact: DSA is made available in case it is needed for legacy clients, but should be used with caution. DSA has been deprecated for FIPS, so the DSA will automatically be disabled and removed from the list of keys you can activate if you turn on FIPS 140-2 encryption mode in 'Server Manager' > 'Security'
- Solution: To disable an active DSA key pair: Navigate to 'Server Manager' > 'Protocols' > 'SSH SFTP' > 'SSH SFTP Security Defaults'. Find DSA under 'Host Keys' and uncheck it. Press 'Update' to save.
To completely remove the DSA host key pair: Navigate to 'Server Manager' > 'Security' > 'General' > 'SSH Host Key Pairs'. Click 'Edit'. On the 'Manage SSH Keys' dialog, select 'DSA' in the 'Type' drop-down. Your DSA key details will fill in. Press 'Delete Key'. The key will be deleted and no longer offered in the key list in 'Server Manager' > 'Protocols' > 'SSH SFTP' > 'SSH SFTP Security Defaults'.
"[SOAP] Server is configured to allow the weak 3DES/ RC4 encryption cipher with SSL. 3DES/ RC4 should be disabled"
- What does this mean: Ciphers that are now considered 'weak' and insecure are being permitted.
- Impact: No impact on customers as this is internal to Cerberus. The only impact would be if you plan to use our SOAP API for Cerberus server administration and you are connecting to it from third party software. If that is the case check what cipher algorithms the software connecting to the API supports.
- Solution: Navigate to 'Server Manager' > 'Remote' > 'SOAP TLS Settings' > 'SOAP SSL Cipher String'. Replace the string in the text box with the one below and 'Update':
ALL:!RSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!AES128:!ARIA128:!SEED:!CAMELLIA:!SHA1:!SHA256:!SHA384
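Both cipher-string solutions on this page (the one for the listeners and the one for the SOAP endpoint) paste an OpenSSL-style rule string, and what actually remains depends on how the TLS library expands it. The script below is an added example, not part of this page or of Cerberus; it expands the page's string with Python's ssl module (OpenSSL underneath) and reports any surviving suite that still matches the warnings. The weak-cipher markers, the 128-bit threshold and the forward-secrecy check are this example's own assumptions, chosen to mirror the 3DES/RC4 and "less than 128 bits" messages.

```python
"""Expand an OpenSSL-style cipher string the way the TLS library will and
flag any surviving suite that this page's warnings describe as weak.
Added example; markers and thresholds below are this example's assumptions."""
import ssl

# The cipher string recommended on this page for the listeners and the SOAP endpoint.
CERBERUS_CIPHER_STRING = (
    "ALL:!RSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:"
    "!AES128:!ARIA128:!SEED:!CAMELLIA:!SHA1:!SHA256:!SHA384"
)

# Substrings that identify the cipher families the warnings are about (assumption).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def cipher_string_is_valid(cipher_string):
    """False when the string leaves no TLS 1.2 suite at all; OpenSSL rejects such a string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def expand_cipher_string(cipher_string):
    """Return (tls12_suites, tls13_suites) as OpenSSL will actually offer them.
    TLS 1.3 suites are not governed by the cipher string, so they are returned
    separately instead of being silently mixed into the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing survives
    suites = ctx.get_ciphers()
    tls13 = [s for s in suites if s["protocol"] == "TLSv1.3"]
    tls12 = [s for s in suites if s["protocol"] != "TLSv1.3"]
    return tls12, tls13


def is_weak(suite, min_bits=128):
    """Weak by this page's criteria: 3DES/RC4/MD5/NULL/export suites, a key
    strength below `min_bits`, or an HMAC-SHA1 MAC (the CBC '-SHA' suites)."""
    name = suite["name"]
    if any(marker in name for marker in WEAK_MARKERS):
        return True
    if suite["strength_bits"] < min_bits:
        return True
    if suite.get("digest") == "sha1" or name.endswith("-SHA"):
        return True
    return False


def weak_suites(cipher_string, min_bits=128):
    """Sorted names of the TLS 1.2-and-older suites that survive the string
    but are weak.  An empty list means the string clears the warning."""
    tls12, _ = expand_cipher_string(cipher_string)
    return sorted(s["name"] for s in tls12 if is_weak(s, min_bits))


def without_forward_secrecy(cipher_string):
    """Suites using static RSA key exchange (kx-rsa): a stolen server key
    decrypts recorded sessions.  The '!RSA' term in the page's string drops them."""
    tls12, _ = expand_cipher_string(cipher_string)
    return sorted(s["name"] for s in tls12 if s.get("kea") == "kx-rsa")


if __name__ == "__main__":
    tls12, tls13 = expand_cipher_string(CERBERUS_CIPHER_STRING)
    print(f"{len(tls12)} TLS<=1.2 suites, {len(tls13)} TLS 1.3 suites (not controlled by the string)")
    print("weak:", weak_suites(CERBERUS_CIPHER_STRING) or "none")
    print("no forward secrecy:", without_forward_secrecy(CERBERUS_CIPHER_STRING) or "none")
    for s in tls12:
        print(f"  {s['name']:40} {s['strength_bits']} bits  {s['kea']}")
```

Two caveats the output makes visible: the TLS 1.3 suites (including TLS_AES_128_GCM_SHA256) are listed separately because an OpenSSL cipher string does not control them, and the expansion is done by the OpenSSL build on the machine running the script, which may not match the library inside Cerberus. The definitive check is therefore to probe the running listener with a client restricted to a single suite (for example openssl s_client -cipher) after applying the string.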
"SSL certificate has expired"
- What does this mean: The SSL certificate applied to Cerberus needs to be renewed or replaced.
- Impact: Users connecting to the HTTPS Web Client, secure FTP (FTPES), or FTPS will get a notice that your site is insecure.
- Solution: Navigate to 'Server Manager' > 'Security' > 'General' and do one of the following: renew the existing certificate (import the renewed certificate as described in Importing a 3rd Party Certificate, but do NOT replace the private key, which stays the same), purchase and import a new SSL certificate (Importing a 3rd Party Certificate), or create a new Cerberus self-signed certificate (Creating a Self-Signed Certificate).
"The account '(username)' is configured to allow anonymous access"
- What does this mean: This is a warning that the named user account has been set up in 'User Manager' > 'Users' to allow access with only a username; no password is required.
- Impact: This is provided to allow access from internal, legacy systems and should NOT be used for normal user accounts. Use with caution!
- Solution: To remove anonymous status from a native user account, navigate to 'User Manager' > 'Users'. Click on the username of the user in question to make their settings visible. Click on 'Constraints'. Find the 'Anonymous' setting and un-check the box. Scroll to the bottom and click 'Update User' to save.
"The vulnerable SSLv3.0 protocol is enabled but should be disabled"
- What does this mean: SSLv3.0 is considered insecure, so TLS 1.2 or later should now be used for all connections.
- Impact: Most modern clients are compatible with the newer protocols. This would only impact old clients and our recommendation would be for you to have your customers upgrade their clients as having SSLv3.0 turned on is a security risk.
- Solution: Navigate to 'Server Manager' > 'Security' > 'Advanced TLS'. Turn off SSLv3.0 and 'Update'
"The vulnerable TLS 1.0 protocol should be disabled" or "The vulnerable TLS 1.1 protocol should be disabled"
- What does this mean: TLS 1.0 and TLS 1.1 are now considered insecure, so TLS 1.2 and 1.3 should now be used for all connections.
- Impact: Most modern clients are compatible with the newer protocols. This would only impact old clients and our recommendation would be for you to have your customers upgrade their clients as having TLSv1.0 and 1.1 turned on is a security risk.
- Solution: Navigate to 'Server Manager' > 'Security' > 'Advanced TLS'. Uncheck TLS 1.0 and 1.1 and 'Update'.
"We recommend disabling TLS 1.0/1.1 for SSL-based SOAP (Remote) connections"
- What does this mean: TLS 1.0 and TLS 1.1 are now considered insecure, so TLS 1.2 or later should now be used for all connections.
- Impact: No impact on customers as this is internal to Cerberus. The only impact would be if you plan to use our SOAP API for Cerberus server administration and you are connecting to it from third party software. If that is the case check what TLS protocols are supported.
- Solution: Navigate to 'Server Manager' > 'Remote' > 'SOAP TLS Settings'. Uncheck TLS 1.0 and 1.1 and 'Update'.
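After unchecking SSLv3.0, TLS 1.0 or TLS 1.1 (on the listeners or on the SOAP endpoint), the check a practitioner wants is an external one: connect with a client that offers only the disabled version and confirm the handshake fails. The expired-certificate warning earlier on this page is worth catching the same way, before users see it. The script below is an added example, not part of this page or of Cerberus: it probes one listener for each legacy version and reports how many days remain on its certificate. The host and port are whatever listener you point it at; the AUTH TLS upgrade path is for explicit FTPS listeners (FTPES) on the FTP port, while HTTPS, SOAP and implicit FTPS listeners are probed directly. The FTP reply codes it expects (220 greeting, 234 for a successful AUTH TLS) are from RFC 959 and RFC 4217, and the SECLEVEL adjustment is an OpenSSL-specific assumption so that a refusal comes from the server rather than from the probing client.

```python
"""Audit one TLS listener: does it still accept a legacy protocol version,
and how long is its certificate valid?  Added example, not Cerberus code."""
import socket
import ssl
import time

LEGACY_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}


def read_reply(rfile):
    """Read one FTP reply from a binary file-like object and return its 3-digit
    code.  Handles RFC 959 multi-line replies ('220-...' lines until '220 ')."""
    line = rfile.readline()
    if not line:
        raise EOFError("connection closed before a reply arrived")
    code = line[:3]
    if line[3:4] == b"-":
        while not (line.startswith(code) and line[3:4] == b" "):
            line = rfile.readline()
            if not line:
                raise EOFError("connection closed inside a multi-line reply")
    return code.decode("ascii", "replace")


def ftp_auth_tls(sock):
    """Upgrade a plain FTP control connection with AUTH TLS (explicit FTPS).
    True when the server answers 234 and is ready for the TLS handshake."""
    rfile = sock.makefile("rb", buffering=0)  # unbuffered: nothing read past the reply
    if read_reply(rfile) != "220":
        return False
    sock.sendall(b"AUTH TLS\r\n")
    return read_reply(rfile) == "234"


def probe_version(host, port, version, explicit_ftp=False, timeout=5.0):
    """True if the listener completes a handshake when the client offers
    exactly `version`.  A hardened listener returns False for every legacy version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol acceptance, not identity
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return False  # this OpenSSL build cannot even offer the version
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower
        # it for the probe only (assumption: OpenSSL-style '@SECLEVEL' syntax).
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if explicit_ftp and not ftp_auth_tls(sock):
                return False
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def days_until_expiry(cert, now=None):
    """Days left on a certificate dict as returned by SSLSocket.getpeercert();
    its 'notAfter' looks like 'Jan  5 09:34:43 2018 GMT'.  `now` is seconds
    since the epoch and defaults to the current time."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    if now is None:
        now = time.time()
    return (expires - now) / 86400.0


def check_certificate(host, port, explicit_ftp=False, timeout=5.0):
    """Connect with full verification and classify the certificate:
    ('ok', days_left), ('expired', None), ('verify_failed', reason) or
    ('connect_failed', reason).  A self-signed certificate shows up as verify_failed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if explicit_ftp and not ftp_auth_tls(sock):
                return "connect_failed", "server did not accept AUTH TLS"
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", days_until_expiry(tls.getpeercert())
    except ssl.SSLCertVerificationError as e:
        if e.verify_code == 10:  # X509_V_ERR_CERT_HAS_EXPIRED
            return "expired", None
        return "verify_failed", e.verify_message
    except (ssl.SSLError, OSError) as e:
        return "connect_failed", str(e)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    explicit = len(sys.argv) > 3 and sys.argv[3] == "ftpes"
    for name, version in LEGACY_VERSIONS.items():
        accepted = probe_version(host, port, version, explicit_ftp=explicit)
        print(f"{name}: {'ACCEPTED (still enabled)' if accepted else 'rejected'}")
    print("certificate:", check_certificate(host, port, explicit_ftp=explicit))
```

Run it as `python audit_listener.py ftp.example.org 990` for an implicit FTPS or HTTPS-style listener, or add `ftpes` as a third argument for an explicit FTPS listener on port 21. Any line reporting ACCEPTED means the corresponding checkbox is still on somewhere (remember the listeners and the SOAP endpoint are configured separately), and a `verify_failed` result on the certificate is a finding in its own right, since clients with 'Verify Remote Host Certificates' enabled will reject that listener.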
"We recommend using Secure HTTPS for SOAP (Remote) connections"
- What does this mean: The Cerberus browser-based Web Admin Client and the SOAP API use HTTP or HTTPS to communicate with Cerberus. This warning means your Cerberus is allowing the less secure HTTP protocol for that communication in addition to HTTPS.
- Impact: No impact on customers as this is internal to Cerberus. However, if you plan to use the browser based Web Admin Console and/or the Cerberus SOAP API, you should require HTTPS only for the communication between the browser and or API with Cerberus.
- Solution: Navigate to 'Server Manager' > 'Remote' > 'General SOAP Settings'. Enable 'Use Secure HTTPS' and 'Update'.