SlrG

ProFTPD Plugin for unRAID v6.3.5


@halfelite

As @itimpi already describes, that won't work. The lines in the mountscript each have two parts. Part one creates a directory and part two sets this directory to be a direct link to another one on your array. So if you create a directory /mnt/cache/FTP/Read/Movies and tell unRAID this is a link to /mnt/user0/Movies, you can't tell unRAID that the same directory should also link to /mnt/user/Movies, like you are doing in the read/write part of your mountscript.

 

If you change your read/write part to look like this:

#Read Write to cache folder for mover to handle later
mkdir /mnt/cache/FTP/Write/Movies;mount --bind /mnt/user/Movies /mnt/cache/FTP/Write/Movies
mkdir /mnt/cache/FTP/Write/TV-Shows;mount --bind /mnt/user/TV-Shows /mnt/cache/FTP/Write/TV-Shows

the commands themselves will probably work. But it will make no sense either, because once you write something to your write directory it should not matter if it is on the cache or the array. Why would you prevent the users using the read directory from accessing the files on the server until they are moved from cache to the array? I imagine you don't want the read directory user(s) to change/delete files. That's okay, but it works differently. See below.

 

Also

Quote

FTPUSER-READ /mnt/cache/FTP/Read/

FTPUSER-WRITE /mnt/cache/FTP/Write/

will probably not work. At least it will do nothing to make one directory read only and the other read/write.

 

The comment field keyword ftpuser (lowercase) makes sure the user with this comment is only used as ftp user and not able to login to your server using other means like telnet or ssh. If an additional path is given, the user will only have access to this given path and directories mounted into it. But it will always be read/write access. If you want to limit it further, you will have to do so in the proftpd.conf file.

 

What I think you want to do:

 

Create a new user "readuser" and put "ftpuser /mnt/cache/FTP/" in the comment. Then in the proftpd.conf file you will have to make sure this user/directory gets only read access.

 

Create a new user "writeuser" and put "ftpuser /mnt/cache/FTP/" in the comment. This one will have read/write access by default.

 

The mountscript should look as follows:

#Read Write to cache folder for mover to handle later
mkdir /mnt/cache/FTP/Movies;mount --bind /mnt/user/Movies /mnt/cache/FTP/Movies
mkdir /mnt/cache/FTP/TV-Shows;mount --bind /mnt/user/TV-Shows /mnt/cache/FTP/TV-Shows

 

 

 

 

 

Link to post
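
One way to give "readuser" read-only access in proftpd.conf, as an added example that is not part of the post above or of the plugin's shipped configuration. It assumes the user names and the /mnt/cache/FTP layout suggested in that post; `<Directory>`, `<Limit>` and `DenyUser` are standard ProFTPD directives.

```conf
# Added example (assumed names: readuser, writeuser; path from the mountscript).
# Both accounts carry "ftpuser /mnt/cache/FTP/" in their comment field.
# writeuser keeps the default read/write access.
# readuser is refused every command that creates, changes or deletes data.
<Directory /mnt/cache/FTP>
  # WRITE groups STOR, STOU, APPE, DELE, MKD, RMD, RNFR and RNTO.
  # SITE_CHMOD is listed separately because it is not part of WRITE.
  <Limit WRITE SITE_CHMOD>
    DenyUser readuser
  </Limit>
</Directory>
```

Restart proftpd after the change, then confirm with a test upload as readuser that the server answers with a permission error.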

I've got this installed on my backup server. I've created a user named "me" on the server and included "ftpuser /mnt/user/more/stuff" in the description. No matter what I do, I cannot connect to it from FileZilla running on my Win10 machine.  Here is the response that I'm getting:

 

Quote

Status:    Connecting to 192.168.1.9:21...
Status:    Connection established, waiting for welcome message...
Status:    Insecure server, it does not support FTP over TLS.
Command:    USER me
Response:    331 Password required for me
Command:    PASS ********************
Response:    530 Login incorrect.
Error:    Critical error: Could not connect to server

 

I know that the passwords match - I've created one using KeyPass, then I copy/pasted into the User config on the server management page, and also into FileZilla - they're both copied from the same source location.

 

Any recommendations?

Edited by FreeMan

Link to post

Try with a simple password for testing purposes. Maybe a special char breaks the login? Make sure you have restarted proftpd after changing anything user/config related. If it still does not work, check your syslog for ftp related messages. Maybe it will give more/another info, that helps solving the problem.

Link to post
7 hours ago, SlrG said:

Try with a simple password for testing purposes. Maybe a special char breaks the login? Make sure you have restarted proftpd after changing anything user/config related. If it still does not work, check your syslog for ftp related messages. Maybe it will give more/another info, that helps solving the problem.

 

I changed it to a short (way too short) password with only letters/numbers. I restarted proftpd. Still no dice...  :(

 

This is all I see in the log:

Quote

Dec 22 10:59:04 Backup proftpd[2559]: 127.0.0.1 - ProFTPD killed (signal 15)
Dec 22 10:59:04 Backup proftpd[2559]: 127.0.0.1 - ProFTPD 1.3.6 standalone mode SHUTDOWN
Dec 22 10:59:08 Backup sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/SlrG-Common/usr/local/sbin/proftpd -c /etc/proftpd.conf
Dec 22 10:59:09 Backup proftpd[781]: 127.0.0.1 - ProFTPD 1.3.6 (stable) (built Tue Jul 11 2017 22:16:01 CEST) standalone mode STARTUP
Dec 22 10:59:24 Backup proftpd[1372]: 127.0.0.1 (192.168.1.7[192.168.1.7]) - USER me (Login failed): Incorrect password

 

The first 4 messages are from where I restarted it after changing the pwd, the last one from where it denied me entry.

 

Have I managed to ban myself after too many failed attempts, so I'm just being rejected flat out?

Link to post

@FreeMan

Normally, if you didn't change anything in the proftpd.conf, incorrect tries will not get you banned. If a short pass doesn't work, this is rather mysterious, as it clearly says incorrect password in your log. If you did change something, please post your changed proftpd.conf. If not, I'm somewhat out of ideas. Have you enabled some kind of encryption in FileZilla? Default FTP access is unencrypted, but it should not matter within your private network.

Link to post
21 minutes ago, SlrG said:

@FreeMan

Normally, if you didn't change anything in the proftpd.conf, incorrect tries will not get you banned. If a short pass doesn't work, this is rather mysterious, as it clearly says incorrect password in your log. If you did change something, please post your changed proftpd.conf. If not, I'm somewhat out of ideas. Have you enabled some kind of encryption in FileZilla? Default FTP access is unencrypted, but it should not matter within your private network.

Grrrr....

 

After setting my password to "a" and restarting the daemon, it let me connect!

 

This is the password I was using:  "40dvYYYhVa" Do you see anything in that that may have caused an issue?

 

I have, of course, changed it already. Of course, if I couldn't log in with that, I wouldn't think anyone else would be able to either...

 

 

Weird. With a different password of similar length, I can now connect. I have no idea why...

Edited by FreeMan

Link to post

@FreeMan

It doesn't look like a password that would cause problems. As I am from Germany, the only thing that could go wrong IMHO, would be if the letters y and z got somehow mixed up, as they are on our keyboards compared to US or British ones. But it should not happen normally. Creating a user me with your given password on my system works perfectly fine and access is working, too. I really don't know what is going wrong for you.

 

A note on security. Please don't make the FTP available on a public network. Default FTP connections are unencrypted and very insecure. It is better to access your home network via VPN and only then use FTP for file transfers. If you really need to do it without VPN make sure your external port is not the default 21, as that will make you a target for possibly fraudulent login attempts very quickly.

 

 

Link to post

It most certainly won't be exposed to the world on port 21!

 

Thanks for trying out the id/password. It does seem to be functioning now, so I'll double check security before exposing it externally. Thanks!

Link to post

I am having issues now connecting to ProFTP remotely. It works fine using the local IP. I recently bought the Google Wifi mesh system and in doing so I needed to get a different DynamicDNS from the Asus one I was using. So I am using the DuckDNS Docker for Unraid and have it up and running. All my dockers are accessible just fine using the DynamicDNS. But I keep getting errors when trying to connect to ProFTP. FileZilla shows the following:

Status:    Logged in
Status:    Retrieving directory listing...
Status:    Server sent passive reply with unroutable address. Passive mode failed.
Command:    PORT 24,158,124,213,211,191
Response:    500 Illegal PORT command
Error:    Failed to retrieve directory listing

 

With each failed connection, the log shows:

Jan 4 15:13:07 TOWER proftpd[30779]: 127.0.0.1 (192.168.0.1[192.168.0.1]) - Refused PORT 24,158,124,213,212,223 (address mismatch)

 

I have my router sending port #### to the internal port 21.

Edited by kricker

Link to post

It might be, you need to define a passive port range in your proftpd.conf and forward those ports on your router to your unRAID too. Also it might be necessary to set a MasqueradeAddress and it could be helpful to change the SyslogLevel and DebugLevel to get more logging information on the error when connecting.

Link to post

I don't understand what most of that meant, but I'll look it up! Thanks!

Link to post
On 8/31/2017 at 10:11 AM, SlrG said:

@Ruby-Rube

Sadly I can't tell from the errors what the problem could be. Maybe it would help to up the logging level to a high debug by adding


SyslogLevel DEBUG
DebugLevel 10

to your ProFTPd.conf, as described here. Let's see what the error messages look like, if you try it with that enabled.

 

On 12/12/2014 at 8:07 PM, SlrG said:

You probably need to masquerade the unraid server's address with the one you get from noip. (See here: http://www.proftpd.org/docs/howto/NAT.html) You have to add a rule


MasqueradeAddress	ftp.mydomain.com  # using a DNS name
PassivePorts 60000 65535	# These ports should be safe...

replace the ftp.mydomain.com with your noip dns name.

Also you'll have to define and forward the passive ports in your router.

 

On 12/12/2014 at 9:25 PM, simpic said:

Hello,

Got it working after getting the passive ports forwarded properly.

It will only work if the control connection is on port 21 though. Not if I connect on a different port and forward it to 21.

Thanks for your help.

Maybe these older posts will be helpful.

Edited by SlrG

Link to post
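
The FileZilla and syslog lines quoted earlier in the thread can be decoded mechanically. The following is an added example (not part of any post and not the plugin's code) that decodes FTP host-port tuples, flags a passive reply a remote client cannot reach, and compares a refused PORT address with the control-connection peer. The 227 reply and its LAN address 192.168.0.10 are constructed, since the thread does not show the actual PASV reply.

```python
import ipaddress
import re

# RFC 959 host-port tuple: h1,h2,h3,h4,p1,p2 (six decimal bytes)
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
# Control-connection peer as ProFTPD logs it: "(host[ip])"
PEER = re.compile(r"\(\S+\[([0-9.]+)\]\)")

# Log line from the thread, and a constructed 227 reply (LAN address assumed)
LOG_LINE = ("Jan 4 15:13:07 TOWER proftpd[30779]: 127.0.0.1 "
            "(192.168.0.1[192.168.0.1]) - Refused PORT "
            "24,158,124,213,212,223 (address mismatch)")
PASV_REPLY = "227 Entering Passive Mode (192,168,0,10,234,96)."


def decode_hostport(text):
    """Return (IPv4Address, port) from a PORT argument or a 227 reply."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError("byte value above 255")
    ip = ipaddress.IPv4Address(".".join(str(p) for p in parts[:4]))
    return ip, parts[4] * 256 + parts[5]


def check_pasv_reply(reply, passive_range):
    """List the reasons a remote client could not use this PASV reply."""
    ip, port = decode_hostport(reply)
    lo, hi = passive_range
    problems = []
    if not ip.is_global:
        problems.append(f"{ip} is not internet-routable (MasqueradeAddress unset?)")
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside PassivePorts {lo} {hi}")
    return problems


def check_refused_port(log_line):
    """Compare the PORT address with the control-connection peer."""
    peer = PEER.search(log_line)
    if not peer or "Refused PORT" not in log_line:
        raise ValueError("not a 'Refused PORT' log line")
    ip, port = decode_hostport(log_line.split("Refused PORT", 1)[1])
    return {"peer": peer.group(1), "port_ip": str(ip), "port": port,
            "mismatch": peer.group(1) != str(ip)}
```

For the log line from the thread, the server saw the control connection coming from 192.168.0.1 while the PORT command carried 24.158.124.213, which is the mismatch ProFTPD reported. The decoded port also shows which data port must be reachable, so it can be compared against the range forwarded on the router.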

Thanks. I did a lot of reading last night and added this to my config last night but never had success.

# using a DNS name
MasqueradeAddress    ######.####.###

# NAT ports
PassivePorts #### ####

 

My actual DNS and ports are inserted above. The port range has been added to my Google router properly (I believe). Using a port checker I only ever get a response if I use the default port 21 (when I have that forwarded as well on the Google router). If I use any other port and forward it to 21, I get no response. I also get no response when using any of the ports in the passive range.

 

I am turning on the debug logging now to see what I can learn.

 

EDIT:

Well, it is working now. I'm not sure what I did different besides turning on logging. It was late and I was tired, maybe I had a typo or the ports were not quite right. Anyhow, Thanks for all the help. I believe all is good now.

 

Edited by kricker

Link to post

Sadly I don't know what is going wrong. You should only try to connect to the main active port however. The passive ports will be used automatically by the server if needed. As user simpic reported above he also got it working correctly if he used the default port 21. Any other port did not work.

 

I don't know if you want other users to have access to your server. If not and it is for yourself only, then I would recommend creating a vpn to your network instead and use that to connect to your server "locally".

Link to post

I have others that connect to my server, that don't need VPN access. I got it working using a different external port that is forwarded to ProFTP's port set in the config file. It is working good now.

 

When connecting now though, Filezilla gives a warning:

This server does not support FTP over TLS.

if you continue, your password and files will be sent in clear over the internet.

Link to post

Yes. FTP is unencrypted by default. It's an old protocol and not very secure. If you search this thread you can find some tips to enable sftp or tls encryption. Both are not very easy to set up and might work or not work depending on various factors. While I experimented with both methods, I'm still running unencrypted and I have not yet had a problem, but that's a decision I made for myself.

Link to post

Thanks. I already stumbled through the thread and found some info. That will be a task for another day.

 

Now I am refreshing myself on folder/file/user access limits. I had it set up years ago, but then when I removed the plugin and reinstalled trying to fix my issue, I nuked my original .conf file, so I am re-learning all those configurations ;) I am getting there! I appreciate all the assistance.

Link to post

I'd love to help, since I recently switched routers and had similar issues (went from D-Link to a pfSense box).

 

However, I had similar issues to you, and then it just seemed to work late at night also.  Trying to remember what I did...

 

Set up NAT for port 21 and 60000-60100 on pfSense.

 

In the config file added...

 

PassivePorts 60000 60100
MasqueradeAddress domainname.duckdns.org

<IfModule mod_dynmasq.c>
 DynMasqRefresh 28800
</IfModule>

Internal connections worked, but when I tried to connect externally, Filezilla gave an error (not the same error as I was getting before I configured passive ports).

 

Then, I can't remember what happened, but it works now...

Link to post
