Setup FTPS on your ReadyNAS Duo

By | January 15, 2010


One of several key features of the ReadyNAS Duo is the ability to act as an FTP server. I frequently use this to secure pictures taken with my camera when travelling. Out of the box, the traffic to/from the ReadyNAS Duo is not secure. Here’s how you can change that.

The first step is to enable and configure the FTP service in FrontView:

In Advanced Control mode, click on Services -> Standard File Protocols -> FTP
Set the port number to 21 (default)
Set authentication mode to User (default is Anonymous)
Reduce the passive port range to something like 1000 – 1020
Masquerade as the external IP (for instance 83.226.148.211) or domain name (for instance fredriklofter.com)
Click apply and await the response FTP service successfully started

The next step is to temporarily disable the FTP service in FrontView:

In Advanced Control mode, click on Services -> Standard File Protocols -> FTP (so that the box is unticked)
Click Apply and await the response FTP service successfully stopped

Now download the shell access patch EnableRootSSH.bin (from www.readynas.com -> resources -> add-ons) and install it:

In Advanced Control mode, click on System -> Update -> Local and select the add-on image EnableRootSSH.bin

Download PuTTY.exe from the Internet.

Tweak the NAS to only allow secure FTP transfers:

Double click PuTTY.exe
Enter the internal IP address of the NAS (for instance 192.168.1.253)
Log on as root with the same password as admin (netgear1 is default)
Type cd /etc/frontview/proftpd
Type ls -l and confirm the existence of the file ftps.conf
Back up the file before editing by typing cp ftps.conf ftps.conf.old
Type vi ftps.conf
Use the cursor keys to navigate to the TLSRequired line and change off to on (you may want to try hitting the Insert key)
Press ESC and type :wq to write the changes to ftps.conf and quit vi

Change the default secure shell port (this will drastically reduce the number of hacking attempts, since most automated scans target the default port 22):

Still logged in with PuTTY, type cd /etc/ssh
Type ls -l and confirm the existence of the file sshd_config
Back up the file before editing by typing cp sshd_config sshd_config.old
Type vi sshd_config
Use the cursor keys to navigate to the Port line and change it from 22 (default) to, say, 222
Press ESC and type :wq to write the changes to sshd_config and quit vi
Type exit to end the PuTTY session
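
The two vi edits above (TLSRequired in ftps.conf and Port in sshd_config) can also be scripted with a backup and a check that the change took effect. This is an added example, not part of the original article: the function names get_directive and set_directive are made up here, and it assumes the NAS shell provides awk and that each directive sits on exactly one uncommented line.

```shell
#!/bin/sh
# Added example: non-interactive version of the vi edits, with backup and verification.

# Print the value of the active (uncommented) directive NAME in FILE.
get_directive() {
    awk -v n="$2" 'tolower($1) == tolower(n) { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# Set directive NAME to VALUE in FILE, keeping indentation and a one-time FILE.old backup.
# Refuses to guess: returns 2 unless exactly one active NAME line exists
# (for instance when the only Port line is commented out as "#Port 22").
set_directive() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    count=$(get_directive "$file" "$name" | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "$file: expected 1 active $name line, found $count; edit by hand" >&2
        return 2
    fi
    [ -f "$file.old" ] || cp -p "$file" "$file.old"    # never overwrite the first backup
    tmp="$file.new.$$"
    awk -v n="$name" -v v="$value" '
        tolower($1) == tolower(n) {
            indent = $0; sub(/[^ \t].*$/, "", indent)  # keep leading whitespace
            print indent n " " v; next
        }
        { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"                # keeps owner and mode of FILE
    [ "$(get_directive "$file" "$name")" = "$value" ]   # verify the edit took effect
}

# On the NAS (paths, directives and values from the steps above):
#   set_directive /etc/frontview/proftpd/ftps.conf TLSRequired on
#   set_directive /etc/ssh/sshd_config Port 222
```

If set_directive returns 2, the file is left untouched and the edit should be made by hand in vi as described above.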

Restart the NAS.

In Advanced Control mode, click on System -> Shutdown -> Shutdown and reboot device -> Apply

Enable the FTP service in FrontView.

In Advanced Control mode, click on Services -> Standard File Protocols -> FTP (so that the box is ticked)
Click Apply and await the response FTP service successfully started

Apply FTP access to user(s) to share(s):

In Advanced Control mode, click on Shares -> Shares Listing
Click on FTP/S for the share you want to access via secure FTP
Set the Default Access to Read/write
If appropriate, set rights per user(s) (groups don’t work in all FTP clients for some reason)
Click on Apply

Configure port forwarding on the router:

Log in to the admin page of the router (for instance http://192.168.1.254)
Locate the port forwarding page
Add a new service called NAS_FTP and forward ports 20 – 21 to the internal IP of the NAS (for instance 192.168.1.253)
Add a new service called NAS_PASV_FTP and forward the reduced port range above (1000 – 1020) to the internal IP of the NAS (192.168.1.253)
Add a new service called NAS_SSH and forward the SSH port changed above (222) to the internal IP of the NAS (192.168.1.253)
Apply the changes and leave the router admin page (logout)

Test the secure FTP connection using an FTP client (below works for CuteFTP):

Create a new site and label it something appropriate (MyNAS)
Set the external IP (for instance 83.226.148.211) or domain name (for instance fredriklofter.com) as host name
Username and password for a user with FTP/S rights to a share on the NAS (see above)
Login method must be normal (not anonymous)
Set the protocol type to FTP with TLS/SSL (AUTH TLS – Explicit)
Set the port to 21
Set the data connection type to passive (Use PASV)
Click on connect

Test the SSH connection (below works for WinSCP):

Set the external IP (for instance 83.226.148.211) or domain name (for instance fredriklofter.com) as host name
Set the port number to the SSH port changed above (222)
Username root and password same as admin (netgear1 is default)
File protocol SFTP with Allow SCP fallback or SCP (both will work)
Click on login

Waiver. Enabling Root SSH access may cause NETGEAR to deny support. The text in this summary has been prepared with the utmost care but is, despite this, strictly a guide to be used in conjunction with normal and cautious computer practice, including the safe operation of electric equipment. I cannot accept liability for your actions. Work smart! Work safely!