The default copy of CrushFTP ships with secure defaults: there are no default usernames or passwords. The default ciphers are reasonably secure, but not as strict as they could be, to keep compatibility for people starting out with a potentially older browser, for example. Some default ports that you may not need or want for file transfer also allow insecure, unencrypted connections (plain FTP / HTTP).\\
!Remove plaintext protocols\\
By default we ship plain HTTP listeners on port numbers 8080 and 9090. Delete these on the [IP Servers|IP Servers] page, or change their IP from "lookup" to 127.0.0.1 so they are only reachable from the server itself.\\
The default FTP/FTPES listener does not enforce FTPES; to require it, enable encryption on that listener, or remove the FTP port completely if it is not needed.\\
\\
[{Image src='hardening_ftp1.jpg' width='100%' height='..' align='left' style='..' class='..' }]
----\\
!Hardening SSL/TLS ciphers\\
This affects FTPS, FTPES, HTTPS and WebDAVS server mode. On the Encryption->[SSL|SSL] page press the "All insecure ciphers" button to deselect them, save the settings, then restart the HTTPS server listener (and any other TLS listener you have configured, so the new cipher list is picked up).\\
\\
[{Image src='hardening_ssl.jpg' width='100%' height='..' align='left' style='..' class='..' }]
----\\
!Hardening the HTTP headers\\
Usually resetting the WebInterface->[CSP|CSP] page to its defaults is enough. When using SAML, OAuth or another external IdP integration, you will need to add the IdP portal domain as an allowed domain, otherwise the browser blocks the redirect or form post to the IdP.\\
\\
[{Image src='hardening_csp1.jpg' width='100%' height='..' align='left' style='..' class='..' }]
\\
The changes take effect instantly, no restart required.\\
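Before and after editing the CSP page it helps to check which directives of the header you actually serve would block the IdP origin. The following is an added example written for this page, not CrushFTP's own code; the policy strings, the origins and the set of directives it inspects (form-action, frame-src, connect-src; which of these your integration needs depends on the SAML/OAuth binding) are constructed assumptions, and the matcher is a simplified version of the CSP source-list rules (scheme, host wildcard, port, 'self', fallback to default-src).

```python
from urllib.parse import urlsplit

# Directives that fall back to another directive when absent (CSP3 fallback chains, simplified).
# form-action deliberately has no fallback: the spec never falls back to default-src for it.
FALLBACK = {"frame-src": ["child-src", "default-src"], "connect-src": ["default-src"], "form-action": []}
DEFAULT_PORTS = {"http": "80", "https": "443"}


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source expressions]}; first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _origin_parts(url: str):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = str(u.port) if u.port else DEFAULT_PORTS.get(scheme, "")
    return scheme, (u.hostname or "").lower(), port


def source_matches(expr: str, origin: str, self_origin: str) -> bool:
    """Does one CSP source expression allow `origin`? (host-source, scheme-source, 'self', '*', 'none')"""
    scheme, host, port = _origin_parts(origin)
    expr = expr.strip()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return _origin_parts(self_origin) == (scheme, host, port)
    if expr == "*":                       # '*' never matches data:, blob: or filesystem: URLs
        return scheme in ("http", "https", "ws", "wss")
    if expr.startswith("'"):              # 'unsafe-inline', nonces, hashes are not host sources
        return False
    if expr.endswith(":") and "/" not in expr:   # scheme-source such as "https:"
        return expr[:-1].lower() == scheme
    # host-source: [scheme://]host[:port][/path]; the path part is ignored here
    if "://" in expr:
        e_scheme, rest = expr.split("://", 1)
    else:
        e_scheme, rest = "", expr
    rest = rest.split("/", 1)[0]
    e_host, _, e_port = rest.partition(":")
    e_host = e_host.lower()
    if e_scheme and e_scheme.lower() != scheme:
        return False
    if e_host.startswith("*."):           # "*.idp.example" matches "login.idp.example" but not "idp.example"
        if not host.endswith(e_host[1:]):
            return False
    elif e_host != host:
        return False
    if e_port == "*":
        return True
    expected = e_port or DEFAULT_PORTS.get(e_scheme.lower() if e_scheme else scheme, "")
    return expected == port


def directive_allows(policy: dict, directive: str, origin: str, self_origin: str) -> bool:
    """Resolve the governing source list for `directive` (walking its fallback chain) and test `origin`."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return any(source_matches(e, origin, self_origin) for e in policy[name])
    return True                           # no governing directive: CSP imposes no restriction


def idp_check(header: str, idp_origin: str, self_origin: str,
              directives=("form-action", "frame-src", "connect-src")) -> list:
    """Return the directives of `header` that would block `idp_origin`."""
    policy = parse_csp(header)
    return [d for d in directives if not directive_allows(policy, d, idp_origin, self_origin)]


# Constructed sample policies and origins (not CrushFTP's real default header).
SELF_ORIGIN = "https://files.example.com"
IDP_ORIGIN = "https://login.idp.example"
BEFORE_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
              "form-action 'self'; frame-src 'self' https://*.idp.example")
AFTER_CSP = ("default-src 'self'; form-action 'self' https://login.idp.example; "
             "frame-src 'self' https://*.idp.example; connect-src 'self' https://login.idp.example")

if __name__ == "__main__":
    print("blocked before:", idp_check(BEFORE_CSP, IDP_ORIGIN, SELF_ORIGIN))   # ['form-action', 'connect-src']
    print("blocked after: ", idp_check(AFTER_CSP, IDP_ORIGIN, SELF_ORIGIN))    # []
```

Run it against the `Content-Security-Policy` value you see in the browser's developer tools for the CrushFTP login page, with your own IdP origin; any directive it reports is one the CSP page needs the IdP domain added to.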
\\
----\\
!Hardening SSH algorithms\\
On the [IP Servers|IP Servers] page select the __SFTP__ server listener, open the __Advanced__ tab and remove all weak algorithms from the lists. The actual strength of the various algorithms is debated, so consult your own security advisor; usually the __NIST__ recommended algorithms will satisfy most security assessors.\\
[{Image src='hardening_sftp1.jpg' width='100%' height='..' align='left' style='..' class='..' }]
\\
__Hostkey algorithms:__\\
\\
Keep the default __RSA__ host key, or additionally enable __ECDSA__ and/or __ED25519__.\\
\\
__Ciphers:__\\
{{{
aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
}}}
__Key Exchange (KEX) algorithms:__\\
{{{
curve25519-sha2@libssh.org,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
}}}
__Message Authentication Code (MAC) algorithms:__\\
{{{
hmac-sha256,hmac-sha2-256,hmac-sha256@ssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha512,hmac-sha2-512,hmac-sha512@ssh.com,hmac-sha2-512-etm@openssh.com
}}}
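Once the lists are saved it is worth confirming from the outside that the SFTP listener really advertises only the algorithms above, since the server announces everything it accepts in its first SSH_MSG_KEXINIT packet. The following is an added example written for this page, not CrushFTP's own code: it uses the page's cipher, KEX and MAC lists as allow-lists, decodes a KEXINIT payload (RFC 4253 name-list layout) and reports anything outside them. The host-key algorithm names it accepts for "RSA / ECDSA / ED25519" and the sample KEXINIT it audits offline are constructed assumptions; `fetch_server_kexinit` does the same against a live host when you pass one on the command line.

```python
import socket
import struct

# Allow-lists copied from the recommended SFTP listener settings on this page.
ALLOWED_KEX = set("curve25519-sha2@libssh.org,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,"
                  "diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,"
                  "diffie-hellman-group14-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521".split(","))
ALLOWED_CIPHERS = set("aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com".split(","))
ALLOWED_MACS = set("hmac-sha256,hmac-sha2-256,hmac-sha256@ssh.com,hmac-sha2-256-etm@openssh.com,"
                   "hmac-sha512,hmac-sha2-512,hmac-sha512@ssh.com,hmac-sha2-512-etm@openssh.com".split(","))
# Assumption: the page's "RSA / ECDSA / ED25519" host keys map to these SSH algorithm names.
# ssh-rsa signs with SHA-1; drop it and keep only rsa-sha2-* if your assessor flags SHA-1 signatures.
ALLOWED_HOSTKEYS = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", "ecdsa-sha2-nistp256",
                    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519"}

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253 section 7.1).
NAME_LISTS = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
CHECKS = {"kex": ALLOWED_KEX, "hostkey": ALLOWED_HOSTKEYS, "cipher_c2s": ALLOWED_CIPHERS,
          "cipher_s2c": ALLOWED_CIPHERS, "mac_c2s": ALLOWED_MACS, "mac_s2c": ALLOWED_MACS}


def parse_kexinit(payload: bytes) -> dict:
    """Decode an SSH_MSG_KEXINIT payload into {list name: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16                                  # message byte + 16-byte cookie
    lists = {}
    for name in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        raw = payload[off:off + n].decode("ascii")
        off += n
        lists[name] = [a for a in raw.split(",") if a]
    return lists


def build_kexinit(lists: dict) -> bytes:
    """Encode a KEXINIT payload; used here only to construct the offline sample."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in NAME_LISTS:
        names = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + b"\x00\x00\x00\x00"    # first_kex_packet_follows = false, reserved uint32


def audit_kexinit(lists: dict) -> dict:
    """Return {list name: [algorithms the server advertises that are not on the allow-list]}."""
    findings = {}
    for name, allowed in CHECKS.items():
        weak = [a for a in lists.get(name, []) if a not in allowed]
        if weak:
            findings[name] = weak
    return findings


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Exchange version strings with a live server and decode its KEXINIT (network required)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):   # servers may send banner lines before the version
            line = f.readline()
        s.sendall(b"SSH-2.0-kexaudit\r\n")
        (packet_len,) = struct.unpack(">I", f.read(4))  # unencrypted binary packet: length, padding_len, payload, padding
        body = f.read(packet_len)
        payload = body[1:packet_len - body[0]]
    return parse_kexinit(payload)


# Constructed sample of a listener that still advertises legacy algorithms (not captured from a real server).
WEAK_LISTENER = {
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha256", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa", "ssh-ed25519"],
    "cipher_c2s": ["aes256-ctr", "aes128-cbc", "3des-cbc"],
    "cipher_s2c": ["aes256-ctr", "aes128-cbc", "3des-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
    "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": [],
}

if __name__ == "__main__":
    import sys
    lists = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else parse_kexinit(build_kexinit(WEAK_LISTENER))
    for name, weak in audit_kexinit(lists).items():
        print(f"{name}: remove {', '.join(weak)}")
```

Run it with your SFTP host as the argument after restarting the listener; an empty report means the advertised lists match the page's recommendations, and each line it prints names an entry still to delete on the Advanced tab.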
\\
----
\\
If you need __data at rest encryption__ (stored files PGP-encrypted on disk):\\
\\
1.) Go to the User Manager and select the default user.\\
2.) Do a quick filter on "pgp".\\
3.) Configure a public and private key for the PGP encryption. Doing it here on the default user automatically applies it to all users.\\
[{Image src='hardening_pgp1.jpg' width='100%' height='..' align='left' style='..' class='..' }]
\\
[{Image src='hardening_pgp2.jpg' width='100%' height='..' align='left' style='..' class='..' }]
\\
----

\\
__IMPORTANT:__ Do not try to disable or remove the default user: it cannot be used for logins and exists only to apply settings to all users.