mcleanap Posted May 4, 2017
I have ProFTPd up and running, however, I would like it to be a bit more secure. I've read through a lot of posts about it now, and it doesn't seem to be easily implemented. I have added the following to my .conf:

SFTPEngine on
# Configure both the RSA and DSA host keys, using the same host key
# files that OpenSSH uses.
SFTPHostKey /boot/config/ssh/ssh_host_rsa_key
SFTPHostKey /boot/config/ssh/ssh_host_dsa_key
SFTPAuthMethods privatekey
SFTPAuthorizedUserKeys file:/boot/config/ssh/authorized_keys
# Enable compression
SFTPCompression delayed

The ProFTPd service does not start when I add the 2 host keys. I am open to other ideas to get this working. Thanks
SlrG (Author) Posted May 4, 2017 (edited)
@all: When trying things like encryption or other config changes, it is essential to let proftpd check the config and report if there are problems. That helps a lot with troubleshooting. From the shell you can do it by giving the following command:

/usr/local/SlrG-Common/usr/local/sbin# proftpd -t -c /etc/proftpd.conf

Where -t means test and -c is the path to the config file you want to test. Under normal circumstances you will get one error and one warning:

Checking syntax of configuration file
2017-05-04 09:56:13,359 lafiel proftpd[17595]: mod_ctrls/0.9.5: error: unable to bind to local socket: Address already in use
2017-05-04 09:56:13,361 lafiel proftpd[17595]: warning: config file '/etc/proftpd.conf' is world-writable
Syntax check complete.

The error usually means you have proftpd already running and thus the port is in use. Or you have another ftp server or process using the port, which means proftpd can't start and you have to fix it. The warning is because the config is saved on the flash drive to preserve it when rebooting and symlinked to the config dir. Sadly the flash has a fat filesystem, which is not able to store file ownership and permissions like linux filesystems do. It normally is no problem and can be ignored. If you have set up a webserver to use the plugin's config editor, it will do the above steps for you and show you if there are errors or warnings. If there are other errors or warnings, you will probably have a problem and what you are trying will fail until you correct it. Please search online for solutions. I'm in no way a proftpd expert and have to do the same thing, which takes a lot of my time.
Edited May 4, 2017 by SlrG
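The config check above can be scripted so that the two messages SlrG explains as normal on unRAID are filtered out and only anything else is surfaced. This is an added example, not the plugin's code and not part of the post. It assumes GNU or busybox grep and that proftpd writes its check output to stderr as well as stdout (hence the 2>&1 in check_config); sample_output_ok is a constructed copy of the output quoted above so the filter can be exercised without a running proftpd.

```shell
#!/bin/sh
# Added example: separate the two expected proftpd -t messages from
# everything else. Not part of the ProFTPd plugin or of the post above.

# filter_config_check: read the output of `proftpd -t -c <file>` on stdin.
# Keep lines that mention error/warning/fatal, then drop the two messages
# the post explains as normal on unRAID: mod_ctrls failing to bind because
# proftpd is already running, and the config on the FAT flash being
# world-writable. Print whatever remains and return 1 if there was any.
filter_config_check() {
  remaining=$(grep -iE 'error|warning|fatal' \
    | grep -v 'mod_ctrls/[0-9.]*: error: unable to bind to local socket' \
    | grep -v "warning: config file '.*' is world-writable" || true)
  if [ -n "$remaining" ]; then
    printf '%s\n' "$remaining"
    return 1
  fi
  return 0
}

# check_config [FILE]: the wrapper to run on the server itself. Defaults to
# the path used by the plugin (/etc/proftpd.conf, see the post above).
check_config() {
  proftpd -t -c "${1:-/etc/proftpd.conf}" 2>&1 | filter_config_check
}

# sample_output_ok: constructed copy of the output quoted in the post,
# used here instead of a live proftpd.
sample_output_ok() {
  cat <<'EOF'
Checking syntax of configuration file
2017-05-04 09:56:13,359 lafiel proftpd[17595]: mod_ctrls/0.9.5: error: unable to bind to local socket: Address already in use
2017-05-04 09:56:13,361 lafiel proftpd[17595]: warning: config file '/etc/proftpd.conf' is world-writable
Syntax check complete.
EOF
}

# Stand-alone run against the constructed sample: nothing is printed by the
# filter, because only the two expected messages are present.
if sample_output_ok | filter_config_check; then
  echo "only the expected mod_ctrls error and world-writable warning were reported"
fi
```

On the server, `check_config` (or `check_config /path/to/other.conf`) returns 0 when the config is clean apart from the two known messages, which makes it usable from the mountscript or a cron job before restarting the service.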
SlrG (Author) Posted May 4, 2017 (edited)
@mcleanap: The proftpd server is running as user nobody with the group users for security reasons. The ssh files you are trying to access are on the flash drive /boot/config/ssh/ where they are group and world accessible (fat filesystem), so proftpd will not use them for security reasons. If you use the files from /etc/ssh/, they belong to the user root. So proftpd running as nobody can't access them. Changing the owner of the files to nobody or changing the user the proftpd server is running as is not advisable. Also on my system there is no /boot/config/authorized_keys file. Do you really have it on yours? Compression doesn't seem to work, as unraid is missing zlib, so you need to remove that command for now. That is what I read from the warnings and errors proftpd gives when testing the config as described above, and by looking at the paths, ownership and permissions of the files. Sadly I'm running out of time for now, so just some quick tips: You will probably have to research how to generate your own keys to use for the sftp connection. If you put them on the flash in /boot/config/ssh they will be copied to /etc/ssh automatically when the server restarts. But they will have the wrong ownership and/or permissions, which you will have to correct with chown and chmod when the server starts. To do it automatically, you can add the commands to the mountscript in the proftpd plugin's directory on the flash.
Edited May 4, 2017 by SlrG
mcleanap Posted May 6, 2017
On 4/10/2017 at 0:57 PM, SlrG said:
WTF. Now all of a sudden it stopped working for me, too. I'm not able to connect internally with FileZilla and TLS enabled. Externally with TLS works fine. And now the weird thing. Trying with FireFTP and TLS works internally but not externally. Sadly the logs don't show anything helpful.

# Server Settings
ServerName ProFTPd
ServerType standalone
DefaultServer on
PidFile /var/run/ProFTPd/ProFTPd.pid

# Port 21 is the standard FTP port. You probably should not connect to the
# internet with this port. Make your router forward another port to
# this one instead.
Port 21

# Set the user and group under which the server will run.
User nobody
Group users

# Prevent DoS attacks
MaxInstances 30

# Speedup Login
UseReverseDNS off
IdentLookups off

# Control Logging - comment and uncomment as needed
# If logging Directory is world writeable the server won't start!
# If no SystemLog is defined proftpd will log to servers syslog.
#SystemLog NONE
#SystemLog /boot/config/plugins/ProFTPd/slog
TransferLog NONE
#TransferLog /boot/config/plugins/ProFTPd/xferlog
WtmpLog NONE

# As a security precaution prevent root and other users in
# /etc/ftpuser from accessing the FTP server.
UseFtpUsers on
RootLogin off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# "Jail" FTP-Users into their home directory. (chroot)
# The root directory has to be set in the description field
# when defining a user:
# ftpuser /mnt/cache/FTP
# See README for more information.
DefaultRoot ~

# Shell has to be set when defining a user. As a security precaution
# it is set to "/bin/false" as FTP-Users should not have shell access.
# This setting makes proftpd accept invalid shells.
RequireValidShell no

# Normally, we want files to be overwritable.
AllowOverwrite on

<Directory /mnt/cache/FTP>
UserOwner nobody
GroupOwner users
Umask 000
</Directory>

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd-tls.log
TLSProtocol SSLv3 TLSv1
TLSOptions NoSessionReuseRequired
TLSRSACertificateFile /boot/config/plugins/ProFTPd/proftpd.cert.pem
TLSRSACertificateKeyFile /boot/config/plugins/ProFTPd/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
TLSMasqueradeAddress xxx.ddns.net
</IfModule>

PassivePorts 60000 60100

Did you ever get this working internally? I am facing the same issue.
SlrG (Author) Posted May 7, 2017 (edited)
@mcleanap: It depends on what you want. I found it would work using FileZilla when connecting from external sources. And it worked using FireFTP using internal ones. So using different clients for different access types could be a solution. Also you could set TLSRequired to off and then you will be able to connect without TLS internally, which should be much less a security risk. Also I would recommend setting up a vpn connection to your private network and use ftp within that to connect to the server and not make the ftp server freely accessible from the net. That depends on what you want to do however. Also the sftp connection is still possible. I was able to get it to work using the tips I gave you above. But I only tested it internally for now. I did not have the time to test it externally, too.
Edited May 7, 2017 by SlrG
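The TLS block quoted in the post before this one lists TLSProtocol SSLv3 TLSv1. SSLv3 was formally deprecated by RFC 7568 and TLS 1.0/1.1 by RFC 8996, so a small audit that flags those values in proftpd.conf, and a rewrite that replaces the line with TLSProtocol TLSv1.2, is a useful companion to the config check SlrG describes. This is an added example, not the plugin's code or part of any post here. It assumes awk, GNU or BSD sed with -E, and a proftpd build whose mod_tls accepts the TLSv1.2 keyword; sample_tls_config is a constructed fragment modelled on the quoted block.

```shell
#!/bin/sh
# Added example: find and replace deprecated TLSProtocol values in a
# proftpd.conf. Not part of the ProFTPd plugin or of the thread's posts.

# audit_tls_protocol FILE: print every TLSProtocol line that enables
# SSLv3, TLSv1 or TLSv1.1 (one line per offending directive) and return 1
# if any were found, 0 if the file is clean. Commented-out directives do
# not match because their first field is "#TLSProtocol".
audit_tls_protocol() {
  awk '
    $1 == "TLSProtocol" {
      for (i = 2; i <= NF; i++)
        if ($i == "SSLv3" || $i == "TLSv1" || $i == "TLSv1.1") {
          print FILENAME ":" NR ": " $0
          bad = 1
          break
        }
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# harden_tls_protocol FILE: write FILE to stdout with every TLSProtocol
# directive replaced by "TLSProtocol TLSv1.2", keeping its indentation.
# Review the output and copy it into place yourself; nothing is edited
# in place.
harden_tls_protocol() {
  sed -E 's/^([[:space:]]*)TLSProtocol[[:space:]].*$/\1TLSProtocol TLSv1.2/' "$1"
}

# sample_tls_config: constructed fragment modelled on the block quoted in
# the thread (SSLv3 and TLSv1 enabled).
sample_tls_config() {
  cat <<'EOF'
<IfModule mod_tls.c>
  TLSEngine on
  TLSProtocol SSLv3 TLSv1
  TLSOptions NoSessionReuseRequired
  TLSRequired on
</IfModule>
EOF
}

# Stand-alone run: audit the constructed sample, then show the hardened form.
tmpconf=$(mktemp)
sample_tls_config > "$tmpconf"
audit_tls_protocol "$tmpconf" || echo "weak TLSProtocol found; hardened version follows:"
harden_tls_protocol "$tmpconf"
rm -f "$tmpconf"
```

Run `audit_tls_protocol /etc/proftpd.conf` on the server after the syntax check; `harden_tls_protocol /etc/proftpd.conf > /tmp/proftpd.conf.new` produces the candidate file for review, and the service must be restarted after the change as with any other edit.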
SlrG (Author) Posted May 7, 2017 (edited)
To enable sftp: open a shell on your unraid server and issue the following commands:

cd /etc/ssh
ssh-keygen

Enter the name of the keyfile (sftp_rsa_key) and no passphrase. You will get two files sftp_rsa_key and sftp_rsa_key.pub. The public key needs to be converted to another format to make it usable by proftpd:

ssh-keygen -e -f sftp_rsa_key.pub | sudo tee sftp_user_keys

You will get a new file sftp_user_keys. Now the owner and permissions will need to be changed:

chown nobody:users sftp_rsa_key sftp_rsa_key.pub sftp_user_keys
chmod 600 sftp_rsa_key sftp_rsa_key.pub sftp_user_keys

Now to make your system restore the correct permissions of these keys on boot you will need to modify the mountscript:

nano /boot/config/plugins/ProFTPd/mountscript.sh

Insert the following lines:

chown nobody:users /etc/ssh/sftp_rsa_key /etc/ssh/sftp_rsa_key.pub /etc/ssh/sftp_user_keys
chmod 600 /etc/ssh/sftp_rsa_key /etc/ssh/sftp_rsa_key.pub /etc/ssh/sftp_user_keys

Now edit your proftpd.conf file and insert:

<IfModule mod_sftp.c>
SFTPEngine on
Port 2222
SFTPLog /var/log/sftp.log
SFTPHostKey /etc/ssh/sftp_rsa_key
SFTPAuthorizedUserKeys file:/etc/ssh/sftp_user_keys
SFTPAuthMethods publickey
SFTPKeyBlacklist none
SFTPDHParamFile /usr/local/SlrG-Common/usr/local/etc/dhparams.pem
</IfModule>

Don't forget to restart the proftpd server to enable the changes. You need to copy the sftp_rsa_key and take it with you, to access your server. If you are using FileZilla to connect, the file needs to be converted to a usable format and stored in FileZilla's settings.
Edited May 8, 2017 by SlrG: fixed typo
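The mountscript lines in the post run chown and chmod unconditionally, so a missing or misnamed key file goes unnoticed until mod_sftp refuses the host key. The two functions below do the same job but skip files that do not exist, report what they found, and let you verify the result before restarting proftpd. This is an added example, not the plugin's mountscript and not from the post; it assumes a stat that accepts -c (GNU coreutils or busybox, both present on unRAID) and the file names from the post.

```shell
#!/bin/sh
# Added example: restore and verify ownership and mode of the mod_sftp key
# files at boot. Not part of the ProFTPd plugin or of the post above.

# The three files the post creates in /etc/ssh.
SFTP_KEY_FILES="/etc/ssh/sftp_rsa_key /etc/ssh/sftp_rsa_key.pub /etc/ssh/sftp_user_keys"

# fix_key_perms OWNER GROUP FILE...: chown OWNER:GROUP and chmod 600 each
# FILE that exists; report (and skip) the ones that are missing instead of
# letting chown fail silently inside the mountscript.
fix_key_perms() {
  owner=$1; group=$2; shift 2
  for f in "$@"; do
    if [ ! -f "$f" ]; then
      echo "fix_key_perms: missing $f (generate it first, see the post)" >&2
      continue
    fi
    chown "$owner:$group" "$f" && chmod 600 "$f"
  done
}

# check_key_perms OWNER GROUP FILE...: return 0 only if every FILE exists,
# has mode 0600 and is owned by OWNER:GROUP. OWNER and GROUP may be names
# ("nobody users") or numeric ids, so the check also works where the
# user has no passwd entry. Each problem is reported on stderr.
check_key_perms() {
  owner=$1; group=$2; shift 2
  rc=0
  for f in "$@"; do
    if [ ! -f "$f" ]; then
      echo "missing: $f" >&2; rc=1; continue
    fi
    mode=$(stat -c %a "$f")
    names=$(stat -c %U:%G "$f")
    ids=$(stat -c %u:%g "$f")
    if [ "$mode" != 600 ]; then
      echo "$f: mode $mode, want 600" >&2; rc=1
    fi
    if [ "$names" != "$owner:$group" ] && [ "$ids" != "$owner:$group" ]; then
      echo "$f: owner $names, want $owner:$group" >&2; rc=1
    fi
  done
  return $rc
}

# In mountscript.sh on the server these two lines replace the bare
# chown/chmod from the post (word splitting of SFTP_KEY_FILES is intended):
#   fix_key_perms nobody users $SFTP_KEY_FILES
#   check_key_perms nobody users $SFTP_KEY_FILES || echo "sftp keys not ready" >&2
# Stand-alone run: only checks, so nothing is changed on the machine.
check_key_perms nobody users $SFTP_KEY_FILES && echo "sftp key files ready for mod_sftp"
```

The check is worth running after every reboot because, as the earlier post explains, files restored from the FAT flash come back with the wrong ownership and mode, and mod_sftp will not use a host key that other users can read.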
mcleanap Posted May 7, 2017
SlrG said:
To enable sftp: open a shell on your unraid server and issue the following commands:

cd /etc/ssh
ssh-keygen

Enter the name of the keyfile (sftp_rsa_key) and no passphrase. You will get two files sftp_rsa_key and sftp_rsa_key.pub. The public key needs to be converted to another format to make it usable by proftpd:

ssh-keygen -e -f sftp_rsa_key.pub | sudo tee sftp_user_keys

You will get a new file sftp_user_keys. Now the owner and permissions will need to be changed:

chown nobody:users sftp_rsa_key sftp_rsa_key.pub sftp_user_keys
chmod 600 sftp_rsa_key sftp_rsa_key.pub sftp_user_keys

Now to make your system restore the correct permissions of these keys on boot you will need to modify the mountscript:

nano /boot/config/plugins/ProFTPd/mountscript.sh

Insert the following lines:

chown nobody:users /etc/ssh/sftp_rsa_key /etc/ssh/sftp_rsa_key.pub /etc/ssh/sftp_user_keys
chmod 600 /etc/ssh/sftp_rsa_key /etc/ssh/sftp_rsa_key.pub /etc/ssh/sftp_user_keys

Now edit your proftpd.conf file and insert:

<IfModule mod_sftp.c>
SFTPEngine on
Port 2222
SFTPLog /var/log/sftp.log
SFTPHostKey /etc/ssh/sftp_rsa_key
SFTPAuthorizedUserKeys file:/etc/ssh/sftp_user_keys
SFTPAuthMethods publickey
SFTPKeyBlacklist none
SFTPDHParamFile /usr/local/SlrG-Common/usr/local/etc/dhparams.pem
</IfModule>

Don't forget to restart the proftpd server to enable the changes. You need to copy the sftp_rsa_key and take it with you, to access your server. If you are using FileZilla to connect, the file needs to be converted to a usable format and stored in FileZilla's settings.

This is great. I will give it a shot later today. I'm looking at a way to move backups of cpanel from a web host. It's the only reason I want to open this up.
mcleanap Posted May 8, 2017
@SlrG Beauty! This works - internally and externally. Now, I have to figure out why WHMEasyBackup is failing. I did use that private key in cpanel SSH Access. I think that's all I need, but will continue to work on this. Huge Thanks!
SlrG (Author) Posted May 8, 2017
I'm glad the unRAID part works fine. Sadly I have no idea regarding WHMEasyBackup, as I have never used this.
JWMutant Posted June 16, 2017
Hi, I'm having some problems getting the app to run and wouldn't mind some help. I have Apache installed and working with no problems. When I try and start Proftpd it keeps coming back with an error on the bottom of the screen as seen in the pic. Any ideas what I'm doing wrong? Hoping it's an easy fix as I'm not overly smart when it comes to using telnet.
SlrG (Author) Posted June 16, 2017
On 11.4.2017 at 5:14 PM, dannygonzalez0861 said:
Oh wow I got it working! I enabled the built in FTP server from unRAID first and then installed the plugin. Service started right up!

In newer versions of unRAID, the integrated FTP server is disabled by default, while the plugin expects it to be enabled. The installation doesn't work correctly and the plugin fails to work, too. Please remove the plugin, enable unRAID's integrated FTP and then reinstall the plugin. I was not yet able to fix this bug, but I will in the future. For now this should get you going as a workaround.
MickMorley Posted July 18, 2017 (edited)
I am using the apache-php docker and getting errors when trying to edit the config file. It is looking for a proftpdce.php file that does not exist. This happens after selecting Check & Save.
Edited July 18, 2017 by MickMorley: more info
SlrG (Author) Posted July 18, 2017 (edited)
@MickMorley I tried to use the docker apache when it was made available and I failed, too. I'm using the plugin version now and that works fine. I believe the reason why the dockers fail is because they block access to files outside of the defined web folder for valid security reasons. Sadly this is something the config editor needs to work, as the proftpd.conf is in /etc/ on your unRAID. If you don't want to use the apache plugin instead, please disable the config editor. You don't really need it. You can always use nano in a console to edit the proftpd.conf or use winscp if you like a more graphical editor. Don't forget to restart the service afterwards for the changes to get applied. On a side note, you seem to be using an older version of my proftpd plugin. The config editor has been renamed from proftpdce.php to ConfEdit.php. You should not get the old name with the newest version. If you are using the newest please tell me; I'll have to recheck the source code then to make sure I did not miss some old reference in there.
Edited July 18, 2017 by SlrG: spelling corrected
MickMorley Posted July 19, 2017
15 hours ago, SlrG said:
@MickMorley I tried to use the docker apache when it was made available and I failed, too. I'm using the plugin version now and that works fine. I believe the reason why the dockers fail is because they block access to files outside of the defined web folder for valid security reasons. Sadly this is something the config editor needs to work, as the proftpd.conf is in /etc/ on your unRAID. If you don't want to use the apache plugin instead, please disable the config editor. You don't really need it. You can always use nano in a console to edit the proftpd.conf or use winscp if you like a more graphical editor. Don't forget to restart the service afterwards for the changes to get applied. On a side note, you seem to be using an older version of my proftpd plugin. The config editor has been renamed from proftpdce.php to ConfEdit.php. You should not get the old name with the newest version. If you are using the newest please tell me; I'll have to recheck the source code then to make sure I did not miss some old reference in there.

@SlrG Thank you for clarifying. I tried to search this topic for the keywords but couldn't find anything. I double checked and I am using version 2017.07.12. I just installed it yesterday. ConfEdit.php is being populated on the Apache webroot folder but it looks like there are still references to the old variables.
SlrG (Author) Posted July 19, 2017
Okay. Thank you for the information. I'll try to fix the error and release a new version soon. It will still not work with the docker apache versions however, as I don't know how I could possibly fix that.
SlrG (Author) Posted July 19, 2017 (edited)
@MickMorley The bug should be fixed now. Please update the plugin and delete the ProFTPd folder from your web server directory. Then restart the service and the fixed editor should be saved into your web server directory. Thank you very much for finding and reporting this bug.
Edited July 19, 2017 by SlrG
geonerdist Posted July 23, 2017
Thank you for this addin! Got myself up and running pretty quickly! Although I checked the unraid log and saw something I am unsure what to think of. Any comments? Thanks guys!

Jul 22 14:45:24 Tower proftpd[58261]: 127.0.0.1 (130.255.140.28[130.255.140.28]) - crypt(3) failed: Invalid argument
Jul 22 14:45:24 Tower proftpd[58261]: 127.0.0.1 (130.255.140.28[130.255.140.28]) - USER ftp (Login failed): Incorrect password
Jul 23 01:14:46 Tower proftpd[48276]: 127.0.0.1 (93.72.240.7[93.72.240.7]) - USER admin: no such user found from 93.72.240.7 [93.72.240.7] to 192.168.1.3:21

Both the IP addresses trace to RIPE (RIPE Network Coordination Center) in the Ukraine... I have also been camping since 7/21 to about 1300 today (7/23)
SlrG (Author) Posted July 24, 2017
@geonerdist There is someone trying to hack into your server. Mostly these are automatic scripts that someone set up, that crawl the net looking for servers on standard ports and trying known user and password combinations on them. Which port did you open on your router to forward it to your server? If you opened 21 I would ASAP change that to some other port above 49151, e.g. 49221 or something. That will probably stop those login attempts. The port the proftpd server is running on can stay 21. That does not matter. Just forward from 49221 on the router to 21 on the server. Also make sure you have secure usernames and passwords. No admin admin or something. If you want more security, don't open the ftp port on the router but use a VPN connection to connect to your private network from the outside and then you can access your PCs from there.
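The log lines geonerdist posted are the usual signature of credential guessing: "Login failed" and "no such user found" entries from addresses you do not recognise. A small filter over the syslog makes it easy to see how many failures each source produced, which is the question to answer before deciding whether the port change or a VPN is warranted. This is an added detection example, not part of the plugin or of either post; it assumes grep, sed -E, sort, uniq and awk, and sample_auth_log is constructed from the three lines quoted above plus two constructed lines from the documentation address 203.0.113.5.

```shell
#!/bin/sh
# Added example: count failed FTP logins per client address from proftpd
# syslog lines. Not part of the ProFTPd plugin or of the thread's posts.

# failed_logins_by_ip: read proftpd syslog lines on stdin, keep the ones that
# record an authentication failure ("Login failed" or "no such user found"),
# take the client address from the "(addr[addr])" field that proftpd logs,
# and print "count address", highest count first. The crypt(3) line in the
# post is deliberately not counted: it is not itself a login attempt.
failed_logins_by_ip() {
  grep -E 'proftpd\[[0-9]+\]' \
    | grep -E 'Login failed|no such user found' \
    | sed -nE 's/.*\(([0-9.]+)\[[0-9.]+\]\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# repeat_offenders THRESHOLD: addresses with at least THRESHOLD failures,
# one per line, for feeding into a firewall rule or a blocklist review.
repeat_offenders() {
  failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# sample_auth_log: the three lines from the post plus two constructed lines
# from a documentation address (203.0.113.5), so the filter has a repeat.
sample_auth_log() {
  cat <<'EOF'
Jul 22 14:45:24 Tower proftpd[58261]: 127.0.0.1 (130.255.140.28[130.255.140.28]) - crypt(3) failed: Invalid argument
Jul 22 14:45:24 Tower proftpd[58261]: 127.0.0.1 (130.255.140.28[130.255.140.28]) - USER ftp (Login failed): Incorrect password
Jul 23 01:14:46 Tower proftpd[48276]: 127.0.0.1 (93.72.240.7[93.72.240.7]) - USER admin: no such user found from 93.72.240.7 [93.72.240.7] to 192.168.1.3:21
Jul 23 02:00:01 Tower proftpd[48300]: 127.0.0.1 (203.0.113.5[203.0.113.5]) - USER backup: no such user found from 203.0.113.5 [203.0.113.5] to 192.168.1.3:21
Jul 23 02:00:03 Tower proftpd[48301]: 127.0.0.1 (203.0.113.5[203.0.113.5]) - USER admin (Login failed): Incorrect password
EOF
}

# Stand-alone run on the constructed sample.
sample_auth_log | failed_logins_by_ip
```

On the server, `grep proftpd /var/log/syslog | failed_logins_by_ip` gives the same table for the real log, and `grep proftpd /var/log/syslog | repeat_offenders 5` lists only the addresses that have failed five or more times.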
geonerdist Posted July 25, 2017 (edited)
@SlrG That is what I figured. Before I opened the port I ensured the username/password is not some generic thing. I set up the FTP server w/ port forwarding since sometimes I transfer stuff to home from work or one of my volunteer gigs and can't use my VPN to get access. Thanks for the port tip. I did not think of that, thanks again! Any explanation why you choose something over 49151? Disregard, a quick google says that 0-49151 are system, user, or registered ports while beyond 49151 are dynamic or private ports.
Edited July 25, 2017 by geonerdist
SlrG (Author) Posted July 25, 2017
@geonerdist Yes, that is the reason.
jeffreywhunter Posted July 29, 2017
I'm using the latest version of Proftpd for access to my server from my backup software (Goodsync, latest version). All is working as it should, except I see a couple of errors in my syslog every time I open an FTP connection. But the connection works just fine.

Jul 29 08:13:18 HunterNAS proftpd[29300]: 127.0.0.1 (192.168.29.11[192.168.29.11]) - error: /boot/config/plugins/ProFTPd is a world-writable directory
Jul 29 08:13:18 HunterNAS proftpd[29300]: 127.0.0.1 (192.168.29.11[192.168.29.11]) - unable to open TransferLog '/boot/config/plugins/ProFTPd/xferlog': No such file or directory

Not sure what the first error indicates, it shows as a 'red' error in the syslog. I've looked into the second error on my flash drive, the directory did not exist, given the boot directory is created every startup, do I need to insert a go file statement to create the directory? Log attached just FYI... Thanks in advance!
hunternas-diagnostics-20170729-0831.zip
Squid Posted July 29, 2017
3 minutes ago, jeffreywhunter said:
Jul 29 08:13:18 HunterNAS proftpd[29300]: 127.0.0.1 (192.168.29.11[192.168.29.11]) - error: /boot/config/plugins/ProFTPd is a world-writable directory

File is stored on the flash drive (FAT32), so everything is world-writable.

4 minutes ago, jeffreywhunter said:
Jul 29 08:13:18 HunterNAS proftpd[29300]: 127.0.0.1 (192.168.29.11[192.168.29.11]) - unable to open TransferLog '/boot/config/plugins/ProFTPd/xferlog': No such file or directory

Looks like there's no log of the old transfers being saved.
jeffreywhunter Posted July 29, 2017
So the world-writable is not really an error... just a warning that it's exposed and in the case of unraid does not matter? So should I just put a go statement to create the directory on boot?
Squid Posted July 29, 2017
3 minutes ago, jeffreywhunter said:
So should I just put a go statement to create the directory on boot?

IDK. You tell me....
jeffreywhunter Posted July 29, 2017
4 minutes ago, Squid said:
IDK. You tell me....

LOL, not being the developer, I have no idea. It does not seem to matter, so live and let live I guess...