stibonator
Goto Top

Zugriff auf QNAP per FTPS mit Filezilla funktioniert nicht

Hallo zusammen,

ich habe hier ein Problem, bei dem ich nicht weiter weiß. Konkret geht es um den Zugriff per FTPS (SFTP wird leider nicht unterstützt, daher fällt das weg) auf unsere QNAP TS-EC879U-RP über's Internet. Das Gerät steht hinter einer Sonicwall, von der aus die benötigten Ports (20, 21) an die QNAP weitergeleitet werden.

Wenn ich mich nun per Filezilla verbinden möchte, bleibt der Prozess beim Auflisten der Verzeichnisse stehen.
Die einstellungen sind wie folgt gesetzt:

Protocol: FTP
Encryption. Require explicit FTP over TLS
Logon Type: Normal (User/PW hinterlegt)

Zugriff mittels externer IP:
10:48:23   Status:   Connecting to 123.45.678.901:21...
10:48:23   Status:   Connection established, waiting for welcome message...
10:48:23   Status:   Initializing TLS...
10:48:23   Status:   Verifying certificate...
10:48:23   Status:   TLS connection established.
10:48:23   Status:   Logged in
10:48:23   Status:   Retrieving directory listing...
10:48:43   Command:   PWD
10:48:43   Response:   257 "/" is the current directory  
10:48:43   Command:   TYPE I
10:48:43   Response:   200 Type set to I
10:48:43   Command:   PORT 192,168,96,64,217,161
10:48:43   Response:   200 PORT command successful
10:48:43   Command:   MLSD
10:48:43   Error:   Connection timed out after 20 seconds of inactivity
10:48:43   Error:   Failed to retrieve directory listing
10:48:43   Status:   Disconnected from server
10:48:43   Status:   Connecting to 123.45.678.901:21...
10:48:43   Status:   Connection established, waiting for welcome message...
10:48:43   Status:   Initializing TLS...
10:48:43   Status:   Verifying certificate...
10:48:43   Status:   TLS connection established.
10:48:43   Status:   Logged in
10:48:43   Status:   Retrieving directory listing...
10:48:57   Command:   PWD
10:48:57   Response:   257 "/" is the current directory  
10:48:57   Command:   TYPE I
10:48:57   Response:   200 Type set to I
10:48:57   Command:   PORT 192,168,96,64,217,165
10:48:57   Response:   200 PORT command successful
10:48:57   Command:   MLSD
10:48:57   Error:   Directory listing aborted by user

Wenn ich plain FTP nutze, dann klappt alles einwandfrei:

10:49:50   Status:   Connecting to 123.45.678.901:21...
10:49:50   Status:   Connection established, waiting for welcome message...
10:49:55   Status:   Logged in
10:49:55   Status:   Retrieving directory listing...
10:49:56   Status:   Directory listing of "/" successful  

Die Einstellungen sind wie folgt gesetzt:
FTP-Dienst ist aktiviert
Protokolltyp: FTP (Standard) und FTP mit SSL/TLS (explizit) sind aktiviert
Portnummer: 21
Unicde-Unterstützung: Ja
Anonymer zugriff aktivieren: Nein

Der Zugriff übers LAN funktioniert fast, hier erscheint folgende Ferhlemeldung:

13:55:07	Status:	Connecting to 10.50.1.25:21...
13:55:07	Status:	Connection established, waiting for welcome message...
13:55:07	Status:	Initializing TLS...
13:55:07	Status:	Verifying certificate...
13:55:07	Status:	TLS connection established.
13:55:07	Status:	Logged in
13:55:07	Status:	Retrieving directory listing of "/marcapo"...  
13:55:07	Command:	CWD /marcapo
13:55:07	Response:	250 CWD command successful
13:55:07	Command:	TYPE I
13:55:07	Response:	200 Type set to I
13:55:07	Command:	PORT 192,168,96,64,222,118
13:55:07	Response:	200 PORT command successful
13:55:07	Command:	MLSD
13:55:07	Response:	150 Opening BINARY mode data connection for MLSD
13:55:07	Error:	Primary connection and data connection certificates don't match.  
13:55:07	Error:	Transfer connection interrupted: ECONNABORTED - Connection aborted
13:55:07	Response:	425 Unable to build data connection: Operation not permitted
13:55:07	Error:	Failed to retrieve directory listing

Hat hier jemand eine Idee, woran es hängen könnte?

