
Tag: ReadyNAS secure FTP

Monitor your FTP logins

by on Sep.22, 2010, under Technology


This article describes how to configure an easy way to monitor the logins to your ReadyNAS FTP server. Credits to Jesper for pointing me in all the right directions – thank you! Before we get started: if you haven’t already, download PuTTY.exe from the Internet.

The first step is to create a job on the server that executes once every 15 minutes. This is done by creating a file called /etc/cron.d/backup-ftplog with the content below. Cron runs the command through /bin/sh, so the portable redirection >/dev/null 2>&1 is used instead of bash's &>, which /bin/sh would read as "run in the background" and leave the output unredirected:

0,15,30,45 * * * * root /usr/local/script/backup-ftplog.sh >/dev/null 2>&1

Double click PuTTY.exe and enter the internal IP address of the NAS (for instance 192.168.1.253). Log on as root with the same password as admin (netgear1 is default, but you should really change that).

Type cd /etc/cron.d and press enter
Type vi backup-ftplog and press enter
Type (or copy) 0,15,30,45 * * * * root /usr/local/script/backup-ftplog.sh >/dev/null 2>&1
(you may want to try hitting the Insert key)
Press ESC and type :wq to write the content to backup-ftplog and quit vi

Next step is to create a copy of the FTP log under the /tmp folder that the web server is allowed to read (the original under /var/log is not). Note that mode 644 makes the copy readable by every local account on the NAS; if other people have shell access, give the copy to the web server's user and use mode 640 instead. Create the file /usr/local/script/backup-ftplog.sh (and make it executable) with the following code:

#!/bin/bash
cp /var/log/proftpd.log /tmp/proftpd.log
chmod 644 /tmp/proftpd.log

Still in PuTTY:

Type mkdir /usr/local/script and press enter
Type cd /usr/local/script and press enter
Type vi backup-ftplog.sh and press enter
Type #!/bin/bash on the first row (you may want to press the Insert key)
Type cp /var/log/proftpd.log /tmp/proftpd.log on the second row
Type chmod 644 /tmp/proftpd.log on the third row
Press ESC and type :wq to write the content to backup-ftplog.sh and quit vi
Type chmod 0755 /usr/local/script/backup-ftplog.sh and press enter

Last, create a php-file (call it for instance ftplog.php) and place it on the Apache server. The file should contain the following code:

<html>
<body>

<?php
  // Replace nasnetworkname with the network name of your ReadyNAS.
  define("LOGON_PATTERN", "/^(.*) nasnetworkname.*USER (.*):.*$/");
  $file = fopen("/tmp/proftpd.log", "r");
  if ($file === false) {
    die("<p>Could not open /tmp/proftpd.log</p>");
  }

  echo "<h3>Recent logons</h3>";
  echo "<ul>";

  $previousDateString = "";
  $previousUsername = "";
  $logonCounter = 0;
  while (($line = fgets($file)) !== false) {
    if (preg_match(LOGON_PATTERN, $line, $groups)) {
      $dateString = $groups[1];
      $username  = $groups[2];
      if (!isEmpty($previousUsername) && !isEqual($previousUsername, $username)) {
        // The user changed: report the previous run of logons and start a new one.
        printLine($previousDateString, $previousUsername, $logonCounter);
        $logonCounter = 1;
      } else {
        $logonCounter++;
      }
      $previousDateString = $dateString;
      $previousUsername = $username;
    }
  }
  if (!isEmpty($previousUsername)) {
    printLine($previousDateString, $previousUsername, $logonCounter);
  }
  echo "</ul>";
  fclose($file);

  function isEqual($string1, $string2) {
    return strcmp($string1, $string2) == 0;
  }

  function isEmpty($string) {
    return strcmp($string, "") == 0;
  }

  // Escape log-derived text so a crafted user name cannot inject HTML into the page.
  function printLine($previousDateString, $previousUsername, $logonCounter) {
    echo "<li>";
    echo htmlspecialchars($previousDateString);
    echo " - ";
    echo htmlspecialchars($previousUsername);
    echo " (";
    echo $logonCounter;
    echo ")";
    echo "</li>";
  }

?>

</body>
</html>

Change LOGON_PATTERN to reflect the network name of your ReadyNAS. Since the page lists user names and logon times, restrict ftplog.php to the internal network or put it behind authentication; giving it a less obvious name or location adds a little obscurity but does not replace that.
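The same review done in Python, added here as an example (not code from the post): like the PHP it groups consecutive logons per user, but it keeps failed attempts out of that list and counts them per client instead, which is what you actually want to be alerted on. The log line shapes and the name nasnetworkname are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter, namedtuple

# Hypothetical ReadyNAS network name (the page's PHP pattern calls it nasnetworkname);
# the line shapes below are assumed, constructed for this example, not real NAS output:
#   <date> <nas> proftpd[pid] <nas> (<client>): USER <name>: Login successful.
#   <date> <nas> proftpd[pid] <nas> (<client>): USER <name> (Login failed): <reason>
NAS_NAME = "nasnetworkname"
LOGON_RE = re.compile(
    r"^(?P<when>\w{3} +\d+ [\d:]+) " + re.escape(NAS_NAME)
    + r" .*?\((?P<client>[^)]*)\): USER (?P<user>[^\s:]+)"
    + r"(?P<failed> \(Login failed\))?: ")
Logon = namedtuple("Logon", "when client user ok")

SAMPLE_LOG = """\
Sep 22 08:01:10 nasnetworkname proftpd[2210] nasnetworkname (cam.lan[192.168.1.20]): FTP session opened.
Sep 22 08:01:12 nasnetworkname proftpd[2210] nasnetworkname (cam.lan[192.168.1.20]): USER fredrik: Login successful.
Sep 22 08:05:30 nasnetworkname proftpd[2211] nasnetworkname (cam.lan[192.168.1.20]): USER fredrik: Login successful.
Sep 22 09:10:01 nasnetworkname proftpd[2300] nasnetworkname (unknown[203.0.113.7]): USER admin (Login failed): Incorrect password.
Sep 22 09:10:03 nasnetworkname proftpd[2301] nasnetworkname (unknown[203.0.113.7]): USER root (Login failed): Incorrect password.
Sep 22 09:10:05 nasnetworkname proftpd[2302] nasnetworkname (unknown[203.0.113.7]): USER admin (Login failed): Incorrect password.
Sep 22 10:00:00 nasnetworkname proftpd[2350] nasnetworkname (pc.lan[192.168.1.30]): USER anna: Login successful.
Sep 22 11:42:19 nasnetworkname proftpd[2400] nasnetworkname (cam.lan[192.168.1.20]): USER fredrik: Login successful.
"""

def parse_logons(text):
    """Return a Logon for every USER line; other lines are ignored."""
    matches = (LOGON_RE.match(line) for line in text.splitlines())
    return [Logon(m["when"], m["client"], m["user"], m["failed"] is None) for m in matches if m]

def summarize(text):
    """Consecutive successful logons by one user form a run (what the page's PHP
    lists); failed attempts are counted per (client, user) instead of being mixed in."""
    runs, failures = [], Counter()
    for e in parse_logons(text):
        if not e.ok:
            failures[(e.client, e.user)] += 1
        elif runs and runs[-1]["user"] == e.user:
            runs[-1]["count"] += 1
            runs[-1]["last"] = e.when
        else:
            runs.append({"user": e.user, "last": e.when, "count": 1})
    return runs, failures

def suspicious_clients(failures, threshold=3):
    """Clients with at least `threshold` failed logins across all user names."""
    per_client = Counter()
    for (client, _user), n in failures.items():
        per_client[client] += n
    return sorted(c for c, n in per_client.items() if n >= threshold)
```

Run summarize() over the copied log from the cron job; the runs give the same "date - user (count)" list as the PHP page, and suspicious_clients() names any address that keeps failing against several accounts.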

Waiver. Accessing the device via SSH requires the add-on Enable Root SSH Access, which will void or greatly impair the warranty and/or support conditions of the device. The text in this summary has been prepared with the utmost care but is, despite this, strictly a guide to be used in conjunction with normal and cautious computer practice, including the safe operation of electric equipment. I cannot accept liability for your actions. Work smart! Work safely!



Setup FTPS on your ReadyNAS Duo

by on Jan.15, 2010, under Technology


One of several key features of the ReadyNAS Duo is the ability to act as an FTP server. I frequently use this to secure pictures taken with my camera when travelling. Out of the box, the traffic to/from the ReadyNAS Duo is sent unencrypted, user name and password included. Here's how you can change that.

The first step is to enable and configure the FTP service in FrontView:

In Advanced Control mode, click on Services -> Standard File Protocols -> FTP
Set the port number to 21 (default)
Set authentication mode to User (default is Anonymous)
Reduce the passive port range to something like 1000 – 1020
Masquerade as the external IP (for instance 83.226.148.211) or domain name (for instance fredriklofter.com); the address the NAS announces in PASV replies must be the public one, and once the control channel is encrypted the router can no longer rewrite it for you
Click apply and await the response FTP service successfully started

Next step is to temporarily disable the FTP service in FrontView:

In Advanced Control mode, click on Services -> Standard File Protocols -> FTP (so that the box is unticked)
Click Apply and await the response FTP service successfully stopped

Now download the shell access add-on EnableRootSSH.bin (from www.readynas.com -> resources -> add-ons) and install it:

In Advanced Control mode, click on System -> Update -> Local and select the add-on image EnableRootSSH.bin

Download PuTTY.exe from the Internet.

Tweak the NAS to only allow secure FTP transfers:

Double click PuTTY.exe
Enter the internal IP number of the NAS (for instance 192.168.1.253)
Log on as root with the same password as admin (netgear1 is default)
Type cd /etc/frontview/proftpd
Type ls -l and confirm the existence of the file ftps.conf
Backup the file before editing by typing cp ftps.conf ftps.conf.old
Type vi ftps.conf
Use the cursor keys to navigate to the TLSRequired line and change off to on (you may want to try hitting the Insert key)
Press ESC and type :wq to write the changes to ftps.conf and quit vi

Change the default secure shell port (this cuts down the volume of automated login attempts against the NAS, though it is no substitute for a strong root password):

Still logged in with PuTTY, type cd /etc/ssh
Type ls -l and confirm the existence of the file sshd_config
Backup the file before editing by typing cp sshd_config sshd_config.old
Type vi sshd_config
Use the cursor keys to navigate to the Port line and change it from 22 (default) to, say, 222
Press ESC and type :wq to write the changes to sshd_config and quit vi
Type exit to end the PuTTY session

Restart the NAS.

In Advanced Control mode, click on System -> Shutdown -> Shutdown and reboot device -> Apply

Enable the FTP service in FrontView.

In Advanced Control mode, click on Services -> Standard File Protocols -> FTP (so that the box is ticked)
Click Apply and await the response FTP service successfully started

Apply FTP access to user(s) to share(s):

In Advanced Control mode, click on Shares -> Shares Listing
Click on FTP/S for the share you want to access via secure FTP
Set the Default Access to Read/write
If appropriate, set rights per user (groups don't work in all FTP clients for some reason)
Click on Apply

Configure port forwarding on the router:

Log in to the admin page of the router (for instance http://192.168.1.254)
Locate the port forwarding page
Add a new service called NAS_FTP and forward ports 20 – 21 to the internal IP of the NAS (for instance 192.168.1.253)
Add a new service called NAS_PASV_FTP and forward the reduced port range above (1000 – 1020) to the internal IP of the NAS (192.168.1.253)
Add a new service called NAS_SSH and forward the SSH port changed above (222) to the internal IP of the NAS (192.168.1.253)
Apply the changes and leave the router admin page (logout)

Test the secure FTP connection using an FTP client (below works for CuteFTP):

Create a new site and label it something appropriate (MyNAS)
Set the external IP (for instance 83.226.148.211) or domain name (for instance fredriklofter.com) as host name
Enter the username and password of a user with FTP/S rights to a share on the NAS (see above)
Login method must be normal (not anonymous)
Set the protocol type to FTP with TLS/SSL (AUTH TLS – Explicit)
Set the port to 21
Set the data connection type to passive (Use PASV)
Click on connect
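A scripted version of the CuteFTP test above, added as an example (not code from the post): one function reads the TLSRequired value back out of ftps.conf text, the other connects with explicit TLS (AUTH TLS, then PROT P) and then confirms that a plaintext login with the same credentials is refused, which is the property the TLSRequired change is meant to give you. It uses Python's standard ftplib; host, user and password are placeholders you supply, and the sample config text is constructed.

```python
import ftplib

def tls_required_value(conf_text):
    """Value of the TLSRequired directive in proftpd-style config text ('' if absent).
    Directive names are case-insensitive, '#' starts a comment, the last one wins."""
    value = ""
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "tlsrequired":
            value = parts[1].lower()
    return value

def check_ftps(host, user, password, port=21, timeout=10):
    """Confirm the hardened behaviour from a client: an explicit-TLS login succeeds
    and a plaintext login with the same credentials is refused with a 5xx reply."""
    result = {"tls_login": False, "plain_refused": False}

    tls = ftplib.FTP_TLS()
    tls.connect(host, port, timeout=timeout)
    tls.auth()             # AUTH TLS: what CuteFTP calls "AUTH TLS - Explicit"
    tls.login(user, password)
    tls.prot_p()           # PROT P: encrypt directory listings and transfers too
    tls.set_pasv(True)     # passive mode, so the forwarded PASV port range is used
    result["cwd"] = tls.pwd()
    tls.quit()
    result["tls_login"] = True

    plain = ftplib.FTP()
    plain.connect(host, port, timeout=timeout)
    try:
        plain.login(user, password)   # with TLSRequired on, the NAS should answer 5xx
    except ftplib.error_perm:
        result["plain_refused"] = True
    finally:
        plain.close()
    return result
```

Both values in the returned dict should be True after the ftps.conf edit; if plain_refused stays False, the plaintext path is still open and the edit did not take effect.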

Test the SSH connection (below works for WinSCP):

Set the external IP (for instance 83.226.148.211) or domain name (for instance fredriklofter.com) as host name
Set the port number to the SSH port changed above (222)
Username root and password same as admin (netgear1 is default)
File protocol SFTP with Allow SCP fallback or SCP (both will work)
Click on login

Waiver. Enabling Root SSH access may cause NETGEAR to deny support. The text in this summary has been prepared with the utmost care but is, despite this, strictly a guide to be used in conjunction with normal and cautious computer practice, including the safe operation of electric equipment. I cannot accept liability for your actions. Work smart! Work safely!


