SSL Certs in MS Load Balancing

October 10, 2014, 4:35 pm

≫ Next: Serv-U Web Client downloading file but no extension

≪ Previous: Don't start Management Console Serv-U.

$

0

0

Hello,

 

We have 2 win 2008 server nodes setup with FTP (explicit) in Serv-U FTP in a Microsoft Load balancing environment. we need to find out the appropriate procedure on how to setup 3rd Party signed SSL certificates on both nodes for the same FTP site (ftp.mydomain.com).

The KB article 1053 only describes setup of SSL in a single server environment. Some of my  questions are:

• Do we need to generate CSR from both Server nodes with the same common name ?
• Do we need to request certificate for each node for the same site ?
• OR Can we generate CSR from node1, get the CA signed cert, install on node1 and then export it to other node2? if so what is the procedure? (Because this is the recommended procedure for IIS sites)

 

Thanks in advance for any suggestions.

---

Serv-U Web Client downloading file but no extension

October 10, 2014, 11:54 am

≫ Next: Does Serv-U File Server 7.2.0 support 2048 bit SSL?

≪ Previous: SSL Certs in MS Load Balancing

$

0

0

We have Serv-U v 14.0.0.6 with the web client enabled.  The web client does allow the download of a file but when downloading the file name changes and the extension of the file is removed.  Is this a bug in the software?  I'm using IE 11 on Windows 8.1.

 

Thanks,

 

Warren

Does Serv-U File Server 7.2.0 support 2048 bit SSL?

October 14, 2014, 8:38 am

≫ Next: Domain administrator - LDAP configuration hidden ??

≪ Previous: Serv-U Web Client downloading file but no extension

$

0

0

1024 Bit CA SSL certs are no longer available.  My 7.2 server runs fine.

Domain administrator - LDAP configuration hidden ??

October 14, 2014, 9:47 am

≫ Next: Custom Serv-U Integration Library (Linux) - home dir "/path/to/dir" does not exist

≪ Previous: Does Serv-U File Server 7.2.0 support 2048 bit SSL?

$

0

0

Hey,

I have to create a new domain on the FTP Server for a branch in another country...

 

So, when I add some user in this domain with the "Domain administrator" status, they can not manage the "LDAP User" for their domain (add some groups, ...).

 

 

Is it a bug or I can fix it?

 

Regards,

Sylvain

Custom Serv-U Integration Library (Linux) - home dir "/path/to/dir" does not exist

September 13, 2014, 1:17 pm

≫ Next: Serv-U test against Qualys SSL Labs SSL Server Test

≪ Previous: Domain administrator - LDAP configuration hidden ??

$

0

0

Hello again,

 

See previous post here: Custom Serv-U Integration Library Questions(big thanks to dougpapenthien)

I believe I have implemented the necessary functions for my custom integration library.

{

     SUUAFindUser,

     SUUAGetAttribute,

     SUUAEnumDirAccess,

     SUUAVeriftyPassword,

}

(I have a few others returning true or false based on their usage for testing purposes).

 

However, I am running into a new issue.  When I attempt to log in with a test user I get the following error:

"ERROR: Login was not successful."

The Domain log shows the following:

"Error logging in user "user", home dir "/path/to/dir" does not exist.

Interestingly, the first time I tried to log in, Serv-U created the directory on my behalf and reflected this in the domain log.

 

I am suspicious of ownership/permission issues, but I gave the directory full access for testing purposes...This did not help.  During an earlier phase of development I left the SUUAGetAttribute() function as is which defaulted users to the file system root directory.  I was able to log in then.  Additionally, I tested the record in my database as a Database user using the Serv-U GUI and was able to log in and see the appropriate directories just fine.  (I had to disable database users since the Library users are lowest on the hierarchy).  I found an article online that addressed this issue in a Windows environment that had to do with running Serv-U as a service, but it only exists when I implement my custom library, so I am assuming it is something in my implementation I am overlooking.

 

Any advice/guidance would be greatly appreciated.

 

Thank you!

Serv-U test against Qualys SSL Labs SSL Server Test

August 25, 2014, 2:44 pm

≫ Next: Is Serv-U vulnerable to POODLE SSLv3 Exploit?

≪ Previous: Custom Serv-U Integration Library (Linux) - home dir "/path/to/dir" does not exist

$

0

0

Hello,

 

Can SolarWinds Engineers test their Serv-U implementation against Qualys SSL Labs SSL Server Test?

