Pro-ftpd on my DS-207

Postby momo » Fri Apr 25, 2008 12:40 pm

Hi there,

Well, I was tired of waiting for a true FTP server to be included in the Synology firmware.
So I chose to install Pro-ftpd.

First, don't forget to stop default Synology FTP.
[NAS]: ps -fe | grep -i ftpd
[NAS]: killall ftpd

Installation :

[NAS]:ipkg list | grep -i proftpd
proftpd - 1.3.1-3 - Highly configurable FTP server with SSL-TLS

[NAS]:ipkg install proftpd

Proftpd is installed under /opt/

Configuration :
You have to edit proftpd.conf under /opt/etc.
Here is a dummy file to show how to configure it (the directives are like Apache's).
Each user connects to the default root (DefaultRoot), where I have incoming and pub directories.
Then I lock some privileges with Limit.

----
ServerName NAS
ServerType inetd
DefaultServer on
ServerIdent on "NAS Server Ready"
DeferWelcome on
MaxLoginAttempts 3
AccessGrantMsg "Bienvenue %u ..."

AuthGroupFile /etc/ftpgroup
AuthUserFile /etc/ftppasswd

Port 21
PassivePorts xxxxx xxxxx
MasqueradeAddress xxx.xxx.xxx.xxx
Umask 000
TimesGMT off
UseReverseDNS off
IdentLookups off
MaxInstances 100
User nobody
Group nobody
RootLogin off
DefaultRoot /volume1/xchange/ftp
DefaultTransferMode binary
TimeoutIdle 900
TimeoutLogin 120

AllowStoreRestart on
AllowRetrieveRestart on
AllowOverwrite on

SocketOptions rcvBuf 131070
SocketOptions sndBuf 131070

<Limit SITE_CHMOD>
DenyAll
</Limit>

<Directory /volume1/xchange/ftp>
<Limit WRITE>
DenyAll
</Limit>
</Directory>

<Directory /volume1/xchange/ftp/incoming>
<Limit WRITE>
AllowAll
</Limit>
<Limit DELE RMD>
DenyAll
</Limit>
</Directory>

<Directory /volume1/xchange/ftp/pub>
<Limit ALL>
AllowAll
</Limit>

<Limit WRITE>
DenyAll
</Limit>
</Directory>
---

I chose inetd for ServerType because I prefer to use tcpwrapper.
I can then configure hosts.deny and hosts.allow to filter.
It is possible to use the Directory directive to filter IP addresses, but proftpd.conf would have to be updated every time I decided to restrict access.

inetd.conf :

telnet stream tcp nowait root /usr/sbin/telnetd telnetd
ftp stream tcp nowait root /opt/libexec/tcpd /opt/sbin/proftpd --config /opt/etc/proftpd.conf

After modifying inetd.conf you need to restart the service (/usr/syno/etc/rc.d).

ServerType could be set to standalone as well, but you have to start the daemon with this script:

#!/bin/sh
#
# Startup script for proftpd as standalone server
#

if [ -n "`pidof proftpd`" ]; then
/bin/killall proftpd 2>/dev/null
fi

/opt/sbin/proftpd --config /opt/etc/proftpd.conf

PassivePorts xxxxx xxxxx
MasqueradeAddress xxx.xxx.xxx.xxx
It is used for passive FTP and NAT.
You can put an IP address or a domain name for MasqueradeAddress.

AuthGroupFile /etc/ftpgroup
AuthUserFile /etc/ftppasswd
It is used to create virtual users.
This way, the users allowed to FTP have no account on the system.
I use ftpasswd on Solaris to generate these two files (ftpasswd is not included in the ipkg distribution).

ServerIdent and DeferWelcome
These parameters are for security reasons.
The FTP server does not respond with information about its release.
It is more difficult to find a back door if the release and the version are not known.

Here is a very good site for directives to configure ProFTP :
http://www.castaglia.org/proftpd/

Now I have a real FTP server with logs, statistics, etc. Not the toy released by Synology.
"If you have a problem, if no one else can help and if you can find them,
maybe you can hire... The A-Team"
---
"Sodomy. One of the top 10 most common household accidents." House M.D
momo
Novice
Posts: 53
Joined: Mon Nov 26, 2007 11:49 am
Location: France - 06°12'54"E - 49°01'01"N
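
Added example, not part of momo's post: a shell check for the inetd + tcpwrapper setup described above. It confirms that the ftp line in inetd.conf is started through tcpd, that the wrapper binary is present, and that hosts.deny denies the daemon by default so only clients listed in hosts.allow get in. The function names, the hosts.allow/hosts.deny contents and the client addresses are constructed for illustration; the inetd.conf lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: audit the inetd + tcpd wiring for ProFTPD.

# wrapped_daemon INETD_CONF
# Prints the name tcpd matches in hosts.allow/hosts.deny (basename of the
# wrapped program). Fails if the ftp entry is absent or bypasses tcpd.
wrapped_daemon() {
    awk '$1 == "ftp" && $6 ~ /\/tcpd$/ {
             n = split($7, part, "/"); print part[n]; found = 1; exit
         }
         END { exit !found }' "$1"
}

# client_lists FILE DAEMON
# Prints the client list of each rule naming DAEMON or ALL (simple
# "daemons : clients" rules only, no option fields).
client_lists() {
    awk -F: -v d="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        {
            n = split($1, name, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (name[i] == d || name[i] == "ALL") {
                    gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; break
                }
        }' "$1"
}

# check_ftp_wrapping INETD_CONF HOSTS_ALLOW HOSTS_DENY TCPD_PATH
check_ftp_wrapping() {
    daemon=$(wrapped_daemon "$1") ||
        { echo "FAIL: ftp is not started through tcpd"; return 1; }
    [ -x "$4" ] ||
        { echo "FAIL: $4 missing (it ships in the tcpwrappers package)"; return 1; }
    client_lists "$3" "$daemon" | grep -qx 'ALL' ||
        { echo "FAIL: hosts.deny has no default deny for $daemon"; return 1; }
    echo "OK: $daemon reachable only from: $(client_lists "$2" "$daemon" | tr '\n' ' ')"
}

# Constructed sample files (inetd.conf lines are the ones quoted in the post).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/inetd.conf" <<'EOF'
telnet stream tcp nowait root /usr/sbin/telnetd telnetd
ftp stream tcp nowait root /opt/libexec/tcpd /opt/sbin/proftpd --config /opt/etc/proftpd.conf
EOF
echo 'proftpd: 192.168.1. 203.0.113.25' > "$demo/hosts.allow"
echo 'proftpd: ALL' > "$demo/hosts.deny"
: > "$demo/tcpd"; chmod +x "$demo/tcpd"    # stand-in for /opt/libexec/tcpd

check_ftp_wrapping "$demo/inetd.conf" "$demo/hosts.allow" "$demo/hosts.deny" "$demo/tcpd"
```

On the NAS the arguments would be the real inetd.conf, the hosts.allow and hosts.deny files read by the installed tcpd, and /opt/libexec/tcpd.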

Re: Pro-ftpd on my DS-207

Postby Konsti » Fri May 02, 2008 9:41 am

Dear momo, thank you for your quick guide, but my installation on my DS106e doesn't work--I cannot connect to the server via FTP/SSH or SFTP.

Please help me and guide us through, one step at a time!

(a) obviously install Telnet patch.
(b) install the iPKG module and do an "update".
(c) install ProFTPd daemon/service.

(d) what about the GUI? Should I have FTP enabled on the webadmin pages of the server? What ports?
I am using the latest 2.0.3.0590 firmware and the settings pages are somewhat different, now. What settings of the server YOU have?

(e) in order to automatically restart the proFTPd service, on every reboot, is this the reason you modify inetd.conf file, second line? My /etc/inetd.conf file reads as follows:

telnet stream tcp nowait root /usr/sbin/telnetd telnetd
ftp stream tcp nowait root /opt/libexec/tcpd /opt/sbin/proftpd --config /opt/etc/proftpd.conf

(f) Although the service is installed properly, I cannot start it, I get a funny error regarding the ports used, namely:

- warning: the DisplayFirstChdir directive is deprecated and will be removed in a future release. Please use the DisplayChdir directive.
- fatal: Socket operation on non-socket

Have you any idea what they are talking about? What is this DisplayChdir directive? I have dug around the internet for this, and found only this reference, but I cannot understand it! http://www.proftpd.org/docs/directives/linked/config_ref_DisplayChdir.html

(g) please tell us where you store the account names, groups and permissions of the ProFTPd users. Are they in the typical path /etc/passwd file?

Can anyone else having successfully installed ProFTPd help? Momo, can you post your proftpd.conf file from a URL link? What is your ProFTPd version?

Many thanks in advance--Konsti.
Konsti
Novice
Posts: 57
Joined: Mon Feb 12, 2007 2:00 pm
Location: Greece

Re: Pro-ftpd on my DS-207

Postby momo » Fri May 02, 2008 12:26 pm

Hi there,
waoow a lot of questions ... to answer ... :D

Konsti,
you were right for steps :

1 - Telnet Patch
2 - Install IPKG and then ipkg update
3 - Install IPKG module proftpd - 1.3.1-3 - Highly configurable FTP server with SSL-TLS
4 - stop the FTP toy started by Synology
ps -fe | grep -i ftpd
killall ftpd
If you do not want to have this started again on reboot rename the SXXftpd script to SXXftpd.orig.
GUI is useless after installing ProFtpd.

5 - Configure your PRO-FTPd by editing the file /opt/etc/proftpd.conf
I have chosen to use inetd instead of standalone for two reasons :
- ftp daemon is not always running if you do not have connection.
- I'm using tcpwrapper to allow or deny access (because I do not want to have Chinese sheep bruteforcing my system).

Here is my proftpd.conf :

NAS> more proftpd.conf
ServerName NAS
ServerType inetd
DefaultServer on
ServerIdent on "NAS Server Ready" <----- do not present FTP info / security reason
DeferWelcome on <----- FTP info once connected / security reason
MaxLoginAttempts 3 <----- to avoid bruteforce / security reason
MaxClients 3 "Sorry, %m clients limit has been reached. Try again later" <----- to restrict number of clients / I'm uploading up to 120Kb/s so each client can download up to 40Kb - decent bandwidth

AccessGrantMsg "%u you are connected."
AccessDenyMsg "%u, you're not allowed to connect."
DisplayConnect /volume1/xchange/ftp/.connect.msg
DisplayQuit /volume1/xchange/ftp/.exit.msg

AuthUserFile /etc/ftp2ndpasswd <----- this file contains my users (they do not have a shell or a home directory)

Port 21
PassivePorts 55536 55576 <----- Ports used for passive FTP
MasqueradeAddress XXX.XXX.XXX.XXX <----- replace with your public IP or domain name if you are behind a firewall and using NAT
Umask 022
TimesGMT off
UseReverseDNS off
IdentLookups off
MaxInstances 100
User nobody
Group nobody
RootLogin off
DefaultRoot /volume1/xchange/ftp
DefaultTransferMode binary
TimeoutIdle 900
TimeoutLogin 120

AllowStoreRestart on
AllowRetrieveRestart on
AllowOverwrite on

SocketOptions rcvBuf 131070
SocketOptions sndBuf 131070

<Limit SITE_CHMOD>
DenyAll
</Limit>

<Directory /volume1/xchange/ftp>
<Limit WRITE>
DenyAll
</Limit>
</Directory>

<Directory /volume1/xchange/ftp/incoming>
<Limit ALL>
AllowAll
</Limit>
<Limit WRITE>
AllowAll
</Limit>
</Directory>

<Directory /volume1/xchange/ftp/public>
<Limit ALL>
DenyAll
</Limit>

<Limit DIRS READ>
AllowAll
</Limit>
</Directory>

This conf gives full access on incoming and read-only access on public.
You cannot do a chmod either.

6 - My users are virtual ones ... They do not have any shell or home directory, for security reasons.
To do so you can use the ftpasswd utility (which is included in the default package of proftpd but not in the ipkg distribution).
The file format is exactly the same as /etc/passwd.
My file is /etc/ftp2ndpasswd.

Here is an example of the file:
johndoe:$1$3yzKQDso$Dd3tt.O7WgSmU03ctMa7s.:5000:100::/nonexist:/sbin/nologin


Hope this helps ...
ciaooooo
momo
Novice
Posts: 53
Joined: Mon Nov 26, 2007 11:49 am
Location: France - 06°12'54"E - 49°01'01"N
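
Added example, not part of momo's post: since ftpasswd is missing from the ipkg package and the AuthUserFile ends up being built elsewhere or edited by hand, this shell function audits such a file. It checks the seven-field passwd layout, empty password fields, the hash scheme, uid 0, virtual uids that collide with a real system account, and whether the file is readable by other local users. The function name, the system passwd sample and all accounts other than the johndoe line from the post are constructed.

```shell
#!/bin/sh
# Added example: audit a hand-built ProFTPD AuthUserFile.
# Line format (same as /etc/passwd): name:hash:uid:gid:gecos:home:shell

# audit_authuserfile AUTHFILE [SYSTEM_PASSWD]
# Prints one finding per line, nothing if the file is clean.
audit_authuserfile() {
    authfile=$1
    syspasswd=${2:-/etc/passwd}
    # The file holds password hashes: other local accounts should not read it.
    [ -z "$(find "$authfile" -perm -004 2>/dev/null)" ] || echo "file: readable by others"
    awk -F: -v sys="$syspasswd" '
        FILENAME == sys { if (NF >= 3) sysuid[$3] = $1; next }  # system accounts
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF != 7        { print FNR ": expected 7 fields, found " NF; next }
        seen[$1]++     { print $1 ": duplicate user name" }
        $2 == ""       { print $1 ": empty password field" }
        $2 ~ /^\$1\$/  { print $1 ": MD5-crypt hash" }
        $2 !~ /^\$/ && length($2) == 13 { print $1 ": DES-crypt hash" }
        $3 ~ /^0+$/    { print $1 ": uid 0" }
        ($3 in sysuid) && $3 !~ /^0+$/ {
            print $1 ": uid " $3 " is also system account " sysuid[$3]
        }
    ' "$syspasswd" "$authfile"
}

# Constructed sample input. Only the johndoe line comes from the post; the
# other accounts, the placeholder hash and the system passwd file are made up.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
admin:x:1024:100::/var/services/homes/admin:/bin/sh
EOF
cat > "$demo/ftppasswd" <<'EOF'
johndoe:$1$3yzKQDso$Dd3tt.O7WgSmU03ctMa7s.:5000:100::/nonexist:/sbin/nologin
guest::5001:100::/nonexist:/sbin/nologin
backup:$1$constructed$0000000000000000000000:1024:100::/nonexist:/sbin/nologin
broken:5002:100
EOF
chmod 600 "$demo/ftppasswd"

audit_authuserfile "$demo/ftppasswd" "$demo/passwd"
```

The hash-scheme lines are informational: which schemes the server accepts depends on the crypt() available on the NAS.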

Re: Pro-ftpd on my DS-207

Postby Konsti » Fri May 02, 2008 6:44 pm

Dear momo, thanks for your help.

I have disabled the FTP access from the NAS webadmin pages. I have created /opt/etc/proftpd.conf according to your steps, and when I run the server, it comes with the same error:

Synology> /opt/sbin/proftpd --config /opt/etc/proftpd.conf
Synology - fatal: Socket operation on non-socket

What the heck can be wrong? How can I make sure that the ports/sockets on my DS106e are available for proftpd to run correctly? Can there be a possible conflict with proftpd and NAS services? I only run HTTPS for the webadmin, iTunes Library and uPNP media support. FileStation is a local service with no extra ports required...

1. how do you connect to your NAS, via SFTP or FTP & SSH?
2. this tcpwrapper you mention, is it a service you installed via iPKG? Is it necessary to install for ProFTPd?
3. where can we find ftpasswd for PowerPC-based Synology servers? You're probably running ARM-compiled code....

Can you have any idea on the "ports" error, mate?
Thanks, Konsti.
Konsti
Novice
Posts: 57
Joined: Mon Feb 12, 2007 2:00 pm
Location: Greece

Re: Pro-ftpd on my DS-207

Postby Konsti » Fri May 02, 2008 7:07 pm

OK, from http://www.proftpd.org/docs/faq/linked/faq-ch4.html we read the following, regarding the error "Fatal: Socket operation on non-socket":

You have ProFTPD configured to run in inetd mode rather than standalone. In this mode, ProFTPD expects that it will be run from the inetd super-server, which implies that stdin/stdout will be sockets instead of terminals. As a result, socket operations will fail and the above error will be printed. If you wish to run ProFTPD from the shell, in standalone mode, you'll need to modify your proftpd.conf configuration file and add or edit the ServerType directive to read:

ServerType standalone


I changed accordingly /opt/etc/proftpd.conf for the sake of trying, and now when I execute the command for the server to run, I have no errors. However, in the list of processes, with ps -fe | grep -i ftp there's no trace of proftpd running...!

I have also tried to find a pre-compiled version of ftpasswd command/binary, but there doesn't seem to be anywhere for PowerPC... Can you assist, please? I think we can make a good guide at the end for all Synology users to install ProFTPd.

Thanks.
Konsti
Novice
Posts: 57
Joined: Mon Feb 12, 2007 2:00 pm
Location: Greece

Re: Pro-ftpd on my DS-207

Postby momo » Fri May 02, 2008 9:44 pm

Konsti wrote:1. how do you connect to your NAS, via SFTP or FTP & SSH?
2. this tcpwrapper you mention, is it a service you installed via iPKG? Is it necessary to install for ProFTPd?
3. where can we find ftpasswd for PowerPC-based Synology servers? You're probably running ARM-compiled code....


Hi there,

1 - FTP & SSH
2 - Yes, I have installed TCP Wrapper via IPKG.
[NAS]: ipkg list_installed
...
tcpwrappers - 7.6-4 - A library that allows IP level control over ports
...

You do not need to install TCP Wrapper to use ProFTPd.
The purpose of TCPWrapper is to filter via hosts.allow and hosts.deny files.
You can do the same (filter by IP address) for ProFTPd under the Directory directive.

3 - ftpasswd is a Perl file.
The standard distribution has one included, but not the ipkg package.
So what I do is generate my file on my workstation under Solaris 10.
I'm pretty sure that if Perl is installed on the NAS, ftpasswd works correctly for file generation.

BTW, did you restart the inetd service after modifying inetd.conf?
If not, that can explain your error.

ciaoooo
momo
Novice
Posts: 53
Joined: Mon Nov 26, 2007 11:49 am
Location: France - 06°12'54"E - 49°01'01"N

Re: Pro-ftpd on my DS-207

Postby Konsti » Fri May 02, 2008 11:38 pm

Dear momo, please be patient with me for fixing this up--I know some Unix and being computer literate I can manage :oops:

1. I am using "Transmit" for MacOS X so FTP & SSH are used, that is sure. So case solved.

2. Thanks also for clarifying that we don't need TCPWrapper to make ProFTPd work--I was a little puzzled about this daemon.

3. ...but how do I restart inetd as you suggest? Kill it and run it as 'root'? I rebooted the device, is that good enough? I've changed inetd.conf as you suggested... But when I do 'ps' I just see inetd running, not proftpd. Is it supposed to also be there on the tasks list? I can't connect to the NAS!

4. Can you possibly suggest your ftp2ndpasswd file, for anonymous user, because I cannot login with any account to check if ProFTPd is running! Perhaps you can point me to the Perl script for ftpasswd--I can run it on my MacOS X Terminal for sure.

Your settings, what users do they allow as username? You say "all" but you obviously mean those in ftp2ndpasswd file, correct? I don't know the exact syntax of this file...

Grazie! Thanks! Merci! Danke! Gracias!
Konsti
Novice
Posts: 57
Joined: Mon Feb 12, 2007 2:00 pm
Location: Greece

Re: Pro-ftpd on my DS-207

Postby momo » Sat May 03, 2008 9:17 pm

Hi there,

Well, I have to switch my context back to Synology stuff (as I just finished some work on my garage ...) :D
OK, it's quite normal that you have only an inetd process, as proftpd will be forked by the inetd daemon.
To restart the inetd service, you just have to do:

cd /usr/syno/etc/rc.d
./S03inetd.sh stop
./S03inetd.sh start

after that, try an ftp to your NAS and you should see this on /var/log/messages :

proftpd[9681]: connect from XXX.XXX.XXX.XXX
proftpd[9681]: NAS - 192.168.1.15:21 masquerading as XXX.XXX.XXX.XXX
proftpd[9681]: NAS (XXX.XXX.XXX.XXX[XXX.XXX.XXX.XXX]) - FTP session opened.
proftpd[9681]: NAS (XXX.XXX.XXX.XXX[XXX.XXX.XXX.XXX]) - Preparing to chroot to directory '/volume1/xchange/ftp'
proftpd[9681]: NAS (XXX.XXX.XXX.XXX[XXX.XXX.XXX.XXX]) - FTP session closed.

For anonymous user, you just have to add a block inside the proftpd.conf file, that's all.
Here is an example :

<Anonymous /volume1/xchange/ftp/guest>
User nobody
Group nobody

# Deny write operations to all directories, except for 'incoming' where
# 'STOR' is allowed (but 'READ' operations are prohibited)

<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>

<Directory incoming>
<Limit READ >
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>

</Anonymous>

Yes all users in my proftpd passwd file are allowed.
You can find the Perl script here : http://www.castaglia.org/proftpd/contrib/ftpasswd.html

ciaoooooooo
momo
Novice
Posts: 53
Joined: Mon Nov 26, 2007 11:49 am
Location: France - 06°12'54"E - 49°01'01"N
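
Added example, not part of momo's post: the /var/log/messages lines shown above are enough to spot password guessing. With MaxLoginAttempts 3 a guesser has to reconnect after every three tries, so this shell function counts, per source address, the sessions that opened and closed without a "Preparing to chroot" line in between. Treating such a session as one that never logged in is an assumption that relies on DefaultRoot being set as in the posted config; the function name, the syslog timestamp/host prefix and the addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example: find sources with repeated FTP sessions that never logged in.

# ftp_nologin_sources LOGFILE [THRESHOLD]
# Prints "ip count" for each source with at least THRESHOLD (default 3)
# sessions that closed without reaching the chroot step.
ftp_nologin_sources() {
    awk -v min="${2:-3}" '
        {
            # locate the proftpd[PID]: tag, with or without a syslog prefix
            pid = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^proftpd\[[0-9]+\]:$/) { pid = $i; break }
            if (pid == "") next
        }
        /FTP session opened/ {
            # peer is logged as (name[ip]); keep the bracketed address
            if (match($0, /\[[0-9a-fA-F.:]+\]\)/)) {
                src[pid] = substr($0, RSTART + 1, RLENGTH - 3)
                login[pid] = 0
            }
        }
        /Preparing to chroot/ { login[pid] = 1 }
        /FTP session closed/ {
            if ((pid in src) && !login[pid]) bad[src[pid]]++
            delete src[pid]; delete login[pid]
        }
        END { for (ip in bad) if (bad[ip] >= min) print ip, bad[ip] }
    ' "$1" | sort
}

# Constructed sample log in the message format shown in the post.
log=$(mktemp); trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
May  3 21:10:01 NAS proftpd[9681]: NAS (198.51.100.20[198.51.100.20]) - FTP session opened.
May  3 21:10:04 NAS proftpd[9681]: NAS (198.51.100.20[198.51.100.20]) - Preparing to chroot to directory '/volume1/xchange/ftp'
May  3 21:12:30 NAS proftpd[9681]: NAS (198.51.100.20[198.51.100.20]) - FTP session closed.
May  3 21:15:00 NAS proftpd[9690]: NAS (198.51.100.20[198.51.100.20]) - FTP session opened.
May  3 21:15:20 NAS proftpd[9690]: NAS (198.51.100.20[198.51.100.20]) - FTP session closed.
May  3 22:00:01 NAS proftpd[9701]: NAS (203.0.113.7[203.0.113.7]) - FTP session opened.
May  3 22:00:09 NAS proftpd[9701]: NAS (203.0.113.7[203.0.113.7]) - FTP session closed.
May  3 22:00:10 NAS proftpd[9702]: NAS (203.0.113.7[203.0.113.7]) - FTP session opened.
May  3 22:00:18 NAS proftpd[9702]: NAS (203.0.113.7[203.0.113.7]) - FTP session closed.
May  3 22:00:19 NAS proftpd[9703]: NAS (203.0.113.7[203.0.113.7]) - FTP session opened.
May  3 22:00:27 NAS proftpd[9703]: NAS (203.0.113.7[203.0.113.7]) - FTP session closed.
EOF

ftp_nologin_sources "$log"
```

Addresses reported this way are candidates for a hosts.deny entry when access is filtered through tcpwrapper as in the first post.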

Re: Pro-ftpd on my DS-207

Postby spiff » Mon May 12, 2008 8:32 pm

Thanks for a great proftpd guide.

This toy ftp server (as you put it :) ) provided by Synology has annoyed me as well.
spiff
I'm New!
Posts: 3
Joined: Mon May 12, 2008 5:23 pm

Re: Pro-ftpd on my DS-207

Postby momo » Tue May 13, 2008 10:37 am

Hi there,
you're welcome.
After that, you have a fully configurable FTP server.
You can do whatever you want.
I don't know why Synology does not use another FTP server.
Well, I guess that it is easier to play with the GUI instead of digging into directives like Apache's.

ciaoooo
momo
Novice
Posts: 53
Joined: Mon Nov 26, 2007 11:49 am
Location: France - 06°12'54"E - 49°01'01"N

Re: Pro-ftpd on my DS-207

Postby ludovic » Sat May 24, 2008 7:05 am

momo wrote: GUI is useless after installing ProFtpd.

Hello,

why did you say that GUI is useless? I think it's interesting for people who do not manage Linux as you do?

Best regards

Ludovic
--------------------------------------------------
Synology DS-508 (FW 640) : 5 Seagate 7200.11 SATA2 HDD (750Go)
Synology DS-207+ (FW 702) : 2 Seagate 7200.11 SATA2 HDD (500Go)
2 Netgear WNR834Bv2 Routeurs (WDS Configuration)
DLink DGS 1008D Jumbo Frames Switch (MTU 9000)
SSODS 3.0 Beta 14 on DS508 - SqueezeCenter 7.2 Beta and SqueezeBox V3 & Duet
ludovic
Student
Posts: 77
Joined: Sat Mar 03, 2007 9:14 am
Location: France - Grenoble

Re: Pro-ftpd on my DS-207

Postby momo » Mon May 26, 2008 8:19 am

ludovic wrote:why did you say that GUI is useless? I think it's interesting for people who do not manage Linux as you do?
Ludovic


Hi there,
Well, I think that you misunderstood what I said about the GUI.
The GUI is not able to modify the config file used by ProFTPd.
That's what I meant by the GUI being useless.
momo
Novice
Posts: 53
Joined: Mon Nov 26, 2007 11:49 am
Location: France - 06°12'54"E - 49°01'01"N

Re: Pro-ftpd on my DS-207

Postby ludovic » Mon May 26, 2008 3:21 pm

Hello Momo,

you are right. There was a misunderstanding about the GUI.

Best regards

Ludovic
ludovic
Student
Posts: 77
Joined: Sat Mar 03, 2007 9:14 am
Location: France - Grenoble

Re: Pro-ftpd on my DS-207

Postby Sander1978 » Fri Sep 26, 2008 2:04 pm

Hi there,

I have been experimenting with your guide and it worked great from the start. However when I tried to change the port in the services file and restarting the synology I lost /opt/libexec/tcpd for some reason and I am unable to get it back. Anybody have any tips on how to get that file back besides doing a factory defaults reset?

EDIT: already found it, it was in tcpwrappers. And after finding it I saw it in a post above 8)
I should read more carefully :)

Thnx for the guide btw, works great here :)
Sander1978
I'm New!
Posts: 4
Joined: Fri Sep 26, 2008 2:01 pm

Re: Pro-ftpd on my DS-207

Postby Glitch » Mon Nov 10, 2008 5:30 pm

Great tutorial, thanx momo!

Got my proFTPd server running in no time. A lot better than the toy ftp server from Synology. :D
Glitch
I'm New!
Posts: 9
Joined: Mon Nov 10, 2008 5:25 pm
