[Support] - SFTP-Fail2Ban


This is the Unraid CA support page for both GitHub projects, SFTP and SFTP2, per my GitHub forks of the project...
*SFTP is discontinued and no longer managed due to an OpenSSH CVE. While it will still function, use at your own risk. The Unraid CA has been set up to use sftp2 moving forward...


SFTP (openssh and fail2ban) Server

 

Overview: Easy to use SFTP (SSH File Transfer Protocol) server with OpenSSH and Fail2ban installed for extra hardening against brute force attacks.

Reason: I use the Docker instance and it hadn't been updated in some time. So I decided I still want this, but I needed an updated fork of MarkusMcNugen/docker-sftp, originally forked from atmoz/sftp... Due to the age of the application, it was time for a refresh....

Original Forum Maintainer: MarkusMcNugen/docker-sftp



Last known data for the github project SFTP:

########################################

Base: phusion/baseimage:master-amd64

Estimated Size: 311MB

Docker Hub: https://hub.docker.com/r/bmmbmm01/sftp

Github: https://github.com/bmartino1/docker-sftp


Application Version: Latest when docker was built on 04/12/25

 

Docker Base image versions:

openssh: openssh 1:9.6p1-3ubuntu13.9
https://launchpad.net/ubuntu/noble/+package/openssh-server

fail2ban: fail2ban 1.0.2-3ubuntu0.1
https://launchpad.net/ubuntu/noble/+package/fail2ban

 

Current Docker build versions:

Current Image version as seen in docker log

[INFO] versions of current running:

Fail2Ban: 1.0.2

OpenSSH client: 9.9p1

OpenSSH server: 1:9.9p1-3ubuntu3

 

Note: Please read the Github descriptions. While this container is easy to use, it does require some small configuration edits outside the Unraid Template.

 
*Due to OpenSSH upgrades, the auto update script will not work due to the new OS and glibc update for the docker.... Still waiting on the phusion base image to update, thus a final revamp after getting everything ironed out and a move off the phusion base image...


#########################################
https://github.com/bmartino1/sftp2

Base docker image:

Debian 13-slim image


log During docker build:

sftp-fail2ban | [info] Fail2Ban: 1.1.0

sftp-fail2ban | [info] OpenSSH client: 10.0p2

sftp-fail2ban | [info] OpenSSH server: 1:10.0p1-7

sftp-fail2ban | [info] rsyslog: 8.2504.0-1

sftp-fail2ban | [info] whois: 5.6.3

sftp-fail2ban | [info] glibc: 2.41

sftp-fail2ban | [info] Built at: 2025-10-16T17:44:57Z

Project SFTP2 at Docker Run test:

sftp-fail2ban | [info] Application versions at container start:

sftp-fail2ban | [info] Fail2Ban: 1.1.0

sftp-fail2ban | [info] OpenSSH client: 10.0p2

sftp-fail2ban | [info] OpenSSH server: 1:10.0p1-7

sftp-fail2ban | [info] whois: 5.6.3

sftp-fail2ban | [info] glibc: 2.41


*As seen per the notes on the github...

The Unraid CA Templates setup and shipped to be an easy install and done...

The Default user is admin

The Default password is password


userconf is written in the docker once; if a user already exists, the edit will not be maintained... Users added at run time when set, such as admin, exist in the docker image. To edit the user.conf and edit existing users you will need to delete the docker image to reload and repull the image to re-set up accounts per user.conf in the appdata folder, or add the optional docker variable to supply at runtime...

(the CA Unraid template is shipped as an "it just works"... see the GitHub page for additional docker variables!)

*It is best practice to make and edit the user.conf file and add users there. To change and add accounts, please edit users.conf found in the container's /conf
 Each user by FTP defaults to the home directory, so add an Unraid path to a container path of /home/%username/Folder

Fail2ban, SSH keys, and other needed docker data will be made in the /config appdata-marked template folder.


Edited by bmartino1
Data

  • Author

SFTP with Fail2ban is now published and ready to go

 

Optional (Custom Script) Keep apps updated at docker start...

in the appdata folder where the config is set there is a check for this script

cd /config
wget https://raw.githubusercontent.com/bmartino1/sftp2/refs/heads/main/update-inplace.sh


the script will install the latest openssh and fail2ban when updates arise... as this is Ubuntu you could use this to also side load. 

 

Entirely Optional... ATM, I Will check every month or so and push a build if updates are needed...

This is for stable release and info only...

 

Otherwise, you can add this script to the /config folder and run the latest openssh server and fail2ban....

Preferred to use the Unraid CA...

 

Otherwise, Run container from Docker registry

 

docker run \
    --cap-add=NET_ADMIN --cap-add=NET_RAW \
    -v /host/config/path:/config \
    -p 22:22 -d bmmbmm01/sftp:latest \
    user:pass:::upload

 

User "user" with password "pass" can login with sftp and upload files to a folder called "upload". No mounted directories or custom UID/GID. Later you can inspect the files and use --volumes-from to mount them somewhere else.

 

Volumes, Paths, and Ports

image.png.cd0c80d0cae14fc689f84335facd065b.png 

 

Paths/Files

There is a /stage folder that has the original configs. The entry point script will remake the /config; a volume is not needed to run this docker. The entry point script has had some updates and the Docker log will be able to explain and show issues. Fail2ban and sshd have been updated and scripts/configs updated. If you want to make edits to sshd, fail2ban, and jails configurations, as long as they exist in /config they will be deployed and used. A major edit was done to use the Ubuntu package maintainers' files, and our edits to run are now using the .local file, the fail2ban preferred way...

The entry point script will make any missing files and set correct permissions for any added configs and user keys...

 

SSH

image.png.1cfd002782bd2c4f08dc539a1e9d39d5.png 

 

Fail2Ban

image.png.1be6c2b2c33670edb6b361808274b888.png 

*These files are automatically created if they are not present when the container is started

 

Ports (I prefer to run in custom br0 (br0, bond0, eth0 depending on your Unraid settings...))

 

The OpenSSH server runs by default on port 22. The default Unraid template uses the Unraid default docker network... You can forward the container's port 22 to any host port if using the docker bridge network and docker NAT system.

 

Otherwise you will need to edit the port in sshd_config and jails.local located in the /config folder...

image.png.ff5f4b8a75286c13426b4b89eaa4b11a.png 

 

Customizing

 

Sharing a directory from your computer

Mount the host path to a folder inside the user's home directory. The example shows mounting the host upload directory to the upload directory in the user's home folder. Alternatively, see the bindmount dirs from another location below for an example of mapping to a different directory and using scripts to mount dirs inside users' home folders.

docker run \
    --cap-add=NET_ADMIN --cap-add=NET_RAW \
    -v /host/config/path:/config \
    -v /host/upload:/home/user/upload \
    -p 22:22 -d bmmbmm01/sftp:latest \
    user:pass:1001

 

Add SSH users

 

In the Unraid templates you can use the "post options" to run commands such as:

image.png.9d0dd39155561a51b7b3daa8bfcef16e.png

to set users and passwords... I personally prefer a file to edit, especially if you have more than 1 user.

 

Add users to /config/sshd/users.conf with the following pattern:

user:pass:UID:GID


Example:

user:pass:1001:100
user2:abc:1002:100
user3:xyz:1003:100

Note: If no password is provided for the user, they can only login using an SSH key

Example:

user:pass:1001:100
user2:abc:1002:100
user3::1003:100

 

Encrypted password (untested but should still work). I don't plan to test... the log will show user passwords in plaintext...

 

Add :e behind password to mark it as encrypted. Use single quotes if using a terminal instead of users config file.

foo:$1$0G2g0GSt$ewU0t6GXG15.0hWoOX8X9.:e:1001

Tip: you can use atmoz/makepasswd to generate encrypted passwords:

echo -n "your-password" | docker run -i --rm atmoz/makepasswd --crypt-md5 --clearfrom=-

 

Logging in with SSH keys

Place public keys with the user's name in the /config/userkeys directory. The keys must be matched with a user's name and a .pub extension. These are copied to .ssh/authorized_keys for the user during container start.

 

Example:

user.pub

 

Providing your own SSH host key (recommended but not needed)

This container will generate new SSH host keys at first run in /config/sshd/keys. You can place your own sshd keys in this folder and they will be copied to /etc/ssh/ when the container runs.

 

Tip: you can generate your keys with these commands:

ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null

 

Execute custom scripts or applications

Put your programs in 

/config/sshd/scripts

and it will automatically run when the container starts. See next subsection for an example. Mainly for bindmounts...

 

I find it easier to add a docker variable and just mount the user folders.

chris:password:1001:100

image.png.21fbb45ac75696bb1c9c3efcdb1f5bc8.png

*the container path must be in the home directory


User chris will only have access to profile when they connect to sftp... when chris connects to the sftp IP they will see a profile folder to interact with.
You can define more folders under /home/chris/folder name, volume mapped to other paths on Unraid.

 

Bindmount dirs from another location...

 

If you are using --volumes-from or just want to make a custom directory available in user's home directory, you can add a script to /config/sshd/scripts/ that bindmounts after container starts.

#!/bin/bash
# File mounted as: /config/sshd/scripts/bindmount.sh
# Just an example (make your own)

function bindmount() {
    if [ -d "$1" ]; then
        mkdir -p "$2"
    fi
    mount --bind $3 "$1" "$2"
}

# Remember permissions, you may have to fix them:
# chown -R :users /data/common

bindmount /data/admin-tools /home/admin/tools
bindmount /data/common /home/dave/common
bindmount /data/common /home/peter/common
bindmount /data/docs /home/peter/docs --read-only

 

NOTE: Using mount requires that your container runs with the CAP_SYS_ADMIN capability turned on. See this answer for more information.


Other Notes:

Original maintainer Note: At the time when this image was last built can delay the availability of an OpenSSH release. Since this is an automated build linked with phusion/baseimage, the build will depend on how often they push changes (out of my control). You can of course make this more predictable by cloning this repo and run your own build manually.

 

--This should be fixed using the updateapp.sh script... Optional...

 

 

Using Docker Compose:

sftp:
    image: bmmbmm01/sftp:latest
    cap_add:
        - NET_ADMIN
        - NET_RAW
    volumes:
        - /host/upload:/home/user/upload
    ports:
        - "22:22"
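    # Duplicate "command:" keys are invalid YAML (only one would apply); pass every user as an argument of one command
    command: user:pass:::upload user2:pass:::upload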

 

Edited by bmartino1
Data edit for sftp2

  • bmartino1 changed the title to [Support] - SFTP-Fail2Ban
  • Author

With some CVE on openssh 9.6 I decided it was time for a build update...


I have also added a docker variable for the update script.

image.png.5824c673914a4a6ad97511e2cf5299a8.png

 

Unraid CA Template has been updated as well

image.png.424167517c3315c90cc63a5901c7110a.png

 

This will give users the ability to use the /config and their own custom script as mentioned above (can be used to sideload or interact before docker services start)....

 

or set the docker variable to a Boolean value of T/F to run/not run the default script above, which when run will check and install the latest openssh (client and server) and fail2ban before docker services are active...

 

Latest build check logs:

[info] Application versions at build step :
Fail2Ban: 1.0.2
OpenSSH client: 9.9p1
OpenSSH server: 1:9.9p1-3ubuntu3
[info] AUTO_UPDATE=true — Running default update script from /stage...
[INFO] Checking for updates for openssh-server...
[INFO] Current version of openssh-server: 1:9.9p1-3ubuntu3
[INFO] Fetching latest version information for openssh-server...
[INFO] Latest version of openssh-server available: 9.9p1-3ubuntu3
[INFO] openssh-server is up-to-date (version: 1:9.9p1-3ubuntu3).
[INFO] Checking for updates for openssh-client...
[INFO] Current version of openssh-client: 1:9.9p1-3ubuntu3
[INFO] Fetching latest version information for openssh-client...
[INFO] Latest version of openssh-client available: 9.9p1-3ubuntu3
[INFO] openssh-client is up-to-date (version: 1:9.9p1-3ubuntu3).
[INFO] Checking for updates for openssh-sftp-server...
[INFO] Current version of openssh-sftp-server: 1:9.9p1-3ubuntu3
[INFO] Fetching latest version information for openssh-sftp-server...
[INFO] Latest version of openssh-sftp-server available: 9.9p1-3ubuntu3
[INFO] openssh-sftp-server is up-to-date (version: 1:9.9p1-3ubuntu3).
[INFO] Checking for updates for fail2ban...
[INFO] Current version of fail2ban: 1.0.2-3ubuntu0.1
[INFO] Fetching latest version information for fail2ban...
[INFO] Latest version of fail2ban available: 
[INFO] fail2ban is up-to-date (version: 1.0.2-3ubuntu0.1).
[INFO] versions of current running:
Fail2Ban: 1.0.2
OpenSSH client: 9.9p1
OpenSSH server: 1:9.9p1-3ubuntu3

 

Template updates have been made and finalized for the CA community!

Edited by bmartino1
Data - Template Updates

  • Author

CVE watch:
https://ubuntu.com/security/cves?package=openssh

 

Current Image version for project sftp

[INFO] versions of current running:

Fail2Ban: 1.0.2

OpenSSH client: 9.9p1

OpenSSH server: 1:9.9p1-3ubuntu3

Edited by bmartino1
Data

  • 4 months later...
  • Author

Introducing Project SFTP2

Well, looks like it's time for a bit of a rebuild as OpenSSH moves to version 10...

The update script scraped the pool and pulled OpenSSH 10.0p1, which requires glibc (libc6) ≥ 2.42

I may also look at adding the whois login and application to a new Debian slim, as I don't like having to wait on another developer for their base image to update and incorporate core system packages...

So currently the docker sftp-fail2ban still works and works well if you don't use the update script or a custom one as mentioned earlier for added features that will auto update the openssh and fail2ban...

So I decided to look at other options and rebuild a debian-slim version that does the same...
Will be looking to leave the phusion docker image that was used to make this, forked from MarkusMcNugen/docker-sftp,
due to waiting on the base docker to update the glibc...

So reusing this forum space for both sftp-fail2ban and sftp2 (once it hits the CA), as at this point I'm just using the forum as a wall for notes and head banging as I learn how to develop a docker from another project. Now with the experience and data I have I will rebuild with a different aspect in mind.

https://github.com/bmartino1/sftp2

One could use the sftp-fail2ban and just add the #2 to the image.

image.png

image.png
This would require a minor change as some overhaul was done to how I implement and use jails and fail2ban.
The old stuff works, but its recommended to start over to guarantee config and settings...

I may make an update to the entry point script per my notes in the GitHub. Once the phusion base image has an Ubuntu base image for Ubuntu 20 LTS with the updated glibc, an update may be made to maintain the sftp-fail2ban docker. https://github.com/phusion/baseimage-docker

but would warn that work and fixes will be made more in the sftp2 image. This is why I added the custom option and other for end users to begin with...

Edited by bmartino1
data and info - spelling

  • 2 months later...
  • Author
1 hour ago, isvein said:

Will this be updated to use the new repo?
https://github.com/bmartino1/sftp2


It already has, but I don't have good documentation to move into it...

This should be in the template; you may need to delete the old template if you previously installed the initial transfer update.

sftp2 should be on Debian slim now, where I'm not bound by the phusion Ubuntu maintainers...

sftp2 came about due to issues with custom or auto update of openssh upon docker restart, when the OpenSSH team added openssh packages for next-gen OS due to edits to underlying libs, which thus broke sftp...

So I would recommend (as I tried to make this as compatible as possible for transitioning users...):
you can edit the repository and use:
image.png

The CA template has been updated already, so you may need to remove the old one on Unraid (which will clear settings...)
On the Docker web UI tab, add container. Select the sftp docker template and hit the x at the top to remove...
image.png
image.png

as the updated CA template has some new options, but the entry script is written to use defaults if not supplied...
as I've added new and more docker variables to easily deploy this.
image.png

Additional docker variables, as I shipped a working default for transitioning users:
image.png

per my GitHub:
https://github.com/bmartino1/sftp2

so yes this is and has been updated already.

  • Author

due to sftp2 rework and how to handle custom edits and other edits for fail2ban

image.png

I would recommend starting over by deleting the appdata config, specifically the fail2ban folder... (your keys, user.conf and others are fine and should be used in the transition)

debug is more for the move between sftp and sftp2. I kept sftp1 but won't update it due to phusion and the nature of the openssh CVE that requires the latest glibc to be secure. Thus the move to sftp2, which is working.

??? So is there an issue you're having?

Edited by bmartino1
spelling

Aha :)
I see now I'm on the right one.
I got tricked by the "Project Page" button that takes me to the old repo

edit:
Well, here is something I noticed:
I have followed how to make a user like "admin:password:1000:100" but the logs still complain that "useradd warning: admin's uid 100 outside of the UID_MIN 1000 and UID_MAX 60000 range"

Looks to me like it thinks the group ID is the user id

Edited by isvein

  • Author
2 hours ago, isvein said:

Aha :)
I see now I'm on the right one.
I got tricked by the "Project Page" button that takes me to the old repo

edit:
Well, here is something I noticed:
I have followed how to make a user like "admin:password:1000:100" but the logs still complain that "useradd warning: admin's uid 100 outside of the UID_MIN 1000 and UID_MAX 60000 range"

Looks to me like it thinks the group ID is the user id

I have not found a good way to fix that in the docker. It is a known error that can be ignored.
This is essentially saying that Debian at user creation has made a uid# and guid# and to make the group ID that the ID exist... So it complains about the user group add portion... That number that gets passed by the user config string that makes the user. And the number needs to be higher than 1000 for the start of new user and group creations.... The reason that number exists is more for permission of a puid and guid of the docker for reading and writing paths on the unraid host.... Template ships with uid 0 and guid 0 root for escalated permissions.

Essentially the admin user 1000 with group "users" 100 is what the container passes permission-wise to the Unraid host for the folder mounted at container /home/admin/sftp and is what is passed to Unraid for permission...
Which is why we want 1000:100 for the user conf for userid and group id in the string...

I tried to find a fix for this while using the code to help transition users from sftp and the older "MarkusMcNugen/docker-sftp" image.... to reuse this in Debian and config another system controls to fix that. It has more to do with the fact that we're using the number 100, which is a default group, and because of the nature of the add command we're using the existing guid.

I stayed Debian as that is what I know, and Ubuntu is built off of it, so it wasn't too hard to revamp code to get a working image, and once I understood all facets of the old code, new code and existing code I was able to add my own variables and what I wanted from the docker...
The only reason I didn't go Alpine was issues with the WHOIS binary... as a lot of the openssh CVEs are in the structure of the SSHD config. As I use the fail2ban docker log folder and whois log to hardware firewall ban. And have an allowlist area for fail2ban from known locations / friend's house. I use this docker in an rsync with zfs send for a ring network...

At this time I have no plans to edit or fix code and update the image, as things are working on my end with the data as it should. Please let me know of any issues and I will give you a workaround and/or update the Unraid template / GitHub code...

Edited by bmartino1
data and info - spelling

  • Author

Debian wants 1000:1000 for the line.

But I want the user group marked there that why 100

This is only at new user creation per the user.conf file. Deletion of console command to usermod -aG %username% %group name% are needed to change user groups after creation....
https://linux.die.net/man/8/usermod

Edited by bmartino1
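
The users.conf line format discussed in this thread can be checked before the container starts. The following is an added example, not part of any post or of the project's code: a Python audit that flags the template default credentials, plaintext or md5crypt passwords, and UIDs of 0 or outside the 1000-60000 range named in the useradd warning. The field order is inferred from the examples on this page; `parse_line`, `audit` and all sample entries except the `foo` line are constructed for illustration.

```python
# Added example: audit users.conf entries. Field order is inferred from the
# examples on this page: user:pass[:e]:UID:GID:dir (":e" = password is a hash).
UID_MIN, UID_MAX = 1000, 60000          # range quoted in the useradd warning
DEFAULT_CREDS = ("admin", "password")   # template defaults stated in the first post

# Constructed sample; the "foo" line is the hashed-password example from the page.
SAMPLE = """\
admin:password:1000:100
user2:abc:100:100
user3::1003:100
foo:$1$0G2g0GSt$ewU0t6GXG15.0hWoOX8X9.:e:1001
ops:secret:0:0
"""


def parse_line(line):
    """Split one users.conf line into a dict; raise ValueError if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("expected at least user:pass")
    user, password, rest = parts[0], parts[1], parts[2:]
    hashed = bool(rest) and rest[0] == "e"
    if hashed:
        rest = rest[1:]
    rest = rest + [""] * (3 - len(rest))    # pad missing UID, GID, dir
    for name, value in (("UID", rest[0]), ("GID", rest[1])):
        if value and not value.isdigit():
            raise ValueError(f"{name} is not numeric: {value!r}")
    return {
        "user": user, "password": password, "hashed": hashed,
        "uid": int(rest[0]) if rest[0] else None,
        "gid": int(rest[1]) if rest[1] else None,
        "dir": rest[2] or None,
    }


def audit(text):
    """Return (line_no, severity, message) findings; passwords are never echoed."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                        # blank/comment lines skipped (assumption)
        try:
            entry = parse_line(raw)
        except ValueError as err:
            findings.append((n, "ERROR", str(err)))
            continue
        user, pw, uid = entry["user"], entry["password"], entry["uid"]
        if not pw:
            findings.append((n, "INFO", f"{user}: no password, SSH key login only"))
        elif entry["hashed"]:
            if pw.startswith("$1$"):
                findings.append((n, "WARN", f"{user}: md5crypt ($1$) is a legacy hash"))
        elif (user, pw) == DEFAULT_CREDS:
            findings.append((n, "HIGH", f"{user}: template default credentials"))
        else:
            findings.append((n, "WARN", f"{user}: plaintext password in file"))
        if uid == 0:
            findings.append((n, "HIGH", f"{user}: UID 0 is root"))
        elif uid is not None and not UID_MIN <= uid <= UID_MAX:
            findings.append((n, "WARN", f"{user}: UID {uid} outside {UID_MIN}-{UID_MAX}"))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in audit(SAMPLE):
        print(f"line {line_no}: [{severity}] {message}")
```

Point `audit()` at the text of the users.conf in the appdata folder; findings carry only the user name and line number, so the output can go to a log without leaking passwords.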