Qualys SSL Labs - Projects / SSL Server Test

https://www.ssllabs.com/ssltest/

 

Serv-U test against Qualys SSL Labs SSL Server Test

Qualys SSL Labs - Projects / SSL Server Test

https://www.ssllabs.com/ssltest/

 

1. I would like the ability to disable older protocols like SSL2, TLS 1.0 and TLS 1.1 and only allow newer protocols such as TLS 1.2 and SSL3.

 

2. I would like the ability to disable Insecure Cipher Suites such as:

SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)   INSECURE

SSL_CK_RC4_128_WITH_MD5 (0x10080)   INSECURE

SSL_CK_RC2_128_CBC_WITH_MD5 (0x30080)   INSECURE

SSL_CK_IDEA_128_CBC_WITH_MD5 (0x50080)   INSECURE

 

3. I would like them to address OpenSSL CCS vulnerability (CVE-2014-0224)

https://community.qualys.com/blogs/securitylabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable

 

4. I would like support for Forward Secrecy.

https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy

 

Thanks,

Jimmy

Is Serv-U vulnerable to POODLE SSLv3 Exploit?

October 15, 2014, 4:44 am

≫ Next: How-to / Guidance on running MFT server on AWS?

≪ Previous: Serv-U test against Qualys SSL Labs SSL Server Test

$

0

0

More info on the vulnerability: https://isc.sans.edu/diary/OpenSSL%3A+SSLv3+POODLE+Vulnerability+Official+Release/18827

 

Does anyone know if Serv-U is vulnerable to the POODLE SSLv3 exploit?

 

Serv-U accepts SSLv3 connections so I presume Serv-U is vulnerable. There is an option to disable SSLv2 connections, but not one for SSLv3 connections, why is this?

 

Is it vulnerable, if so what can we do to stop it being so? If it is, we need an urgent hotfix as this is all over the internet.

 

bshopp

How-to / Guidance on running MFT server on AWS?

October 16, 2014, 12:08 pm

≫ Next: Serv-u 14 - How to modify users in bulk

≪ Previous: Is Serv-U vulnerable to POODLE SSLv3 Exploit?

$

0

0

Looking for information on howto or guidance if anyone has run the MFT server on AWS?

---

Serv-u 14 - How to modify users in bulk

October 19, 2014, 8:22 pm

≫ Next: How to connect to another computer using FTP Voyager

≪ Previous: How-to / Guidance on running MFT server on AWS?

$

0

0

I am migrating my storage from a local serv-u v14 server to a NAS. I need to change the home directory, physical director and virtual directory file path for around 500 accounts. Is there a way I can do a bulk modify so I don't have to change each account one by one? The path will be the same, so the only thing I need to change is the server name. Thank you.

 

 

Sincerely,

 

Thad Gerber

How to connect to another computer using FTP Voyager

October 20, 2014, 9:49 am

≫ Next: Obtain sFTP host key directly from the ServU server.

≪ Previous: Serv-u 14 - How to modify users in bulk

$

0

0

How do I setup a connection using FTP Voyager Ver 16.1.0.0?

Obtain sFTP host key directly from the ServU server.

October 30, 2014, 8:20 am

≫ Next: Running Scripts from Events

≪ Previous: How to connect to another computer using FTP Voyager

$

0

0

We have ServU servers in house.  Many end-users ask for the host key so they can script sFTP connections.

 

Is it possible to simply retrieve the key from the server and then email it to the end-users?

Running Scripts from Events

October 29, 2014, 10:52 am

≫ Next: Serv-U Version 15.1.1.108 Service Release Now Available

≪ Previous: Obtain sFTP host key directly from the ServU server.

$

0

0

I'm using Serv-U for Linux, and I have some scripts that run properly when I run them from a command line, however when I run a Test Event in Serv-U, It seems to run half my script then doesn't finish. It seems as though it's not running the script as Root.  What can I check?

Serv-U Version 15.1.1.108 Service Release Now Available

November 4, 2014, 8:43 am

≫ Next: Open SSL Vulnerability - 74326 (1) - OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

≪ Previous: Running Scripts from Events

$

0

0

Serv-U Version 15.1.1.108 Service Release is now available for customers under active maintenance and is now available in the customer portal.

 

Serv-U 15.1.1.104 was released November 4, 2014. A complete list of changes and upgrades follows:

 

Features:

• Updated OpenSSL libraries from 0.9.8x to 0.9.8zb.
• Disabled SSLv3 and SSLv2 by default.
• Added the ability to view the fingerprint for the server or domain SSH private key.
• Added additional HTTP response headers to mitigate warnings from security scanning software.
• Added the ability for admins to restrict the file sharing source of outgoing file shares (e.g., sending files from this local machine or from Serv-U).
• Added the ability for the file share owner to recognize when the file share has expired from the file share's detailed page.
• Added the ability to log the source IP address at the user or group level when a user logs into Serv-U.
• Removed the support link from the Management Console and Java clients.

