Access to QNAP via FTPS with FileZilla does not work
Hello everyone,
I have a problem here where I'm stuck. Specifically, it concerns access via FTPS (SFTP is unfortunately not supported, so that is not an option) to our QNAP TS-EC879U-RP over the Internet. The device sits behind a Sonicwall, from which the required ports (20, 21) are forwarded to the QNAP.
When I try to connect with FileZilla, the process stalls while listing the directories.
The settings are as follows:
Protocol: FTP
Encryption: Require explicit FTP over TLS
Logon Type: Normal (user/password stored)
Access via the external IP:
10:48:23 Status: Connecting to 123.45.678.901:21...
10:48:23 Status: Connection established, waiting for welcome message...
10:48:23 Status: Initializing TLS...
10:48:23 Status: Verifying certificate...
10:48:23 Status: TLS connection established.
10:48:23 Status: Logged in
10:48:23 Status: Retrieving directory listing...
10:48:43 Command: PWD
10:48:43 Response: 257 "/" is the current directory
10:48:43 Command: TYPE I
10:48:43 Response: 200 Type set to I
10:48:43 Command: PORT 192,168,96,64,217,161
10:48:43 Response: 200 PORT command successful
10:48:43 Command: MLSD
10:48:43 Error: Connection timed out after 20 seconds of inactivity
10:48:43 Error: Failed to retrieve directory listing
10:48:43 Status: Disconnected from server
10:48:43 Status: Connecting to 123.45.678.901:21...
10:48:43 Status: Connection established, waiting for welcome message...
10:48:43 Status: Initializing TLS...
10:48:43 Status: Verifying certificate...
10:48:43 Status: TLS connection established.
10:48:43 Status: Logged in
10:48:43 Status: Retrieving directory listing...
10:48:57 Command: PWD
10:48:57 Response: 257 "/" is the current directory
10:48:57 Command: TYPE I
10:48:57 Response: 200 Type set to I
10:48:57 Command: PORT 192,168,96,64,217,165
10:48:57 Response: 200 PORT command successful
10:48:57 Command: MLSD
10:48:57 Error: Directory listing aborted by user
When I use plain FTP, everything works fine:
10:49:50 Status: Connecting to 123.45.678.901:21...
10:49:50 Status: Connection established, waiting for welcome message...
10:49:55 Status: Logged in
10:49:55 Status: Retrieving directory listing...
10:49:56 Status: Directory listing of "/" successful
The settings are as follows:
FTP service is enabled
Protocol type: FTP (standard) and FTP with SSL/TLS (explicit) are enabled
Port number: 21
Unicode support: Yes
Enable anonymous access: No
Access over the LAN almost works; here the following error message appears:
13:55:07 Status: Connecting to 10.50.1.25:21...
13:55:07 Status: Connection established, waiting for welcome message...
13:55:07 Status: Initializing TLS...
13:55:07 Status: Verifying certificate...
13:55:07 Status: TLS connection established.
13:55:07 Status: Logged in
13:55:07 Status: Retrieving directory listing of "/marcapo"...
13:55:07 Command: CWD /marcapo
13:55:07 Response: 250 CWD command successful
13:55:07 Command: TYPE I
13:55:07 Response: 200 Type set to I
13:55:07 Command: PORT 192,168,96,64,222,118
13:55:07 Response: 200 PORT command successful
13:55:07 Command: MLSD
13:55:07 Response: 150 Opening BINARY mode data connection for MLSD
13:55:07 Error: Primary connection and data connection certificates don't match.
13:55:07 Error: Transfer connection interrupted: ECONNABORTED - Connection aborted
13:55:07 Response: 425 Unable to build data connection: Operation not permitted
13:55:07 Error: Failed to retrieve directory listing
Does anyone have an idea what the cause might be?
Content-ID: 308323
Url: https://administrator.de/forum/zugriff-auf-qnap-per-ftps-mit-filezilla-funktioniert-nicht-308323.html
Printed on: 23.12.2024 at 09:12
Hi.
Sure you can connect via SSH and SFTP, no problem with a QNAP!! You only need SSH enabled and forwarded, then you can use SFTP.
But back to your FTP. In this line you can see that the server wants to tell the client the IP and the port for the data connection:
10:48:57 Command: PORT 192,168,96,64,217,165
The first 4 parts are the IP and with the last two numbers you can calculate the data port:
(217 x 256) + 165 = 55717
So first the error here is the FTP-Server does not tell the client the external IP. And second you did not configure to use a static port range for the data connections. These data ports need to be forwarded to the QNAP. Third, you are not using passive mode.
All common errors of beginners.
Regards
SSH only needs 1 port! This port needs to be forwarded.
The other ports you mentioned are only for plain FTP(S) usage not for SFTP.
If you are using plain ftp(s) these dynamic ports all need to be forwarded on the router to the NAS. Don't mix the protocols!!
And use putty or WinSCP as reference clients to verify functions, not FileZilla.
What kind of router and firewall are you using?
Quote from @129813:
SSH only needs 1 port! This port needs to be forwarded.
The other ports you mentioned are only for plain FTP(S) usage not for SFTP.
As I said, SSH has nothing to do with the dynamic ports used for the data connection and FTP(S). These additional ports are only used in conjunction with FTP(S), not SSH (SFTP); you are mixing two totally different protocols!
So only when you want to use FTPS the dynamic port range has to be forwarded on the firewall to your NAS. And check your firewall filters.
Quote from @Stibonator:
the QNAP manual says that a ssh connection is only allowed for the administrator - does this also apply to SFTP?
Yes. SSH per default is only for users of the admin group.
1. Enable FTP with SSL
2. Port = 21
3. Set FTP to passive
4. Port range 55536-56559 (default)
5. Enable "Respond with external IP address"
6. Firewall port forwarding: ports 21 and 55536-56559 to the QNAP
7. On the client, select FTPS as the protocol / connection type
Edit: And don't forget that the user must also be granted appropriate permissions.
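Added example (not written by any poster in this thread): a Python script that decodes the h1,h2,h3,h4,p1,p2 argument of PORT commands and 227 PASV replies in a client log, using the port calculation shown earlier in the thread, and checks each endpoint against the forwarded range 55536-56559 from the steps above. The sample log lines and the address 203.0.113.10 are constructed.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly (not reachable from the Internet).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONNECT_RE = re.compile(r"Connecting to ([0-9.]+):\d+")
# Six numbers h1,h2,h3,h4,p1,p2 after PORT or inside a 227 reply.
ENDPOINT_RE = re.compile(r"(PORT |227 [^(]*\()" + r",".join([r"(\d+)"] * 6))

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def decode_endpoint(fields):
    """Return (IPv4Address, port) with port = p1 * 256 + p2."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (fields,))
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def audit_log(lines, forwarded=range(55536, 56560)):
    """List (kind, ip, port, issues) for every data endpoint in a client log."""
    findings, control_ip = [], None
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            try:
                control_ip = ipaddress.IPv4Address(m.group(1))
            except ValueError:  # masked or malformed address in the log
                control_ip = None
            continue
        m = ENDPOINT_RE.search(line)
        if not m:
            continue
        kind = "PORT" if m.group(1).startswith("PORT") else "PASV"
        ip, port = decode_endpoint(m.groups()[1:])
        issues = []
        if control_ip is not None and not is_rfc1918(control_ip) and is_rfc1918(ip):
            issues.append("private address announced on a public control connection")
        if kind == "PASV" and port not in forwarded:
            issues.append("passive port outside the forwarded range")
        findings.append((kind, str(ip), port, issues))
    return findings

# Constructed sample lines modelled on the logs in this thread.
SAMPLE = ["10:48:43 Status: Connecting to 203.0.113.10:21...",
          "10:48:57 Command: PORT 192,168,96,64,217,165",
          "10:49:10 Response: 227 Entering Passive Mode (203,0,113,10,218,32).",
          "10:49:20 Response: 227 Entering Passive Mode (10,50,1,25,195,80)."]
```

A NAT device can rewrite these addresses in transit only while the control channel is cleartext; once it is TLS-encrypted the announced address reaches the peer unchanged, which is consistent with plain FTP working and FTPS stalling in the logs above.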
Check the following settings in FileZilla:
Open Filezilla, go to Edit -> Settings
Click on Connection -> FTP: Choose Active
Click on Connection -> FTP -> Active Mode: Select "Ask your operating system for the external IP address"
Click on Connection -> FTP -> Passive Mode: Choose Fall Back to Active Mode
Test another FTP-Client (WinSCP). FileZilla often fails with FTPS and specific FTP-server-settings and commands
https://stefankonarski.de/content/geloest-filezilla-verzeichnisinhalt-ko ...
I will test it here with a QNAP sys in a second...
Here it works as expected, will post my settings later, I have to leave now, feeding a client
I tested it successfully also from outside with dynamic ports forwarded. So there must be a problem with your client-firewall or your router-firewall perhaps doing DPI or something else.
Try turning off MLSD command within WinSCP:
--------------------------------------------------------------------------
WinSCP Version 5.7.7 (Build 6257) (OS 6.1.7601 Service Pack 1 - Windows 7 Ultimate)
--------------------------------------------------------------------------
Connecting to XXXXXXXXX:21 ...
Connected with XXXXXXXXX:21, negotiating TLS connection...
220 NASFTPD Turbo station 1.3.5a Server (ProFTPD) [XXXXXXXXXXX]
AUTH TLS
234 AUTH TLS successful
Verifying certificate for "QNAP Systems, Inc." with fingerprint XXXXXXXXXXXXX
Asking user:
**The server's certificate is not known. You have no guarantee that the server is the computer you think it is.**
Server's certificate details follow:
Issuer:
- Organization: QNAP Systems, Inc., NAS, TS Series NAS, q_support@qnap.com
- Location: TW, Taiwan, Taipei
Subject:
- Organization: QNAP Systems, Inc., NAS, TS Series NAS, q_support@qnap.com
- Location: TW, Taiwan, Taipei
Valid: 08.07.2011 10:09:45 - 05.07.2021 10:09:45
Fingerprint (SHA-1): XXXXXXXXXXXXXXXXXXX
Summary: Self signed certificate. The error occurred at a depth of 1 in the certificate chain.
Certificate was not issued for this server. You might be connecting to a server that is pretending to be "XXXXXXXXXXXX".
If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
Continue connecting and store the certificate? ()
Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES128-GCM-SHA256, 2048 bit RSA
TLS connection established. Waiting for welcome message...
USER XXXXXX
331 Password required for XXXXXX
PASS *****************
230 User XXXXXXlogged in
SYST
215 UNIX Type: L8
FEAT
211-Features:
MFMT
SIZE
PROT
CCC
PBSZ
AUTH TLS
MFF modify;UNIX.group;UNIX.mode;
REST STREAM
MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
UTF8
LANG en-US*
EPRT
EPSV
MDTM
SSCN
TVFS
211 End
OPTS UTF8 ON
200 UTF8 set to on
PBSZ 0
200 PBSZ 0 successful
PROT P
200 Protection set to Private
Connected
--------------------------------------------------------------------------
Using FTP protocol.
Doing startup conversation with host.
PWD
257 "/" is the current directory
Getting current directory name.
Retrieving directory listing...
TYPE A
200 Type set to A
PASV
227 Entering Passive Mode (XXX,XXX,XXX,XXX,218,32).
MLSD
Connecting to XXX.XXX.XXX.XXX:55840 ...
150 Opening ASCII mode data connection for MLSD
Session ID reused
TLS connection established
......
.......
226 Transfer complete
Directory listing successful
Is your qnap running the latest firmware?
OK. Then another try: log in to your NAS via putty (SSH) and navigate to
/etc/config
and make a cat proftpd.conf
and compare the first config lines to this one of my proFTPd config:
ServerName "ProFTPD"
ServerType standalone
DefaultServer on
RootLogin on
Port 21
MaxInstances 30
User guest
Group guest
DefaultRoot /share
Umask 000
ShowSymlinks off
AllowOverwrite on
TimesGMT off
UseReverseDNS off
WtmpLog off
AllowStoreRestart on
TransferLog NONE
UseReverseDNS off
IdentLookups off
DisplayLogin /etc/config/welcome.msg
UseEncoding UTF-8 UTF-8
RLimitMemory daemon 32M 512M
RLimitMemory session 128M 256M
TLSEngine on
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
TLSRenegotiate none
TLSRequired off
TLSRSACertificateFile /etc/config/stunnel/backup.cert
TLSRSACertificateKeyFile /etc/config/stunnel/backup.key
TLSCACertificateFile /etc/ssl/certs/myrootca.crt
TLSOptions NoCertRequest NoSessionReuseRequired
TLSVerifyClient off
TLSServerCipherPreference on
TLSCipherSuite EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
TLSCryptoDevice all
PassivePorts 55555 56000
MaxClientsPerUser 10
EnableUserWanIp off
AllowForeignAddress on
These are only the first lines without the permission directives.
Try to remove the option: NoCertRequest
Can I simply modify it (add the entry), save and that's it?
It's worth a try. After modifying and saving the config file you need to restart the proftpd service. Can be done directly on the console with:
/etc/init.d/ftp.sh restart
No problem, you're welcome.