SlrG (Author) Posted December 13, 2018

@halfelite As @itimpi already describes, that won't work. The lines in the mountscript each have two parts. Part one creates a directory and part two sets this directory to be a direct link to another one on your array. So if you create a directory /mnt/cache/FTP/Read/Movies and tell unRAID this is a link to /mnt/user0/Movies, you can't tell unRAID that the same directory should also link to /mnt/user/Movies, like you are doing in the read/write part of your mountscript.

If you change your read/write part to look like this:

    #Read Write to cache folder for mover to handle later
    mkdir /mnt/cache/FTP/Write/Movies;mount --bind /mnt/user/Movies /mnt/cache/FTP/Write/Movies
    mkdir /mnt/cache/FTP/Write/TV-Shows;mount --bind /mnt/user/TV-Shows /mnt/cache/FTP/Write/TV-Shows

the commands themselves will probably work. But it will make no sense either, because once you write something to your write directory it should not matter if it is on the cache or the array. Why would you prevent the users using the read directory from accessing the files on the server until they are moved from cache to the array? I imagine you don't want the read directory user(s) to change/delete files. That's okay, but it works differently. See below.

Also

> FTPUSER-READ /mnt/cache/FTP/Read/
> FTPUSER-WRITE /mnt/cache/FTP/Write/

will probably not work. At least it will do nothing to make one directory read only and the other read/write. The comment field keyword ftpuser (lowercase) makes sure the user with this comment is only used as ftp user and not able to login to your server using other means like telnet or ssh. If an additional path is given, the user will only have access to this given path and directories mounted into it. But it will always be read/write access. If you want to limit it further, you will have to do so in the proftpd.conf file.

What I think you want to do:

Create a new user "readuser" and put "ftpuser /mnt/cache/FTP/" in the comment. Then in the proftpd.conf file you will have to make sure this user/directory gets only read access.

Create a new user "writeuser" and put "ftpuser /mnt/cache/FTP/" in the comment. This one will have read/write access by default.

The mountscript should look as follows:

    #Read Write to cache folder for mover to handle later
    mkdir /mnt/cache/FTP/Movies;mount --bind /mnt/user/Movies /mnt/cache/FTP/Movies
    mkdir /mnt/cache/FTP/TV-Shows;mount --bind /mnt/user/TV-Shows /mnt/cache/FTP/TV-Shows

FreeMan Posted December 21, 2018 (edited December 21, 2018 by FreeMan)

I've got this installed on my backup server. I've created a user named "me" on the server and included "ftpuser /mnt/user/more/stuff" in the description. No matter what I do, I cannot connect to it from FileZilla running on my Win10 machine.

Here is the response that I'm getting:

> Status: Connecting to 192.168.1.9:21...
> Status: Connection established, waiting for welcome message...
> Status: Insecure server, it does not support FTP over TLS.
> Command: USER me
> Response: 331 Password required for me
> Command: PASS ********************
> Response: 530 Login incorrect.
> Error: Critical error: Could not connect to server

I know that the passwords match - I've created one using KeePass, then I copy/pasted it into the User config on the server management page, and also into FileZilla - they're both copied from the same source location.

Any recommendations?

SlrG (Author) Posted December 22, 2018

Try with a simple password for testing purposes. Maybe a special char breaks the login? Make sure you have restarted proftpd after changing anything user/config related. If it still does not work, check your syslog for ftp related messages. Maybe it will give more/another info, that helps solving the problem.

FreeMan Posted December 22, 2018

> 7 hours ago, SlrG said:
> Try with a simple password for testing purposes. Maybe a special char breaks the login? Make sure you have restarted proftpd after changing anything user/config related. If it still does not work, check your syslog for ftp related messages. Maybe it will give more/another info, that helps solving the problem.

I changed it to a short (way too short) password with only letters/numbers. I restarted proftpd. Still no dice...

This is all I see in the log:

> Dec 22 10:59:04 Backup proftpd[2559]: 127.0.0.1 - ProFTPD killed (signal 15)
> Dec 22 10:59:04 Backup proftpd[2559]: 127.0.0.1 - ProFTPD 1.3.6 standalone mode SHUTDOWN
> Dec 22 10:59:08 Backup sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/SlrG-Common/usr/local/sbin/proftpd -c /etc/proftpd.conf
> Dec 22 10:59:09 Backup proftpd[781]: 127.0.0.1 - ProFTPD 1.3.6 (stable) (built Tue Jul 11 2017 22:16:01 CEST) standalone mode STARTUP
> Dec 22 10:59:24 Backup proftpd[1372]: 127.0.0.1 (192.168.1.7[192.168.1.7]) - USER me (Login failed): Incorrect password

The first 4 messages are from where I restarted it after changing the pwd, the last one from where it denied me entry.

Have I managed to ban myself after too many failed attempts, so I'm just being rejected flat out?

SlrG (Author) Posted December 22, 2018

@FreeMan Normally, if you didn't change anything in the proftpd.conf, incorrect tries will not get you banned. If a short pass doesn't work, this is rather mysterious, as it clearly says incorrect password in your log. If you did change something, please post your changed proftpd.conf. If not, I'm somewhat out of ideas. Have you enabled some kind of encryption in FileZilla? Default FTP access is unencrypted, but it should not matter within your private network.

FreeMan Posted December 22, 2018 (edited December 22, 2018 by FreeMan)

> 21 minutes ago, SlrG said:
> @FreeMan Normally, if you didn't change anything in the proftpd.conf, incorrect tries will not get you banned. If a short pass doesn't work, this is rather mysterious, as it clearly says incorrect password in your log. If you did change something, please post your changed proftpd.conf. If not, I'm somewhat out of ideas. Have you enabled some kind of encryption in FileZilla? Default FTP access is unencrypted, but it should not matter within your private network.

Grrrr.... After setting my password to "a" and restarting the daemon, it let me connect!

This is the password I was using: "40dvYYYhVa" Do you see anything in that that may have caused an issue? I have, of course, changed it already. Of course, if I couldn't log in with that, I wouldn't think anyone else would be able to either... weird.

With a different password of similar length, I can now connect. I have no idea why...

SlrG (Author) Posted December 23, 2018

@FreeMan It doesn't look like a password that would cause problems. As I am from Germany, the only thing that could go wrong IMHO, would be if the letters y and z got somehow mixed up, as they are on our keyboards compared to US or British ones. But it should not happen normally. Creating a user me with your given password on my system works perfectly fine and access is working, too. I really don't know what is going wrong for you.

A note on security. Please don't make the FTP available on a public network. Default FTP connections are unencrypted and very insecure. It is better to access your home network via VPN and only then use FTP for file transfers. If you really need to do it without VPN make sure your external port is not the default 21, as that will make you a target for possibly fraudulent login attempts very quickly.

FreeMan Posted December 23, 2018

It most certainly won't be exposed to the world on port 21!

Thanks for trying out the id/password. It does seem to be functioning now, so I'll double check security before exposing it externally.

Thanks!

kricker Posted January 4, 2019 (edited January 4, 2019 by kricker)

I am having issues now connecting to ProFTP remotely. It works fine using the local IP. I recently bought the Google Wifi mesh system and in doing so I needed to get a different DynamicDNS from the Asus one I was using. So I am using the DuckDNS Docker for Unraid and have it up and running. All my dockers are accessible just fine using the DynamicDNS. But I keep getting errors when trying to connect to ProFTP.

FileZilla shows the following:

    Status: Logged in
    Status: Retrieving directory listing...
    Status: Server sent passive reply with unroutable address. Passive mode failed.
    Command: PORT 24,158,124,213,211,191
    Response: 500 Illegal PORT command
    Error: Failed to retrieve directory listing

With each failed connection, the log shows:

    Jan 4 15:13:07 TOWER proftpd[30779]: 127.0.0.1 (192.168.0.1[192.168.0.1]) - Refused PORT 24,158,124,213,212,223 (address mismatch)

I have my router sending port #### to the internal port 21.

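Added example, not part of the original posts: a small Python decoder for the `h1,h2,h3,h4,p1,p2` tuples in the FileZilla output and proftpd log line above, showing why the PORT command is refused and what "unroutable address" means for a passive reply. The 227 reply and the 60000-65535 range passed in the sample call are constructed for illustration; the function names are hypothetical.

```python
import ipaddress
import re

# Log line copied from the post above; the 227 reply is constructed for illustration.
REFUSED_LOG = ("Jan 4 15:13:07 TOWER proftpd[30779]: 127.0.0.1 (192.168.0.1[192.168.0.1]) "
               "- Refused PORT 24,158,124,213,212,223 (address mismatch)")
PASV_REPLY = "227 Entering Passive Mode (192,168,0,50,234,96)"

TUPLE_RE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
PEER_RE = re.compile(r"\([^\[\]()]+\[([0-9.]+)\]\)")


def decode_host_port(text):
    """Decode an FTP h1,h2,h3,h4,p1,p2 tuple into (IPv4Address, port)."""
    m = TUPLE_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("tuple value above 255 in %r" % text)
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]


def explain_refused_port(log_line):
    """Compare the control-connection peer in a proftpd log line with the PORT address."""
    peer = PEER_RE.search(log_line)
    if peer is None:
        raise ValueError("no 'host[ip]' peer field in log line")
    peer_ip = ipaddress.IPv4Address(peer.group(1))
    announced_ip, announced_port = decode_host_port(log_line[peer.end():])
    return {
        "peer_ip": peer_ip,
        "announced_ip": announced_ip,
        "announced_port": announced_port,
        "mismatch": peer_ip != announced_ip,
        # The server sees a LAN peer while the client announces a public address:
        # something in between (here the router) translates the control connection.
        "nat_in_path": peer_ip.is_private and announced_ip.is_global,
    }


def check_pasv_reply(reply, passive_ports):
    """Check a 227 reply for a routable address and a port inside PassivePorts."""
    addr, port = decode_host_port(reply)
    low, high = passive_ports
    return {"address": addr, "port": port,
            "routable": addr.is_global,
            "port_in_range": low <= port <= high}


if __name__ == "__main__":
    print(explain_refused_port(REFUSED_LOG))
    print(check_pasv_reply(PASV_REPLY, (60000, 65535)))
```

A private address in the 227 reply is what a client outside the LAN cannot reach, which is the case the MasqueradeAddress and PassivePorts directives discussed in the following replies address.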
SlrG (Author) Posted January 5, 2019

It might be, you need to define a passive port range in your proftpd.conf and forward those ports on your router to your unRAID too. Also it might be necessary to set a MasqueradeAddress and it could be helpful to change the SyslogLevel and DebugLevel to get more logging information on the error when connecting.

kricker Posted January 8, 2019

I don't understand what most of that meant, but I'll look it up! Thanks!

SlrG (Author) Posted January 8, 2019 (edited January 8, 2019 by SlrG)

> On 8/31/2017 at 10:11 AM, SlrG said:
> @Ruby-Rube Sadly I can't tell from the errors what the problem could be. Maybe it would help to up the logging level to a high debug by adding
>
>     SyslogLevel DEBUG
>     DebugLevel 10
>
> to your ProFTPd.conf, as described here. Let's see what the error messages look like, if you try it with that enabled.

> On 12/12/2014 at 8:07 PM, SlrG said:
> You probably need to masquerade the unraid servers address with the one you get from noip. (See here: http://www.proftpd.org/docs/howto/NAT.html) You have to add a rule
>
>     MasqueradeAddress ftp.mydomain.com # using a DNS name
>     PassivePorts 60000 65535 # These ports should be safe...
>
> replace the ftp.mydomain.com with your noip dns name. Also you'll have to define and forward the passive ports in your router.

> On 12/12/2014 at 9:25 PM, simpic said:
> Hello, Got it working after getting the passive ports forwarded properly. It will only work if the control connection is on port 21 though. Not if I connect on a different port and forward it to 21. Thanks for your help.

Maybe these older posts will be helpful.

kricker Posted January 8, 2019 (edited January 8, 2019 by kricker)

Thanks. I did a lot of reading last night and added this to my config last night but never had success.

    # using a DNS name
    MasqueradeAddress ######.####.###
    # NAT ports
    PassivePorts #### ####

My actual DNS and ports are inserted above. The port range has been added to my Google router properly (I believe). Using a port checker I only ever get a response if I use the default port 21 (when I have that forwarded as well on the Google router). If I use any other port and forward it to 21, I get no response. I also get no response when using any of the ports in the passive range. I am turning on the debug logging now to see what I can learn.

EDIT: Well, it is working now. I'm not sure what I did different besides turning on logging. It was late and I was tired, maybe I had a typo or the ports were not quite right. Anyhow, Thanks for all the help. I believe all is good now.

SlrG (Author) Posted January 8, 2019

Sadly I don't know what is going wrong. You should only try to connect to the main active port however. The passive ports will be used automatically by the server if needed. As user simpic reported above he also got it working correctly if he used the default port 21. Any other port did not work.

I don't know if you want other users to have access to your server. If not and it is for yourself only, then I would recommend creating a vpn to your network instead and use that to connect to your server "locally".

kricker Posted January 8, 2019

I have others that connect to my server, that don't need VPN access. I got it working using a different external port that is forwarded to ProFTP's port set in the config file. It is working good now.

When connecting now though, Filezilla gives a warning:

> This server does not support FTP over TLS. if you continue, your password and files will be sent in clear over the internet.

SlrG (Author) Posted January 8, 2019

Yes. FTP is unencrypted by default. It's an old protocol and not very secure. If you search this thread you can find some tips to enable sftp or tls encryption. Both are not very easy to set up and might or might not work depending on various factors. While I experimented with both methods, I'm still running unencrypted and I have not yet had a problem, but that's a decision I made for myself.

kricker Posted January 8, 2019

Thanks. I already stumbled through the thread and found some info. That will be a task for another day. Now I am refreshing myself on folder/file/user access limits. I had it set up years ago, but then when I removed the plugin and reinstalled trying to fix my issue, I nuked my original .conf file, so I am re-learning all those configurations. I am getting there! I appreciate all the assistance.

Cessquill Posted January 9, 2019

I'd love to help, since I recently switched routers and had similar issues (went from D-Link to a pfSense box). However, I had similar issues to you, and then it just seemed to work late at night also.

Trying to remember what I did...

Set up NAT for port 21 and 60000-60100 on pfSense.

In the config file added...

    PassivePorts 60000 60100
    MasqueradeAddress domainname.duckdns.org
    <IfModule mod_dynmasq.c>
    DynMasqRefresh 28800
    </IfModule>

Internal connections worked, but when I tried to connect externally, Filezilla gave an error (not the same error as I was getting before I configured passive ports). Then, I can't remember what happened, but it works now...

d2dyno Posted January 24, 2019

With the release of RC 6.7.x, the OpenSSL version got bumped to 1.1.x. This breaks the Proftpd plugin. Is it possible to update its compatibility with 6.7?

SlrG (Author) Posted January 24, 2019

It should be possible. I'll have a look at it once I get some free time. But please be patient, it will take time.

kricker Posted January 24, 2019

Good to know, I'll be staying off 6.7.x until then. Thanks for the heads up @d2dyno. And thanks @SlrG for taking a look when you can.

abc789987 Posted February 9, 2019 (edited February 9, 2019 by abc789987: Add additional config file)

Hi, I have the DefaultRoot ~ line in my proftpd.conf file but I'm still not having any luck restricting the user to their home directory. I have created a user and can log in via sftp but I can still go anywhere in my file system. Help please? Thanks

Here is my proftpd.conf

    # Server Settings
    ServerName ProFTPd
    ServerType standalone
    DefaultServer on
    PidFile /var/run/ProFTPd/ProFTPd.pid

    # Port 21 is the standard FTP port. You probably should not connect to the
    # internet with this port. Make your router forward another port to
    # this one instead.
    Port 21

    # Set the user and group under which the server will run.
    User nobody
    Group users

    # Prevent DoS attacks
    MaxInstances 30

    # Speedup Login
    UseReverseDNS off
    IdentLookups off

    # Control Logging - comment and uncomment as needed
    # If logging Directory is world writeable the server won't start!
    # If no SystemLog is defined proftpd will log to servers syslog.
    #SystemLog NONE
    #SystemLog /boot/config/plugins/ProFTPd/slog
    TransferLog NONE
    #TransferLog /boot/config/plugins/ProFTPd/xferlog
    WtmpLog NONE

    # As a security precaution prevent root and other users in
    # /etc/ftpuser from accessing the FTP server.
    UseFtpUsers on
    RootLogin off

    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable.
    Umask 022

    # "Jail" FTP-Users into their home directory. (chroot)
    # The root directory has to be set in the description field
    # when defining an user:
    # ftpuser /mnt/cache/FTP
    # See README for more information.
    DefaultRoot ~

    # Shell has to be set when defining an user. As a security precaution
    # it is set to "/bin/false" as FTP-Users should not have shell access.
    # This setting makes proftpd accept invalid shells.
    RequireValidShell no

    # Normally, we want files to be overwriteable.
    AllowOverwrite on

SlrG (Author) Posted February 9, 2019

It is not enough to have the DefaultRoot directive on unRAID. You need to define ftp users in the unRAID user management. Please add the keyword ftpuser followed by a space and the path you want to restrict the created user to, into the comment field. e.g.:

    ftpuser /mnt/cache/FTP/user1

Afterwards make sure to restart proftpd. The given path must exist, or it won't work. Please read the first post of the plugin support thread and the readme file.

abc789987 Posted February 9, 2019

> 1 minute ago, SlrG said:
> It is not enough to have the DefaultRoot directive on unRAID. You need to define ftp users in the unRAID user management. Please add the keyword ftpuser followed by a space and the path you want to restrict the created user to, into the comment field. e.g.:
>
>     ftpuser /mnt/cache/FTP/user1
>
> Afterwards make sure to restart proftpd. The given path must exist, or it won't work. Please read the first post of the plugin support thread and the readme file.

Thank you for the reply. I've got users set up this way. When I ssh or sftp into my unraid box it will start me out in the defined path but I am not restricted to that path. I've been trying to make sense of the Debugging (http://www.proftpd.org/docs/howto/Debugging.html) help page but I'm struggling to fully understand what to do.

SlrG (Author) Posted February 10, 2019

The user is defined correctly but did you really restart proftpd (in the plugins settings) afterwards? A user defined as ftp user should have no shell and should not be able to login using telnet. The jail will only work when accessing from an ftp client.

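Added example, not part of the original posts and not the plugin's own code: a Python check over passwd-format lines for the conditions named in this exchange (lowercase `ftpuser` keyword, a path that exists, no login shell). It assumes the unRAID user description is stored in the comment field of the passwd entry; the sample accounts, the set of no-login shells and the function name are constructed for illustration.

```python
import os

# Constructed passwd(5)-format sample; names and paths are illustrative only.
SAMPLE_PASSWD = """\
root:x:0:0:Console and webGui login account:/root:/bin/bash
writeuser:x:1000:100:ftpuser /mnt/cache/FTP:/:/bin/false
user1:x:1001:100:ftpuser /mnt/cache/FTP/user1:/:/bin/bash
me:x:1002:100:ftpuser:/:/bin/false
guest:x:1003:100:FTPUSER-READ /mnt/cache/FTP/Read/:/:/bin/false
media:x:1004:100:plain share user:/:/bin/false
"""

# Shells that refuse interactive logins (assumed set; the page names /bin/false).
NO_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

ISSUES = {
    "bad-keyword": "comment starts with a variant of 'ftpuser'; the keyword is lowercase 'ftpuser'",
    "login-shell": "has a login shell, so ssh/sftp logins handled outside proftpd are not jailed",
    "no-path": "no path given after 'ftpuser'",
    "missing-dir": "restricted path does not exist",
}


def audit_ftp_users(passwd_text, dir_exists=os.path.isdir):
    """Return (user, issue, detail) tuples for accounts marked as FTP users."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd entry
        name, comment, shell = fields[0], fields[4], fields[6]
        keyword, _, path = comment.strip().partition(" ")
        if keyword != "ftpuser":
            if keyword.lower().startswith("ftpuser"):
                findings.append((name, "bad-keyword", keyword))
            continue
        path = path.strip()
        if shell not in NO_LOGIN_SHELLS:
            findings.append((name, "login-shell", shell))
        if not path:
            findings.append((name, "no-path", ""))
        elif not dir_exists(path):
            findings.append((name, "missing-dir", path))
    return findings


if __name__ == "__main__":
    # Pretend only /mnt/cache/FTP exists so the sample runs on any machine.
    for user, issue, detail in audit_ftp_users(SAMPLE_PASSWD, lambda p: p == "/mnt/cache/FTP"):
        print("%-8s %-12s %s (%s)" % (user, issue, detail, ISSUES[issue]))
```

On a real system, pass the contents of the passwd file and leave `dir_exists` at its default so the paths are checked on disk.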