 

Bug Fixes:

• Fixed a bug where Gateway did not bind to the proper port according to RFC specification when initiating outbound connections for FTP data transfers.
• Fixed a bug where the Accept-Public-IP-CIDRs.txt file was overwritten by the installer each time Gateway was updated.
• Fixed a bug where session macro strings (i.e., $IP) did not properly resolve for events involving password and email address changes.
• Fixed a bug where leading or trailing white space on an IP access rule containing an IP address could cause Serv-U to incorrectly interpret the rule as an IP name instead of address.
• Fixed a bug where data would fail to be written to the ODBC database if a particular table's column string length was exceeded.
• Fixed a bug where SSH public keys would fail to be exported when using the export feature.
• Fixed a bug where SSH public keys would not expand server-wide macros (e.g., %DOMAIN_HOME%/path/to/key.pub).
• Fixed a bug where special symbols could not be entered for file sharing passwords (i.e., '#' and '%').
• Fixed a bug where the file sharing wizard's "Generate Email" link would fail to resolve all server variables that were defined in the email body.
• Fixed a bug where the file sharing password could not be changed if no recipients were defined for the share.
• Fixed a bug in FTP Voyager JV and Web Client Pro where upload events would be fired when uploading files greater than 2GB.
• Fixed a bug in FTP Voyager JV where the "Libraries" folder would fail to list its contents (starting in Windows Vista and up).
• Fixed a bug in FTP Voyager JV where the focus would get lost when switching between frames causing keyboard shortcuts to fail.
• Fixed a bug where Web Client Pro would fail to launch with the new release of the Java Runtime Environment.
• Fixed a bug in Web Client Pro where slow connections could cause the browser to abandon the launching of Web Client Pro.
• Fixed a bug where SSH public keys specified at the group level were not applied to members of the group.

Open SSL Vulnerability - 74326 (1) - OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

November 4, 2014, 12:04 pm

≫ Next: Windows vs LDAP Authentication

≪ Previous: Serv-U Version 15.1.1.108 Service Release Now Available

$

0

0

We currently have Serv-U version 10.5 on a server.  We are unable to get support from Solar Winds, and was referred to this site for assistance. 

 

Has anyone had this vulnerability appear in their security scans?  If so, what is the solution?  I

 

This is the information that was forwarded to me, but I am unsure how to test to see if this is in fact a vulnerability for us.

 

 

 

 

 

Details:

 

 

74326 (1) - OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

 

 

 
 
 
 
 
 
 
 
 
 
 
 




  Synopsis

 

 

The remote host is affected
by a vulnerability that could allow sensitive data to be decrypted.

 

 

  Description

 

 

The OpenSSL service on the
remote host is vulnerable to a man-in-the-middle (MiTM) attack, based on its
response to two consecutive 'ChangeCipherSpec' messages during the incorrect
phase of an SSL/TLS handshake.



This flaw could allow a MiTM attacker to decrypt or
forge SSL messages by telling the service to begin encrypted communications
before key material has been exchanged, which causes predictable keys to be
used to secure future traffic.



Note that Nessus has only tested for an SSL/TLS MiTM
vulnerability (CVE-2014-0224). However, Nessus has inferred that the OpenSSL
service on the remote host is also affected by six additional vulnerabilities
that were disclosed in OpenSSL's June 5th, 2014 security advisory :



- An error exists in the function 'ssl3_read_bytes'

that could allow data to be injected into other sessions
or allow denial of service attacks. Note this issue is only exploitable if
'SSL_MODE_RELEASE_BUFFERS' is enabled. (CVE-2010-5298)



- An error exists related to the implementation of the
Elliptic Curve Digital Signature Algorithm (ECDSA) that could allow nonce
disclosure via the 'FLUSH+RELOAD'

cache side-channel attack. (CVE-2014-0076)



- A buffer overflow error exists related to invalid DTLS
fragment handling that could lead to execution of arbitrary code. Note this
issue only affects OpenSSL when used as a DTLS client or server. (CVE-2014-0195)



- An error exists in the function 'do_ssl3_write' that
could allow a null pointer to be dereferenced leading to denial of service
attacks. Note this issue is exploitable only if 'SSL_MODE_RELEASE_BUFFERS' is
enabled. (CVE-2014-0198)



- An error exists related to DTLS handshake handling
that could lead to denial of service attacks. Note this issue only affects
OpenSSL when used as a DTLS client.

(CVE-2014-0221)



- An unspecified error exists related to anonymous ECDH
ciphersuites that could allow denial of service attacks. Note this issue only
affects OpenSSL TLS clients. (CVE-2014-3470)



OpenSSL did not release individual patches for these
vulnerabilities, instead they were all patched under a single version release.
Note that the service will remain vulnerable after patching until the service
or host is restarted.

 

 

  See Also

 

 

 

 

 

 

 

 

 

 

 

 

http://www.nessus.org/u?d5709faa

https://www.imperialviolet.org/2014/06/05/earlyccs.html

https://www.openssl.org/news/secadv_20140605.txt

 

 

  Solution

 

 

OpenSSL 0.9.8 SSL/TLS users
(client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users
(client and/or server) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users
(client and/or server) should upgrade to 1.0.1h.

 

 

  Risk Factor

 

 

High

 

 

  CVSS Base Score

 

 

1. 9.3
   (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
2. 8.1 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

 

 

  CVSS Temporal Score

 

 

 

 

  STIG Severity

 

 

I

 

Windows vs LDAP Authentication

November 3, 2014, 8:00 am

≫ Next: can't open console Serv-U 15.1.1

≪ Previous: Open SSL Vulnerability - 74326 (1) - OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

$

0

0

Issue - My users want to log in using their Active Directory authentication credentials, and I don't know how to deploy this in Serv-U.

Resolution - Configure either Windows Authentication or LDAP Authentication in your Serv-U Domain.

 

Many Serv-U administrators find themselves asking:

"What is the difference between Windows Authentication and LDAP Authentication in Serv-U? And which one should I configure?"

And we are here to assist with this choice.

 

Windows vs. LDAP

Both LDAP and Active Directory are used to allow users to connect to Serv-U by using Active Directory credentials. LDAP additionally allows for authentication against other LDAP servers like Apache Directory Server and OpenLDAP. The main difference between LDAP Groups and Windows Groups in Serv-U is the following: Windows Groups utilize NTFS permissions, but configuration is at the Organizational Unit only, with no hook into Security Groups. LDAP Groups do not leverage NTFS permissions (so Serv-U is in control of file and folder permissions) but you can use Security Groups to apply permissions and settings (though settings are not inherited by nested groups). Even though the LDAP configuration can be slightly more difficult to set up, if an admin asks for a recommendation on which to use we would prefer LDAP due to ease of use once it is configured correctly.

 

 

After you make the choice, configure Windows or LDAP authentication

Windows Authentication Configuration	LDAP Authentication Configuration
Windows Authentication online guide Windows Groups Integrating Serv-U with Windows Accounts Windows Groups and Organizational Units in Serv-U  -  KB Article #1977 Enabling Windows User NT-SAM / Active Directory Support in Serv-U  -  KB Article #1412	LDAP Authentication online guide LDAP User Groups LDAP Authentication in Serv-U  -  KB Article #2143 LDAP Authentication - ERROR: Login was not successful  -  KB Article #2141

 

Testing

The following images show what a successful HTTP login looks like for the user and the Serv-U admin. Note that LDAP and Windows Authentication looks identical in the logs.   The login page for the user named LDAP   The log entries for the admin for a successful login and logout can be viewed under Serv-U admin console > Domain Activity > Log.   [02] Fri 31Oct14 16:03:53 - (000003) Connected to 10.XXX.X.XX (local address 10.XXX.X.XX, port 80) [40] Fri 31Oct14 16:03:53 - (000003) HTTP_LOGIN: user: LDAP; domain: 10.XXX.X.XX [02] Fri 31Oct14 16:03:53 - (000003) User "LDAP@lab.aus.example" logged in [41] Fri 31Oct14 16:03:53 - (000003) HTTP_OKAY (200): SESS_OKAY [40] Fri 31Oct14 16:03:57 - (000003) HTTP_LIST: path: "~/" [41] Fri 31Oct14 16:03:57 - (000003) HTTP_OKAY (200): okay [40] Fri 31Oct14 16:04:05 - (000003) HTTP_LOGOUT [41] Fri 31Oct14 16:04:05 - (000003) HTTP_OKAY (200): okay [02] Fri 31Oct14 16:04:05 - (000003) User "LDAP@lab.aus.example" logged out [02] Fri 31Oct14 16:04:05 - (000003) Closed session     Being able to read and understand the log is useful for not only this issue, but for many other issues in Serv-U. If an error occurs Serv-U will most likely have the error in its log. If you see no such errors then Serv-U did not capture the issue in the connection, and with LDAP and AD authentication, we urge you to review the directory machine's log. The following articles contain more information about setting up and understanding the log files in Serv-U: Setting Up Serv-U's Log  -  KB Article #1357 Reading Serv-U's Log File  -  KB Article #1212

