Tuesday, April 24, 2012

ZyXEL NSA310, Disabling FTP Clear Text Access

NSA310 is a nice NAS with impressive amount of access options. Mainly thanks to Linux which runs it. Besides it is cheap.

There is one caveat: FTP access. While enabling it there is no way to force FTPES mode only. A client can connect either using clear text or SSL.

Forcing NSA310 into FTPES only mode requires some hacking.

First, you need to enable sshd on your box to be able to hack it remotely. Use your web interface to log-in as admin. After that go to the following address (it enables sshd):

https://192.168.15.125/zyxel/cgi-bin/remote_help-cgi?type=sshd_tdc

Now, ssh to your box using root as the username and admin's password.

Go to the following directory:

/usr/local/zy-pkgs/etc/init.d

and create a file named: pureftpd-tweak which contains the folowing code:

#!/bin/sh
CONF=/etc/pure-ftpd.arg
DATA=`cat $CONF`
echo ' -Y 2' $DATA > $CONF
kill `cat /var/run/pure-ftpd.pid`
sleep 1
/usr/local/sbin/pure-ftpd `/bin/cat $CONF`
exit 0

Now tell NSA310 to actually use this file upon boot.
Edit ZYPKG_DEPS file and add the following line in the START-UP section:

/usr/local/zy-pkgs/etc/init.d/pureftpd-tweak

ZYPKG_DEPS should look like this now:

# Dependency for zypkgs

# START-UP (DON'T REMOVE THIS LINE!)
/usr/local/zy-pkgs/etc/init.d/PHP-MySQL-phpMyAdmin
/usr/local/zy-pkgs/etc/init.d/gallery
/usr/local/zy-pkgs/etc/init.d/WordPress
/usr/local/zy-pkgs/etc/init.d/SqueezeCenter
/usr/local/zy-pkgs/etc/init.d/eMule
/usr/local/zy-pkgs/etc/init.d/DyDNS
/usr/local/zy-pkgs/etc/init.d/SMART
/usr/local/zy-pkgs/etc/init.d/BackupPlanner
/usr/local/zy-pkgs/etc/init.d/NFS
/usr/local/zy-pkgs/etc/init.d/Tftp
/usr/local/zy-pkgs/etc/init.d/Syslog
/usr/local/zy-pkgs/etc/init.d/pyLoad
/usr/local/zy-pkgs/etc/init.d/pureftpd-tweak

# SHUTDOWN (DON'T REMOVE THIS LINE!)
/usr/local/zy-pkgs/etc/init.d/pyLoad
/usr/local/zy-pkgs/etc/init.d/Syslog
/usr/local/zy-pkgs/etc/init.d/Tftp
/usr/local/zy-pkgs/etc/init.d/NFS
/usr/local/zy-pkgs/etc/init.d/BackupPlanner
/usr/local/zy-pkgs/etc/init.d/SMART
/usr/local/zy-pkgs/etc/init.d/DyDNS
/usr/local/zy-pkgs/etc/init.d/SqueezeCenter
/usr/local/zy-pkgs/etc/init.d/eMule
/usr/local/zy-pkgs/etc/init.d/gallery
/usr/local/zy-pkgs/etc/init.d/WordPress
/usr/local/zy-pkgs/etc/init.d/PHP-MySQL-phpMyAdmin

Reboot, and that's it.

You can FTPS but not FTP to your box now.

For more information take a look at: ZyXEL Forum and NAS-central.

5 comments:

  1. Mi to niestety nie działa, dalej można się zalogować bez szyfrowania :-(

    ReplyDelete
    Replies
    1. Unfortunately for me it doesn't work.

      Delete
    2. It used to work in April 2012, I haven't upgraded the firmware since than. Upon firmware change Zyxel could have changed the way ftp daemon is started.

      Delete
  2. In your pureftpd-tweak file one of the paths has changed in the latest firmware ... so instead of

    /etc/pure-ftpd.arg
    use the below path instead
    /var/zyxel/pure-ftpd.arg

    ReplyDelete
  3. ZYPKG_DEPS file gets reset after the restart, so the line I added isn't there anymore :(

    ReplyDelete