ProFTPD Plugin for unRAID v6.8.x


SlrG


Ok I deleted ProFTP and restarted the server. I can regular FTP into the server now with all of my users after I add them to the list. But SSH isn't working for any of my users.

I made some users for testing before I deleted the plugin and made another one after.

 

'offroadguy56' has ftpuser description and was made before restart.

'smurf' has no description and was made before restart.

'test' has no description and was made after restart.

 

This is probably beyond the scope of the plugin thread but this is the log I see when attempting SSH connection with any user:

Jul 23 23:47:23 UR-SERVER sshd[11681]: Connection from 192.168.1.150 port 52457 on 192.168.1.151 port 22 rdomain ""
Jul 23 23:47:25 UR-SERVER sshd[11681]: User test from 192.168.1.150 not allowed because not listed in AllowUsers
Jul 23 23:47:25 UR-SERVER sshd[11681]: Postponed keyboard-interactive for invalid user test from 192.168.1.150 port 52457 ssh2 [preauth]
Jul 23 23:47:26 UR-SERVER sshd[11687]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.150  user=test
Jul 23 23:47:28 UR-SERVER sshd[11681]: error: PAM: Authentication failure for illegal user test from 192.168.1.150
Jul 23 23:47:28 UR-SERVER sshd[11681]: Failed keyboard-interactive/pam for invalid user test from 192.168.1.150 port 52457 ssh2
Jul 23 23:47:28 UR-SERVER sshd[11681]: Postponed keyboard-interactive for invalid user test from 192.168.1.150 port 52457 ssh2 [preauth]
Jul 23 23:47:32 UR-SERVER sshd[11681]: Connection closed by invalid user test 192.168.1.150 port 52457 [preauth]
Jul 23 23:49:00 UR-SERVER sshd[12036]: Connection from 192.168.1.150 port 52535 on 192.168.1.151 port 22 rdomain ""
Jul 23 23:49:01 UR-SERVER sshd[12036]: User test from 192.168.1.150 not allowed because not listed in AllowUsers
Jul 23 23:49:01 UR-SERVER sshd[12036]: Postponed keyboard-interactive for invalid user test from 192.168.1.150 port 52535 ssh2 [preauth]
Jul 23 23:49:02 UR-SERVER sshd[12040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.150  user=test
Jul 23 23:49:04 UR-SERVER sshd[12036]: error: PAM: Authentication failure for illegal user test from 192.168.1.150
Jul 23 23:49:04 UR-SERVER sshd[12036]: Failed keyboard-interactive/pam for invalid user test from 192.168.1.150 port 52535 ssh2
Jul 23 23:49:04 UR-SERVER sshd[12036]: Postponed keyboard-interactive for invalid user test from 192.168.1.150 port 52535 ssh2 [preauth]

 

I was actually hoping to make use of SFTP and the folder restrictions ProFTP offers. I don't want family members seeing the entirety of the server folder structure. And I did want to temporarily open FTP access over internet to get friend's backups on my drives. If you have a better solution than encrypting their iso and using SFTP, let me know. The only thing I can think of is running Synology in a VM and leveraging their software.

 

To sum up, SSH is not working (except for root in the webUI), FTP is working with default service, I want SFTP for temporary use across internet, I would like to have folder restrictions for users.

 

Sorry for all the trouble. This stuff is super cool but still new to me and I would like to do it as properly as I can.

 

Thanks.

Link to comment
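An added example (not part of the original posts and not the plugin's code): in the sshd log quoted above, the account is rejected because it is not listed in AllowUsers, after which sshd treats it as an "invalid user" and every authentication attempt fails whatever password is entered. The Python below groups sshd lines by PID and separates such policy rejections from ordinary credential failures; the function name `triage` and the last two sample lines are constructed for this example.

```python
import re

# First three lines are taken from the log quoted above; the last two are
# constructed to show a plain wrong-password failure for comparison.
SAMPLE_LOG = """\
Jul 23 23:47:23 UR-SERVER sshd[11681]: Connection from 192.168.1.150 port 52457 on 192.168.1.151 port 22 rdomain ""
Jul 23 23:47:25 UR-SERVER sshd[11681]: User test from 192.168.1.150 not allowed because not listed in AllowUsers
Jul 23 23:47:28 UR-SERVER sshd[11681]: Failed keyboard-interactive/pam for invalid user test from 192.168.1.150 port 52457 ssh2
Jul 23 23:50:10 UR-SERVER sshd[12101]: Connection from 192.168.1.150 port 52600 on 192.168.1.151 port 22 rdomain ""
Jul 23 23:50:14 UR-SERVER sshd[12101]: Failed password for root from 192.168.1.150 port 52600 ssh2
"""

LINE = re.compile(r"sshd\[(\d+)\]: (.*)$")
CONN = re.compile(r"Connection from (\S+) port \d+")
DENY = re.compile(r"User (\S+) from \S+ not allowed because (.+)$")
FAIL = re.compile(r"Failed \S+ for (?:invalid user )?(\S+) from \S+")


def triage(log_text):
    """Group sshd lines by PID and report why each connection failed."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        c, d, f = CONN.match(msg), DENY.match(msg), FAIL.match(msg)
        if not (c or d or f):
            continue  # e.g. pam_unix lines, which are logged under a child PID
        s = sessions.setdefault(
            pid, {"src": None, "user": None, "policy": None, "failed_auth": 0})
        if c:
            s["src"] = c.group(1)
        elif d:
            s["user"], s["policy"] = d.groups()
        else:
            s["user"] = s["user"] or f.group(1)
            s["failed_auth"] += 1
    for s in sessions.values():
        # "policy": sshd_config rejected the account; "credentials": login failed
        s["verdict"] = ("policy" if s["policy"]
                        else "credentials" if s["failed_auth"] else "none")
    return sessions


if __name__ == "__main__":
    for pid, s in triage(SAMPLE_LOG).items():
        print(pid, s["user"], s["src"], s["verdict"], s["policy"] or "")
```

A "policy" verdict means the fix is in the sshd configuration, not in the user's password.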

@offroadguy56

Ah I see. I had only tested with root and as that worked I falsely assumed it would work with other users, too. Further testing shows that it would be possible to enable ssh for other users, but it is a complicated multi step process and it would also be reset each boot, so it would require scripting to restore its state and so all in all it is probably too much hassle.

 

The synology in a vm idea sounds very cool. A quick search shows they seem to support FTPS and SFTP and access management for the users. Though such a solution will obviously not be endorsed by Synology without buying their hardware.

 

If you want to continue with the ssh idea, there is the "openssh-server" docker in unraid's community applications. If I understand it correctly, this will enable ssh for one user per container and this user will only be able to access what you mount into the container. So you should be able to configure a secure backup access for your friends.

 

Looking at ftp again, that you can use it now is thanks to unraid's internal ftp server, as you already noted. The drawback is that it is unencrypted ftp and always gives access to the complete server.

 

I wrote the proftpd plugin and use it myself for my home network only. Basically it provides unencrypted FTP (like the stock ftp service) but with the added benefit of being able to jail the users into home directories they can't leave and so only have access to what I want them to. While it is possible to open this up to the internet, it is in no way recommended because of the default unencrypted connections.

 

Proftpd can be configured to use FTPS or SFTP, but it is sadly complicated and while there are some tips in this thread how to do it, there are cases where it doesn't work and I sadly don't have the time to fully support other users in how to set it up.

Edited by SlrG
typo
  • Thanks 1
Link to comment
  • 1 month later...

I think I had a similar issue in the past. If I recall properly... I manually removed the plugin and its configuration file from my flash drive. I made sure to get everything related to the plugin and old copies in the plugins-old-versions folder and the plugins-removed folder. Then I rebooted unRaid and reinstalled the plugin from community applications.

Link to comment

It was under failed plugins.

I got it working by deleting, rebooting and reinstalling :)

Now I can access my FTP with WinSCP, but not with my Reolink IP cameras 🙄 Even with the same settings

 

Looks like this is a common problem with Reolink/ProFTPd 

Edited by Flemming
Link to comment
On 9/3/2021 at 3:12 PM, SlrG said:

@Flemming

Are there any error messages in the syslog when trying to connect?

After many hours of troubleshooting I found out that the problem is in my firewall, between the two VLANs/networks.

I have now allowed traffic between them and it works.

 

In the future I want to limit my ports, do you have any information about which ports are in use in Active and/or Passive mode?

Link to comment
  • 3 weeks later...

Hello to all. I installed ftp and created an account. I tried to access via ftp and it works, but the user has full access to all folders. Can someone explain to me step by step what I need to do to set user "x" to read only this path "/mnt/user/Download" and deny access to everything else? Thanks, and sorry if I asked a question already asked.

Link to comment

@Berto90vi

In unraid's user creation screen open your user "x" and put "ftpuser /mnt/user/Download" (without the double quotes) into the Description field. Then apply and restart the proftpd plugin. This will jail the user x into the given directory. It will still have read and write access, however. If you want to restrict that, you will need to configure limits in your proftpd.conf.

Link to comment

@master00

Not within the scope of this plugin. If you set up a VM and install gadmin-proftpd as GUI, this will come with gprostats as statistics generator. Also there might be other ftp servers more capable but not necessarily free.

 

@kricker

The easiest way would be to restore a backup, if you have one.

 

Otherwise as there is no recycle bin you can only search and try some linux ways to restore your data.

 

First make sure nothing is written to your array anymore or you will risk the deleted data being overwritten!

 

I had successes using testdisk and photorec on standalone machines, but never had to try on an unraid machine yet. (see this article for other tools: https://www.journaldev.com/36900/top-best-linux-data-recovery-tools)

 

Make sure however, you mount another disk outside of your array as target for all write operations or again you will risk the deleted data being overwritten. Also you will probably need to know on which exact disk the data you want to recover was and then let the tools work on that disk.

 

I hope these ideas are useful, but I fear the chance to recover the data is very slim. 😟

 

 

 

 

  • Like 1
Link to comment
  • 3 weeks later...

Thanks for this plugin! I wonder why LimeTech does not include these possibilities natively.

 

Whatever, I have two suggestions:

 

* Include inline help: To explain some options. Example: What is this "Webserver" option used for?

* Include a log view inside the plugin settings or so, to check connected clients or transfers etc.

Link to comment

@KluthR

Thank you very much. I'm happy that you like the plugin.

 

1 hour ago, KluthR said:

* Include inline help: To explain some options. Example: What is this "Webserver" option used for?

This is a great idea. At the moment the option is broken, but I hope to bring it back/replace it based on stock unraid functionality in the future. I'm still in the research phase however and have so little time besides job and family. :(

 

1 hour ago, KluthR said:

Include a log view inside the plugin settings or so, to check connected clients or transfers etc.

Cool idea. I'll put it on my research list, too. While not accessible through the plugins settings page (and you might already know this), but it's possible to check if there are users connected and what they are doing by calling /usr/local/SlrG-Common/usr/local/bin/ftptop from a shell.

  • Thanks 1
Link to comment

@KluthR

Using FTPS is possible, and if you search this thread, you will find info on how to do it, but it is not a very straightforward process and integrating it flawlessly into the plugin wouldn't be easy. More so if LE certificates would be used, as they need to be renewed regularly and the server has to fulfill certain requirements (e.g. fixed public IP) to get a certificate. Also, whether it works and what is needed to make it work depends heavily on the user's personal network setup, which comes in a multitude of variants.

 

Such "complicated" setups leave the scope of what this plugin is designed for (quick, easy, unencrypted FTP for private networks, tightly integrated into the unraid user management) and I recommend using a docker alternative or setting up a VM which will allow for much more ease and freedom in tinkering with the system. The underlying slackware linux of unraid is very basic and is missing a lot of packages and management tools other distros have by default. As plugins are directly modifying the unraid system, any additional package increases the risk to break the base functionality and potentially harm the data integrity.

 

Firing up an ubuntu vm with proftpd and gadmin-proftpd gui or using another ftpserver with gui and mounting the shares to be accessed by ftp is much easier and will be more flexible in the long run. Personally for larger projects I like CrushFTP, which is not free however.

  • Thanks 1
Link to comment
On 10/28/2021 at 3:17 PM, SlrG said:

Cool idea. I'll put it on my research list, too. While not accessible through the plugins settings page (and you might already know this), but it's possible to check if there are users connected and what they are doing by calling /usr/local/SlrG-Common/usr/local/bin/ftptop from a shell.

Awesome to know how to do this!

Link to comment
  • 3 weeks later...

I have been using this plugin for a while and it has been great.  Lately I am having trouble with people hammering my server and using all of my upload bandwidth. 

 

I see there is a module called mod_shaper that would allow me to limit the bandwidth a user is using.

http://www.castaglia.org/proftpd/modules/mod_shaper.html

 

Can anyone please help me get pointed in the right direction to get this implemented?

Or is this something that has to be added to the plugin?

 

Thanks

Link to comment

@KentBrockman

The proftpd version in the plugin is compiled with integrated mod_shaper support. So by editing your proftpd.conf file and adding directives as described in the link you have posted above, you should be able to limit the bandwidth proftpd is able to use. A configuration example is given on the bottom of the page you linked. Obviously you will have to modify the paths and directives from the example to suit your needs, but it should get you started.

 

<IfModule mod_shaper.c>
  ShaperEngine on
  ShaperLog /var/log/ftpd/shaper.log
  ShaperTable /var/log/ftpd/shaper.tab

  # An overall rate (in KB/s) must be set.  This line explicitly
  # sets both the download and upload rates to be the same.
  ShaperAll downrate 1500 uprate 1500

  # Allow all system users to see shaper info
  ShaperControlsACLs info allow user *

  # Allow FTP admins to alter settings both overall and per-session
  ShaperControlsACLs all,sess allow group ftpadm
</IfModule>

 

Don't forget to test your modified configuration. It should give you hints if something is not correctly configured:

/usr/local/SlrG-Common/usr/local/sbin/proftpd -c /etc/proftpd.conf -t

Also remember to restart the proftpd server from the plugins configuration page for the changes to take effect.

Edited by SlrG
Link to comment

Thank You SlrG,

 

I have it running now and upload bandwidth is being throttled as I was hoping.

I can't quite make sense of the set rate vs the actual speeds I am seeing.

 

I have tried 500KB/s and 1000KB/s for overall up/down rates but my router is telling me actual is between 5-10Mbps.

Either way I am happy, I was just wondering if anyone knew how the set rates relate to the real world numbers.

 

Thanks again

Link to comment

@KentBrockman

I'm glad you are happy. :)

 

KB/s is Kilo Bytes per Second. 1 Kilo Byte is 1024 Byte and 1 Byte is 8 bit. So 1 KB/s is 8192 bits per second or 8192 bps. Your chosen values of 500 KB/s are 4096000 bps or 4 Mbps and 1000KB/s are 8192000 bps or 8 Mbps.

 

If other things in your network besides your FTP server generate some traffic too, this would probably explain the overhead reported by your router.

  • Thanks 1
Link to comment
