April 10, 2025

This is the Unraid CA support page for both GitHub projects, SFTP and SFTP2, per my GitHub forks of the project...

*SFTP is discontinued and no longer managed due to an OpenSSH CVE. It will still function, but use it at your own risk. The Unraid CA has been set up to use sftp2 moving forward...

SFTP (OpenSSH and Fail2ban) Server

Overview: Easy-to-use SFTP (SSH File Transfer Protocol) server with OpenSSH and Fail2ban installed for extra hardening against brute-force attacks.

Reason: I use the Docker instance and it hadn't been updated in some time. So I decided I still want this, but I needed an updated fork of MarkusMcNugen/docker-sftp, originally forked from atmoz/sftp... Due to the age of the application, it was time for a refresh....

Original forum maintainer: MarkusMcNugen/docker-sftp

Last known data for the GitHub project SFTP:
########################################
Base: phusion/baseimage:master-amd64
Estimated Size: 311MB
Docker Hub: https://hub.docker.com/r/bmmbmm01/sftp
Github: https://github.com/bmartino1/docker-sftp
Application Version: Latest when docker was built on 04/12/25

Docker base image versions:
openssh: openssh 1:9.6p1-3ubuntu13.9
https://launchpad.net/ubuntu/noble/+package/openssh-server
fail2ban: fail2ban 1.0.2-3ubuntu0.1
https://launchpad.net/ubuntu/noble/+package/fail2ban

Current Docker build versions:
Current image version as seen in the docker log:

    [INFO] versions of current running:
    Fail2Ban: 1.0.2
    OpenSSH client: 9.9p1
    OpenSSH server: 1:9.9p1-3ubuntu3

Note: Please read the GitHub descriptions. While this container is easy to use, it does require some small configuration edits outside the Unraid template.

*Due to OpenSSH upgrades, the auto update script will not work due to the new OS and glibc update for the docker....
Still waiting on the phusion base image to update, thus a final revamp after getting everything ironed out and a move off the phusion base image...
#########################################
https://github.com/bmartino1/sftp2

Base docker image: Debian 13-slim image

Log during docker build:

    sftp-fail2ban | [info] Fail2Ban: 1.1.0
    sftp-fail2ban | [info] OpenSSH client: 10.0p2
    sftp-fail2ban | [info] OpenSSH server: 1:10.0p1-7
    sftp-fail2ban | [info] rsyslog: 8.2504.0-1
    sftp-fail2ban | [info] whois: 5.6.3
    sftp-fail2ban | [info] glibc: 2.41
    sftp-fail2ban | [info] Built at: 2025-10-16T17:44:57Z

Project SFTP2 at docker run test:

    sftp-fail2ban | [info] Application versions at container start:
    sftp-fail2ban | [info] Fail2Ban: 1.1.0
    sftp-fail2ban | [info] OpenSSH client: 10.0p2
    sftp-fail2ban | [info] OpenSSH server: 1:10.0p1-7
    sftp-fail2ban | [info] whois: 5.6.3
    sftp-fail2ban | [info] glibc: 2.41

*As seen per the notes on the GitHub...

The Unraid CA templates are set up and shipped to be an easy install and done...

The default user is admin
The default password is password

user.conf is written into the Docker container once; if a user already exists, edits will not be maintained... Users added at run time, such as admin, exist in the Docker image. To edit user.conf and change existing users, you will need to delete the Docker image and re-pull it to set up the accounts again per user.conf in the appdata folder, or add the optional Docker variable to supply them at runtime... (The Unraid CA template is shipped as an "it just works" setup... see the GitHub page for additional Docker variables!)

*It is best practice to make and edit the user.conf file and add users there. To change and add accounts, please edit users.conf found in the container's /conf

For each user, FTP defaults to the home directory, so add an Unraid path to the container path /home/%username/Folder

Fail2ban, SSH keys, and other needed Docker data will be made in the /config appdata folder marked in the template.

Edited November 30, 2025 by bmartino1 (Data)
April 10, 2025 (Author)

SFTP with Fail2ban is now published and ready to go

Optional (Custom Script): Keep apps updated at docker start... In the appdata folder where the config is set there is a check for this script:

    cd /config
    wget https://raw.githubusercontent.com/bmartino1/sftp2/refs/heads/main/update-inplace.sh

The script will install the latest OpenSSH and Fail2ban when updates arise... As this is Ubuntu, you could also use this to side load. Entirely optional... ATM, I will check every month or so and push a build if updates are needed...

This is for stable release and info only... Otherwise, you can add this script to the /config folder and run the latest OpenSSH server and Fail2ban....

Preferred to use the Unraid CA... Otherwise, run the container from the Docker registry:

    docker run \
        --cap-add=NET_ADMIN --cap-add=NET_RAW -v /host/config/path:/config \
        -p 22:22 -d bmmbmm01/sftp:latest \
        user:pass:::upload

User "user" with password "pass" can log in with sftp and upload files to a folder called "upload". No mounted directories or custom UID/GID. Later you can inspect the files and use --volumes-from to mount them somewhere else.

Volumes, Paths, and Ports

Paths/Files

There is a /stage folder that has the original configs. The entry point script will remake /config; a volume is not needed to run this docker. The entry point script has had some updates, and the Docker log will be able to explain and show issues. Fail2ban and sshd have been updated, and scripts/configs updated. If you want to make edits to the sshd, fail2ban, and jails configurations, as long as they exist in /config they will be deployed and used. A major edit was done to use the Ubuntu package maintainers' files, and our edits now run from the .local file, the way Fail2ban prefers...

The entry point script will make any missing files and set correct permissions for any added configs and user keys...
SSH    Fail2Ban
*These files are automatically created if they are not present when the container is started

Ports

(I prefer to run in custom br0 (br0, bond0, eth0 depending on your Unraid settings...))

The OpenSSH server runs by default on port 22. The default Unraid template uses the Unraid default docker network... You can forward the container's port 22 to any host port if using the docker bridge network and docker NAT system. Otherwise you will need to edit the port in sshd_config and jails.local located in the /config folder...

Customizing

Sharing a directory from your computer

Mount the host path to a folder inside the user's home directory. The example shows mounting the host upload directory to the upload directory in the user's home folder. Alternatively, see "Bindmount dirs from another location" below for an example of mapping to a different directory and using scripts to mount dirs inside users' home folders.

    docker run \
        --cap-add=NET_ADMIN --cap-add=NET_RAW -v /host/config/path:/config \
        -v /host/upload:/home/user/upload \
        -p 22:22 -d bmmbmm01/sftp:latest \
        user:pass:1001

Add SSH users

In the Unraid templates you can use the "post options" to run commands such as:
to set users and passwords... I personally prefer a file to edit, especially if you have more than 1 user.

Add users to /config/sshd/users.conf with the following pattern:

    user:pass:UID:GID

Example:

    user:pass:1001:100
    user2:abc:1002:100
    user3:xyz:1003:100

Note: If no password is provided for the user, they can only log in using an SSH key.

Example:

    user:pass:1001:100
    user2:abc:1002:100
    user3::1003:100

Encrypted password

(Untested but should still work.) I don't plan to test... The log will show user passwords in plaintext...

Add :e behind the password to mark it as encrypted.
Use single quotes if using a terminal instead of the users config file.

    foo:$1$0G2g0GSt$ewU0t6GXG15.0hWoOX8X9.:e:1001

Tip: you can use atmoz/makepasswd to generate encrypted passwords:

    echo -n "your-password" | docker run -i --rm atmoz/makepasswd --crypt-md5 --clearfrom=-

Logging in with SSH keys

Place public keys with the user's name in the /config/userkeys directory. The keys must be matched with a user's name and a .pub extension. These are copied to .ssh/authorized_keys for the user during container start.

Example: user.pub

Providing your own SSH host key (recommended but not needed)

This container will generate new SSH host keys at first run in /config/sshd/keys. You can place your own sshd keys in this folder and they will be copied to /etc/ssh/ when the container runs.

Tip: you can generate your keys with these commands:

    ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null
    ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null

Execute custom scripts or applications

Put your programs in /config/sshd/scripts and they will automatically run when the container starts. See the next subsection for an example.

Mainly for bindmounts... I find it easier to add a docker variable and just mount the user folders.

    chris:password:1001:100

*The container path must be in the home directory.

User chris will only have access to profile when they connect to sftp... When chris connects to the sftp IP they will see a profile folder to interact with. You can define more folders under /home/chris/<folder name>, volume mapped to other paths on Unraid.

Bindmount dirs from another location...
If you are using --volumes-from or just want to make a custom directory available in a user's home directory, you can add a script to /config/sshd/scripts/ that bindmounts after the container starts.

    #!/bin/bash
    # File mounted as: /config/sshd/scripts/bindmount.sh
    # Just an example (make your own)

    # bindmount SOURCE TARGET [MOUNT_OPTION]
    function bindmount() {
        # Create the target only when the source directory exists
        if [ -d "$1" ]; then
            mkdir -p "$2"
        fi
        # $3 is left unquoted on purpose so that an omitted option expands to nothing
        mount --bind $3 "$1" "$2"
    }

    # Remember permissions, you may have to fix them:
    # chown -R :users /data/common

    bindmount /data/admin-tools /home/admin/tools
    bindmount /data/common /home/dave/common
    bindmount /data/common /home/peter/common
    bindmount /data/docs /home/peter/docs --read-only

NOTE: Using mount requires that your container runs with the CAP_SYS_ADMIN capability turned on. See this answer for more information.

Other Notes:

Original maintainer note: The time when this image was last built can delay the availability of an OpenSSH release. Since this is an automated build linked with phusion/baseimage, the build will depend on how often they push changes (out of my control). You can of course make this more predictable by cloning this repo and running your own build manually.

--This should be fixed using the updateapp.sh script... Optional...

Using Docker Compose:

    sftp:
        image: bmmbmm01/sftp:latest
        cap_add:
            - NET_ADMIN
            - NET_RAW
        volumes:
            - /host/upload:/home/user/upload
        ports:
            - "22:22"
        # Both user specs go on one command line; a mapping may hold only one "command" key
        command: user:pass:::upload user2:pass:::upload

Edited December 1, 2025 by bmartino1 (Data edit for sftp2)
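
Added example (not part of the original post and not sftp2 project code): a small audit of a users.conf in the user:pass[:e]:UID:GID layout described above, flagging plaintext passwords, the template's default admin/password pair, and md5-crypt ($1$) hashes. The function names are hypothetical, skipping '#' comment lines is an assumption, and the sample entries are the thread's own examples.

```shell
#!/bin/sh
# Added example, not project code: audit users.conf entries laid out as
# user:pass[:e]:UID:GID (the layout described in the post above).
# Function names are hypothetical; skipping '#' lines is an assumption.

finding() { printf '%s: %s\n' "$1" "$2"; }

# audit_entry LINE: print one finding per problem, nothing for a clean entry.
audit_entry() {
    case $1 in ''|'#'*) return 0 ;; esac
    # crypt(3) hashes use '$', '.', '/' but never ':', so ':' is a safe split.
    IFS=: read -r ae_user ae_pass ae_f3 ae_f4 ae_rest <<EOF
$1
EOF
    if [ "$ae_f3" = "e" ]; then ae_enc=1; ae_uid=$ae_f4
    else ae_enc=0; ae_uid=$ae_f3; fi

    if [ -z "$ae_pass" ]; then
        :   # empty password: the account is SSH-key-only, nothing to flag
    elif [ "$ae_enc" -eq 0 ]; then
        finding "$ae_user" "plaintext password stored in users.conf"
        if [ "$ae_user" = "admin" ] && [ "$ae_pass" = "password" ]; then
            finding "$ae_user" "template default credentials still in use"
        fi
    else
        case $ae_pass in
            '$1$'*) finding "$ae_user" 'md5-crypt ($1$) hash, weak against offline cracking' ;;
        esac
    fi
    case $ae_uid in
        *[!0-9]*) finding "$ae_user" "UID field is not numeric" ;;
    esac
    return 0
}

# audit_users_conf: read users.conf on stdin, print findings, return 1 if any.
audit_users_conf() {
    auc_out=$(while IFS= read -r auc_line || [ -n "$auc_line" ]; do
        audit_entry "$auc_line"
    done)
    [ -z "$auc_out" ] && return 0
    printf '%s\n' "$auc_out"
    return 1
}

# Sample entries taken from the thread's own examples (not real accounts).
sample_users_conf() {
    cat <<'EOF'
admin:password:1000:100
user2:abc:1002:100
user3::1003:100
foo:$1$0G2g0GSt$ewU0t6GXG15.0hWoOX8X9.:e:1001
EOF
}

sample_users_conf | audit_users_conf || true
```

To check a live container's file, run `audit_users_conf < /config/sshd/users.conf` from the host path mapped to /config.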
April 12, 2025 (Author)

With some CVEs on OpenSSH 9.6, I decided it was time for a build update...

I have also added a docker variable for the update script. The Unraid CA template has been updated as well.

This will give users the ability to use /config and their own custom script as mentioned above (can be used to sideload or interact before docker services start....), or set the docker variable to a Boolean value of T/F to run/not run the default script above, which when run will check and install the latest OpenSSH (client and server) and Fail2ban before docker services are active...

Latest build check logs:

    [info] Application versions at build step :
    Fail2Ban: 1.0.2
    OpenSSH client: 9.9p1
    OpenSSH server: 1:9.9p1-3ubuntu3
    [info] AUTO_UPDATE=true — Running default update script from /stage...
    [INFO] Checking for updates for openssh-server...
    [INFO] Current version of openssh-server: 1:9.9p1-3ubuntu3
    [INFO] Fetching latest version information for openssh-server...
    [INFO] Latest version of openssh-server available: 9.9p1-3ubuntu3
    [INFO] openssh-server is up-to-date (version: 1:9.9p1-3ubuntu3).
    [INFO] Checking for updates for openssh-client...
    [INFO] Current version of openssh-client: 1:9.9p1-3ubuntu3
    [INFO] Fetching latest version information for openssh-client...
    [INFO] Latest version of openssh-client available: 9.9p1-3ubuntu3
    [INFO] openssh-client is up-to-date (version: 1:9.9p1-3ubuntu3).
    [INFO] Checking for updates for openssh-sftp-server...
    [INFO] Current version of openssh-sftp-server: 1:9.9p1-3ubuntu3
    [INFO] Fetching latest version information for openssh-sftp-server...
    [INFO] Latest version of openssh-sftp-server available: 9.9p1-3ubuntu3
    [INFO] openssh-sftp-server is up-to-date (version: 1:9.9p1-3ubuntu3).
    [INFO] Checking for updates for fail2ban...
    [INFO] Current version of fail2ban: 1.0.2-3ubuntu0.1
    [INFO] Fetching latest version information for fail2ban...
    [INFO] Latest version of fail2ban available:
    [INFO] fail2ban is up-to-date (version: 1.0.2-3ubuntu0.1).
    [INFO] versions of current running:
    Fail2Ban: 1.0.2
    OpenSSH client: 9.9p1
    OpenSSH server: 1:9.9p1-3ubuntu3

Template updates have been made and finalized for the CA community!

Edited April 12, 2025 by bmartino1 (Data - Template Updates)
April 12, 2025 (Author)

CVE watch: https://ubuntu.com/security/cves?package=openssh

Current image version for project sftp:

    [INFO] versions of current running:
    Fail2Ban: 1.0.2
    OpenSSH client: 9.9p1
    OpenSSH server: 1:9.9p1-3ubuntu3

Edited November 30, 2025 by bmartino1 (Data)
September 9, 2025 (Author)

Introducing Project SFTP2

Well, looks like it's time for a bit of a rebuild as OpenSSH moves to version 10...

The update script scraped the pool and pulled OpenSSH 10.0p1, which requires glibc (libc6) ≥ 2.42

I may also look at adding the whois login and application to a new Debian slim, as I don't like having to wait on another developer for their base image to update and incorporate core system packages...

So currently the docker sftp-fail2ban still works, and works well, if you don't use the update script or a custom one as mentioned earlier for added features that will auto update OpenSSH and Fail2ban...

So I decided to look at other options and rebuild a debian-slim version that does the same...

Will be looking to leave the phusion docker image that was used to make this, forked from MarkusMcNugen/docker-sftp, due to waiting on the base docker to update glibc...

So I'm reusing this forum space for both sftp-fail2ban and sftp2 (once it hits the CA), as at this point I'm just using the forum as a wall for notes and head banging as I learn how to develop a docker from another project. Now, with the experience and data I have, I will rebuild with a different aspect in mind.

https://github.com/bmartino1/sftp2

One could use the sftp-fail2ban and just add the #2 to the image.

This would require a minor change, as some overhaul was done to how I implement and use jails and fail2ban.

The old stuff works, but it's recommended to start over to guarantee config and settings...

I may make an update to the entry point script per my notes on the GitHub. Once the phusion base image has an Ubuntu base image for Ubuntu 20 LTS with the updated glibc, an update may be made to maintain the sftp-fail2ban docker.

https://github.com/phusion/baseimage-docker

But I would warn that work and fixes will be made more in the sftp2 image. This is why I added the custom option and others for end users to begin with...

Edited November 30, 2025 by bmartino1 (data and info - spelling)
November 29, 2025 (Author)

1 hour ago, isvein said:
Will this be updated to use the new repo?
https://github.com/bmartino1/sftp2

It already has, but I don't have good documentation to move into it... This should be in the template; you may need to delete the old template if you previously installed the initial transfer update.

sftp2 should be on Debian slim now, where I'm not bound by the phusion Ubuntu maintainers...

sftp2 came about due to issues with custom or auto update of OpenSSH upon docker restart, when the OpenSSH team added OpenSSH packages for next-gen OS due to edits to underlying libs, which thus broke sftp...

So I would recommend (as I tried to make this as compatible as possible for transitioning users...):
you can edit the repository and use:

The CA template has been updated already, so you may need to remove the old one on Unraid (which will clear settings...).

On the Docker web UI tab, add container. Select the sftp docker template and hit the x at the top to remove...

The updated CA template has some new options, but the entry script is written to use defaults if not supplied... as I've added new and more docker variables to easily deploy this.

Additional docker variables, as I shipped a working default for transitioning users:
per my GitHub:
https://github.com/bmartino1/sftp2

So yes, this is and has been updated already.
November 29, 2025 (Author)

Due to the sftp2 rework and how to handle custom edits and other edits for fail2ban, I would recommend starting over by deleting the appdata config. Specifically the fail2ban folder... (your keys, user.conf and others are fine and should be used in the transition)

Debug is more for the move between sftp and sftp2. I kept sftp1 but won't update it due to phusion and the nature of the OpenSSH CVE that requires the latest glibc to be secure. Thus the move to sftp2. Which is working.

??? So is there an issue you're having?

Edited November 30, 2025 by bmartino1 (spelling)
November 29, 2025

Aha :) I see now I'm on the right one.
I got tricked by the "Project Page" button that takes me to the old repo

edit:
Well, here is something I noticed:
I have followed how to make a user like "admin:password:1000:100" but the logs still complain that "useradd warning: admin's uid 100 outside of the UID_MIN 1000 and UID_MAX 60000 range"
Looks to me like it thinks the group ID is the user id

Edited November 30, 2025 by isvein
November 30, 2025 (Author)

2 hours ago, isvein said:
    Aha :) I see now I'm on the right one.
    I got tricked by the "Project Page" button that takes me to the old repo
    edit:
    Well, here is something I noticed:
    I have followed how to make a user like "admin:password:1000:100" but the logs still complain that "useradd warning: admin's uid 100 outside of the UID_MIN 1000 and UID_MAX 60000 range"
    Looks to me like it thinks the group ID is the user id

I have not found a good way to fix that in the docker. It is a known error that can be ignored. This is essentially saying that Debian, at user creation, has made a uid# and guid#, and to make the group ID, that the ID exists... So it complains about the user group add portion... That number gets passed by the user config string that makes the user. And the number needs to be higher than 1000 for the start of new user and group creations....

The reason that number exists is more for the permissions of a puid and guid of the docker for reading and writing paths on the Unraid host.... The template ships with uid 0 and guid 0 (root) for escalated permissions. Essentially, the admin user 1000 with group "users" 100 is what the container passes permission-wise to the Unraid host for the folder mounted at container /home/admin/sftp, and is what is passed to Unraid for permission...

Which is why we want 1000:100 for the user conf for user ID and group ID in the string...

I tried to find a fix for this while using the code to help transition users from sftp and the older "MarkusMcNugen/docker-sftp" image.... to reuse this in Debian and configure other system controls to fix that.
It has more to do with the fact that we're using the number 100, which is a default group, and because of the nature of the add command we're using the existing guid.

I stayed with Debian as that is what I know, and Ubuntu is built off of it, so it wasn't too hard to revamp code to get a working image. Once I understood all facets of the old code, new code and existing code, I was able to add my own variables and what I wanted from the docker...

The only reason I didn't go Alpine was issues with the WHOIS binary... as a lot of the OpenSSH CVEs are in the structure of the SSHD config. I use the fail2ban docker log folder and whois log to ban at the hardware firewall, and have an allowlist area for fail2ban from known locations / a friend's house. I use this docker in an rsync with zfs send for a ring network...

At this time I have no plans to edit or fix code and update the image, as things are working on my end with the data as it should. Please let me know of any issues and I will give you a workaround and/or update the Unraid template / GitHub code...

Edited November 30, 2025 by bmartino1 (data and info - spelling)
November 30, 2025 (Author)

Debian wants 1000:1000 for the line.
But I want the user group marked there, that's why 100.

This is only at new user creation per the user.conf file. Deletion or console commands like usermod -aG %username% %group name% are needed to change user groups after creation....

https://linux.die.net/man/8/usermod

Edited November 30, 2025 by bmartino1