Content-ID: 308323

Url: https://administrator.de/forum/zugriff-auf-qnap-per-ftps-mit-filezilla-funktioniert-nicht-308323.html

Ausgedruckt am: 23.12.2024 um 09:12 Uhr

Kraemer
Kraemer 27.06.2016 um 14:00:51 Uhr
Goto Top
Moin,

du verwechselst du Ports. Du nutzt die Ports von SFTP. FTPS benutzt andere (sogar dynamisch, wenn ich das richtig im Kopf habe).

Gruß Krämer
Stibonator
Stibonator 27.06.2016 um 14:10:42 Uhr
Goto Top
Halo Krämer,

Du hast Recht, ich habe die Ports tatsächlich vertauscht / falsch in der Firewall eingetragen. Ich habe dasselbe Spiel mit den Ports 989 und 990 wiederholt, nun werden diese korrekt an die QNAP weitergeleitet, allerdings kriege ich hier nun dieselbe Fehlermeldung wie bei der internen IP:

14:09:58	Error:	Primary connection and data connection certificates don't match.  
14:09:58	Error:	Transfer connection interrupted: ECONNABORTED - Connection aborted
14:09:58	Response:	425 Unable to build data connection: Operation not permitted
14:09:58	Error:	Failed to retrieve directory listing

Ich weiß leider nicht, woran das liegen könnte. :|
Kraemer
Kraemer 27.06.2016 um 14:28:07 Uhr
Goto Top
Du hast FTP passiv konfiguriert?
129813
129813 27.06.2016 aktualisiert um 15:41:26 Uhr
Goto Top
Hi.
Sure you can connect via SSH and SFTP, no problem with a QNAP!! You only need SSH enabled and forwarded, then you can use SFTP.

But back to your FTP. In this line you can see that the server wants to tell the client the IP and the port for the data connection
10:48:57   Command:   PORT 192,168,96,64,217,165 
The first 4 parts are the IP and with the last two numbers you can calculate the data port
(217 x 256) + 165 = 55717

So first the error here is the FTP-Server does not tell the client the external IP. And second you did not configure to use a static port range for the data connections. These data ports need to be forwarded to the QNAP. Third, you are not using passive mode.

All common errors of beginners.

Regards
Stibonator
Stibonator 27.06.2016 aktualisiert um 16:07:01 Uhr
Goto Top
@Kraemer: ich habe es mit passivem FTP versucht, es hat allerdings nicht funktioniert. Aktives FTP funktionierte.

Hello highload,

Thanks for your reply. I ticked on the option "Allow SSH connection", chose port 22 and ticked on allow SFTP. I forwarded port 22 to the QNAP, I chose the port range from 55536 to 55540 and I ticked on "reply with external IP" and entered its external IP.

When trying to connect via Filezilla using sFTP, here's what I get:

16:00:12	Status:	Disconnected from server
16:00:12	Status:	Connecting to 123.45.678.910...
16:00:12	Response:	fzSftp started, protocol_version=5
16:00:12	Command:	open "marcapo@123.45.678.910" 22  
16:00:12	Error:	Server unexpectedly closed network connection
16:00:12	Error:	Could not connect to server
16:00:12	Status:	Waiting to retry...
16:00:17	Status:	Connecting to 123.45.678.910...
16:00:17	Response:	fzSftp started, protocol_version=5
16:00:17	Command:	open "marcapo@123.45.678.910" 22  
16:00:17	Error:	Server unexpectedly closed network connection
16:00:17	Error:	Could not connect to server

This happens using the internal as well as the external IP address. QNAP's error log says "Login fail for user marcapo for ssh".
129813
129813 27.06.2016 aktualisiert um 16:34:12 Uhr
Goto Top
SSH only needs 1 port! This port needs to be forwarded.
The other ports you mentioned are only for plain FTP(S) usage not for SFTP.
If you are using plain ftp(s) these dynamic ports all need to be forwarded on the router to the NAS. Don't mix the protocols!!
And use putty or WinSCP as reference clients to verify functions, not FileZilla.
What kind of router and firewall are you using?
Kraemer
Kraemer 27.06.2016 um 16:50:18 Uhr
Goto Top
Zitat von @129813:
SSH only needs 1 port! This port needs to be forwarded.
The other ports you mentioned are only for plain FTP(S) usage not for SFTP.

