ProFTPD Plugin for unRAID v6.8.x


SlrG


@halfelite

As @itimpi already describes, that won't work. The lines in the mountscript each have two parts. Part one creates a directory and part two sets this directory to be a direct link to another one on your array. So if you create a directory /mnt/cache/FTP/Read/Movies and tell unRAID this is a link to /mnt/user0/Movies, you can't tell unRAID that the same directory should also link to /mnt/user/Movies, like you are doing in the read/write part of your mountscript.

 

If you change your read/write part to look like this:

#Read Write to cache folder for mover to handle later
mkdir /mnt/cache/FTP/Write/Movies;mount --bind /mnt/user/Movies /mnt/cache/FTP/Write/Movies
mkdir /mnt/cache/FTP/Write/TV-Shows;mount --bind /mnt/user/TV-Shows /mnt/cache/FTP/Write/TV-Shows

the commands themselves will probably work. But it will make no sense either, because once you write something to your write directory, it should not matter whether it is on the cache or the array. Why would you prevent the users of the read directory from accessing the files on the server until they are moved from the cache to the array? I imagine you don't want the read directory user(s) to change/delete files. That's okay, but it works differently. See below.

 

Also

Quote

FTPUSER-READ /mnt/cache/FTP/Read/

FTPUSER-WRITE /mnt/cache/FTP/Write/

will probably not work. At least it will do nothing to make one directory read only and the other read/write.

 

The comment field keyword ftpuser (lowercase) makes sure the user with this comment is only used as an ftp user and is not able to log in to your server using other means like telnet or ssh. If an additional path is given, the user will only have access to this given path and directories mounted into it. But it will always be read/write access. If you want to limit it further, you will have to do so in the proftpd.conf file.

 

What I think you want to do:

 

Create a new user "readuser" and put "ftpuser /mnt/cache/FTP/" in the comment. Then in the proftpd.conf file you will have to make sure this user/directory gets only read access.

 

Create a new user "writeuser" and put "ftpuser /mnt/cache/FTP/" in the comment. This one will have read/write access by default.

 

The mountscript should look as follows:

#Read Write to cache folder for mover to handle later
# Bind the array shares into the jail root. Running these lines a second time stacks
# another bind mount on top of the first, so unmount (or check with mountpoint -q) before re-running.
mkdir /mnt/cache/FTP/Movies;mount --bind /mnt/user/Movies /mnt/cache/FTP/Movies
mkdir /mnt/cache/FTP/TV-Shows;mount --bind /mnt/user/TV-Shows /mnt/cache/FTP/TV-Shows

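The post above says the read-only restriction has to be done in proftpd.conf but does not show it. The script below is an added example (not the plugin's code and not from the original post): it binds the shares into the jail root without stacking mounts on a re-run, and emits the proftpd.conf block that denies every writing command to everybody except writeuser. The user names readuser/writeuser and the paths /mnt/cache/FTP and /mnt/user/* are the ones from the post; /etc/proftpd.conf is the file the plugin starts proftpd with according to the syslog line later in this thread.

```shell
#!/bin/sh
# Added example: one shared FTP tree under /mnt/cache/FTP, bind-mounted from the
# array, with "readuser" limited to listing/downloading and "writeuser" allowed
# to upload/delete. User names and paths are assumptions taken from the post.
set -eu

FTP_ROOT=/mnt/cache/FTP          # the path given after "ftpuser" in both users' comment field
CONF=/etc/proftpd.conf           # the file the plugin starts proftpd with (see the syslog line in this thread)

# Bind one array share into the FTP tree. Idempotent: a plain "mkdir;mount --bind"
# run twice stacks a second bind mount on top of the first, so check first.
bind_share() {
    src=$1; dst=$FTP_ROOT/$2
    [ -d "$src" ] || { echo "source $src does not exist" >&2; return 1; }
    mkdir -p "$dst"
    mountpoint -q "$dst" || mount --bind "$src" "$dst"
}

# Emit the proftpd.conf block that makes the tree read-only for everyone except
# WRITEUSER. <Limit WRITE> covers the commands that change the tree (STOR, APPE,
# DELE, MKD, RMD, RNTO, ...). The <Directory> path is the real filesystem path,
# not the path as the chrooted user sees it. Default deny: a third user would
# have to be added with its own AllowUser line.
emit_ftp_limits() {
    readuser=$1; writeuser=$2; root=$3
    cat <<EOF
<Directory $root>
  # $readuser (and anyone else) may only list and download
  <Limit WRITE>
    AllowUser $writeuser
    DenyAll
  </Limit>
</Directory>
EOF
}

# Usage on the server (as root), then restart proftpd from the plugin settings:
#   bind_share /mnt/user/Movies   Movies
#   bind_share /mnt/user/TV-Shows TV-Shows
#   emit_ftp_limits readuser writeuser "$FTP_ROOT" >> "$CONF"
#   proftpd -t -c "$CONF"     # syntax check before restarting
```

Both users get the same tree and the same `ftpuser /mnt/cache/FTP` comment; only the `<Limit WRITE>` block separates them, which is what the post means by "it works differently".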

I've got this installed on my backup server. I've created a user named "me" on the server and included "ftpuser /mnt/user/more/stuff" in the description. No matter what I do, I cannot connect to it from FileZilla running on my Win10 machine.  Here is the response that I'm getting:

 

Quote

Status:    Connecting to 192.168.1.9:21...
Status:    Connection established, waiting for welcome message...
Status:    Insecure server, it does not support FTP over TLS.
Command:    USER me
Response:    331 Password required for me
Command:    PASS ********************
Response:    530 Login incorrect.
Error:    Critical error: Could not connect to server

 

I know that the passwords match - I've created one using KeePass, then I copy/pasted it into the User config on the server management page, and also into FileZilla - they're both copied from the same source location.

 

Any recommendations?

Edited by FreeMan

Try with a simple password for testing purposes. Maybe a special char breaks the login? Make sure you have restarted proftpd after changing anything user/config related. If it still does not work, check your syslog for ftp related messages. Maybe it will give more/another info, that helps solving the problem.

7 hours ago, SlrG said:

Try with a simple password for testing purposes. Maybe a special char breaks the login? Make sure you have restarted proftpd after changing anything user/config related. If it still does not work, check your syslog for ftp related messages. Maybe it will give more/another info, that helps solving the problem.

 

I changed it to a short (way too short) password with only letters/numbers. I restarted proftpd. Still no dice...  :(

 

This is all I see in the log:

Quote

Dec 22 10:59:04 Backup proftpd[2559]: 127.0.0.1 - ProFTPD killed (signal 15)
Dec 22 10:59:04 Backup proftpd[2559]: 127.0.0.1 - ProFTPD 1.3.6 standalone mode SHUTDOWN
Dec 22 10:59:08 Backup sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/SlrG-Common/usr/local/sbin/proftpd -c /etc/proftpd.conf
Dec 22 10:59:09 Backup proftpd[781]: 127.0.0.1 - ProFTPD 1.3.6 (stable) (built Tue Jul 11 2017 22:16:01 CEST) standalone mode STARTUP
Dec 22 10:59:24 Backup proftpd[1372]: 127.0.0.1 (192.168.1.7[192.168.1.7]) - USER me (Login failed): Incorrect password

 

The first 4 messages are from where I restarted it after changing the pwd, the last one from where it denied me entry.

 

Have I managed to ban myself after too many failed attempts, so I'm just being rejected flat out?


@FreeMan

Normally, if you didn't change anything in the proftpd.conf, incorrect tries will not get you banned. If a short pass doesn't work, this is rather mysterious, as it clearly says incorrect password in your log. If you did change something, please post your changed proftpd.conf. If not, I'm somewhat out of ideas. Have you enabled some kind of encryption in FileZilla? Default FTP access is unencrypted, but it should not matter within your private network.

21 minutes ago, SlrG said:

@FreeMan

Normally, if you didn't change anything in the proftpd.conf, incorrect tries will not get you banned. If a short pass doesn't work, this is rather mysterious, as it clearly says incorrect password in your log. If you did change something, please post your changed proftpd.conf. If not, I'm somewhat out of ideas. Have you enabled some kind of encryption in FileZilla? Default FTP access is unencrypted, but it should not matter within your private network.

Grrrr....

 

After setting my password to "a" and restarting the daemon, it let me connect!

 

This is the password I was using:  "40dvYYYhVa" Do you see anything in that that may have caused an issue?

 

I have, of course, changed it already. Of course, if I couldn't log in with that, I wouldn't think anyone else would be able to either...

 

 

weird. With a different password of similar length, I can now connect. I have no idea why...

Edited by FreeMan

@FreeMan

It doesn't look like a password that would cause problems. As I am from Germany, the only thing that could go wrong IMHO would be if the letters y and z got somehow mixed up, as they are on our keyboards compared to US or British ones. But it should not happen normally. Creating a user me with your given password on my system works perfectly fine and access is working, too. I really don't know what is going wrong for you.

 

A note on security. Please don't make the FTP available on a public network. Default FTP connections are unencrypted and very insecure. It is better to access your home network via VPN and only then use FTP for file transfers. If you really need to do it without VPN make sure your external port is not the default 21, as that will make you a target for possibly fraudulent login attempts very quickly.

 

 


I am having issues now connecting to ProFTP remotely. It works fine using the local IP. I recently bought the Google Wifi mesh system and in doing so I needed to get a different DynamicDNS from the Asus one I was using. So I am using the DuckDNS Docker for Unraid and have it up and running. All my dockers are accessible just fine using the DynamicDNS. But I keep getting errors when trying to connect to ProFTP. FileZilla shows the following:

Status:    Logged in
Status:    Retrieving directory listing...
Status:    Server sent passive reply with unroutable address. Passive mode failed.
Command:    PORT 24,158,124,213,211,191
Response:    500 Illegal PORT command
Error:    Failed to retrieve directory listing

 

With each failed connection, the log shows:

Jan 4 15:13:07 TOWER proftpd[30779]: 127.0.0.1 (192.168.0.1[192.168.0.1]) - Refused PORT 24,158,124,213,212,223 (address mismatch)

 

I have my router sending port #### to the internal port 21.

Edited by kricker

It might be, you need to define a passive port range in your proftpd.conf and forward those ports on your router to your unRAID too. Also it might be necessary to set a MasqueradeAddress and it could be helpful to change the SyslogLevel and DebugLevel to get more logging information on the error when connecting.

On 8/31/2017 at 10:11 AM, SlrG said:

@Ruby-Rube

Sadly I can't tell from the errors what the problem could be. Maybe it would help to up the logging level to a high debug by adding


SyslogLevel DEBUG
DebugLevel 10

to your ProFTPd.conf, as described here. Let's see what the error messages look like if you try it with that enabled.

 

On 12/12/2014 at 8:07 PM, SlrG said:

You probably need to masquerade the unRAID server's address with the one you get from noip. (See here: http://www.proftpd.org/docs/howto/NAT.html) You have to add a rule


MasqueradeAddress	ftp.mydomain.com  # using a DNS name
PassivePorts 60000 65535	# These ports should be safe...

replace the ftp.mydomain.com with your noip dns name.

Also you'll have to define and forward the passive ports in your router.

 

On 12/12/2014 at 9:25 PM, simpic said:

Hello,

Got it working after getting the passive ports forwarded properly.

It will only work if the control connection is on port 21 though. Not if I connect on a different port and forward it to 21.

Thanks for your help.

Maybe these older posts will be helpful.

Edited by SlrG
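The two errors in kricker's FileZilla log and syslog come from the addresses embedded in the FTP control channel, which is what MasqueradeAddress and PassivePorts are for. The script below is an added example (not from the plugin or the posts): it decodes the h1,h2,h3,h4,p1,p2 tuples that PASV replies and PORT commands carry and applies the two checks behind those errors. The PASV replies are constructed for illustration; the PORT line and the 192.168.0.1 peer address are the ones from the syslog line above, and the 60000-60100 range is the one quoted later in this thread.

```shell
#!/bin/sh
# Added example (not from the plugin): decode the h1,h2,h3,h4,p1,p2 tuples that
# FTP uses in PASV replies and PORT commands, and apply the two checks behind the
# "unroutable address" and "address mismatch" errors. Constructed sample data.

# Print "ip port" for a tuple such as 24,158,124,213,211,191 (port = p1*256 + p2).
decode_hostport() {
    t=$(printf '%s' "$1" | tr -d ' ()')
    old_ifs=$IFS; IFS=,
    set -- $t
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        case $n in ''|*[!0-9]*) return 1;; esac
        [ "$n" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# RFC 1918 and loopback addresses: fine on the LAN, but a remote client cannot
# reach them, which is what FileZilla calls an "unroutable address".
is_unroutable() {
    case $1 in
        10.*|192.168.*|127.*) return 0;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0;;
    esac
    return 1
}

# A PASV reply is usable from the internet only if the advertised address is
# public (set by MasqueradeAddress) and the port lies inside the range the
# router forwards (PassivePorts LO HI).
check_pasv() {
    reply=$1; lo=$2; hi=$3
    tuple=${reply#*\(}; tuple=${tuple%%\)*}
    hp=$(decode_hostport "$tuple") || { echo "malformed PASV reply"; return 1; }
    set -- $hp
    if is_unroutable "$1"; then
        echo "PASV advertises $1:$2: private address, set MasqueradeAddress"
        return 1
    fi
    if [ "$2" -lt "$lo" ] || [ "$2" -gt "$hi" ]; then
        echo "PASV advertises $1:$2: port outside forwarded range $lo-$hi"
        return 1
    fi
    echo "PASV advertises $1:$2: ok"
}

# proftpd compares the address in a client's PORT command with the peer of the
# control connection and logs "Refused PORT ... (address mismatch)" when they
# differ, as happens when the control connection reaches it through the
# router's NAT (peer 192.168.0.1) while the client names its public address.
check_port_cmd() {
    cmd=$1; peer=$2
    hp=$(decode_hostport "${cmd#PORT }") || { echo "malformed PORT command"; return 1; }
    set -- $hp
    if [ "$1" != "$peer" ]; then
        echo "PORT $1:$2 refused: control connection is from $peer (address mismatch)"
        return 1
    fi
    echo "PORT $1:$2 accepted"
}

# Walk-through: constructed PASV replies, then the PORT line from the syslog.
check_pasv '227 Entering Passive Mode (192,168,0,9,234,96).' 60000 60100 || true
check_pasv '227 Entering Passive Mode (24,158,124,213,234,96).' 60000 60100 || true
check_port_cmd 'PORT 24,158,124,213,212,223' 192.168.0.1 || true
```

The first PASV reply fails only because of the private address, which is exactly what a missing MasqueradeAddress produces; the second passes once the public name is masqueraded and the port is inside the forwarded range. The PORT line shows why the active-mode fallback cannot rescue a broken passive setup: the address the client sends never matches what the server sees through NAT.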

Thanks. I did a lot of reading last night and added this to my config last night but never had success.

# using a DNS name
MasqueradeAddress    ######.####.###

# NAT ports
PassivePorts #### ####

 

My actual DNS and ports are inserted above. The port range has been added to my Google router properly (I believe). Using a port checker I only ever get a response if I use the default port 21 (when I have that forwarded as well on the Google router). If I use any other port and forward it to 21, I get no response. I also get no response when using any of the ports in the passive range.

 

I am turning on the debug logging now to see what I can learn.

 

EDIT:

Well, it is working now. I'm not sure what I did different besides turning on logging. It was late and I was tired, maybe I had a typo or the ports were not quite right. Anyhow, Thanks for all the help. I believe all is good now.

 

Edited by kricker

Sadly I don't know what is going wrong. You should only try to connect to the main active port however. The passive ports will be used automatically by the server if needed. As user simpic reported above he also got it working correctly if he used the default port 21. Any other port did not work.

 

I don't know if you want other users to have access to your server. If not, and it is for yourself only, then I would recommend creating a VPN to your network instead and using that to connect to your server "locally".


I have others that connect to my server, that don't need VPN access. I got it working using a different external port that is forwarded to ProFTP's port set in the config file. It is working good now.

 

When connecting now though, Filezilla gives a warning:

This server does not support FTP over TLS.

If you continue, your password and files will be sent in clear over the internet.


Yes. FTP is unencrypted by default. It's an old protocol and not very secure. If you search this thread you can find some tips to enable sftp or tls encryption. Both are not very easy to set up and might or might not work depending on various factors. While I experimented with both methods, I'm still running unencrypted and have not had a problem yet, but that's a decision I made for myself.

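For anyone who wants to get rid of the FileZilla warning rather than live with it, here is an added example of the mod_tls side of the setup (not from the plugin and not from the post above): a script that creates a self-signed certificate and emits the proftpd.conf block for explicit FTP over TLS. It assumes the plugin's proftpd binary has mod_tls compiled in (check with `proftpd -l`), keeps the certificate under /boot/config/plugins/ProFTPd/ (an assumed location, chosen because the default config above logs there), and uses /etc/proftpd.conf as the config file, as the syslog line in this thread shows.

```shell
#!/bin/sh
# Added example, not part of the plugin: explicit FTP over TLS for this proftpd.
# Assumptions: mod_tls is compiled in, and CERT_DIR is writable and survives a reboot.
set -eu

CERT_DIR=/boot/config/plugins/ProFTPd   # assumed location on the flash drive
CONF=/etc/proftpd.conf                  # the file the plugin starts proftpd with

# Self-signed certificate for a home server. Clients get a one-time trust prompt;
# the CN is the DynDNS name clients connect to.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 -subj "/CN=$1" \
        -keyout "$CERT_DIR/proftpd.key" -out "$CERT_DIR/proftpd.crt"
    chmod 600 "$CERT_DIR/proftpd.key"
}

# mod_tls settings. "TLSRequired on" refuses clients that do not issue AUTH TLS,
# so a clear-text login is impossible and data connections are encrypted too.
# Older 1.3.6 builds accept only TLSv1.2 in TLSProtocol; drop TLSv1.3 there.
emit_tls_conf() {
    cat <<EOF
<IfModule mod_tls.c>
  TLSEngine                 on
  TLSLog                    $CERT_DIR/tls.log
  TLSProtocol               TLSv1.2 TLSv1.3
  TLSRSACertificateFile     $CERT_DIR/proftpd.crt
  TLSRSACertificateKeyFile  $CERT_DIR/proftpd.key
  TLSRequired               on
  TLSVerifyClient           off
</IfModule>
EOF
}

# Usage on the server (as root), then restart proftpd from the plugin settings:
#   make_cert myname.duckdns.org
#   emit_tls_conf >> "$CONF"
#   proftpd -t -c "$CONF"     # syntax check before restarting
# With TLS the router can no longer read the control channel to help with NAT,
# so PassivePorts and MasqueradeAddress (discussed above) are mandatory.
```

Once `TLSRequired on` is in place, a client that connects without TLS is rejected before USER/PASS, so the warning FileZilla showed cannot be clicked through any more; choose "Require explicit FTP over TLS" in the site settings.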

Thanks. I already stumbled through the thread and found some info. That will be a task for another day.

 

Now I am refreshing myself on folder/file/user access limits. I had it setup years ago, but then when I removed the plugin and reinstalled trying to fix my issue, I nuked my original .conf file, so I am re-learning all those configurations ;) I am getting there! I appreciate all the assistance.


I'd love to help, since I recently switched routers and had similar issues (went from D-Link to a pfSense box).

 

However, I had similar issues to you, and then it just seemed to work late at night also.  Trying to remember what I did...

 

Set up NAT for port 21 and 60000-60100 on pfSense.

 

In the config file added...

 

PassivePorts 60000 60100
MasqueradeAddress domainname.duckdns.org

# Re-resolves the MasqueradeAddress name every 28800 s (8 h), so a changed DuckDNS address is picked up without a restart.
<IfModule mod_dynmasq.c>
 DynMasqRefresh 28800
</IfModule>

Internal connections worked, but when I tried to connect externally, Filezilla gave an error (not the same error as I was getting before I configured passive ports).

 

Then, I can't remember what happened, but it works now...


Hi,

 

I have the DefaultRoot ~ line in my proftpd.conf file but I am still not having any luck restricting the user to their home directory.

I have created user and can log in via sftp but I can still go anywhere in my file system.

Help please?

 

Thanks

 

 

 

Here is my proftpd.conf

# Server Settings
ServerName              ProFTPd
ServerType              standalone
DefaultServer           on
PidFile                 /var/run/ProFTPd/ProFTPd.pid

# Port 21 is the standard FTP port. You probably should not connect to the
# internet with this port. Make your router forward another port to
# this one instead.
Port                    21

# Set the user and group under which the server will run.
User                    nobody
Group                   users

# Prevent DoS attacks
MaxInstances            30

# Speedup Login
UseReverseDNS           off
IdentLookups            off

# Control Logging - comment and uncomment as needed
# If logging Directory is world writeable the server won't start!
# If no SystemLog is defined proftpd will log to servers syslog.
#SystemLog               NONE
#SystemLog               /boot/config/plugins/ProFTPd/slog
TransferLog             NONE
#TransferLog             /boot/config/plugins/ProFTPd/xferlog
WtmpLog                 NONE

# As a security precaution prevent root and other users in
# /etc/ftpusers from accessing the FTP server.
UseFtpUsers             on
RootLogin               off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# "Jail" FTP-Users into their home directory. (chroot)
# The root directory has to be set in the description field
# when defining a user:
# ftpuser /mnt/cache/FTP
# See README for more information.
DefaultRoot ~

# Shell has to be set when defining a user. As a security precaution
# it is set to "/bin/false" as FTP-Users should not have shell access.
# This setting makes proftpd accept invalid shells.
RequireValidShell       no

# Normally, we want files to be overwriteable.
AllowOverwrite          on

 

Edited by abc789987
Add additional config file

It is not enough to have the DefaultRoot directive on unRAID. You need to define ftp users in the unRAID user management. Please add the keyword ftpuser followed by a space and the path you want to restrict the created user to, into the comment field, e.g.: "ftpuser /mnt/cache/FTP/user1". Afterwards make sure to restart proftpd. The given path must exist, or it won't work. Please read the first post of the plugin support thread and the readme file.

1 minute ago, SlrG said:

It is not enough to have the DefaultRoot directive on unRAID. You need to define ftp users in the unRAID user management. Please add the keyword ftpuser followed by a space and the path you want to restrict the created user to, into the comment field, e.g.: "ftpuser /mnt/cache/FTP/user1". Afterwards make sure to restart proftpd. The given path must exist, or it won't work. Please read the first post of the plugin support thread and the readme file.

Thank you for reply.

 

I've got users setup this way.


When I ssh or sftp into my unraid box it will start me out in the defined path but I am not restricted to that path.


 

I've been trying to make sense of the Debugging help page (http://www.proftpd.org/docs/howto/Debugging.html) but I'm struggling to fully understand what to do.

 


The user is defined correctly, but did you really restart proftpd (in the plugin's settings) afterwards? A user defined as an ftp user should have no shell and should not be able to log in using telnet. The jail will only work when accessing from an ftp client.

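The three conditions SlrG lists across these replies (comment field starts with ftpuser followed by the jail path, the path exists, the user has no login shell) can be checked before blaming DefaultRoot. The script below is an added example, not the plugin's code: it inspects a passwd-style line the way the plugin's requirements read. The passwd lines in the demo are constructed; /bin/false is the shell the default config above says FTP users are given.

```shell
#!/bin/sh
# Added example, not part of the plugin: check that a user entry looks the way
# the plugin expects before blaming DefaultRoot. A jailed FTP user needs the
# comment field "ftpuser <path>", an existing <path>, and no login shell.
# passwd fields: name:password:uid:gid:comment:home:shell
set -f   # no pathname expansion while splitting lines

check_ftpuser_line() {
    line=$1
    old_ifs=$IFS; IFS=:
    set -- $line
    IFS=$old_ifs
    [ $# -ge 7 ] || { echo "malformed passwd line: $line"; return 1; }
    name=$1; comment=$5; shell=$7
    case $comment in
        "ftpuser "*) jail=${comment#ftpuser } ;;
        ftpuser) echo "$name: 'ftpuser' without a path: FTP-only, but not jailed to a directory"; return 1 ;;
        *) echo "$name: comment must start with 'ftpuser' (found '$comment')"; return 1 ;;
    esac
    case $shell in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) echo "$name: shell is $shell; an FTP-only user should have /bin/false"; return 1 ;;
    esac
    # "The given path must exist, or it won't work."
    [ -d "$jail" ] || { echo "$name: jail path $jail does not exist"; return 1; }
    echo "$name: ok, jailed to $jail"
}

# On the server, check every entry that carries the keyword:
#   grep ':ftpuser' /etc/passwd | while IFS= read -r l; do check_ftpuser_line "$l"; done
#
# Demo with constructed lines (only the first passes):
check_ftpuser_line 'readuser:x:1001:100:ftpuser /tmp:/:/bin/false' || true
check_ftpuser_line 'me:x:1002:100:ftpuser /mnt/cache/FTP/nope:/:/bin/false' || true
check_ftpuser_line 'admin:x:1003:100:ftpuser /tmp:/:/bin/bash' || true
```

A passing entry only means the plugin can build the jail for FTP logins; as SlrG notes, ssh and sftp sessions are not jailed by proftpd at all, which is why the screenshot showed the full filesystem.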