Background information

Your own FTP server made easy

Dominik Bärlocher
8.12.2017
Translation: machine translated

There was a time when FTP servers were used for pretty much everything. That time is over. But FTP is not dead. The old protocol can still be used as a backup system. Here is a guide to a backup solution.

The hard drives in the NAS spin up. A brief click, then a short buzz. Someone is accessing the discs from outside, because neither the server nor the PC are recording any data transfers. It must be one of the video producers, Stephanie Tresch or Manuel Wenk. Because they are the only users of the FTP server on the Synology NAS behind my desk.

They don't necessarily need the FTP server, but they use it as an experiment anyway. After all, I have to have some kind of data volume to test the functionality of my server.

The setup of such a server essentially consists of five steps.

  1. Setting up the share
  2. Definition of the user group
  3. User generation
  4. Set up DNS for external access
  5. Setting up the FTP client

After this guide, you can do it all yourself.

When does an FTP server make sense?

FTP servers are a bit outdated in the age of clouds and seem a little dusty, but they are still useful if you are looking for a decent backup solution. For active data usage, I now recommend cloud environments - not necessarily iCloud or Google Drive from a security perspective, but also NAS solutions - but as a backup for project data, the FTP server is an excellent choice.

FTP servers make sense if you need to archive data. Sure, servers used to be used instead of cloud shares and can still be used for data exchange today, but in this example we are using the server as a backup solution.

The share: The hard drive for your users

Since a NAS consists of a large share after the initial setup - in my case, eight four-terabyte hard drives in a Synology DS1817+ - you must first set up a share so that your FTP users cannot simply access all the data.

  1. Call up the admin interface on port 5000 in your browser. In my temp setup, this is the IP 192.168.1.6, so I enter http://192.168.1.6:5000/ in the browser above.
  2. Go to Shared Folder in the Control Panel
  3. Click Create in the top left corner
  4. I'll call my share "digitec" and leave all other settings as they are. So OK.

This means that the storage is designed so that the user group of video producers has a place where they can store things. Now we need to make the server accessible from the outside.

Important: I'll leave the security settings up to you. In the current example, we will omit the security settings, as otherwise we would go beyond the scope of this article. But please, think carefully about what security requirements you place on your server.

  1. In the Control Panel, go to File Services
  2. Select the FTP tab
  3. Enable the FTP services you want to use. In the current example, I have simply activated all services: FTP, FTP with SSL/TLS and SFTP. But I don't advise you to do that. Choose your service depending on how sensitive the data you want to transfer is.
  4. In the General Options, I think that "No Speed Limit" is the right option. Because the backup should be as fast as possible.

Removing the speed limit does not necessarily mean that you will achieve lightning-fast speeds. The usual bottlenecks along the chain of computer, intranet/internet and backup connection also affect this connection. If the backup is connected to a fibre optic connection, then the copper connection of the computer is the problem that makes the transfer slow.

This defines the share and access is, admittedly poorly, regulated. Let's move on to the next step.

User group: authorisations, but not granular

My example server is designed for three people who all need the same authorisations. I could create three users and grant each user separate authorisations. However, this is somewhat tedious and can lead to human error. There are user groups for this purpose. You can grant authorisations for teams in a user group. Sure, if I only have the video team on my one share, then that's not important. But suppose I have to make a share for the editors of the Galaxus editorial team in a week's time. Then I need a second share and other authorisations.

Important: The permissions of the user group are not granular, so they are not detailed but rather a kind of baseline for the permissions of the users. Essentially, in a user group you determine which share the users should access and what minimum permissions the users in the group should have. Granular authorisations are assigned later when the users are generated.

  1. Go to Group in the Control Panel
  2. Click Create at the top
  3. I choose "digitec_video" as the Group Name and "Videodepartment" as the Description
  4. I give the user group read/write permission on the digitec share. This allows the users in our example to read data on the share, i.e. download it, and write data, i.e. upload it.
  5. I ignore the user quota because I don't want to set a limit on the amount of data that the two video producers are allowed to transfer
  6. The application permissions specify which services the users in the group are authorised to use. Despite the abundance of services, I only tick FTP here.
  7. I can also ignore the speed limit because I don't want to give the connection any additional brakes.
  8. Finally, I can check all the settings and then click Apply.

This sets up the user group. However, if I decide that Manuel Wenk needs additional permissions or Stephanie Tresch needs a speed limit, then I can set this in the user permissions. But the basic framework for the authorisations of the two is set.

User accounts: Access and granular authorisations

Until now, I haven't created any accounts for the two video producers to work with. This is now changing, as I can make user-specific settings and ensure that a user loses access to the data if they leave the company.

  1. In the Control Panel → User
  2. Create
  3. Enter the name of the user. I do not recommend spaces. Use either the dot "." or the underscore "_" as a separator.
  4. Since I'm too lazy to come up with a secure password, I let the machine do it. Therefore, click on "Generate Random Password". As the password is displayed to me in plain text and is subsequently sent to the users in plain text, I advise the users to delete the email with the access data after the FTP client has been set up.
  5. In the next screen, I can assign the user to a group. I can't remove the value "users", but I add "digitec_video".
  6. The granular permissions come into play here. Under "Group Permissions" you can see "Read/Write", which I have defined above in the Group Permissions. I can therefore simply press "Next" in this screen.
  7. Since I have not set a data quota in the group, I click on "Next" in the "User Quota" screen without setting anything.
  8. The same applies to the "Application Permissions": Simply click "Next", as I have defined the authorisations for FTP access in the user group.
  9. Also for the "Speed Settings" → "Next".
  10. "Apply".

I can edit all granular authorisations later by selecting the user and clicking on "Edit" at the top. So I can impose a speed limit on Manuel if he accidentally shuts down all the other services on my network when uploading a video project backup. Or I can revoke Stephanie Tresch's read permissions if I think it's the right thing to do.

DDNS: So that users can access the server

In order for the two video producers to be able to give their FTP clients an address with which they can access the server, I have to assign an external address to the NAS. Synology makes this quite easy.

Here, however, I will refrain from writing a detailed guide, because standard settings only rarely apply here. Companies may have their own services that you can use, which are of course also set up for FTP.

If you want to do this for your home NAS, you can select "Synology" as the service provider and then follow the wizard. The wizard also takes over the settings on the router where ports need to be forwarded. All in all, a fairly simple story, but very environment-specific, which would make a detailed guide useless and confusing.

The FTP client: The other end

This completes the setup of the NAS so that video producers can upload their data from their local computers to the server after their work is done and make a clean, simple backup. Of course, a proper backup solution has redundancy and everything, but we're doing a simple example because it's about the technological realisation of a simple FTP server. Proof of concept instead of a functional system.

In order for Manuel and Stephanie to upload their data, they need to use an FTP client.

This choice is not the last word in wisdom. The choice of FTP client is up to you. I recommend these clients because I have been working with them on these platforms for ages and they have never let me down.

Windows: Connection settings under WinSCP

Setting up the FTP client is quite simple and straightforward. Simply open WinSCP after the download. If you only use FTP and have not taken any further security precautions - which I explicitly advise against outside of system tests and examples - then the settings look like this. The core of the problem with FTP is that FTP and encryption don't get along particularly well.

For those viewing this guide on mobile devices:

  • File Protocol: FTP
  • Encryption: No Encryption
  • Host Name: The DDNS entry you created above
  • Port Number: 21
  • User Name: Name of the user
  • Password: The password generated by NAS

Then click on "Login" and save the username and password, if desired.

Linux/Mac: Connection settings under FileZilla

On Mac, you can install FileZilla like any other programme. On Linux, you can install FileZilla with the following command in the terminal:

sudo apt-get install filezilla

And if you've never seen Linux before, here's the latest version of Kali Linux, a Linux distribution designed for information security and penetration testing. Because there are x versions of Linux, the most popular of which are probably Ubuntu and Fedora. Linux is usually free. Cool, right?

  1. In FileZilla, go to File → Site Manager.
  2. Enter the data as above
  3. "Connect".

Now the two video producers can drag and drop their data onto the server to create a clean backup.

rwx: WTF with folder creation

When you create a new folder on the FTP server under WinSCP, you will be confronted - perhaps for the first time - with Unix permissions. Unix permissions are simple. In our case, there are three values that you need to take into account.

  • r: Read
  • w: Write
  • x: Execute

If you want to be able to do everything in your folder, set the permissions like this:

rwx

If you want to read and write, but not execute:

rw-

Because the permissions, as you see them on the screen, can only be "allowed" or "forbidden". If allowed, the letter is simply there. If forbidden, a - takes the place of the letter.

Things you should definitely clarify when setting up a server

The method described above for setting up an FTP server is not recommended in practice. This is because it lacks any encryption and because I have grossly violated security best practices.
Why is that? Because different security measures apply depending on the environment. If you are working on an intranet and neither the NAS nor the computer need to be connected to your LAN, then an FTP server as described above may be sufficient. However, as soon as a connection is established via the Internet, some form of encryption is required. Which one? I'll leave that up to you.
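One way to do the backup upload with encryption enforced, using the "FTP with SSL/TLS" service enabled earlier. This is an added example, not part of the original article. The remote path /digitec/backup and the ca_file parameter (a certificate file for a server whose certificate is not signed by a public CA) are assumptions.

```python
import ftplib
import ssl
from pathlib import Path, PurePosixPath


def tls_context(ca_file=None):
    """TLS context that verifies the server certificate and host name."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def plan_uploads(local_root, remote_root):
    """Map every file under local_root to a POSIX path under remote_root."""
    local_root = Path(local_root)
    return [
        (p, str(PurePosixPath(remote_root, *p.relative_to(local_root).parts)))
        for p in sorted(local_root.rglob("*")) if p.is_file()
    ]


def ensure_dirs(ftp, remote_file):
    """Create the parent directories of remote_file one level at a time."""
    current = PurePosixPath()
    for part in PurePosixPath(remote_file).parent.parts:
        current = current / part
        try:
            ftp.mkd(str(current))
        except ftplib.error_perm:
            pass  # already exists, or not creatable (STOR will then fail)


def backup(host, user, password, local_root, remote_root, ca_file=None):
    """Upload local_root over explicit FTPS; abort if TLS cannot be set up."""
    with ftplib.FTP_TLS(context=tls_context(ca_file), timeout=30) as ftp:
        ftp.connect(host, 21)
        ftp.auth()     # AUTH TLS before any credentials are sent; raises if refused
        ftp.login(user, password)
        ftp.prot_p()   # encrypt the data channel as well, not only the login
        for local, remote in plan_uploads(local_root, remote_root):
            ensure_dirs(ftp, remote)
            with open(local, "rb") as fh:
                ftp.storbinary(f"STOR {remote}", fh)
```

A call would look like backup("your-ddns-name", "user", "password", "projects", "/digitec/backup"). If the server only offers plain FTP, ftp.auth() raises an error and nothing is transferred.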

Or: You can think about handling the backup via the cloud, which is already designed for external connections. I'll have a look at that.

So, that's it. Have fun tinkering with FTP and reminiscing about a time when FTP was the alpha and omega of file transfer.
