ProFTPD Plugin for unRAID v6.8.x


SlrG


Now back to the unknown problem. Please check if you have the file /etc/rc.d/rc.proftpd

Then in shell call: /etc/rc.d/rc.proftpd getver app local

This is what is called by the web page to retrieve the local app version. If you don't have this file or it fails, we know a little bit more about where the problem is.

File exists, but look at this:

root@Server1:/etc/rc.d# /etc/rc.d/rc.proftpd getver app local
/usr/local/sbin/proftpd: error while loading shared libraries: libssl.so.1: cannot open shared object file: No such file or directory

(Running rc12a)

Well, that shows the ssl package is missing. ^^ I'm sure I tested with a stock unraid and didn't get this error. But I'll have to test it again to be sure. This will take a while I fear. I have a lot of other things to do at the moment. I'll report back as soon as possible, but it'll probably take the whole week to have a deeper look at this. Sorry. :(

I took this to my rc12a test unRaid box. It too comes back with the same missing ssl package. So this confirms that we are missing something on stock unRaid. Installing openSSL via unMenu doesn't fix it either. We will await your analysis...

That works like a charm. Playing with it now.

Now I need to harden it up before I expose it to the world.

Looks like I can even bolt it down to only certain ip addresses that can login.

Only issue is getting a static ip address so that we aren't always having to change the login address....

Your isp is changing your ip from time to time and you want some static means to access it? Then get yourself a dyndns service. Check your router on what services it supports and get one of those (e.g. http://freedns.afraid.org/). Those services will give you a static hostname (e.g. xyz.service.org) that will be updated to link to your ip, whatever it is at the moment. Your router connects to the service on ip change and registers your new ip. Works fine for me.

If you already have dyndns running, you could forward a port of your choice to the port proftpd uses on your unraid server. This will make the ftp service available worldwide. Using port 21 on the router is not recommended, as this port will be an obvious choice for a bruteforce attack. Using proftpd on port 21 on the server is no problem, as this will not be available for outside access.

If you create a user with access to /mnt/user you will be able to access your user shares.

Be aware however, that if you have sensitive data in those shares, it is still a high risk to go that route. Standard FTP access uses unencrypted passwords and unencrypted transfers. Proftpd provides the ability to use more secure mechanisms (SFTP/SSL/TLS), I can't guide you on this however, as I only provide access to absolutely uncritical data in very selected directories via FTP. Please have a look at the documentation here: http://www.proftpd.org/docs/

A VPN setup from your outside locations to your router would probably be a much more secure way to provide access. And even then you should carefully consider what to share.

PS:

As there is a newer version of proftpd with some security fixes available, I'll do a new build on the weekend. Update will be possible through the plugin's web interface.

Hmmm... I understand what you're saying, and I hear it every time I look into doing this, and every time it scares me off. I wouldn't say the shares are critical data, but I would hate it if some little git deleted my entire movie folder for fun!! Pity there's not more development on this side of things. I just want to be able to be anywhere and grab whatever files I want out of any share without the worrying. I wouldn't be giving anyone else access to it personally.

Also... I tried to install the plugin but it came back with...

installing plugin: proftpd
file /tmp/plugin-prepare: successfully wrote INLINE file contents
  /bin/bash /tmp/plugin-prepare ...

*************************************************************
* ProFTPD plugin installation started...
*************************************************************

success
file /tmp/plugin-cleanup: successfully wrote INLINE file contents
  /bin/bash /tmp/plugin-cleanup ... success
file /boot/config/plugins/proftpd/README: already exists
file /boot/config/plugins/proftpd/device_status.png: downloading from -q --no-check-certificate https://github.com/SlrG/unRAIDplugins/raw/master/proftpd/device_status.png ... bad download, deleting
root@warptower:/boot/config/plugins#

Hmm... If you want only read access to your shares this should be pretty secure if you use a password you don't have anywhere else. Even if it gets cracked (I have used an unencrypted password for years now and was never hacked) you won't compromise other logins and the attacker will have only read access.

The installation problem was my mistake. I moved the binary files from github to my personal webspace but forgot to post the modified plugin. Please redownload it from the first post and try again.

Nice one SlrG... keep up the good work. I hope you take this on to greater things!!

How can I set the user to be read only without having to make the share read only? I want to be able to read/write at home without having to keep changing.

EDIT: Think I see how to do that, but am I right to understand that I can only set the permission to read only on the root of the share for the user?? I set ftpuser path mnt/user/movies/dvdr; /dvdr is a subdirectory I created within the /movie share. Obviously SMB security settings show the named FTP user, but I can only set permission for /movies for that user and not /movies/dvdr.

Don't change permissions or share settings, but change the proftpd config. Add the following lines:

# Limit write access to a directory and subdirs
<Directory /mnt/user/movies/dvdr>
  <Limit WRITE>
    DenyAll
  </Limit>
</Directory>

If you want to allow write operations to a certain directory you add:

# Allow write access to a certain directory
<Directory /mnt/user/movies/dvdr/upload>
  <Limit WRITE>
    AllowAll
  </Limit>
</Directory>

Then save the config and restart proftpd to enable the changes.

This will disable write access for all ftp users. It may be modified to apply to certain users only, or maybe even to only block write access not coming from the local network. I never tried this though, so you will have to google around to see if it is possible. Proftpd is quite powerful in what it can do. Sadly there is no php gui which supports all the bells and whistles.
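The two refinements mentioned above but not tried in the thread, written out as an added example (not config from the plugin or from anyone in the thread): the first stanza keeps the share read-only for every ftp user except one named account, the second allows writes in the upload folder only from the LAN. The account name uploader and the range 192.168.1.0/24 are placeholders; the paths follow the thread.

```apache
# Both stanzas rely on proftpd's default "Order allow,deny": the Allow
# directives are checked first, and whatever they do not match falls
# through to DenyAll.

# Writes under the dvdr folder: only the account "uploader" (placeholder)
# may write; every other ftp user stays read-only here and below.
<Directory /mnt/user/movies/dvdr>
  <Limit WRITE>
    AllowUser uploader
    DenyAll
  </Limit>
</Directory>

# Writes in the upload folder: allowed only from the local network
# (192.168.1.0/24 is a placeholder for your own subnet). A session that
# arrives through the forwarded internet port can still read but never
# write, whichever user it logged in as.
<Directory /mnt/user/movies/dvdr/upload>
  <Limit WRITE>
    Order allow,deny
    Allow from 192.168.1.0/24
    DenyAll
  </Limit>
</Directory>
```

The more specific <Directory> block wins for paths under it, so the upload folder rule replaces the dvdr rule there rather than adding to it; restart proftpd after editing, as with the stanzas above.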

Thanks for this great plugin.

I'm running unRAID Server Plus version: 5.0-rc15a. Port 21 is open on router.

netstat -tulpn | grep :21

gives

tcp        0      0 0.0.0.0:21              0.0.0.0:*              LISTEN      17392/proftpd: (acc

telnet localhost 21

gives

220 ProFTPD 1.3.5rc3 Server (ProFTPD) [127.0.0.1]

I have a user paul with the description

ftpuser /mnt/disk1/audiobooks

I just can't logon. I enter username and then password, but I always get the error

530 Permission denied

I've tried it with different users, different clients, but I still get the same error.

Has anyone got any ideas how I can resolve this please? I know it's not a fault with the plugin, it's almost certainly something stupid I've done.

Did you restart the proftpd daemon after adding the user? If no, please do.

If yes, could you post the lines from the syslog from the time when you try to connect? They might give more detail on the error. Also please post the users and permissions for /mnt/, /mnt/disk1 and /mnt/disk1/audiobooks.

Thanks for the reply.

I did restart the proftpd daemon and rebooted a couple of times.

Jun 29 19:12:25 Hilda emhttp: shcmd (39): usermod -c 'ftpuser /mnt/disk1/audiobooks' paul (Other emhttp)
Jun 29 19:12:25 Hilda emhttp: shcmd (40): cp /etc/passwd /etc/shadow /etc/samba/private/smbpasswd /boot/config (Other emhttp)
Jun 29 19:12:25 Hilda emhttp: shcmd (41): :>/etc/samba/smb-shares.conf (Other emhttp)
Jun 29 19:12:25 Hilda emhttp: Restart SMB... (Other emhttp)
Jun 29 19:12:25 Hilda emhttp: shcmd (42): killall -HUP smbd (Minor Issues)
Jun 29 19:12:25 Hilda emhttp: shcmd (43): ps axc | grep -q rpc.mountd (Other emhttp)
Jun 29 19:12:25 Hilda emhttp: _shcmd: shcmd (43): exit status: 1 (Other emhttp)
Jun 29 19:12:25 Hilda emhttp: shcmd (44): /usr/local/sbin/emhttp_event svcs_restarted (Other emhttp)
Jun 29 19:12:25 Hilda emhttp_event: svcs_restarted (Other emhttp)
Jun 29 19:12:44 Hilda proftpd[17635]: 127.0.0.1 (192.168.1.115[192.168.1.115]) - FTP session opened.
Jun 29 19:12:52 Hilda proftpd[17635]: 127.0.0.1 (192.168.1.115[192.168.1.115]) - notice: unable to use '~/' [resolved to '/mnt/cache/FTP/']: No such file or directory
Jun 29 19:12:52 Hilda proftpd[17635]: 127.0.0.1 (192.168.1.115[192.168.1.115]) - Preparing to chroot to directory '~/'
Jun 29 19:12:52 Hilda proftpd[17635]: 127.0.0.1 (192.168.1.115[192.168.1.115]) - chroot to '~/' failed for user 'paul': Operation not permitted  (Minor Issues)
Jun 29 19:12:52 Hilda proftpd[17635]: 127.0.0.1 (192.168.1.115[192.168.1.115]) - error: unable to set DefaultRoot directory  (Errors)
Jun 29 19:12:52 Hilda proftpd[17635]: 127.0.0.1 (192.168.1.115[192.168.1.115]) - FTP session closed.

Permissions for audiobooks are -rw-rw-rwx 1 nobody users 0

/mnt/disk1:

drwxrwxrwx 2 nobody users        48 2013-06-29 19:22 audiobooks/

Thanks again

Thank you so much for your work with this plugin. Just a couple of notes.

1) For some reason, even though I enabled the webserver on SF, it wouldn't load the proftpd.conf change page for this plugin. I saw the unzip command it was trying to do and after I tried it manually it worked, no idea what that is about (yes I restarted both the plugin and the webserver without success).

2) Please beware that the proftpd.conf config change page will clean the file from any \ in the file. This is problematic because certain options in proftpd require a REGEX path, for which the use of \ can be necessary (an example is below).

3) This is the example I used on my server. First I tried to set them into their own subfolder and do symlinks (doesn't work), then I tried to do a "mount --bind" command but that was a terrible idea since it will prevent you from shutting down the array without you unmounting it yourself. So I gave up and set them into the /mnt/user folder and used the following block. It will hide folders that I want from showing up on the ftp client (please note that they can still access the folders if they type it in manually). Additionally the last part of the regex is to make it hide any file/folder that starts with a ".", this cleans up all those pesky hidden config and apple folders.

<Directory /mnt/user>
  # HideFiles enables me through regex to determine what folders to flag as hidden.
  # Please note you can put a ! before it to make it inverse; the problem is the regex
  # will propagate into the subfolders, which is more problematic to fix.
  HideFiles ^(Pictures|\.FTP|Music|Backup|ROMS|\..*)$
  HideNoAccess on
  # Limit write access to a directory and subdirs, along with any delete of the folder.
  <Limit RNFR RMD XRMD WRITE>
    DenyAll
    # To make the folders from HideFiles actually hidden, this directive is necessary
    IgnoreHidden on
  </Limit>
</Directory>

NOTE: If you use the block above, you will have to either enter it through the console, or go through the webpage but then go in through the console and add \ at both points in the REGEX (see point #2).

@dearleuk

proftpd tries to chroot to ~/ instead of /mnt/disk1/audiobook like it should. This fails and therefore the connect fails too. Did you change anything in the provided proftpd.conf? At the moment I can't say why this is happening. I'll have to think about it a little longer.

@Necrotic

Do you think you could delete or move the proftpdce.zip and provide a log after restarting your server?

Also thank you very much, for reporting the \ problem. I never tried regex paths, so I didn't notice it myself. I'll try to fix this problem in a future version.

Setting up SSL (YMMV, these are the settings I set for myself that I was able to get to work. Any change suggestions welcome)

1) Stop Proftpd (just in case)

2) Login through telnet and paste the following two lines in order. Please note I had to specify the config file (The default is .cnf and it's been updated back to it since it seems to be working again, but on a previous edit/version it actually ended in .cfg)

mkdir /boot/config/plugins/proftpd/ssl/
openssl req -new -x509 -config /etc/ssl/openssl.cnf -days 3650 -nodes -out /boot/config/plugins/proftpd/ssl/ftp.cert.pem -keyout /boot/config/plugins/proftpd/ssl/ftp.key.pem

3) Add the following to the end of your proftpd.conf

<IfModule mod_tls.c>
  TLSEngine                 on
  TLSLog                    /var/log/proftpd.tls.log
  TLSProtocol               SSLv23 TLSv1
  TLSOptions                NoCertRequest NoSessionReuseRequired
  TLSRSACertificateFile     /boot/config/plugins/proftpd/ssl/ftp.cert.pem
  TLSRSACertificateKeyFile  /boot/config/plugins/proftpd/ssl/ftp.key.pem
  TLSVerifyClient           off
  TLSRequired               on
</IfModule>

4) Start Proftpd again and log in. Remember to enable TLS/SSL authentication for your client.

Edited by Necrotic: Updated the command to .cnf file per suggestions of others.
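A tightened version of the mod_tls block above, added here as an example and not Necrotic's or the plugin's config: it keeps the same certificate paths and the TLSRequired setting, but replaces the SSLv23 protocol entry (which also lets a client settle on SSLv3) with TLS 1.2 only and pins the cipher list. It assumes the plugin's proftpd 1.3.5 build is linked against an OpenSSL new enough for TLS 1.2; if proftpd refuses the TLSProtocol value on your box, that assumption does not hold there.

```apache
<IfModule mod_tls.c>
  TLSEngine                 on
  TLSLog                    /var/log/proftpd.tls.log

  # Was: TLSProtocol SSLv23 TLSv1
  # SSLv23 admits SSLv3 as well; offer TLS 1.2 only (assumes OpenSSL support).
  TLSProtocol               TLSv1.2
  # Refuse anonymous, MD5-based and RC4 suites.
  TLSCipherSuite            HIGH:!aNULL:!MD5:!RC4

  TLSRSACertificateFile     /boot/config/plugins/proftpd/ssl/ftp.cert.pem
  TLSRSACertificateKeyFile  /boot/config/plugins/proftpd/ssl/ftp.key.pem

  # No client certificates, so the password is the only credential;
  # TLSRequired on rejects plaintext logins and plaintext data channels,
  # which is what keeps that password off the wire in the clear.
  TLSVerifyClient           off
  TLSRequired               on
  TLSOptions                NoCertRequest NoSessionReuseRequired
</IfModule>
```

Because the certificate from step 2 is self-signed, clients will still show a trust warning on first connect; compare the fingerprint they display with the one from the ftp.cert.pem on the flash drive before accepting it.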

Actually I fixed it by going into your PLG file and erasing the part of the sudo commands for making the directory and unzipping. I restarted and it worked for me. I have very little idea of how sudo works, but I kept getting messages like the following, but also involving the mkdir and unzip command, every time I stopped and started the process (they would stop once I extracted the files manually though).

Jun 29 16:59:25 unRAID sudo: root : TTY=pts/0 ; PWD=/etc/rc.d ; USER=root ; COMMAND=/usr/local/sbin/proftpd -c /etc/proftpd.conf
Jun 29 17:01:25 unRAID sudo: root : TTY=pts/0 ; PWD=/etc/rc.d ; USER=root ; COMMAND=/usr/local/sbin/proftpd -c /etc/proftpd.conf
Jun 29 17:12:45 unRAID sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/sbin/proftpd -c /etc/proftpd.conf
Jun 29 17:13:39 unRAID sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/sbin/proftpd -c /etc/proftpd.conf

@dearleuk

Just to be sure, please check that your config is exactly like this:

# Server Settings
ServerName              ProFTPD
ServerType              standalone
DefaultServer           on
PidFile                 /var/run/proftpd.pid

# Port 21 is the standard FTP port. You probably should not connect to the
# internet with this port. Make your router forward another port to
# this one instead.
Port                    21

# Set the user and group under which the server will run.
User                    nobody
Group                   users

# Prevent DoS attacks
MaxInstances            30

# Speedup Login
UseReverseDNS           off
IdentLookups            off

# Control Logging - comment and uncomment as needed
# If logging Directory is world writeable the server won't start!
# If no SystemLog is defined proftpd will log to servers syslog.
#SystemLog               NONE
#SystemLog               /boot/config/plugins/proftpd/slog
TransferLog             NONE
#TransferLog             /boot/config/plugins/proftpd/xferlog
WtmpLog                 NONE

# As a security precaution prevent root and other users in
# /etc/ftpuser from accessing the FTP server.
UseFtpUsers             on
RootLogin               off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                   022

# "Jail" FTP-Users into their home directory. (chroot)
# The root directory has to be set in the description field
# when defining a user:
# ftpuser /mnt/cache/FTP
# See README for more information.
DefaultRoot             ~

# Shell has to be set when defining a user. As a security precaution
# it is set to "/bin/false" as FTP-Users should not have shell access.
# This setting makes proftpd accept invalid shells.
RequireValidShell       no

# Normally, we want files to be overwriteable.
AllowOverwrite          on

Then please open the /config/passwd file on your flash drive and post the line for the user you created (paul). It will not contain any password, so don't worry.

@Necrotic

sudo -u nobody mkdir ...

will execute the command given (mkdir) as user nobody. The created directory will have the user nobody as owner.

sudo -u root ...

will execute the command given as user root. The log messages you posted don't indicate an error and should not be the reason the config editor didn't work for you. But I'm glad you got it working. Also thank you very much for posting the ssl instructions.