Zitat von @Stibonator:
Konkret geht es um den Zugriff per FTPS (SFTP wird leider nicht unterstützt,
Stibonator
Stibonator 27.06.2016 um 17:03:05 Uhr
Goto Top
We're using a Sonicwall TZ 600. I'm forwarding port 22 to the QNAP. I set the QNAP to answer with its external IP using passive mode.
WinSCP says:

Transfer channel can't be opened. Reason: Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte. (roughly translated: "Connection could not be established,destination computer rejected the connection")  
Could not retrieve directory listing

Timeout detected. (control connection)
Error changing directory to '/'.  

I think it might have to do with the Sonicwall, blocking the connection. I'm gonna try to set the SSH port to something uncommon and report it here.
Thanks so far and in advance for your help! face-smile
129813
129813 27.06.2016 aktualisiert um 17:08:23 Uhr
Goto Top
As I said, SSH has nothing to do with the dynamic ports used for the data connection and FTP(S). These additional ports are only used in conjunction with FTP(S) not ssh (SFTP), you are mixing two totally different protocols !
So only when you want to use FTPS the dynamic port range has to be forwarded on the firewall to your NAS. And check your firewall filters.
Stibonator
Stibonator 27.06.2016 um 17:09:18 Uhr
Goto Top
Yes, I know that now and I don't use the dynamic ports anymore. I'm only concentrating on sFTP (SSH FTP) over port 22 now. I might have one more guess: the QNAP manual says that a ssh connection is only allowed for the administrator - does this also apply to SFTP?
129813
129813 27.06.2016 aktualisiert um 17:11:25 Uhr
Goto Top
Zitat von @Stibonator:

the QNAP manual says that a ssh connection is only allowed for the administrator - does this also apply to SFTP?
Yes. SSH per default is only for users of the admin group.
Stibonator
Stibonator 28.06.2016 aktualisiert um 09:00:18 Uhr
Goto Top
Okay, thanks, got it. Adding the user to the admin group didn't resolve the issues, but I found some How-Tos in the QNAP forum explaining how to add the possibility to grant normal users logging in via sftp. I don't think we're gonna edit the SSH options since the QNAP's running some important services and we don't want to mess it up during business hours.

Is there any way I can configure FTP with excplicit FTP over TLS on the QNAP? Can you help me with that?
I keep getting the error "Unable to build data connection: Operation not permitted".
Kraemer
Kraemer 28.06.2016 aktualisiert um 09:17:24 Uhr
Goto Top
1. FTP mit SSL aktivieren
2. Port=21
3. FTP auf Passiv stellen
4. Portbereich 55536-56559 (standard)
5. Mit externer IP-Adresse reagieren aktivieren
6. Firewall Portforwarding Port 21,55536-56559 auf die Qnap
7. Am Client FTPS als Protokoll / Verbindungsart wählen

Edit: Und nicht vergessen das dem Benutzer auch passende Berechtigungen erteilt werden müssen
Stibonator
Stibonator 28.06.2016 um 11:26:57 Uhr
Goto Top
1:1 umgesetzt, leider immer noch:

10:54:35	Status:	Connecting to 123.45.678.901:21...
10:54:35	Status:	Connection established, waiting for welcome message...
10:54:35	Status:	Initializing TLS...
10:54:35	Status:	Verifying certificate...
10:54:35	Status:	TLS connection established.
10:54:35	Status:	Logged in
10:54:35	Status:	Retrieving directory listing of "/marcapo"...  
10:54:35	Command:	CWD /marcapo
10:54:35	Response:	250 CWD command successful
10:54:35	Command:	TYPE I
10:54:35	Response:	200 Type set to I
10:54:35	Command:	PASV
10:54:35	Response:	227 Entering Passive Mode (123,45,678,901,219,134).
10:54:35	Command:	MLSD
10:54:35	Response:	150 Opening BINARY mode data connection for MLSD
10:54:35	Response:	425 Unable to build data connection: Operation not permitted
10:54:35	Error:	Failed to retrieve directory listing

Auch der Zugriff als admin liefert diese F.ehlermeldung
Kraemer
Lösung Kraemer 28.06.2016 um 12:22:20 Uhr
Goto Top
Prüfen mal folgende Einstellungen im Filezilla:

Open Filezilla, go to Edit -> Settings
Click on Connection -> FTP: Choose Active
Click on Connection -> FTP -> Active Mode: Select "Ask your operating system for the external IP address"
Click on Connection -> FTP -> Passive Mode: Choose Fall Back to Active Mode
129813
129813 28.06.2016 aktualisiert um 12:30:48 Uhr
Goto Top
Test another FTP-Client (WinSCP). FileZilla often fails with FTPS and specific FTP-server-settings and commands
https://stefankonarski.de/content/geloest-filezilla-verzeichnisinhalt-ko ...
Stibonator
Stibonator 28.06.2016 um 12:30:34 Uhr
Goto Top
Hallo Kraemer,

hilft leider nichts. Ich bin mittlerweile echt ratlos, was das Ganze angeht. :D
Kraemer
Kraemer 28.06.2016 um 12:31:42 Uhr
Goto Top
Test another FTP-Client (WinSCP)
Genau das wäre jetzt auch meine Empfehlung
Stibonator
Stibonator 28.06.2016 aktualisiert um 12:34:13 Uhr
Goto Top
Highload: WinSCP as well as FlashFXP generate the same error (WinSCP: "Could not retrieve directory listing. Unable to build data connection: Operation not permitted", FlashFXP: " 425 Unable to build data connection: Operation not permitted").
129813
129813 28.06.2016 um 12:34:57 Uhr
Goto Top
I will test it here with a QNAP sys in a second...
129813
129813 28.06.2016 aktualisiert um 12:46:31 Uhr
Goto Top
Here it works as expected, will post my settings later, i have to leave now, feeding a client face-wink
129813
Lösung 129813 28.06.2016 aktualisiert um 14:25:31 Uhr
Goto Top
I tested it successfully also from outside with dynamic ports forwarded. So there must be a problem with your client-firewall or your router-firewall perhaps doing DPI or something else.

screenshot

screenshot

screenshot

Try turning of MLSD command within WinSCP:

screenshot

--------------------------------------------------------------------------
WinSCP Version 5.7.7 (Build 6257) (OS 6.1.7601 Service Pack 1 - Windows 7 Ultimate)
--------------------------------------------------------------------------
Connecting to XXXXXXXXX:21 ...
Connected with XXXXXXXXX:21, negotiating TLS connection...
220 NASFTPD Turbo station 1.3.5a Server (ProFTPD) [XXXXXXXXXXX]
AUTH TLS
234 AUTH TLS successful
Verifying certificate for "QNAP Systems, Inc." with fingerprint XXXXXXXXXXXXX
Asking user:
**The server's certificate is not known. You have no guarantee that the server is the computer you think it is.**

Server's certificate details follow:

Issuer:
- Organization: QNAP Systems, Inc., NAS, TS Series NAS, q_support@qnap.com
- Location: TW, Taiwan, Taipei

Subject:
- Organization: QNAP Systems, Inc., NAS, TS Series NAS, q_support@qnap.com
- Location: TW, Taiwan, Taipei

Valid: 08.07.2011 10:09:45 - 05.07.2021 10:09:45

Fingerprint (SHA-1): XXXXXXXXXXXXXXXXXXX

Summary: Self signed certificate. The error occurred at a depth of 1 in the certificate chain.

Certificate was not issued for this server. You might be connecting to a server that is pretending to be "XXXXXXXXXXXX".

If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.

Continue connecting and store the certificate? ()
Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES128-GCM-SHA256, 2048 bit RSA
TLS connection established. Waiting for welcome message...
USER XXXXXX
331 Password required for XXXXXX
PASS *****************
230 User XXXXXXlogged in
SYST
215 UNIX Type: L8
FEAT
211-Features:
 MFMT
 SIZE
 PROT
 CCC
 PBSZ
 AUTH TLS
 MFF modify;UNIX.group;UNIX.mode;
 REST STREAM
 MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
 UTF8
 LANG en-US*
 EPRT
 EPSV
 MDTM
 SSCN
 TVFS
211 End
OPTS UTF8 ON
200 UTF8 set to on
PBSZ 0
200 PBSZ 0 successful
PROT P
200 Protection set to Private
Connected
--------------------------------------------------------------------------
Using FTP protocol.
Doing startup conversation with host.
PWD
257 "/" is the current directory
Getting current directory name.
Retrieving directory listing...
TYPE A
200 Type set to A
PASV
227 Entering Passive Mode (XXX,XXX,XXX,XXX,218,32).
MLSD
Connecting to XXX.XXX.XXX.XXX:55840 ...
150 Opening ASCII mode data connection for MLSD
Session ID reused
TLS connection established
......
.......
226 Transfer complete
Directory listing successful