 

 

Please keep Serv-U up to date

Finally we urge any administrator working with LDAP or Windows authentication to make sure their Serv-U installation is up to date. To ensure the best experience, we advise that you upgrade to the latest version of Serv-U BEFORE configuring your advanced user authentication. If you need more information about what has been fixed or what the latest version of Serv-U is, please visit our release notes page: http://www.serv-u.com/ReleaseNotes/ For upgrade, backup, and migration information, please refer to the following links: http://www.serv-u.com/kb/1154/Upgrading-to-the-Latest-Version-of-ServU http://www.serv-u.com/kb/1047/Backing-Up-or-Moving-ServU-Settings

---

can't open console Serv-U 15.1.1

November 13, 2014, 7:34 am

≫ Next: File share email notification error:

≪ Previous: Windows vs LDAP Authentication

$

0

0

Hi Forum

 

we have upgrade today to Serv-U 15.1.1 after that we can't open the console

 

Script Error

http://127.0.0.1:43958/Common/Scripts/BrowserCheckAW.js

File share email notification error:

October 8, 2014, 9:15 am

≫ Next: ftp voyager scheduler variables not working

≪ Previous: can't open console Serv-U 15.1.1

$

0

0

Hello I have a problem with the notification on file Share.

SMTP is configured correctly with an account (xxx@xxx.com) My server requires aunteticacion user: xxx and password: xxx.

The  event´s emails work´s fine.

 

My problem it´s with file share,(send and request).

 

The email and name of the user is

user:Sender 

Email:(yyy@yy.com)

 

The guest never receives the email notification, that he has available a download file.

In log gives an error:

 

You can not send a message to zzzz@zzz.com,: 553 5.7.1 <yyy@yy.com>: Sender address rejected: not owned by user xxx

 

 

as we need to configure the server for this to work properly?.

 

 

Thanks to all !!

ftp voyager scheduler variables not working

November 14, 2014, 1:22 pm

≫ Next: Recover userid/pwd for Serv-U

≪ Previous: File share email notification error:

$

0

0

I have my local folder to download files like htis c:\deeplog\%Y and the scheduler software keeps saying that the directory is invlaid.  I am following the steps i foudn here.  What am  I doing wrong?  Thanks. 

 

Date/Time Path Name Variables in FTP Voyager Scheduler

Recover userid/pwd for Serv-U

November 14, 2014, 11:46 am

≫ Next: Serv-U test against Qualys SSL Labs SSL Server Test

≪ Previous: ftp voyager scheduler variables not working

$

0

0

Our company purchased Serv-U for our FTP server in 2010. People who created credentials left the company, so we don't have userid/pwd to connect to Serv-U and create additional accounts.

 

Is there any way to recover Serv-U userid/pwd?

 

Thanks,

 

Mark

Serv-U test against Qualys SSL Labs SSL Server Test

August 25, 2014, 2:44 pm

≫ Next: Email on Event: only 255chars ?

≪ Previous: Recover userid/pwd for Serv-U

$

0

0

Hello,

 

Can SolarWinds Engineers test their Serv-U implementation against Qualys SSL Labs SSL Server Test?

Qualys SSL Labs - Projects / SSL Server Test

https://www.ssllabs.com/ssltest/

 

Serv-U test against Qualys SSL Labs SSL Server Test

Qualys SSL Labs - Projects / SSL Server Test

https://www.ssllabs.com/ssltest/

 

1. I would like the ability to disable older protocols like SSL2, TLS 1.0 and TLS 1.1 and only allow newer protocols such as TLS 1.2 and SSL3.

 

2. I would like the ability to disable Insecure Cipher Suites such as:

SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)   INSECURE

SSL_CK_RC4_128_WITH_MD5 (0x10080)   INSECURE

SSL_CK_RC2_128_CBC_WITH_MD5 (0x30080)   INSECURE

SSL_CK_IDEA_128_CBC_WITH_MD5 (0x50080)   INSECURE

 

3. I would like them to address OpenSSL CCS vulnerability (CVE-2014-0224)

https://community.qualys.com/blogs/securitylabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable

 

4. I would like support for Forward Secrecy.

https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy

 

Thanks,

Jimmy