Member: stibonator

Access to QNAP via FTPS with FileZilla does not work

Hello everyone,

I have a problem here that I can't figure out. Specifically, it's about access via FTPS (SFTP is unfortunately not supported, so that's out) to our QNAP TS-EC879U-RP over the Internet. The device sits behind a SonicWall, which forwards the required ports (20, 21) to the QNAP.

When I try to connect via FileZilla, the process stalls while listing the directories.
The settings are set as follows:

Protocol: FTP
Encryption: Require explicit FTP over TLS
Logon Type: Normal (user/password stored)

Access via external IP:
10:48:23   Status:   Connecting to 123.45.678.901:21...
10:48:23   Status:   Connection established, waiting for welcome message...
10:48:23   Status:   Initializing TLS...
10:48:23   Status:   Verifying certificate...
10:48:23   Status:   TLS connection established.
10:48:23   Status:   Logged in
10:48:23   Status:   Retrieving directory listing...
10:48:43   Command:   PWD
10:48:43   Response:   257 "/" is the current directory  
10:48:43   Command:   TYPE I
10:48:43   Response:   200 Type set to I
10:48:43   Command:   PORT 192,168,96,64,217,161
10:48:43   Response:   200 PORT command successful
10:48:43   Command:   MLSD
10:48:43   Error:   Connection timed out after 20 seconds of inactivity
10:48:43   Error:   Failed to retrieve directory listing
10:48:43   Status:   Disconnected from server
10:48:43   Status:   Connecting to 123.45.678.901:21...
10:48:43   Status:   Connection established, waiting for welcome message...
10:48:43   Status:   Initializing TLS...
10:48:43   Status:   Verifying certificate...
10:48:43   Status:   TLS connection established.
10:48:43   Status:   Logged in
10:48:43   Status:   Retrieving directory listing...
10:48:57   Command:   PWD
10:48:57   Response:   257 "/" is the current directory  
10:48:57   Command:   TYPE I
10:48:57   Response:   200 Type set to I
10:48:57   Command:   PORT 192,168,96,64,217,165
10:48:57   Response:   200 PORT command successful
10:48:57   Command:   MLSD
10:48:57   Error:   Directory listing aborted by user

When I use plain FTP, everything works fine:

10:49:50   Status:   Connecting to 123.45.678.901:21...
10:49:50   Status:   Connection established, waiting for welcome message...
10:49:55   Status:   Logged in
10:49:55   Status:   Retrieving directory listing...
10:49:56   Status:   Directory listing of "/" successful  

The settings are set as follows:
FTP service is enabled
Protocol type: FTP (standard) and FTP with SSL/TLS (explicit) are enabled
Port number: 21
Unicode support: Yes
Enable anonymous access: No

Access over the LAN almost works; here the following error message appears:

13:55:07	Status:	Connecting to 10.50.1.25:21...
13:55:07	Status:	Connection established, waiting for welcome message...
13:55:07	Status:	Initializing TLS...
13:55:07	Status:	Verifying certificate...
13:55:07	Status:	TLS connection established.
13:55:07	Status:	Logged in
13:55:07	Status:	Retrieving directory listing of "/marcapo"...  
13:55:07	Command:	CWD /marcapo
13:55:07	Response:	250 CWD command successful
13:55:07	Command:	TYPE I
13:55:07	Response:	200 Type set to I
13:55:07	Command:	PORT 192,168,96,64,222,118
13:55:07	Response:	200 PORT command successful
13:55:07	Command:	MLSD
13:55:07	Response:	150 Opening BINARY mode data connection for MLSD
13:55:07	Error:	Primary connection and data connection certificates don't match.  
13:55:07	Error:	Transfer connection interrupted: ECONNABORTED - Connection aborted
13:55:07	Response:	425 Unable to build data connection: Operation not permitted
13:55:07	Error:	Failed to retrieve directory listing

Does anyone have an idea what this could be stuck on?

Url: https://administrator.de/contentid/308323

Member: Kraemer
Kraemer Jun 27, 2016 at 12:00:51 (UTC)
Hi,

you're mixing up the ports. You're using the SFTP ports. FTPS uses different ones (even dynamic ones, if I remember correctly).

Regards, Krämer
Member: Stibonator
Stibonator Jun 27, 2016 at 12:10:42 (UTC)
Hello Krämer,

You're right, I had indeed swapped the ports / entered them wrongly in the firewall. I repeated the same game with ports 989 and 990; these are now forwarded correctly to the QNAP, but now I get the same error message as with the internal IP:

14:09:58	Error:	Primary connection and data connection certificates don't match.  
14:09:58	Error:	Transfer connection interrupted: ECONNABORTED - Connection aborted
14:09:58	Response:	425 Unable to build data connection: Operation not permitted
14:09:58	Error:	Failed to retrieve directory listing

Unfortunately I don't know what could be causing this. :|
Member: Kraemer
Kraemer Jun 27, 2016 at 12:28:07 (UTC)
Have you configured FTP as passive?
Member: 129813
129813 Jun 27, 2016 updated at 13:41:26 (UTC)
Hi.
Sure you can connect via SSH and SFTP, no problem with a QNAP!! You only need SSH enabled and forwarded, then you can use SFTP.

But back to your FTP. In this line you can see that the server wants to tell the client the IP and the port for the data connection
10:48:57   Command:   PORT 192,168,96,64,217,165 
The first 4 parts are the IP and with the last two numbers you can calculate the data port
(217 x 256) + 165 = 55717

So first the error here is the FTP-Server does not tell the client the external IP. And second you did not configure to use a static port range for the data connections. These data ports need to be forwarded to the QNAP. Third, you are not using passive mode.

All common errors of beginners.

Regards
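As an added illustration of the PORT/PASV arithmetic in the reply above (example code written for this page, not from the thread, QNAP or FileZilla), the following Python script decodes the six-number tuples from FileZilla-style log lines, computes the data port as p1 * 256 + p2, and flags the two NAT problems this thread turns on: an RFC 1918 address advertised to a peer across the Internet, and a passive data port outside the range the firewall forwards. The log lines, the documentation address 203.0.113.10 standing in for the NAS's public IP, and the forwarded range 55536-56559 (the QNAP default quoted later in the thread) are constructed assumptions.

```python
"""Decode FTP PORT / 227 host-port tuples from a client log and flag the
classic NAT and firewall problems with the data connection."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: FileZilla-style log lines modelled on the thread's log.
# 203.0.113.10 is a documentation address standing in for the NAS's public IP.
SAMPLE_LOG = """\
10:48:43   Command:   PORT 192,168,96,64,217,165
10:48:43   Response:   200 PORT command successful
10:54:35   Command:   PASV
10:54:35   Response:   227 Entering Passive Mode (203,0,113,10,219,134).
11:02:10   Command:   PASV
11:02:10   Response:   227 Entering Passive Mode (203,0,113,10,234,1).
"""

# Assumed forwarded passive range (the QNAP default range quoted in the thread).
FORWARDED_RANGE = (55536, 56559)

# Private address blocks that a NAT peer cannot reach (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PORT_RE = re.compile(r"\bPORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"\b227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataEndpoint:
    mode: str   # "active": client sent PORT; "passive": server answered 227
    host: str   # address the other side is expected to connect to
    port: int   # p1 * 256 + p2, as in the thread's (217 x 256) + 165 = 55717


def decode_hostport(fields) -> tuple[str, int]:
    """Turn the six comma-separated PORT / 227 fields into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if not all(0 <= n <= 255 for n in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"field out of range in {fields}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_rfc1918(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def parse_data_endpoints(log: str) -> list[DataEndpoint]:
    """Extract every data-connection endpoint announced in the log."""
    endpoints: list[DataEndpoint] = []
    for line in log.splitlines():
        m = PORT_RE.search(line)
        if m:
            host, port = decode_hostport(m.groups())
            endpoints.append(DataEndpoint("active", host, port))
            continue
        m = PASV_RE.search(line)
        if m:
            host, port = decode_hostport(m.groups())
            endpoints.append(DataEndpoint("passive", host, port))
    return endpoints


def diagnose(ep: DataEndpoint, peer_over_internet: bool,
             forwarded: tuple[int, int] = FORWARDED_RANGE) -> list[str]:
    """Return human-readable findings for one announced endpoint."""
    findings: list[str] = []
    if peer_over_internet and is_rfc1918(ep.host):
        findings.append(f"{ep.mode}: private address {ep.host} announced across NAT; "
                        "the peer cannot reach it (announce the external IP instead)")
    # Only the server's passive port must lie inside the range forwarded to the NAS.
    if ep.mode == "passive" and not forwarded[0] <= ep.port <= forwarded[1]:
        findings.append(f"passive: data port {ep.port} outside forwarded range "
                        f"{forwarded[0]}-{forwarded[1]}; the firewall will drop it")
    return findings


if __name__ == "__main__":
    for ep in parse_data_endpoints(SAMPLE_LOG):
        print(ep, diagnose(ep, peer_over_internet=True) or ["ok"])
```

Running the script on the sample shows the first thread log's problem (a 192.168.x address announced to the NAS over the Internet) and one passive response whose port lies outside the forwarded range; the middle response passes both checks.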
Member: Stibonator
Stibonator Jun 27, 2016 updated at 14:07:01 (UTC)
@Kraemer: I tried passive FTP, but it didn't work. Active FTP worked.

Hello highload,

Thanks for your reply. I ticked on the option "Allow SSH connection", chose port 22 and ticked on allow SFTP. I forwarded port 22 to the QNAP, I chose the port range from 55536 to 55540 and I ticked on "reply with external IP" and entered its external IP.

When trying to connect via Filezilla using sFTP, here's what I get:

16:00:12	Status:	Disconnected from server
16:00:12	Status:	Connecting to 123.45.678.910...
16:00:12	Response:	fzSftp started, protocol_version=5
16:00:12	Command:	open "marcapo@123.45.678.910" 22  
16:00:12	Error:	Server unexpectedly closed network connection
16:00:12	Error:	Could not connect to server
16:00:12	Status:	Waiting to retry...
16:00:17	Status:	Connecting to 123.45.678.910...
16:00:17	Response:	fzSftp started, protocol_version=5
16:00:17	Command:	open "marcapo@123.45.678.910" 22  
16:00:17	Error:	Server unexpectedly closed network connection
16:00:17	Error:	Could not connect to server

This happens using the internal as well as the external IP address. QNAP's error log says "Login fail for user marcapo for ssh".
Member: 129813
129813 Jun 27, 2016 updated at 14:34:12 (UTC)
SSH only needs 1 port! This port needs to be forwarded.
The other ports you mentioned are only for plain FTP(S) usage not for SFTP.
If you are using plain ftp(s) these dynamic ports all need to be forwarded on the router to the NAS. Don't mix the protocols!!
And use putty or WinSCP as reference clients to verify functions, not FileZilla.
What kind of router and firewall are you using?
Member: Kraemer
Kraemer Jun 27, 2016 at 14:50:18 (UTC)
Quote from @129813:
SSH only needs 1 port! This port needs to be forwarded.
The other ports you mentioned are only for plain FTP(S) usage not for SFTP.

Quote from @Stibonator:
Specifically, it's about access via FTPS (SFTP is unfortunately not supported,
Member: Stibonator
Stibonator Jun 27, 2016 at 15:03:05 (UTC)
We're using a Sonicwall TZ 600. I'm forwarding port 22 to the QNAP. I set the QNAP to answer with its external IP using passive mode.
WinSCP says:

Transfer channel can't be opened. Reason: Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte. (roughly translated: "Connection could not be established, destination computer rejected the connection")
Could not retrieve directory listing

Timeout detected. (control connection)
Error changing directory to '/'.  

I think it might have to do with the Sonicwall, blocking the connection. I'm gonna try to set the SSH port to something uncommon and report it here.
Thanks so far and in advance for your help!
Member: 129813
129813 Jun 27, 2016 updated at 15:08:23 (UTC)
As I said, SSH has nothing to do with the dynamic ports used for the data connection and FTP(S). These additional ports are only used in conjunction with FTP(S), not SSH (SFTP); you are mixing two totally different protocols!
So only when you want to use FTPS the dynamic port range has to be forwarded on the firewall to your NAS. And check your firewall filters.
Member: Stibonator
Stibonator Jun 27, 2016 at 15:09:18 (UTC)
Yes, I know that now and I don't use the dynamic ports anymore. I'm only concentrating on sFTP (SSH FTP) over port 22 now. I might have one more guess: the QNAP manual says that a ssh connection is only allowed for the administrator - does this also apply to SFTP?
Member: 129813
129813 Jun 27, 2016 updated at 15:11:25 (UTC)
Quote from @Stibonator:

the QNAP manual says that a ssh connection is only allowed for the administrator - does this also apply to SFTP?
Yes. SSH per default is only for users of the admin group.
Member: Stibonator
Stibonator Jun 28, 2016 updated at 07:00:18 (UTC)
Okay, thanks, got it. Adding the user to the admin group didn't resolve the issues, but I found some How-Tos in the QNAP forum explaining how to add the possibility to grant normal users logging in via sftp. I don't think we're gonna edit the SSH options since the QNAP's running some important services and we don't want to mess it up during business hours.

Is there any way I can configure FTP with explicit FTP over TLS on the QNAP? Can you help me with that?
I keep getting the error "Unable to build data connection: Operation not permitted".
Member: Kraemer
Kraemer Jun 28, 2016 updated at 07:17:24 (UTC)
1. Enable FTP with SSL
2. Port = 21
3. Set FTP to passive
4. Port range 55536-56559 (default)
5. Enable "Respond with external IP address"
6. Firewall port forwarding of ports 21, 55536-56559 to the QNAP
7. On the client, select FTPS as the protocol / connection type

Edit: And don't forget that the user must also be granted appropriate permissions
Member: Stibonator
Stibonator Jun 28, 2016 at 09:26:57 (UTC)
Implemented 1:1, unfortunately still:

10:54:35	Status:	Connecting to 123.45.678.901:21...
10:54:35	Status:	Connection established, waiting for welcome message...
10:54:35	Status:	Initializing TLS...
10:54:35	Status:	Verifying certificate...
10:54:35	Status:	TLS connection established.
10:54:35	Status:	Logged in
10:54:35	Status:	Retrieving directory listing of "/marcapo"...  
10:54:35	Command:	CWD /marcapo
10:54:35	Response:	250 CWD command successful
10:54:35	Command:	TYPE I
10:54:35	Response:	200 Type set to I
10:54:35	Command:	PASV
10:54:35	Response:	227 Entering Passive Mode (123,45,678,901,219,134).
10:54:35	Command:	MLSD
10:54:35	Response:	150 Opening BINARY mode data connection for MLSD
10:54:35	Response:	425 Unable to build data connection: Operation not permitted
10:54:35	Error:	Failed to retrieve directory listing

Access as admin also returns this error message.
Member: Kraemer
Solution Kraemer Jun 28, 2016 at 10:22:20 (UTC)
Check the following settings in FileZilla:

Open Filezilla, go to Edit -> Settings
Click on Connection -> FTP: Choose Active
Click on Connection -> FTP -> Active Mode: Select "Ask your operating system for the external IP address"
Click on Connection -> FTP -> Passive Mode: Choose Fall Back to Active Mode
Member: 129813
129813 Jun 28, 2016 updated at 10:30:48 (UTC)
Test another FTP-Client (WinSCP). FileZilla often fails with FTPS and specific FTP-server-settings and commands
https://stefankonarski.de/content/geloest-filezilla-verzeichnisinhalt-ko ...
Member: Stibonator
Stibonator Jun 28, 2016 at 10:30:34 (UTC)
Hello Kraemer,

unfortunately that doesn't help. By now I'm really at a loss about the whole thing. :D
Member: Kraemer
Kraemer Jun 28, 2016 at 10:31:42 (UTC)
Test another FTP-Client (WinSCP)
That would be exactly my recommendation now, too.
Member: Stibonator
Stibonator Jun 28, 2016 updated at 10:34:13 (UTC)
Highload: WinSCP as well as FlashFXP generate the same error (WinSCP: "Could not retrieve directory listing. Unable to build data connection: Operation not permitted", FlashFXP: " 425 Unable to build data connection: Operation not permitted").
Member: 129813
129813 Jun 28, 2016 at 10:34:57 (UTC)
I will test it here with a QNAP sys in a second...
Member: 129813
129813 Jun 28, 2016 updated at 10:46:31 (UTC)
Here it works as expected, will post my settings later, I have to leave now, feeding a client
Member: 129813
Solution 129813 Jun 28, 2016 updated at 12:25:31 (UTC)
I tested it successfully also from outside with dynamic ports forwarded. So there must be a problem with your client firewall or your router firewall, perhaps doing DPI or something else.

[screenshots of the settings omitted]

Try turning off the MLSD command within WinSCP:

[screenshot omitted]

--------------------------------------------------------------------------
WinSCP Version 5.7.7 (Build 6257) (OS 6.1.7601 Service Pack 1 - Windows 7 Ultimate)
--------------------------------------------------------------------------
Connecting to XXXXXXXXX:21 ...
Connected with XXXXXXXXX:21, negotiating TLS connection...
220 NASFTPD Turbo station 1.3.5a Server (ProFTPD) [XXXXXXXXXXX]
AUTH TLS
234 AUTH TLS successful
Verifying certificate for "QNAP Systems, Inc." with fingerprint XXXXXXXXXXXXX
Asking user:
**The server's certificate is not known. You have no guarantee that the server is the computer you think it is.**

Server's certificate details follow:

Issuer:
- Organization: QNAP Systems, Inc., NAS, TS Series NAS, q_support@qnap.com
- Location: TW, Taiwan, Taipei

Subject:
- Organization: QNAP Systems, Inc., NAS, TS Series NAS, q_support@qnap.com
- Location: TW, Taiwan, Taipei

Valid: 08.07.2011 10:09:45 - 05.07.2021 10:09:45

Fingerprint (SHA-1): XXXXXXXXXXXXXXXXXXX

Summary: Self signed certificate. The error occurred at a depth of 1 in the certificate chain.

Certificate was not issued for this server. You might be connecting to a server that is pretending to be "XXXXXXXXXXXX".

If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.

Continue connecting and store the certificate? ()
Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES128-GCM-SHA256, 2048 bit RSA
TLS connection established. Waiting for welcome message...
USER XXXXXX
331 Password required for XXXXXX
PASS *****************
230 User XXXXXXlogged in
SYST
215 UNIX Type: L8
FEAT
211-Features:
 MFMT
 SIZE
 PROT
 CCC
 PBSZ
 AUTH TLS
 MFF modify;UNIX.group;UNIX.mode;
 REST STREAM
 MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
 UTF8
 LANG en-US*
 EPRT
 EPSV
 MDTM
 SSCN
 TVFS
211 End
OPTS UTF8 ON
200 UTF8 set to on
PBSZ 0
200 PBSZ 0 successful
PROT P
200 Protection set to Private
Connected
--------------------------------------------------------------------------
Using FTP protocol.
Doing startup conversation with host.
PWD
257 "/" is the current directory
Getting current directory name.
Retrieving directory listing...
TYPE A
200 Type set to A
PASV
227 Entering Passive Mode (XXX,XXX,XXX,XXX,218,32).
MLSD
Connecting to XXX.XXX.XXX.XXX:55840 ...
150 Opening ASCII mode data connection for MLSD
Session ID reused
TLS connection established
......
.......
226 Transfer complete
Directory listing successful

Is your qnap running the latest firmware?
Member: Stibonator
Stibonator Jun 28, 2016 updated at 13:10:50 (UTC)
Thanks highload for your efforts! I've set the settings just as you have, still no luck, though.
No, the QNAP is not running the latest firmware. However, I can't simply upgrade it because it's running in a business environment, so upgrading it would require some downtime which I cannot get at the moment.

Turning off MLSD did not do it, either.

The firewall (Sonicwall) does not perform DPI. I'm gonna suggest to perform a firmware upgrade to see whether this resolves the issue.
Member: 129813
129813 Jun 28, 2016 updated at 14:05:25 (UTC)
OK. Then another try: log in to your NAS via PuTTY (SSH), navigate to /etc/config, run cat proftpd.conf and compare the first config lines to this one of my ProFTPD config:
ServerName              "ProFTPD"
ServerType              standalone
DefaultServer           on
RootLogin               on
Port                    21
MaxInstances            30
User                    guest
Group                   guest
DefaultRoot             /share
Umask                   000
ShowSymlinks            off
AllowOverwrite          on
TimesGMT                        off
UseReverseDNS           off
WtmpLog                 off
AllowStoreRestart       on
TransferLog             NONE
UseReverseDNS            off
IdentLookups             off
DisplayLogin            /etc/config/welcome.msg
UseEncoding     UTF-8 UTF-8
RLimitMemory daemon 32M 512M
RLimitMemory session 128M 256M
TLSEngine       on
TLSProtocol     TLSv1 TLSv1.1 TLSv1.2
TLSRenegotiate  none
TLSRequired            off
TLSRSACertificateFile  /etc/config/stunnel/backup.cert
TLSRSACertificateKeyFile /etc/config/stunnel/backup.key
TLSCACertificateFile   /etc/ssl/certs/myrootca.crt
TLSOptions              NoCertRequest NoSessionReuseRequired
TLSVerifyClient off
TLSServerCipherPreference  on
TLSCipherSuite EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
TLSCryptoDevice    all
PassivePorts 55555 56000
MaxClientsPerUser       10
EnableUserWanIp          off
AllowForeignAddress     on
These are only the first lines without the permission directives.

Try to remove the option: NoCertRequest
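To compare and audit such a configuration without reading it by eye, here is an added Python example (not the thread's or ProFTPD's own code) that parses proftpd.conf-style directives, diffs two configs the way the next reply does by hand, and reports the settings that matter for FTPS behind NAT: a TLSProtocol of SSLv23 (mod_tls's keyword for any SSL/TLS version the library offers), whether TLSOptions includes NoSessionReuseRequired (without it mod_tls requires data connections to reuse the control connection's TLS session, which binds the two channels together), TLSRequired off (logins without AUTH TLS accepted), and whether PassivePorts matches the range forwarded at the firewall. The two embedded configs are constructed abbreviations of the values reported in the thread, and the finding texts are my own wording.

```python
"""Parse ProFTPD configuration directives and report the TLS and passive-mode
settings that decide whether FTPS works through a NAT firewall."""
from __future__ import annotations

# Constructed sample: abbreviated proftpd.conf with the values the original
# poster reports for the QNAP (SSLv23, NoCertRequest only, EnableUserWanIp on).
NAS_CONF = """\
ServerName              "ProFTPD"
Port                    21
TLSEngine               on
TLSProtocol             SSLv23
TLSRequired             off
TLSOptions              NoCertRequest
PassivePorts            55536 56559
EnableUserWanIp         on
"""

# Constructed sample modelled on the reference config posted above.
REFERENCE_CONF = """\
ServerName              "ProFTPD"
Port                    21
TLSEngine               on
TLSProtocol             TLSv1 TLSv1.1 TLSv1.2
TLSRequired             off
TLSOptions              NoCertRequest NoSessionReuseRequired
PassivePorts            55555 56000
EnableUserWanIp         off
"""

Config = dict[str, list[str]]


def parse_proftpd(text: str) -> Config:
    """Map each directive name to the list of values it was given; a directive
    may appear more than once (UseReverseDNS does in the posted config)."""
    directives: Config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("<"):         # skip <Anonymous>/<Directory> tags
            continue
        parts = line.split(None, 1)
        name, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        directives.setdefault(name, []).append(value)
    return directives


def tls_options(conf: Config) -> set[str]:
    return {opt for value in conf.get("TLSOptions", []) for opt in value.split()}


def audit(conf: Config, forwarded: tuple[int, int]) -> list[tuple[str, str]]:
    """Return (code, explanation) findings relevant to FTPS behind NAT."""
    findings: list[tuple[str, str]] = []
    protos = " ".join(conf.get("TLSProtocol", [])).split()
    if not protos:
        findings.append(("tls-protocol-unset", "TLSProtocol not set; the build default applies, pin it explicitly"))
    elif "SSLv23" in protos or "SSLv3" in protos:
        findings.append(("legacy-protocol", f"TLSProtocol {' '.join(protos)} admits obsolete SSL versions; pin TLSv1.2"))
    if "NoSessionReuseRequired" in tls_options(conf):
        findings.append(("no-session-reuse", "data connections need not reuse the control TLS session; "
                                             "control and data channel are no longer bound together"))
    if conf.get("TLSRequired", ["off"])[-1].lower() == "off":
        findings.append(("plaintext-allowed", "TLSRequired off: logins without AUTH TLS are accepted"))
    ports = conf.get("PassivePorts")
    if not ports:
        findings.append(("passive-range-missing", "no PassivePorts; random high ports will not be forwarded"))
    else:
        lo, hi = (int(x) for x in ports[-1].split())
        if (lo, hi) != forwarded:
            findings.append(("passive-range-mismatch",
                             f"PassivePorts {lo}-{hi} differs from forwarded {forwarded[0]}-{forwarded[1]}"))
    return findings


def diff_directives(a: Config, b: Config) -> dict[str, tuple[list[str] | None, list[str] | None]]:
    """Directives whose values differ between two parsed configs."""
    return {name: (a.get(name), b.get(name))
            for name in sorted(set(a) | set(b)) if a.get(name) != b.get(name)}


if __name__ == "__main__":
    nas, ref = parse_proftpd(NAS_CONF), parse_proftpd(REFERENCE_CONF)
    for name, (mine, yours) in diff_directives(nas, ref).items():
        print(f"{name}: mine {mine} | yours {yours}")
    for code, text in audit(nas, (55536, 56559)):
        print(f"[{code}] {text}")
```

On a real NAS the same functions can be fed the output of cat /etc/config/proftpd.conf; note that, as the thread goes on to show, edits to that file may be regenerated by the firmware on service restart, so any finding should be fixed through the QNAP's own FTP settings where possible.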
Member: Stibonator
Stibonator Jun 28, 2016 updated at 14:14:40 (UTC)
The lines that differ are:

TLSProtocol
Mine: SSLv23 | yours: TLSv1 TLSv1.1 TLSv1.2

TLSOptions
Mine: NoCertRequest | yours: NoSessionReuseRequired

TLSServerCipherPreference, TLSCipherSuite, TLSCryptoDevice
Does not exist in my config

EnableUserWanIp
Mine: on | yours: off

Seeing this I believe it has something to do with the parameter NoSessionReuseRequired. I've seen numerous blog posts during my research who changed that in their ProFTPD settings, but I was not able to find the file this could be changed on the QNAP in.
Can I simply modify it (add the entry), save and that's it?
Member: 129813
129813 Jun 28, 2016 updated at 14:22:52 (UTC)
Can I simply modify it (add the entry), save and that's it?
It's worth a try, after modifying and saving the config file you need to restart the proftpd service
Can be done directly on the console with :
/etc/init.d/ftp.sh restart
Member: Stibonator
Stibonator Jun 28, 2016 at 14:34:01 (UTC)
Holy cow, I thought that was it, but after making the changes and restarting the ftp service, the changes are rolled back, my entry which I added is missing... :D
Member: Stibonator
Stibonator Jun 28, 2016 at 15:48:30 (UTC)
Hello again,

mea culpa, I've talked to a colleague and he told me that the Sonicwall does DPI. We set an exclusion for the QNAP and now everything works fine.

Thanks so much for your help! Thanks to you too, Kraemer!
Member: 129813
129813 Jun 28, 2016 at 16:08:44 (UTC)
No problem, you're welcome.