Upgrade the dang server, please!

FTP Server, File Server, DDNS, SAMBA, AFP, NFS
mowa
Starting out
Posts: 26
Joined: Fri May 01, 2009 1:48 pm

Post by mowa » Fri Aug 14, 2009 5:20 am

Qnap chaps, the ftp server is OLD. Very old. There are known security problems. Is it really that hard to upgrade a standard software package?

Naive as I am, I hoped it had been upgraded in 3.1.1 - but it hadn't...

rojek
Getting the hang of things
Posts: 53
Joined: Mon Jul 13, 2009 10:03 pm
Location: Melbourne

Re: Upgrade the dang server, please!

Post by rojek » Thu Aug 20, 2009 9:31 pm

Mowa, how do you find what software piece that is? I am considering opening up FTP on my NAS to internet and trying to get some assurance that the software is solid. Any feedback?
Cheers (TS439 Pro)

mowa
Starting out
Posts: 26
Joined: Fri May 01, 2009 1:48 pm

Re: Upgrade the dang server, please!

Post by mowa » Fri Aug 21, 2009 1:04 am

rojek wrote: Mowa, how do you find what software piece that is? I am considering opening up FTP on my NAS to internet and trying to get some assurance that the software is solid. Any feedback?


It will tell you when you login (if your FTP client doesn't show, just SSH/telnet to the Qnap and type "ftp localhost") - mine says: 220 NASFTPD Turbo station 2.x 1.3.1rc2 Server (ProFTPD)

Total silence from Qnap - this company reminds me more and more of Acronis - in theory an absolutely great product with an astounding number of nice features, in reality bugs and security issues make it more or less useless...

rojek
Getting the hang of things
Posts: 53
Joined: Mon Jul 13, 2009 10:03 pm
Location: Melbourne

Re: Upgrade the dang server, please!

Post by rojek » Fri Aug 21, 2009 7:06 am

Mine is the same of course.

This sounds concerning. If a vendor can not step in and clarify that a product is safe to use
we might not need to bother to buy any more of their products and opt for other options.
I bought their NAS partially because of (seemingly) reasonable support.

Where are you QNAP after sales support?!

Mowa, can you point me to any security issues that might be associated with that version of
FTP please. I would like to try to get a view where my risk is if I open it up to the internet.
Cheers (TS439 Pro)

mowa
Starting out
Posts: 26
Joined: Fri May 01, 2009 1:48 pm

Re: Upgrade the dang server, please!

Post by mowa » Fri Aug 21, 2009 3:21 pm

rojek wrote: Mine is the same of course.

This sounds concerning. If a vendor can not step in and clarify that a product is safe to use
we might not need to bother to buy any more of their products and opt for other options.
I bought their NAS partially because of (seemingly) reasonable support.

Where are you QNAP after sales support?!

Mowa, can you point me to any security issues that might be associated with that version of
FTP please. I would like to try to get a view where my risk is if I open it up to the internet.


http://bugs.gentoo.org/show_bug.cgi?id=258838 - it's not easy to see what's fixed in different versions, but of course a key component in a NAS should be up-to-date.

Same goes with the Samba daemon - it's almost a year old and has known security issues...

Salvad0r
Starting out
Posts: 22
Joined: Wed Apr 01, 2009 3:45 am

Re: Upgrade the dang server, please!

Post by Salvad0r » Fri Aug 21, 2009 5:54 pm

rojek wrote: Where are you QNAP after sales support?!

I'm not sure QNAP have an after sales support do they? :cry:

mowa
Starting out
Posts: 26
Joined: Fri May 01, 2009 1:48 pm

Re: Upgrade the dang server, please!

Post by mowa » Sun Aug 23, 2009 2:43 am

Salvad0r wrote:
rojek wrote: Where are you QNAP after sales support?!

I'm not sure QNAP have an after sales support do they? :cry:


I wonder if they are closing down... This kind of total ignorance is often the first sign. I really don't think they give a **. They could do the important upgrades in a few hours, they just don't care. I guess there's some totally incompetent project manager destroying everything.

lentzit
Been there, done that
Posts: 516
Joined: Thu Dec 27, 2007 7:32 pm
Location: Sweden

Re: Upgrade the dang server, please!

Post by lentzit » Sun Aug 23, 2009 6:19 am

As for the current FTP server version, it's stable and runs well even if it's not the latest version. If you have security concerns please share these with this forum, maybe we can help you tighten these until qnap come through with the upgrade. There are a lot of ways to secure traffic to and from the server so give it a shot :-)
-TVS-663/16GB QTS 4.2 , RAID5
-QGenie QG-103N - Wireless Storage in Classroom Environment
-Services: WEB | Virtual Station | QSYNC | FTP | SSL | Private Cloud | Photo Station
-Using it for my blog (http://blog.lentzit.com)

jm45
Easy as a breeze
Posts: 411
Joined: Tue Oct 07, 2008 6:30 pm

Re: Upgrade the dang server, please!

Post by jm45 » Sun Aug 23, 2009 5:45 pm

@mowa
Unless you really are a kid,
you perfectly look like, throwing a tantrum.
TS-109 II firmware version: 3.1.0 Build 0708T (1TB disk)

JohnVK
Getting the hang of things
Posts: 79
Joined: Sat Aug 22, 2009 5:14 am

Re: Upgrade the dang server, please!

Post by JohnVK » Sun Aug 23, 2009 5:47 pm

I agree with Lentzit!

You come here and state for fact that there are known bugs and security issues... where's the data to back up that statement? What are these known bugs & security issues?? Provide us with some links at the very least... maybe we can help...

Regards
John

ped
Starting out
Posts: 32
Joined: Wed Feb 11, 2009 5:06 pm

Re: Upgrade the dang server, please!

Post by ped » Sun Aug 23, 2009 5:52 pm

Hi,

I fully agree that it is not satisfying that a component like an FTP server, which I believe in many cases is used over a (non secure) internet connection, is not updated to a newer and more secure version. We may, or may not, be able to make workarounds for some of the bugs and security issues, but these are still workarounds and paying customers should not be required to spend their time on that kind of work. Take a look at the changes between revision 1.3.1rc2 (released in January 2007 and included with the 3.1.1 firmware on my TS-119 two and a half years later) and the latest stable release (1.3.2a from June 2009). I believe most people will agree that we are not talking about a minor update here -- 172 bug fixes (including security issues) and 8 added features:

1.3.2a - Released 30-Jun-2009
--------------------------------
- Bug 3121 - Use PQescapeStringConn() rather than PQescapeString().
- Bug 3176 - Postgres chokes on standard charset names.
- Bug 3179 - Restarted proftpd using mod_shaper will segfault.
- Bug 3188 - prxs broken due to typo.
- Bug 3183 - Incorrect logging to wtmp.
- Bug 3184 - When started in a chroot, proftpd fails to set transfer buffer
size.
- Bug 3190 - MLSD/MLST do not honor <Limit> configurations.
- Bug 3196 - mod_quotatab does not honor last group in supplemental group list.
- Bug 3203 - Missing SQL backend modules can lead to null pointer segfault in
mod_sql.
- Bug 3215 - mod_wrap2_sql should support comma-delimited lists of clients.
This is the same as Bug#3048, only it affects the mod_wrap2_sql module.
- Bug 3221 - Command line defines (-D/--define) are lost on SIGHUP.
- Bug 3234 - SSL connections can cause 100% CPU usage.
- Added French, Bulgarian, and Korean translations.
- Bug 3256 - "SO_OOBINLINE" error occuring again. This is a regression of
Bug#2332 caused by code movement in 1.3.2.
- Bug 3258 - Log cluttered with "using sendfile capability" messages.
- Bug 3261 - Badly formatted TLSRenegotiate directive causes proftpd to hang.
- Bug 3257 - CAP_AUDIT_WRITE capability needed for some PAM modules.

1.3.2 - Released 5-Feb-2009
--------------------------------
- Bug 3169 - Multiple RewriteRules for the same RewriteCondition not processed
properly.
- Bug 3171 - ExtendedLog should log full SITE command using %m.
- Bug 3173 - Encoding-dependent SQL injection vulnerability.

1.3.2rc4 - Released 23-Jan-2009
--------------------------------
- Bug 2045 - SQLShowInfo should not be displayed when query returns no data.
- Bug 2915 - mod_rewrite does not work well for SITE commands.
- Bug 1636 - GroupRatio does not check user's supplemental group membership.
- Bug 3137 - ProFTPD does not log filename %f for uploaded files.
- Bug 3142 - "Invalid number of arguments MFMT" due to spaces in path argument.
- Bug 3144 - mod_dynmasq returns same IP address, even though actual IP
address has changed.
- Bug 3040 - Support for CreateHome parent directories owned by user.
- Added Russian translation.
- Bug 2020 - HideFiles sometimes fails.
- Bug 3146 - <Directory> paths using glob characters may not match as expected.
- Bug 3147 - Comma-delimited commands in <Limit> sections not handled properly.
- Bug 3149 - Bad handling of %p, %V, and %v variables in mod_sql.
- Bug 3150 - mod_facl erroneously assumes no permissions, rather than all
permissions, in some cases.
- Bug 3159 - mod_rewrite build fails due to missing mode argument in open(2)
call on some platforms.

1.3.2rc3 - Released 20-Nov-2008
--------------------------------
- Bug 3114 - Bad handling of uid/gid parameters for CreateHome.
- Bug 3115 - Cross-site request forgery.
- Bug 3116 - SQLNegativeCache with no group info can cause segfault.
- Bug 3117 - Authentication improperly allowed (Bug#2922 regression).
- Bug 3119 - Search for libcap2 in addition to libcap for mod_cap support.
- Bug 3120 - WrapTables not allowed in <Anonymous> context.
- Bug 3122 - iconv() not detected properly on FreeBSD when --enable-nls is used.
- Bug 3124 - mod_sql improperly substitutes variables in user/group names.
- Bug 3089 - Memory pool double-free on session exit after aborted data
transfer.
- Bug 3092 - FSIO API needs mechanism for allowing registered FS handlers to
permit atomic renames.
- Bug 2767 - gcc 4.0/amd64 warnings.
- Bug 3126 - Segfault in mod_sql_sqlite when user belongs to multiple groups.
- Bug 3130 - HideFiles can cause segfault.
- Bug 3131 - Session process uses 100% CPU after aborted transfer.
- Bug 3132 - Handling of SIGABRT signal leads to endless loop.
- Bug 3073 - Command arguments not decoded properly in some places.
- Bug 3135 - Aborting a download can lead to segfault in some cases.

1.3.2rc2 - Released 17-Sep-2008
--------------------------------
- Added Chinese translation
- Bug 3076 - RPM build failing on 64 bit OS due to incomplete .spec.
- Bug 3082 - Use "DEFAULT" keyword instead of "ALL" for Trace directive.
Hopefully the "DEFAULT" keyword will be more accurate, more descriptive
of the actual functionality triggered by the keyword.
- Bug 3083 - Multiple issues with handling of <Class> definitions.
- Bug 3077 - Transparently handle the X-variant commands when checking
<Limit> permissions.
- Bug 3036 - Quota information not persisted if session ends abruptly.
- Bug 3094 - Perform unidirectional SSL/TLS shutdown on data connections.
- Bug 3096 - libcap version errors on newer Linux kernel.
- Bug 3074 - Support configure option for pkgconfig .pc file install
location.
- Bug 3095 - TLSPassphraseProvider port number truncated.
- Bug 3099 - Add trace logging of filesystem permission errors. To see
this additional logging, use Trace logging, and configure it to log
the "fileperms" log channel.
- Bug 3100 - Support ftpmail options for sending emails only for specific
users. See doc/contrib/ftpmail.html for more details.
- Bug 3030 - GroupOwner should work for all groups. Previously, GroupOwner
(without using UserOwner) could fail, if the user did not belong to
the specified group. Now proftpd will automatically detect, when
handling GroupOwner, when root privileges need to be used for the
configured group.
- Bug 3101 - mod_wrap2 does not compile on FreeBSD with custom includes.
- Bug 3098 - Socket descriptor leak when using syslog logging, especially at
SyslogLevel 'notice' or higher.
- Bug 3055 - Support Display variable for specifying the timestamp format.
See doc/howto/DisplayFiles.html for more information.
- Bug 2537 - mod_sql does not support %{...}t variable. SQLNamedQuery
statements can now use "%{time:...}" variables for formatting time strings
using strftime(3).
- Bug 2564 - Improper logging of "max connections per host". The issue was
one of the timing of the logging of the "Login successful" message. Now
it happens as part of a LOG_CMD handler for the PASS command.
- Bug 3104 - Syslog logging does not work on Mac OS X.
- Bug 2991 - Need a `prxs' (ProFTPD Extensions) command-line tool for building
shared modules without proftpd source.
- Bug 3106 - Add support for Mac OSX 10.5 sendfile.
- Bug 3107 - TLSProtocol supports misleading "SSLv23" parameter.
- Bug 3108 - Support removing MLST from FEAT list. The mod_facts module
now supports a FactsAdvertise directive; see doc/modules/mod_facts.html
for details.
- Bug 3109 - Errors with file uploads logged but not reported to clients.
- Bug 3112 - Uploaded files are not removed if close() fails.

1.3.2rc1 - Released 15-Apr-2008
--------------------------------
- Bug 2978 - Support more verbose OpenSSL diagnostic logging. There is now
support for an "EnableDiags" TLSOptions setting, which logs a lot of
SSL/TLS protocol information to the TLSLog.
- Bug 2969 - Allow APPE after REST.
- Bug 2983 - Use getgrouplist(3) for group lookup, if available. This may
potentially speed up the group membership lookup on some systems.
- Bug 2984 - mod_auth_file uid2name() does not cache results causing slow LIST
response.
- Bug 2925 - Add caching of IP address and DNS name lookups. This may help
speed up data transfers, especially rapid-fire data transfers as used by
"download accelerators".
- Bug 2979 - Ability to ban clients which connect too often. The mod_ban
module now supports a "ClientConnectRate" BanOnEvent rule.
- Bug 2987 - Verbose ban information (i.e. 'ftpdctl ban info -v') not working
on FreeBSD.
- Bug 2986 - Authoritative PAM is not honored.
- Bug 2988 - mod_wrap2_file ignores "ALL" keyword.
- Bug 2982 - Support limit on number of simultaneous file transfers from one
client. Two new configuration directives, MaxTransfersPerHost and
MaxTransfersPerUser, have been added.
- Bug 2386 - Controls should use kernel-enforced credentials where possible.
- Added mod_dynmasq contrib module. See doc/contrib/mod_dynmasq.html for
more information.
- Bug 2968 - Ability to allow protection on control channel, but reject
protection on data channel. See doc/contrib/mod_tls.html#TLSRequired
for details.
- Added mod_unique_id contrib module. See doc/contrib/mod_unique_id.html
for details.
- Bug #2990 - TLSCryptoDevice does not work.
- Bug #2989 - Unable to authenticate users if RadiusUserInfo is not configured.
- Bug #2937 - Should list modules (with versions) for modules loaded as DSOs.
The -vv command-line option now shows all modules (and versions), both
static and shared. See the RELEASE_NOTES for more details.
- Bug #2993 - Unable to compile 1.3.1 on Debian unstable/amd64. The configure
script was brokenly checking for the umode_t data type, which is not needed
by the proftpd source code.
- Bug #2992 - The %f LogFormat variable expanded improperly to "-" for
SITE CHMOD.
- Bug #2995 - The %f LogFormat variable expanded to same file for RNFR and
RNTO.
- Bug #2996 - Requirement for same OpenSSL header, library version in mod_tls
too restrictive. If differences are detected now, the difference is logged,
but the daemon will start up.
- Bug 3005 - OOB abort closes the control connection.
- Bug 3004 - 'ScanOnLogin' QuotaOption does not honor QuotaDirectoryTally
directive.
- Bug 3006 - 'ScanOnLogin' QuotaOption may try to update a nonexistent tally
record.
- Bug 3001 - Incomplete downloads not logged properly in TransferLog if
sendfile is used.
- Bug 3012 - SITE UTIME should support YYYYMMDDhhmmss format.
- Bug 3013 - "TLSOptions AllowPerUser" not working as expected.
- Bug 3019 - DisplayLogin in <Anonymous> section not displayed properly.
- Bug 3015 - Support for RFC3659. There is a new module, mod_facts, which
implements the RFC3659 commands of MLSD and MLST, as well as the MFF and
MFMT commands from an Internet Draft.
- Bug 2894 - The AnonymousGroup directive has been marked for deprecation,
and will be removed in a future release.
- Bug 3003 - Fallback to normal transmission in case of sendfile EOVERFLOW
error missing.
- Bug 2874 - Data transfer buffers should be allocated at startup, not at
compile time.
- Bug 3014 - Optionally set PAM_TTY item when using PAM. Use
"AuthPAMOptions NoTTY" to disable this.
- Bug 2741 - Apply TimeoutNoTransfer, TimeoutStalled, TimeoutIdle to
<Anonymous> section.
- Bug 2997 - Uploading files with "~" causes harmless but annoying log
message.
- Bug 2889 - Update SQLLog so that RNTO stores the path when using the
%F variable.
- Bug 2731 - Add ability to set process priority for file transfers. A new
TransferPriority directive has been added, which can be used to set the
scheduling priority of the session process during file transfers.
- Bug 3020 - Server replies to NLST with 450 at the wrong time.
- Bug 1771 - mod_ratio compile warnings.
- Bug 1973 - mod_ratio uses the too-small int datatype for tracking bytes.
The mod_ratio module has been updated to use off_t, instead of int, for
tracking bytes.
- Bug 1896 - Check AIX account status. The AIX-specific loginrestrictions()
and passwdexpired() functions, if present, are now used by the mod_auth_unix
module during login.
- Bug 2453 - Separate RFC1413 code into mod_ident module.
- Bug 3023 - Allow uploading to /dev/null. This allows testing of network
link speeds by uploading directly to /dev/null on the server.
- Bug 3022 - Timed SQL connections don't reconnect to database.
- Added mod_sql_sqlite contrib module, for authenticating using a SQLite
database. See doc/contrib/mod_sql_sqlite.html for more details.
- Added mod_sql_odbc contrib module, for connecting to a database via
ODBC drivers. See doc/contrib/mod_sql_odbc.html for more information.
- Bug 3025 - Using %b in a SQLNamedQuery does not properly log the file size
for DELE.
- Bug 3026 - RewriteCondition does not negate -d -f -s tests.
- Bug 3027 - Unmatched backreferences are not handled properly in RewriteRules.
Unmatched backreferences are now replaced with empty strings.
- Bug 2999 - Data transfer not aborted when control connection is closed.
- Bug 3031 - IPv4-mapped IPv6 connections not matched properly against IPv4
glob ACLs.
- Bug 3033 - Class rules not honoring '!' negation character.
- Bug 3034 - Rewritten command parameters need to be set in multiple places.
- Bug 2577 - IPv6 support should be enabled by default. IPv6 support is
now enabled by default in the proftpd build, but the shipping
proftpd.conf has:

UseIPv6 off

To disable IPv6 support completely at build time, use the --disable-ipv6
configure option.
- Bug 2000 - mod_cap should not use bundled libcap. Now if a system libcap
is present, that system library will be used instead of the bundled libcap.
If no system libcap is present, the bundled libcap will be used.
- Bug 3044 - Segfault if mod_delay fails to load DelayTable.
- Bug 3048 - mod_wrap2_file should support comma-delimited lists of clients.
- Bug 3045 - "QuotaOptions ScanOnLogin" does not work for 'class' or
'all' limits.
- Bug 3047 - BanOnEvent should support optional ban message. Now messages
for individual ban rules can be configured, in addition to the BanMessage
directive.
- Added contrib/ftpmail, a Perl script which reads a TransferLog FIFO and
sends automatic email notifications whenever uploads occur. See
doc/contrib/ftpmail.html for more details.
- Bug 3050 - Support use of OpenSSL in FIPS mode. See doc/howto/TLS.html for
details on how to use FIPS mode.
- Bug 3051 - mod_quotatab incorrectly reduces file count on rename.
- Bug 2840 - Online Certificate Status Protocol (OCSP) support.
- Bug 3058 - Handling of OPTS command results in badly set values in code.
- Bug 3059 - Wrong handling of UTF8 conversions.
- Bug 3061 - Segfault in mod_quotatab_sql if the SQL query returns NULL
bytes/files values.
- Bug 3056 - Support non-UTF8 encoding and character sets. See
doc/modules/mod_lang.html for more information on the UseEncoding directive.
- Bug 3064 - Better handling of 0xFF character for Cyrillic, non-UTF8 charsets.
These character sets use the same value as the Telnet IAC character in
the alphabet. RFC959 states that FTP control messages must support Telnet
characters; this requirement causes problems for the character sets.
This the RFC959 requirement is relaxed if --enable-nls is used, and if
one of the problematic character sets is configured.

1.3.1 - Released 5-Oct-2007
--------------------------------
- Bug 2944 - mod_sql_mysql fails to compile due to missing quotation.
- Bug 2946 - Anonymous logins fail if the mod_facl module is enabled.
- Bug 2947 - SIGBUS on Mac OS X when dynamically loading shared libs.
- Bug 2950 - Hostname with multiple IP addresses might cause "ai_family not
supported" error if IPv6 support enabled.
- Bug 2955 - Undeclared identifier MAP_FAILED for mod_delay on AIX.
- Bug 2958 - mod_wrap2 does not handle multiple rules in access files.
- Bug 2963 - Use of -A option for LIST/NLST commands not cleared for
subsequent commands.
- Bug 2964 - Building RPM fails because of *snprintf trying to be redefined.
This is actually caused by a particular combination of compiler flags
(-O2 and -Wp,-D_FORTIFY_SOURCE=2), which are used by the `rpmbuild'
command in some Linux releases.
- Bug 2974 - Install error if multiple modules, using their own build script,
are built as shared modules.
- Bug 2981 - Command-line long options --ipv4 and --ipv6 do not work.
- Bug 2795 - Improvements to RPM .spec file to build more of the modules, plus
better optional packaging organization.

1.3.1rc3 - Released 04-Jul-2007
--------------------------------
- Bug 2875 - Malformed getopt checks cause compilation errors in getopt.c.
- Bug 2877 - ServerType 'inetd' results in "getnameinfo error: ai_family not
supported" errors in log.
- Bug 2878 - Error compiling proftpd on Solaris 2.9 using --with-lastlog.
- Bug 2881 - ProFTPD does not support OPTS UTF8 command when --enable-nls is
used.
- Bug 2883 - Problem with locale and SQL database queries.
- Bug 2893 - ProFTPD can use the wrong group data if the user name changes.
- Bug 2897 - mod_quotatab subtracts size of deleted file from bytes-transferred
tally.
- Bug 2902 - Stack read overrun in mod_xfer on 32bit platform. Use an
explicit compiler cast to ensure that the proper data type size is used
in the arguments for a variadic function.
- Bug 2906 - RewriteCondition backreferences not properly substituted.
- Bug 2913 - TYPE command does not clear ASCII flag from LIST/NLST commands.
- Bug 2911 - NLST on a nonexistent path, followed by an NLST on an existing
file, causes segfault.
- Bug 2922 - Auth API allows one auth module to authenticate user data provided
by a different auth module.
- Bug 2921 - NLST fails if using POSIX ACLs. The mod_ls module, when
handling the NLST command, was using an unnecessary access(2) check.
- Bug 2864 - DisplayLogin should work regardless of chroot. This now works
for DisplayQuit and DisplayTransferFiles as well.
- Bug 2920 - ABOR command not handled during data transfer.
- Bug 2924 - DeleteAbortedStores doesn't work when the ABOR command is used.
- Bug 2890 - SystemLog permission errors on SIGHUP when mod_tls is enabled.
- Bug 2932 - Syslog contains "error setting IPV6_V6ONLY: Protocol not
available". Check the IPV6_V6ONLY socket option first, and only attempt
to disable it if needed. Also use the IPPROTO_IPV6 socket level.
- Bug 2934 - Function perm_copy_fd() not in older Linux libacl versions.
- Bug 2923 - ftptop display flickers if delay is greater than 25 seconds.
- Bug 2900 - Some kernels incorrectly reuse IPv6 ports for EPSV command.
- Bug 2935 - DELE command doesn't check file stat result before logging.
- Bug 2938 - mod_wrap2 does not honor WrapTables for <Anonymous> logins.
- Bug 2939 - Anonymous restrictions apply after a failed anonymous login
followed by a successful normal user login.
- Bug 2942 - BanLog directive does not accept "none" parameter.

Myself and others have been rambling about this for some time (http://forum.qnap.com/viewtopic.php?f=161&t=13385, http://forum.qnap.com/viewtopic.php?f=14&t=17864, http://forum.qnap.com/viewtopic.php?f=161&t=14546), but except from an empty promise (probably with good intentions) nothing has happened -- and support has apparently decided to ignore the issue...

/ Regards, Poul
TS-119
FW: 3.3.8 build 1217
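
An added example (not written by any poster in this thread, and not QNAP or ProFTPD code): the banner check mowa describes combined with the release list ped quotes, to report how many listed releases a running server is behind. The function names are hypothetical; the sample banner and the release names and dates are copied from the posts above.

```python
import re
import socket

# Release names and dates exactly as they appear in the changelog quoted in
# this thread, oldest first.
PAGE_RELEASES = [
    ("1.3.1rc3", "04-Jul-2007"),
    ("1.3.1", "5-Oct-2007"),
    ("1.3.2rc1", "15-Apr-2008"),
    ("1.3.2rc2", "17-Sep-2008"),
    ("1.3.2rc3", "20-Nov-2008"),
    ("1.3.2rc4", "23-Jan-2009"),
    ("1.3.2", "5-Feb-2009"),
    ("1.3.2a", "30-Jun-2009"),
]

# Greeting quoted in the thread.
SAMPLE_BANNER = "220 NASFTPD Turbo station 2.x 1.3.1rc2 Server (ProFTPD)"

# Three numeric components plus an optional "rcN" or single-letter suffix.
# The lookarounds keep "2.x" and IPv4 addresses from being read as versions.
_VERSION_RE = re.compile(
    r"(?<![\w.])(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?(?![\w.])"
)


def version_key(version):
    """Sortable key: release candidates < final release < lettered updates."""
    m = _VERSION_RE.fullmatch(version)
    if m is None:
        raise ValueError("not a ProFTPD-style version: %r" % version)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):                                   # e.g. 1.3.1rc2
        suffix = (0, int(m.group(4)))
    elif m.group(5):                                 # e.g. 1.3.2a
        suffix = (2, ord(m.group(5)) - ord("a") + 1)
    else:                                            # e.g. 1.3.2
        suffix = (1, 0)
    return (major, minor, patch) + suffix


def parse_banner(banner):
    """Return the ProFTPD version in a 220 greeting, or None if not shown.

    None means "unknown", not "patched": the greeting is configurable, and a
    vendor build may carry backported fixes, so treat the version as a hint.
    """
    if "proftpd" not in banner.lower():
        return None
    m = _VERSION_RE.search(banner)
    return m.group(0) if m else None


def newer_releases(running, releases=PAGE_RELEASES):
    """Names of the listed releases that are newer than the running version."""
    base = version_key(running)
    return [name for name, _date in releases if version_key(name) > base]


def read_banner(host, port=21, timeout=5.0):
    """Read the greeting from your own FTP server (handles multi-line 220-)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        lines = []
        for line in sock.makefile("r", encoding="latin-1"):
            lines.append(line.rstrip("\r\n"))
            if re.match(r"\d{3} ", line):            # final line of the reply
                break
        return " ".join(lines)


if __name__ == "__main__":
    running = parse_banner(SAMPLE_BANNER)
    behind = newer_releases(running)
    print("running %s, %d listed releases behind: %s"
          % (running, len(behind), ", ".join(behind)))
```
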

JohnVK
Getting the hang of things
Posts: 79
Joined: Sat Aug 22, 2009 5:14 am

Re: Upgrade the dang server, please!

Post by JohnVK » Sun Aug 23, 2009 6:02 pm

Thanks Ped, I had no idea yet of the history and at least you are providing valuable information (I was just looking for the change list as well :wink: ). From this point on I agree that it's quite necessary to update this FTP server.

Even though I think it's not very wise to use some integrated utility with limited capabilities that's obviously being treated by QNAP as just a "nice extra feature" to publicly publish your ftp server. I would personally look at other more robust solutions :wink:

Anyway, yes, where's QNAP support?? I have only recently joined because I purchased a TS-409 but there doesn't seem to be much support going on in this forum (except from end users)?? :shock:

Regards
John

lentzit
Been there, done that
Posts: 516
Joined: Thu Dec 27, 2007 7:32 pm
Location: Sweden

Re: Upgrade the dang server, please!

Post by lentzit » Sun Aug 23, 2009 6:21 pm

Since I'm not a hacker I would not know what all these bugs do and don't but of course I agree that the ftp server should be upgraded asap if it's there and I love the fact that there are guys out there like you to point out the flaws so we at least have a chance to act correctly. Too bad that it's always the end users that figure it out first :-( so I hope the upgrade will be available soon...

...until that happens you are on your own...almost every software company (for example Microsoft) acts that way...most of the bugs do not harm anyone but of course should and will be fixed eventually.

For you guys that still want to use the FTP function and are thinking about transfer security you could activate the security options like SSL/TLS
ftp-service.png


then upload your own ssl certificate
ssl-security-cert.jpg


and activate ip restrictions
ftp-ip-sec.jpg
-TVS-663/16GB QTS 4.2 , RAID5
-QGenie QG-103N - Wireless Storage in Classroom Environment
-Services: WEB | Virtual Station | QSYNC | FTP | SSL | Private Cloud | Photo Station
-Using it for my blog (http://blog.lentzit.com)

JohnVK
Getting the hang of things
Posts: 79
Joined: Sat Aug 22, 2009 5:14 am

Re: Upgrade the dang server, please!

Post by JohnVK » Sun Aug 23, 2009 9:35 pm

lentzit wrote: Since I'm not a hacker I would not know what all these bugs do and don't but of course I agree that the ftp server should be upgraded asap if it's there and I love the fact that there are guys out there like you to point out the flaws so we at least have a chance to act correctly. Too bad that it's always the end users that figure it out first :-( so I hope the upgrade will be available soon...

...until that happens you are on your own...almost every software company (for example Microsoft) acts that way...most of the bugs do not harm anyone but of course should and will be fixed eventually.

Hi Lentzit,

First let me apologise to the other posters for going a bit off topic here, but personally I have no problem with customers being the ones to point out issues. That's how it usually works, like you said. It's impossible to test all variables in a piece of software. In my job I'm also always on the receiving end of being made aware of issues (I'm a network implementation manager), so I understand. But what I would have problems with is if those issues are being ignored. It's just not good business to not respond, aside from being flat out rude. And from the looks of it a fair amount of posts go unanswered in this forum. That's not exactly a comforting idea if you know what I mean. After all, the forum is labeled "QNAP community forum" and this section is called "Support"... so the least customers should be able to expect is for QNAP to actively participate, right? Otherwise what's the point of this forum? Customers have problems, QNAP technical support has the solutions (or is able to create them). This is not open source where users need to depend on other users :wink:

And.. adding a piece of release candidate software to a final product.. is that really a smart thing to do?? (it's a rhetorical question :wink: )

Anyway, even if I have nothing to gain from it since I will not be using it, I do hope the necessary upgrade will be available soon for those that ARE using the integrated FTP server.

Cheers
John

lentzit
Been there, done that
Posts: 516
Joined: Thu Dec 27, 2007 7:32 pm
Location: Sweden

Re: Upgrade the dang server, please!

Post by lentzit » Sun Aug 23, 2009 9:40 pm

Hi John, I totally agree with you on that part.
-TVS-663/16GB QTS 4.2 , RAID5
-QGenie QG-103N - Wireless Storage in Classroom Environment
-Services: WEB | Virtual Station | QSYNC | FTP | SSL | Private Cloud | Photo Station
-Using it for my blog (http://blog.lentzit.com)