Is your qnap running the latest firmware?
Stibonator
Stibonator 28.06.2016 aktualisiert um 15:10:50 Uhr
Goto Top
Thanks highload for your efforts! I've set the settings just as you have, still no luck, though.
No, the QNAP is not running the latest firmware. However, I can't simply upgrade it because it's running in a business environment, so upgrading it would require some downtime which I cannot get at the moment.

Turning off MLSD did not do it, either.

The firewall (Sonicwall) does not perform DPI. I'm gonna suggest to perform a firmware upgrade to see whether this resolves the issue.
129813
129813 28.06.2016 aktualisiert um 16:05:25 Uhr
Goto Top
OK. Then another try, login to your NAS via putty (SSH) and navigate to /etc/config and make a cat proftpd.conf and compare the first config lines to this one of my proFTPd config:
ServerName              "ProFTPD"
ServerType              standalone
DefaultServer           on
RootLogin               on
Port                    21
MaxInstances            30
User                    guest
Group                   guest
DefaultRoot             /share
Umask                   000
ShowSymlinks            off
AllowOverwrite          on
TimesGMT                        off
UseReverseDNS           off
WtmpLog                 off
AllowStoreRestart       on
TransferLog             NONE
UseReverseDNS            off
IdentLookups             off
DisplayLogin            /etc/config/welcome.msg
UseEncoding     UTF-8 UTF-8
RLimitMemory daemon 32M 512M
RLimitMemory session 128M 256M
TLSEngine       on
TLSProtocol     TLSv1 TLSv1.1 TLSv1.2
TLSRenegotiate  none
TLSRequired            off
TLSRSACertificateFile  /etc/config/stunnel/backup.cert
TLSRSACertificateKeyFile /etc/config/stunnel/backup.key
TLSCACertificateFile   /etc/ssl/certs/myrootca.crt
TLSOptions              NoCertRequest NoSessionReuseRequired
TLSVerifyClient off
TLSServerCipherPreference  on
TLSCipherSuite EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
TLSCryptoDevice    all
PassivePorts 55555 56000
MaxClientsPerUser       10
EnableUserWanIp          off
AllowForeignAddress     on
These are only the first lines without the permission directives.

Try to remove the option: NoCertRequest
Stibonator
Stibonator 28.06.2016 aktualisiert um 16:14:40 Uhr
Goto Top
The lines that differ are:

TLSProtocol
Mine: SSLv23 | yous: TLSv1 TLSv1.1 TLSv1.2

TLSOptions
Mine: NoCertRequest | yours: NoSessionReuseRequired

TLSServerCipherPreference, TLSCipherSuite, TLSCryptoDevice
Does not exist in my config

EnableUserWanIp
Mine: on | yours: off

Seeing this I believe it has something to do with the parameter NoSessionReuseRequired. I've seen numerous blog posts during my research who changed that in their ProFTPD settings, but I was not able to find the file this could be changed on the QNAP in.
Can I simply modify it (add the entry), save and that's it?
129813
129813 28.06.2016 aktualisiert um 16:22:52 Uhr
Goto Top
Can I simply modify it (add the entry), save and that's it?
It's worth a try, after modifying and saving the config file you need to restart the proftpd service
Can be done directly on the console with :
/etc/init.d/ftp.sh restart
Stibonator
Stibonator 28.06.2016 um 16:34:01 Uhr
Goto Top
Holy cow, I thought that was it, but after making the changes and restarting the ftp service, the changes are rolled back, my entry which I added is missing... :D
Stibonator
Stibonator 28.06.2016 um 17:48:30 Uhr
Goto Top
Hello again,

mea culpa, I've talked to a colleague and he told me that the Sonicwall does DPI. We set an exclusion for the QNAP and now everything works fine.

Thanks so much for your help! Dir auch Danke, Kraemer!
129813
129813 28.06.2016 um 18:08:44 Uhr
Goto Top
No problem, you're welcome face-smile.