Official firmware supports FTPS: Network | FTP > Secure FTP (Explicit) == Enable (I use 1.00.05, in other versions it could be in different place).
However, if your NAS is located behind the router (a bit typical situation, isn't it?) you couldn't use FTPS for sharing files. The problem is simple: by default FTPS will choose port from range 1024-65535, but your router couldn't sniff the port number and open incoming port because the information is already encrypted.
I've found very simple hack: by modifying FTP daemon's option you can narrow the ports range and forward all of them to your NAS.
1. Activate Secure FTP on your NAS.
2. Install and enable SSHD module.
3. Connect to device by SSH and execute command:
/opt/bin/sqlite /app/cfg/conf.db "update conf set v='2 -p 3000:3010' where k='ftp_ssl'"
The new option ("-p 3000:3010") is specified the range of ports which ftp daemon will be used.
4. Re-configure your router and forward all incoming connections to ports 3000-3010 to the NAS.
5. Disable SSHD module.
Voila.
P.S. When the hack is applied you shouldn't make any changes on FTP configuration page and both radio buttons for "Secure FTP" option will not be checked. It's OK.
P.P.S. If you would like to reverse the hack just go to FTP configuration page, check one of "Secure FTP" radio buttons and "press Apply" button.
UPDATE:
To connect using FTPS you can use WinSCP client. Enter IP address/domain name, Port=21, File Protocol=FTP + TLS Explicit encryption. Then check "Advanced options", on page "Connection" check "Passive mode" (it is checked by default) and then on page "FTP" check "Force IP address for passive mode connection".
Another way to connect to the NAS using FTPS is Total Commander's integrated ftp client. Just enter 'ftps://domain' and check SSL/TLS checkbox.
Yo writes:
Thanks for the idea.
Could you precise how to connect to device by SSH and where to execute commande on the NAS ?
Thanks for help !
huh? you can use any SSH client (I use KiTTY, the PuTTY's fork). just enter NAS IP address, login, password and that's it.
Yo writes:
OK thanks for help ! I'm a beginner with SSH, etc. !!
PuTTY is installed and I tried to log on the NAS, but my login/password is denied.
Which login should be used ? The one I usually use via Internet to connect to the Thecus (IP 192.198.1.100) is denied… Is there any firewall or something that could block the connection ?
PS : where should be used the PID/password given by the SSHD module ?
Thanks for your patience !
SSHD Module v2.2
Openssh 4.3p2 daemon PID : 4319
Default root password is 'thecus'
this password should be used in PuTTY during connection to your NAS after SSHD module installed and enabled (take a note that username for SSH connection is 'root').
for security reason it's strongly recommended to disable SSHD module when you finish to apply this hack.
Yo writes:
Thanks for the tips.
The indication for username was missing !
Your command has been executed.
SSHD module has been disabled.
Ports 3000-3010 are redirected to the NAS IP Address (192.168.1.100).
When connecting via FTPES to my NAS, Filezilla sees the NAS (because the user is recognized).
But I still do not manage to reach the folders on my NAS by FTPES because of an error that occurs in Filezilla :
227 Entering Passive Mode (192,168,1,100,108,55)
Non routable address (roughly translated from french !)
The router uses DHCP but I gave a static IP Address to the NAS (192.168.1.100) so that it's recognized for the redirection.
I guess the router doesn't really understand what the NAS tells him. Wrong port ? Wrong IP address ? Wrong IP status (dynamic/static) ?
I'm still looking for the reason…
Anyway, thanks for all !
> The indication for username was missing
nope. you can double check README file for SSHD module. it's there.
> 192,168,1,100,108,55
=>
IP: 192.168.1.100
Port: 108*256+55=27703
this is a bit strange. Port should be in range 3000-3010. you can try to reboot your NAS because the ftp daemon should be restarted to use options which were stored to database by hack (we can't "restart" only ftp the daemon by disable/enable it through the web interface because it reverses the hack).
actually I haven't tried Filezilla. may be it is not compatible with pure-ftpd daemon's Secure FTP (Explicit) implementation. I've just tried WinSCP (4.2.8) and Total Commander 7.5x (it has native support: use SSL/TLS checkbox)
> I guess the router doesn't really understand what the NAS tells him.
it couldn't, because the connection is encrypted. this is why we configure the ftps daemon to use short range of ports and forward all incoming connections to these ports to the NAS.
I would recommend you try to connect to NAS without the router. if it works and you see the list of directories you have to check:
– the FTP daemon settings (mine settings: FTP – Enabled, Port – 21, Secure FTP (Explicit) — no radio checked, that's OK because of "hack")
– port-forwarding on your router (mine settings: forward all incoming connections from port 21 and from ports 3000-3010 to the NAS)
also be sure that you had created a user on your NAS, have given an appropriate rights to the user, and you are connecting to the FTPS using his login/password.
Yo writes:
Thanks for answering so quickly !
The two radio buttons of Secure FTP are now inactive, that means that the Hack is enabled (if I well understand !)
Everything is now OK, but the port range (3000:3010) seems to be to narrow.
With a 3000:3200 range, everything is OK (with WinSCP and Filezilla).
Muchos Gracias and Mille Mercis for your time !
Sincerely yours,
Yohan
you are welcome.
I'm glad that it was useful for somebody else 🙂
Len writes:
Hi. Not sure if you are still interested in this, but anyhow. I used this hack and it seemed to work quite well. I set FileZilla up to use the external IP of the NAS. However, I can't get a directory listing. Keep getting the error below. Any clues on what could be the issue? I actually set it to use 3000 to 3020 and it happens on every port. I am a bit lost on what to try next.
Response: 200 PORT command successful
Command: MLSD
Response: 425 Could not open data connection to port 3007: Connection refused
Error: Failed to retrieve directory listing
Have you re-configured your router to forward all incoming connections to ports 3000-3020 to the NAS?
Len writes:
Oh, and yes, I have forwarded all the necessary ports. Thanks.
Len writes:
I have delayed my response until I got my facts straight. I actually think my problem lies in the fact the N3200PRO keeps responding to the FTP client with the internal LAN address. I did use your module, but I still can't get passive mode FTP to work because of this problem.
I know this is off-topic, but do you know how to let the NAS know what the routers external IP address is? I set up DDNS as I thought this was the solution, but still no luck.
my NAS is connected to my home network using internal LAN interface and I don't use it's WAN interface. so I have no idea if FTP works fine in this configuration or not.
can you connect to your NAS using non-secure FTP? (simply disable the hack through NAS web interface and try it).
I don't know how to tell to the NAS about public (external) IP address. However, I don't know why this might be needed.
DDNS couldn't help you with that because it is designed for slightly different purpose. You shouldn't set up DDNS on your NAS because it is located behind the router and it doesn't have a public IP address (if I correct of cause).
I use DDNS, but it is configured on my router (not on the NAS) so my router's public IP address is registered at DDNS provider.
P.S. this is not my module. I've just found a little hack in changing FTP's setting.
Anonymous writes:
Thanks for the awesome tip.
Just a note that in the code snipper above:
where k='ftp_ssl'"
needed to be
where k='ftpd_ssl'"
on my N7700pro.
I'm surprised "ftp_ssl" works at all – it this perhaps a typo or is it indeed different on the n3200pro?
You are welcome.
It's not a typo, in 3200pro the key is 'ftp_ssl'
P.S. I've just double checked it.
Anonymous writes:
Cool.
So for folks trying this hack on other Thecus platforms, if key "ftp_ssl" doesn't work for you, try "ftpd_ssl" instead.
The easiest way to check the key name is: