ProFTPD Plugin for unRAID v6.8.x


SlrG


@Necrotic

 

sudo -u nobody mkdir ...

will execute the command given (mkdir) as user nobody. The created directory will have the user nobody as owner.

 

sudo -u root ...

will execute the command given as user root. The log messages you posted don't indicate an error and should not be the reason the config editor didn't work for you. But I'm glad you got it working. Also thank you very much for posting the SSL instructions.

 

Ya, I was just wondering why run it as nobody or why use sudo at all (I guess to keep things more organized in the process list).

 

Feel free to use the SSL instructions by placing them in the original post if you want. I'd rather they be in a common place than have to read through a ton of pages.


Hello SlrG

 

I was unable to access the forum on Sunday for some reason.

 

I'm certain that I've not changed anything in the config file, but I will copy the contents of your post and paste them into my config file.

 

I think you're on to something with the passwd file. The user Dave was created using the web interface for UnRaid. Dave cannot log in via telnet or a keyboard attached to the unraid server. The user test was created via keyboard on the unraid server and can log in, but I still get the same error when trying to connect via FTP.

 

root:x:0:0:Console and webGui login account:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/false
avahi:x:61:214:Avahi Daemon User:/dev/null:/bin/false
avahi-autoipd:x:62:62:Avahi AutoIP Daemon User:/dev/null:/bin/false
messagebus:x:81:81::/dev/null:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:100:nobody:/:/bin/bash
dave:x:1002:100:ftpuser /mnt/disk1/audiobooks:/mnt/disk1/audiobooks:/bin/false
test:x:1003:1003:ftpuser:/home/test:


Sadly it doesn't explain your problem. Let's analyse the lines:

dave:x:1002:100:ftpuser /mnt/disk1/audiobooks:/mnt/disk1/audiobooks:/bin/false
test:x:1003:1003:ftpuser:/home/test:

ftpuser is the keyword my plugin scans the password file for. Every user with this keyword will be allowed FTP access. Users without this keyword will be blocked. This is a security measure, so users with shell access can't be hacked if the FTP is compromised.

 

If a path is given after the keyword it will be extracted and put in the next field (this is the home directory field), lastly a /bin/false will be added (this is an invalid shell command), so shell access for ftpusers will fail, even if their password gets cracked.

 

Your line for user dave looks perfectly normal. The test line you created by shell doesn't, but that doesn't explain the dave problem.

 

What made me ask you to post the file is this line from your log:

Jun 29 19:12:52 Hilda proftpd[17635]: 127.0.0.1 (192.168.1.115[192.168.1.115]) - notice: unable to use '~/' [resolved to '/mnt/cache/FTP/']: No such file or directory

I can't understand why it resolves to /mnt/cache/FTP. That is the FTP directory I have set up on my system. Other than in the examples in the readme file I have no reference to this directory in my plugin. It should not appear on your system, but it obviously does. So I thought it might have been added in the passwd file. But it wasn't.

 

If I create a folder audiobooks on my disk1 and create a user dave with the comment ftpuser /mnt/disk1/audiobooks, my log looks like this:

Jul 2 19:41:14 lafiel proftpd[7261]: 127.0.0.1 (192.168.178.98[192.168.178.98]) - FTP session opened.
Jul 2 19:41:14 lafiel proftpd[7261]: 127.0.0.1 (192.168.178.98[192.168.178.98]) - Preparing to chroot to directory '/mnt/disk1/audiobooks'
Jul 2 19:41:14 lafiel proftpd[7261]: 127.0.0.1 (192.168.178.98[192.168.178.98]) - USER dave: Login successful.
Jul 2 19:41:19 lafiel proftpd[7261]: 127.0.0.1 (192.168.178.98[192.168.178.98]) - FTP session closed. 

 

So the question is, what makes him try to change root to ~/ or resolve to /mnt/cache/FTP? It just makes no sense.

 

Please check the proftpd.conf, that the DefaultRoot looks exactly like this:

DefaultRoot ~

Replacing the whole config file will be even better as this will make sure there are no unintentionally uncommented lines.

 

If that doesn't solve it, I would try to fully remove my plugin, delete all ftpuser users, reboot the server and check that there are no traces left. Then reinstall the plugin and try again.

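The ftpuser keyword rule SlrG describes above (keyword first in the comment field, optional chroot path after it, shell forced to /bin/false), as an added Python example that is not the plugin's own code; the function names and the idea of deriving a deny list for UseFtpUsers from the users without the keyword are my assumptions.

```python
# Added example, not the ProFTPD plugin's own code: the passwd scan SlrG
# describes. A user gets FTP access only if the comment (GECOS) field starts
# with the keyword "ftpuser"; a path after the keyword becomes the home
# (chroot) directory and the shell is forced to /bin/false so a cracked FTP
# password still gives no shell. Function names are assumptions.
from dataclasses import dataclass, replace
from typing import List, Optional

KEYWORD = "ftpuser"
NO_SHELL = "/bin/false"


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    def to_line(self) -> str:
        return ":".join([self.name, self.passwd, str(self.uid), str(self.gid),
                         self.gecos, self.home, self.shell])


def parse_line(line: str) -> PasswdEntry:
    """Split one /etc/passwd line; a trailing empty shell field is allowed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)


def is_ftp_user(entry: PasswdEntry) -> bool:
    """True only when the keyword is the first word of the comment field."""
    return entry.gecos.split(None, 1)[:1] == [KEYWORD]


def chroot_path(entry: PasswdEntry) -> Optional[str]:
    """Path written after the keyword, or None if none was given."""
    parts = entry.gecos.split(None, 1)
    return parts[1].strip() if len(parts) == 2 and parts[0] == KEYWORD else None


def normalize_ftp_user(entry: PasswdEntry) -> PasswdEntry:
    """Rewrite an ftpuser entry as the plugin would: keyword path -> home,
    shell -> /bin/false. Non-FTP users are returned untouched."""
    if not is_ftp_user(entry):
        return entry
    home = chroot_path(entry) or entry.home
    return replace(entry, home=home, shell=NO_SHELL)


def ftp_allowed_users(lines: List[str]) -> List[str]:
    return [e.name for e in map(parse_line, lines) if is_ftp_user(e)]


def ftp_denied_users(lines: List[str]) -> List[str]:
    """Everyone else; assumed to feed the deny list used by UseFtpUsers on."""
    return [e.name for e in map(parse_line, lines) if not is_ftp_user(e)]


# Constructed sample: the two lines discussed in the thread plus root.
SAMPLE = [
    "dave:x:1002:100:ftpuser /mnt/disk1/audiobooks:/mnt/disk1/audiobooks:/bin/false",
    "test:x:1003:1003:ftpuser:/home/test:",
    "root:x:0:0:Console and webGui login account:/root:/bin/bash",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(normalize_ftp_user(parse_line(line)).to_line())
```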

I'm trying to use FTP via web browser, is this at all possible? I am also having no luck trying to use a different port to connect from.. i.e. 54321 to forward to proftpd on port 21 server side.. I know it's not a dyn problem as I have tested it using sabnzbd.

 

EDIT: I have also tried using an FTP client on my PC and also on my Android, I just keep getting Connection attempt failed with "ECONNREFUSED - Connection refused by server".... I have SABnzbd set up with the same dyn account and it works fine, I am trying to use port 7676 to forward to port 21 on server side.. connecting to proftpd within my own network on port 21 works fine as well... not sure if I am doing something wrong??


@loady

I can connect via dyndns and web browser to the proftpd on my unraid machine, so yes it should be possible.

 

What does the syslog of your unraid machine show for the time you tried to connect? If it doesn't show anything, the server got no connection. If it does, please post this part of the log.

 

If the FTP connection works internally, everything regarding proftpd should be set up correctly. If the external connect fails, it is probably caused by the port forwarding on your router. Sometimes it isn't enough to forward port 21 only. It may be required to forward a fixed passive range, too. See this writeup here. I don't know if this is the problem, but it could be.

 

edit: Also you could try using a different port. If you have a look at this list of ports, not registered and free for personal usage is everything from 49152 to 65535.


I get nothing in the syslog other than when I try to connect internally, in which case I get..

 

Jul  3 09:04:23 warptower proftpd[2904]: 127.0.0.1 (192.168.1.136[192.168.1.136]) - FTP session opened. 
Jul  3 09:04:23 warptower proftpd[2904]: 127.0.0.1 (192.168.1.136[192.168.1.136]) - USER anonymous: no such user found from 192.168.1.136 [192.168.1.136] to 192.168.1.122:21 
Jul  3 09:04:23 warptower proftpd[2904]: 127.0.0.1 (192.168.1.136[192.168.1.136]) - FTP session closed. 
Jul  3 09:04:23 warptower proftpd[2905]: 127.0.0.1 (192.168.1.136[192.168.1.136]) - FTP session opened. 
Jul  3 09:04:34 warptower proftpd[2905]: 127.0.0.1 (192.168.1.136[192.168.1.136]) - Preparing to chroot to directory '/mnt/user/movies' 
Jul  3 09:04:34 warptower proftpd[2905]: 127.0.0.1 (192.168.1.136[192.168.1.136]) - USER kevin: Login successful. 

 

I have DD-WRT on my router and have tried numerous things which I have shown below...

 

I have tried these settings in port forward, enabled one at a time and then both enabled at the same time..

 

[image: port+range.jpg]

 

Same again here on port range forward...

 

[image: port+range.jpg]

 

And also in port triggering...

 

[image: port+forwarding.jpg]

 

I have also tried different ports, I just can't get a connection externally, sometimes my FTP client says the connection was refused and other times it says reset by peer.. at no time is there anything in the syslog.. so it must be something I'm doing on the router, I kind of remember trying to play with FTP before and problems regarding not forwarding the passive range or something.. not sure if I am implementing it correctly.. someone who knows??

 

Also would THIS info make any difference, unfortunately I can't make much sense of it.. or whether indeed I need to do anything with it.


@loady

 

I'm no dd-wrt user, so I can't say. But let's try this:

On the port forwarding page enable your proftpd rule, this will forward external port 51302 to internal port 21 on your server. Make sure you have clicked apply settings. Then in your web browser address field enter:

ftp://your.dyndns-address.com:51302/

What message do you get?

 

If it doesn't work try this to check if your port is open.

 

If you want to forward ports for passive use, you have to tell proftpd to use those ports. Normally it won't. Have a look here.

 

The article you linked to explains a proftpd FTP server running on the dd-wrt router.


Firstly thanks for the help. I thought that was initially correct, I get...

 

The connection has timed out
The server at warpserver.dontexist.com is taking too long to respond.

 

I tried checking the port and it is indeed wide open!! So the router IS doing its job?

 

Do you forward a passive range some way? Not really sure how I would implement this as I am pretty sure it would be done server side?

 

My proftpd.conf

# Server Settings
ServerName              ProFTPD
ServerType              standalone
DefaultServer           on
PidFile                 /var/run/proftpd.pid

# Port 21 is the standard FTP port. You probably should not connect to the
# internet with this port. Make your router forward another port to
# this one instead.
Port                    21

# Set the user and group under which the server will run.
User                    nobody
Group                   users

# Prevent DoS attacks
MaxInstances            30

# Speedup Login
UseReverseDNS           off
IdentLookups            off 

# Control Logging - comment and uncomment as needed
# If logging Directory is world writeable the server won't start!
# If no SystemLog is defined proftpd will log to servers syslog.
#SystemLog               NONE           
#SystemLog               /boot/config/plugins/proftpd/slog
TransferLog             NONE
#TransferLog             /boot/config/plugins/proftpd/xferlog
WtmpLog                 NONE

# As a security precaution prevent root and other users in
# /etc/ftpuser from accessing the FTP server.
UseFtpUsers             on
RootLogin               off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# "Jail" FTP-Users into their home directory. (chroot)
# The root directory has to be set in the description field
# when defining an user:
# ftpuser /mnt/cache/FTP
# See README for more information.
DefaultRoot ~

# Shell has to be set when defining an user. As a security precaution
# it is set to "/bin/false" as FTP-Users should not have shell access.
# This setting makes proftpd accept invalid shells.
RequireValidShell       no

# Normally, we want files to be overwriteable.
AllowOverwrite          on

 

And my proftpd.cfg

# proftpd configuration
SERVICE="enable"


Hi loady,

 

what does the syslog say this time, when you try to connect?

 

To enable passive ports you put the following in your proftpd.conf:

PassivePorts 49152 65534

 

Change it to the port range you want and forward the same range from your router to the unraid server.

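A checker for the proftpd.conf loady posted, with the PassivePorts directive SlrG gives above, as an added Python example that is neither the plugin's nor ProFTPD's code; the directive set it checks and the function names are my choice, and the 49152-65535 bound follows the port range SlrG recommended earlier in the thread.

```python
# Added example, not the plugin's or ProFTPD's own code: parse the directives
# of a proftpd.conf (comments stripped, names case-insensitive as in ProFTPD)
# and report the settings this thread relies on: DefaultRoot ~, RootLogin off,
# UseFtpUsers on, RequireValidShell no, and a PassivePorts range inside the
# unregistered 49152-65535 block so the router can forward the same range.
# This is a selection of directives, not a complete ProFTPD audit.
from typing import Dict, List

PASSIVE_LO, PASSIVE_HI = 49152, 65535
EXPECTED = {"defaultroot": "~", "rootlogin": "off",
            "useftpusers": "on", "requirevalidshell": "no"}


def parse_conf(text: str) -> Dict[str, str]:
    """Map lower-cased directive name -> value; comments and blanks skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def check_conf(conf: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every check passed."""
    findings: List[str] = []
    for name, want in EXPECTED.items():
        got = conf.get(name)
        if got is None or got.lower() != want:
            findings.append(f"{name}: expected '{want}', got {got!r}")
    pp = conf.get("passiveports")
    if pp is None:
        findings.append("passiveports: not set; passive data connections will "
                        "use random ports the router cannot forward")
        return findings
    try:
        lo, hi = (int(x) for x in pp.split())
    except ValueError:  # wrong count of values or non-numeric text
        findings.append(f"passiveports: cannot parse {pp!r}")
        return findings
    if not (PASSIVE_LO <= lo <= hi <= PASSIVE_HI):
        findings.append(f"passiveports: {lo}-{hi} is outside "
                        f"{PASSIVE_LO}-{PASSIVE_HI} or reversed")
    return findings


def findings_for(text: str) -> List[str]:
    return check_conf(parse_conf(text))


# Constructed excerpt of the proftpd.conf posted in this thread.
BASE_CONF = """\
# Server Settings
ServerName              ProFTPD
Port                    21
User                    nobody
Group                   users
UseFtpUsers             on
RootLogin               off
DefaultRoot ~
RequireValidShell       no
AllowOverwrite          on
"""

if __name__ == "__main__":
    print(findings_for(BASE_CONF))
    print(findings_for(BASE_CONF + "PassivePorts 49152 65534\n"))
```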

I seem to be getting some feedback in syslog...

 

Jul  4 22:03:39 warptower proftpd[30542]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session closed.
Jul  4 22:03:39 warptower proftpd[30542]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session opened.
Jul  4 22:03:39 warptower proftpd[30521]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session closed.
Jul  4 22:03:39 warptower proftpd[30521]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session opened.
Jul  4 22:00:18 warptower proftpd[22484]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session closed.
Jul  4 22:00:18 warptower proftpd[22484]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session opened.
Jul  4 22:00:17 warptower proftpd[22462]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session closed.
Jul  4 22:00:17 warptower proftpd[22462]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session opened.
Jul  4 21:59:57 warptower proftpd[21702]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session closed.
Jul  4 21:59:57 warptower proftpd[21702]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session opened.
Jul  4 21:59:56 warptower proftpd[21677]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session closed.
Jul  4 21:59:56 warptower proftpd[21677]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session opened.
Jul  4 21:58:58 warptower proftpd[19452]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session closed.
Jul  4 21:58:58 warptower proftpd[19452]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session opened.
Jul  4 21:58:58 warptower proftpd[19423]: 127.0.0.1 (149.254.51.147[149.254.51.147]) - FTP session closed.

 

It just does that every time I connect with my FTP client on the phone.

 

When I try to connect with a web browser or FTP client on a PC that is within the network I get nothing in the syslog... :o

 

Pulling teeth out now.


What do you enter in the address bar to connect to your FTP in local network? What settings do you use in the FTP client? Obviously local access should work without problems, before we start fixing remote access. Are you using port 21 when trying local access?

 

Does your FTP client on the phone ask you to supply a username and password? Do you have them set somewhere in settings?

 

Does your server have a fixed IP or does it get its IP via DHCP?


In the web browser you shouldn't need to specify the port if it is 21. It should work without.

 

What happens if you set your phone client to active mode? What happens if you don't define user and password in the phone client? Normally it should ask you to provide the credentials. Maybe you have a typo in your provided one? (It's unlikely, because there should be a clearer error message in the log, but please check it anyway.) During your tests please use a simple password without special chars. Maybe it chokes on something like that.

 

 


Sorry for the delay, I was away for the weekend..

 

If the phone client is set to active it makes no difference; if I do not define user/pass I get prompted ONLY when I am connected to the network and not remotely.

 

On the phone client, if wifi is on and I am connected to the network, when I type ftp://192.168.1.122 into the browser the phone client automatically starts and asks for user/pass which then gives access to FTP; however, if I type warpserver.dontexist.com into my PC browser it takes me to my router page, and the same on the phone browser???

 

The password was a very simple one.


@loady

No problem. :) I was rather busy this weekend myself.

 

Does your phone client have the ability to specify the port it should connect to, too? Could you try to forward port 21 from the router to 21 on your server? Does it work then? Do you have another phone client you could test?

 

On the phone client, if wifi is on and I am connected to the network, when I type ftp://192.168.1.122 into the browser the phone client automatically starts and asks for user/pass which then gives access to FTP; however, if I type warpserver.dontexist.com into my PC browser it takes me to my router page, and the same on the phone browser???

 

192... is a local IP address which will not be visible to the outside world. The only externally visible system is your router with the ports it has open. The dyndns will always link directly to your router. So if you use ftp://warpserver.dontexist.com you will have to specify the port number you want to connect to. So it should be: ftp://warpserver.dontexist.com:51203 Only then will it be able to connect to your server. Could you try this in your web browser on PC and phone? Both locally and remotely please. :) And please post the error message as well as the syslog messages.

 

Oh and if your phone browser opens the phone's FTP client it is probably because it can't handle FTP itself. Instead of the phone, could you try to use a PC with a full web browser to try to access remotely? If this works it indicates the phone's browser/FTP client as the culprit.

 

I'm very sorry that I have to fish around in the dark here. I still have no clear understanding what makes the communication between the systems fail so miserably.


Do not apologise for fishing around in the dark, it's no more than I can do myself and I appreciate all of your help. I'll get busy with those things tomorrow. I don't have access to another remote PC but I thought maybe I could use my phone's Internet connection as a modem and do it that way??


OK.. phone set up as a wifi hotspot using my GSM internet connection...

 

FROM BROWSER:

 

ftp://warpserver.dontexist.com:51302/ = Error 101 (net::ERR_CONNECTION_RESET): The connection was reset.

 

ftp://warpserver.dontexist.com = general 404 timeout error it would seem, no specific error message

 

warpserver.dontexist.com = HTTP Error 504 (Gateway Timeout): The gateway or proxy server timed out while waiting for a response from an upstream server.

 

warpserver.dontexist.com:51302 = Error 101 (net::ERR_CONNECTION_RESET): The connection was reset.

 

FROM FILEZILLA FTP CLIENT:

 

warpserver.dontexist.com set with port 51302 with no user/pass details except that user is autofilled as anonymous, and the same message again when I enter user/pass

 

Status: Resolving address of warpserver.dontexist.com
Status: Connecting to 92.239.184.62:51302...
Status: Connection established, waiting for welcome message...
Error: Could not connect to server
Status: Waiting to retry...
Status: Delaying connection for 1 second due to previously failed connection attempt...
Status: Resolving address of warpserver.dontexist.com
Status: Connecting to 92.239.184.62:51302...
Status: Connection established, waiting for welcome message...
Error: Could not connect to server

 

92.239.184.62 on port 51302

 

Status: Connecting to 92.239.184.62:51302...
Status: Connection established, waiting for welcome message...
Error: Could not connect to server
Status: Waiting to retry...
Status: Connecting to 92.239.184.62:51302...
Status: Connection established, waiting for welcome message...
Error: Could not connect to server

 

Just thought I would check the port open tool for completeness, not sure if it has something to do with me using my phone's internet..

 

Remote Address 149.254.49.34, Port Number 51302: reports it as closed.

 

"Port 51302 is open on warpserver.dontexist.com" is reporting as open.. guess that's right then?

 

Also I tried forwarding port 21 to 21 on the router with the passive port range forwarded and I get the same messages as above..

 

Time to start pulling teeth.


Sorry to bug you again. :) What are the syslog messages for the connection attempts? - Or don't you get any?

 

What port is 149.254.49.34? In the dyndns connection attempts it's visible that your IP at that time was 92.239.184.62. So if the port shows as open with dyndns that seems to be alright. :)

 

edit:

If I click on the second link you posted I get asked for user credentials. Which indicates the FTP is running for this atm. (Still set to port 21?) Also with FileZilla I can connect, too. Of course without user and pass the access gets denied. If you could set up a test user, jail him into an empty directory and send me the credentials via PM we could test if I can fully connect to you.

What are the syslog messages for the connection attempts? - Or don't you get any?

 

As of now, none.. that is with port 21 forwarded on the router to port 21, I can't access anything either remotely from the phone or within the network on the PC, it doesn't make sense that you can??

 

What port is 149.254.49.34?

 

Do you mean the IP address?.. I believe that would be the external IP address of my mobile network provider??

 

I have sent you a PM with a test account I set up, I have left the router forwarded to port 21 and will test it from work tonight as well myself. I was thinking why I may be having issues: the shares that I have set up to have FTP access to are also set for me to access via another user account called admin, for which I normally get prompted to enter user/pass when accessing them from within the network.. not sure whether this would make any difference or not and maybe they are treated as separate entities, but just a thought.

 

EDIT: just tried your account from within the network and it only works for me if I type ftp://192.168.1.122:21 and not ftp://warpserver.dontexist.com:21

 

EDIT2: At work now and it works fine for me as well... what the hell is happening at my place??


Loady,

 

I could be completely off, but I suspect it may be an issue of using the WAN IP from inside the network. Normally if you connect from the outside, the router identifies you as connecting from the WAN side and routes you according to the ports you have set up. However, if you use your public IP/DNS from inside the network then you bounce from the LAN side into the router and in essence it says "you're already here" and doesn't process you through the same rules. In essence, the public IP seen from the inside of the LAN is treated as the router IP. I am unsure if this is always the case, just issues with certain router software or even what is really happening, but it may explain the disparity.

Try to connect using your external IP; if that works then it may be that DNS isn't resolving, which can be easily tested by running a tracert from a cmd prompt.


Within the network I can't access via the external IP, can still only access within the network using 191.168.1.122:21; when I set the port to whatever it doesn't work anywhere.. essentially I can only seem to gain access when it's set to port 21

Well then the joining using the public IP problem is normal, nothing about it. The port issue though I don't know, did you make sure both the server and the router have the proper changes set up? (i.e. don't route across different ports like XXX -> 21, keep it the same port configured on the server and on both sides of the router). If it doesn't work, also try specifying it as a range instead. Start of course by testing internally first through the 192 IP to make sure that the server is open on that port other than 21.
