Configuring Interface Settings
An interface or listener is simply an IP address, port, and protocol combination that the server is accepting connections on. For example, you can add an FTP listener on port 21 and attach it to an IP address. It can be an IPv4 or IPv6 address. The “Default” interfaces represent the settings that will be applied for newly detected interfaces. There are several different parameters that each interface can have:
Types of Listeners
There are five types of listeners that you can add to an IP address:
Traditional FTP, default port 21
Implicit FTP with TLS/SSL encryption, default port 990
SSH2 File Transfer Protocol, default port 22
HTTP, default port 80
HTTP with TLS/SSL encryption, default port 443
The first two allow regular FTP as well as different forms of secure FTP while the SSH2 SFTP listener is for establishing connections over the SFTP protocol (a completely different protocol from FTP, despite the similar name). The HTTP and HTTPS listeners allow web client connections to the server using either the unsecure HTTP protocol or encrypted HTTPS protocol.
There are two types of secure FTP connections possible, FTPS and FTPES. FTPS is usually referred to as implicit FTP with TLS/SSL security. Its closest analog is HTTPS. It is basically the FTP protocol over a TLS/SSL secured connection. This form of secure FTP is deprecated but widely supported and still in use. This is what a Cerberus FTP Server FTPS listener is for and this type of listener typically listens on port 990. Note, the settings “Require Secure Control” and “Require Secure Data” are meaningless for this type of listener. Connections established to an FTPS listener can only be established securely.
FTPES, which is often referred to as explicit FTP with TLS/SSL security, is a modification of the FTP protocol that starts out over an insecure, normal FTP connection and is then upgraded to a secure connection through FTP command extensions during login. This is the preferred method of secure FTP because it allows SPI firewalls to know that there is FTP traffic occurring on the connection. You establish FTPES sessions using a normal Cerberus FTP Server FTP listener, typically over port 21. Both unencrypted FTP and explicit TLS/SSL connections can be established to this type of listener. You cannot establish an implicit FTPS connection over this type of listener.
Adding a New Interface Listener
Cerberus FTP Server supports adding multiple listening interfaces for a given IP address. This allows you to have Cerberus accepting connections from different protocols on multiple ports. The only requirement is that each listener be on a unique IP/port combination. You can add FTP, FTPS (for implicit secure FTP only), SSH2 SFTP, HTTP or HTTPS listeners.
Select the “plus” icon next to the interface list box to add a new interface. A new dialog box will appear to ask for the interface details (interface IP, type, and port combination). Selecting the “X” icon will prompt you to delete the selected interface listener.
|Listen Port||This setting is the port that this interface will listen on for connections. For FTP, this is the control connection port.|
|Max Connections||The setting determines the maximum number of simultaneous connections that can connect to this interface listener.|
|Require Secure Control||(Applies to FTP only) If enabled, only secure control connection will be allowed. This is required to protect passwords from compromise on unsecured networks with FTP.|
|Require Secure Data||(Applies to FTP only) If enabled, only secure data connections will be allowed. All directory listings and file transfers will be required to be encrypted.|
|Don’t Use External IP for Passive connections||If this option is checked, Cerberus will always use the internal IP address when the incoming connection originates on the local network.|
|Passive IP Options||
|Show Welcome Message||If checked, the server will send a welcome message during user login for FTP/S, SSH SFTP, and the HTTP/S web client (note, some FTP and SFTP clients won’t display the welcome message).|
|Allow User Updates||(Applies to HTTP/S only) If checked, the user will be allowed to update his or her personal account information (first name, last name, email, or telephone number) through the HTTP/S web client.|
|Allow Web Account Requests||(Applies to HTTP/S only) If checked, users can request new accounts through the HTTP/s web client.|
|Allow Web Password Resets||(Applies to HTTP/S only) If checked, users can request a reset of their password through the HTTP/s web client. Several constraints must be met for the password reset feature to be active for a user account. The user must have an email address configured on their account, and the user must have previously selected and answered two security questions to be associate with their account. Finally, the administrator must have an SMTP server defined for sending emails.|
|Company Name||(Applies to HTTP/S only) The company name to display in the web client page title|
|Logo Image||(Applies to HTTP/S only) The logo image to display in the web client header. This image’s dimensions should be 230 by 70. The image format should be one that is supported by all web browsers. We recommend PNG, GIF, or JPEG|
|Login Image||(Applies to HTTP/S only) The image to display on the web client login page. This image’s dimensions should be 70 by 70. The image format should be one that is supported by all web browsers. We recommend PNG, GIF, or JPEG|
|Default Web Directory List Count||(Applies to HTTP/S only) The default number of entries that appear in the web client file list.|
|Show Timezone on Dates||(Applies to HTTP/S only) Toggles displaying timezone information for files and directories in the web client|
|Display Local Time||(Applies to HTTP/S only) Toggles between displaying server local time or UTC time for files and directories in the web client|
|Configure CAPTCHA||(Applies to HTTP/S only) Configures Google reCapatcha for the web client login and web requests pages.|
|Redirect requests to HTTP/S listener||(Applies to HTTP only) Any requests that come in over this HTTP listener will be redirected to the same address using HTTPS.|
The “Default” Interfaces
There is a Default interface for each type of listener (FTP, implicit FTPS, SFTP, HTTP, and HTTPS). When a new interface (IP address) is detected, that interface will receive an FTP, FTPS and SFTP listener and each of those listeners will be assigned the values of the appropriate “Default” interface at the time of detection. For example, If the “Default FTP” interface was defined to be on port 21, then when a new interface is detected for the first time it will receive an FTP listener on port 21 with the values of the Default FTP interface. Those settings then become the settings for the newly detected interface. Note that the new interface’s settings are not linked to the “Default” interface in any way. The “Default” interface simply represents the values that newly detected interfaces will be initialized with. Changing the values of the “Default” interface wouldn’t change any values on existing or previously detected interfaces.
For example, when you first install Cerberus FTP Server, the “Default FTP” interface is set to port 21 (the default FTP listening port) and all interfaces detected during that first start will receive FTP listeners with that port value. If you later change the “Default FTP” interface settings then that change will have no effect on existing interfaces.
It is also worth noting that Cerberus remembers the settings for interfaces that were previously detected but might have changed. For servers that have dynamic addresses that constantly change or cycle between a range of addresses, Cerberus will “remember” the old values and apply those instead of the “Default” settings if that interface address is later detected again.
Un-checking the box next to each Default interface will disable automatic listener activation for that interface type when a new interface is detected.
Interface Status Controls
Interfaces can also be enabled or disabled from the main Cerberus FTP Server user interface:
Checking an interface makes it active and starts a listener for connections on the specified IP and port address. Un-checking the interface disables the listener. Disabled listeners will no longer accept connections.