ProFTPD Plugin for unRAID v6.8.x


SlrG


I have ProFTPd up and running, however, I would like it to be a bit more secure.  I've read through a lot of posts about it now, and it doesn't seem to be easily implemented.

 

I have added the following to my .conf

 

SFTPEngine on

# Configure both the RSA and DSA host keys, using the same host key
# files that OpenSSH uses.

SFTPHostKey /boot/config/ssh/ssh_host_rsa_key
SFTPHostKey /boot/config/ssh/ssh_host_dsa_key
SFTPAuthMethods privatekey


SFTPAuthorizedUserKeys file:/boot/config/ssh/authorized_keys

# Enable compression
SFTPCompression delayed

 

ProFTPd Service does not start when I add the 2 hostkeys.

 

I am open to other ideas to get this working. 

 

Thanks


@all:

When trying things like encryption or other config changes, it is essential to let proftpd check the config and report if there are problems. That helps a lot with troubleshooting.

From the shell you can do it by giving the following command:

/usr/local/SlrG-Common/usr/local/sbin# proftpd -t -c /etc/proftpd.conf

Where -t means test and -c is the path to the config file you want to test.

 

Under normal circumstances you will get one error and one warning:

Checking syntax of configuration file
2017-05-04 09:56:13,359 lafiel proftpd[17595]: mod_ctrls/0.9.5: error: unable to bind to local socket: Address already in use
2017-05-04 09:56:13,361 lafiel proftpd[17595]: warning: config file '/etc/proftpd.conf' is world-writable
Syntax check complete.

The error usually means you have proftpd already running and thus the port is in use. Or you have another ftp server or process using the port, which means proftpd can't start and you have to fix it. The warning is because the config is saved on the flash drive to preserve it when rebooting and symlinked to the config dir. Sadly the flash has a FAT filesystem, which is not able to store file ownership and permissions like Linux filesystems do. It normally is no problem and can be ignored.

 

If you have setup a webserver to use the plugins config editor, it will do the above steps for you and show you if there are errors or warnings.

 

If there are other errors or warnings, you will probably have a problem and what you are trying will fail until you correct it. Please search online for solutions. I'm in no way a proftpd expert and have to do the same thing, which takes a lot of my time.


@mcleanap:

The proftpd server is running as user nobody with the group users for security reasons.

 

The ssh files you are trying to access are on the flash drive /boot/config/ssh/ where they are group and world accessible (fat filesystem), so proftpd will not use them for security reasons.

 

If you use the files from /etc/ssh/, they belong to the user root. So proftpd running as nobody can't access them.


Changing the owner of the files to nobody or changing the user the proftpd server is running as is not advisable.

 

Also on my system there is no /boot/config/authorized_keys file. Do you really have it on yours?

 

Compression doesn't seem to work, as unRAID is missing zlib, so you need to remove that command for now.

 

That is what I read from the warnings and errors proftpd gives when testing the config as described above, and by looking at the paths, ownership and permissions of the files.

 

Sadly I'm running out of time for now, so just some quick tips:

You will probably have to research how to generate your own keys to use for the sftp connection.

If you put them on the flash in /boot/config/ssh they will be copied to /etc/ssh automatically, when the server restarts. But they will have the wrong ownership and/or permissions, which you will have to correct with chown and chmod when the server starts. To do it automatically, you can add the commands to the mountscript in the proftpd plugins directory on the flash.

On 4/10/2017 at 0:57 PM, SlrG said:

WTF. Now all of a sudden it stopped working for me, too. I'm not able to connect internally with FileZilla and TLS enabled. Externally with TLS works fine. And now the weird thing. Trying with FireFTP and TLS works internally but not externally. Sadly the logs don't show anything helpful.

 


# Server Settings
ServerName              ProFTPd
ServerType              standalone
DefaultServer           on
PidFile                 /var/run/ProFTPd/ProFTPd.pid

# Port 21 is the standard FTP port. You probably should not connect to the
# internet with this port. Make your router forward another port to
# this one instead.
Port                    21

# Set the user and group under which the server will run.
User                    nobody
Group                   users

# Prevent DoS attacks
MaxInstances            30

# Speedup Login
UseReverseDNS           off
IdentLookups            off

# Control Logging - comment and uncomment as needed
# If logging Directory is world writeable the server won't start!
# If no SystemLog is defined proftpd will log to servers syslog.
#SystemLog               NONE
#SystemLog               /boot/config/plugins/ProFTPd/slog
TransferLog             NONE
#TransferLog             /boot/config/plugins/ProFTPd/xferlog
WtmpLog                 NONE

# As a security precaution prevent root and other users in
# /etc/ftpuser from accessing the FTP server.
UseFtpUsers             on
RootLogin               off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# "Jail" FTP-Users into their home directory. (chroot)
# The root directory has to be set in the description field
# when defining an user:
# ftpuser /mnt/cache/FTP
# See README for more information.
DefaultRoot ~

# Shell has to be set when defining an user. As a security precaution
# it is set to "/bin/false" as FTP-Users should not have shell access.
# This setting makes proftpd accept invalid shells.
RequireValidShell       no

# Normally, we want files to be overwriteable.
AllowOverwrite          on

<Directory /mnt/cache/FTP>
  UserOwner nobody
  GroupOwner users
  Umask 000
</Directory>

<IfModule mod_tls.c>
  TLSEngine                  on
  TLSLog                     /var/log/proftpd-tls.log
  TLSProtocol                SSLv3 TLSv1
  TLSOptions NoSessionReuseRequired
  TLSRSACertificateFile      /boot/config/plugins/ProFTPd/proftpd.cert.pem
  TLSRSACertificateKeyFile   /boot/config/plugins/ProFTPd/proftpd.key.pem
  TLSVerifyClient            off
  TLSRequired                on
  TLSMasqueradeAddress       xxx.ddns.net
</IfModule>

PassivePorts		     60000 60100

 

 

Did you ever get this working internally?  I am facing the same issue.


@mcleanap:

It depends on what you want. I found it would work using FileZilla when connecting from external sources. And it worked using FireFTP using internal ones. So using different clients for different access types could be a solution.

 

Also you could set TLSRequired to off and then you will be able to connect without TLS internally, which should be much less of a security risk.

 

Also I would recommend setting up a vpn connection to your private network and use ftp within that to connect to the server and not make the ftp server freely accessible from the net. That depends on what you want to do however.

 

Also the sftp connection is still possible. I was able to get it to work using the tips I gave you above. But I only tested it internally for now. I did not have the time to test it externally, too.


To enable sftp:

open a shell on your unraid server and issue the following commands

cd /etc/ssh
ssh-keygen

Enter the name of the keyfile (sftp_rsa_key) and no passphrase.

You will get two files sftp_rsa_key and sftp_rsa_key.pub. The public key needs to be converted to another format to make it usable by proftpd:

ssh-keygen -e -f sftp_rsa_key.pub | sudo tee sftp_user_keys

You will get a new file sftp_user_keys. Now the owner and permissions will need to be changed:

chown nobody:users sftp_rsa_key sftp_rsa_key.pub sftp_user_keys
chmod 600 sftp_rsa_key sftp_rsa_key.pub sftp_user_keys 

Now to make your system restore the correct permissions of these keys on boot you will need to modify the mountscript:

nano /boot/config/plugins/ProFTPd/mountscript.sh

Insert the following lines:

chown nobody:users /etc/ssh/sftp_rsa_key /etc/ssh/sftp_rsa_key.pub /etc/ssh/sftp_user_keys
chmod 600 /etc/ssh/sftp_rsa_key /etc/ssh/sftp_rsa_key.pub /etc/ssh/sftp_user_keys

Now edit your proftpd.conf file and insert:

<IfModule mod_sftp.c>
        SFTPEngine on
        Port 2222
        SFTPLog /var/log/sftp.log

        SFTPHostKey /etc/ssh/sftp_rsa_key
        SFTPAuthorizedUserKeys file:/etc/ssh/sftp_user_keys

        SFTPAuthMethods publickey

        SFTPKeyBlacklist none
        SFTPDHParamFile /usr/local/SlrG-Common/usr/local/etc/dhparams.pem
</IfModule>

Don't forget to restart the proftpd server to enable the changes.

 

You need to copy the sftp_rsa_key and take it with you to access your server. If you are using FileZilla to connect, the file needs to be converted to a usable format and stored in FileZilla's settings.

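The key generation, permission fix, mountscript edit and config syntax check from the posts above, folded into one rerunnable script that verifies the result instead of assuming it. This is an added example, not the plugin's or SlrG's own code; it assumes the paths and the nobody:users owner given in the posts, that ssh-keygen and proftpd are on PATH, and that it runs as root.

```shell
#!/bin/sh
# Added example, not part of the ProFTPd plugin: automates the sftp key steps
# from the post and verifies the result. Paths and the nobody:users owner come
# from the post; ssh-keygen and proftpd on PATH and root privileges are assumed.

SSH_DIR=/etc/ssh
KEY=$SSH_DIR/sftp_rsa_key
USER_KEYS=$SSH_DIR/sftp_user_keys
MOUNTSCRIPT=/boot/config/plugins/ProFTPd/mountscript.sh
CONF=/etc/proftpd.conf

# Same chown/chmod as the post; owner and group may be names or numeric ids.
fix_key_perms() {
  owner=$1; group=$2; shift 2
  chown "$owner:$group" "$@" && chmod 600 "$@"
}

# Succeeds only if FILE is a regular file with mode exactly 0600 owned by
# OWNER:GROUP, the state proftpd (running as nobody) needs to load the key.
check_key_perms() {
  owner=$1; group=$2; file=$3
  [ -f "$file" ] && [ -n "$(find "$file" -perm 600 -user "$owner" -group "$group")" ]
}

# Appends LINE to FILE unless an identical line is already there, so the
# mountscript does not collect duplicates when the script is rerun.
append_once() {
  file=$1; line=$2
  if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then return 0; fi
  printf '%s\n' "$line" >> "$file"
}

setup_sftp_keys() {
  # Host key without passphrase, as in the post; an existing key is kept.
  [ -f "$KEY" ] || ssh-keygen -t rsa -N '' -f "$KEY" || return 1
  # Convert the public key to the RFC 4716 format mod_sftp reads.
  ssh-keygen -e -f "$KEY.pub" > "$USER_KEYS" || return 1
  fix_key_perms nobody users "$KEY" "$KEY.pub" "$USER_KEYS" || return 1
  for f in "$KEY" "$KEY.pub" "$USER_KEYS"; do
    check_key_perms nobody users "$f" || { echo "wrong owner/mode: $f" >&2; return 1; }
  done
  # Ownership is not preserved across reboots, so the mountscript reapplies it.
  append_once "$MOUNTSCRIPT" "chown nobody:users $KEY $KEY.pub $USER_KEYS"
  append_once "$MOUNTSCRIPT" "chmod 600 $KEY $KEY.pub $USER_KEYS"
  # Syntax-check the config as recommended earlier in the thread.
  proftpd -t -c "$CONF"
}

if [ "${1:-}" = "--setup" ]; then setup_sftp_keys; fi
```

Run it as `sh setup-sftp.sh --setup`; sourcing it without the flag only defines the functions, which is useful for checking an existing key set by hand with `check_key_perms nobody users /etc/ssh/sftp_rsa_key`.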



This is great. I will give it a shot later today.

I'm looking at a way to move back ups of cpanel from a web host. It's the only reason I want to open this up.


@SlrG  Beauty!  This works - internally and externally. 

 

Now, I have to figure out why WHMEasyBackup is failing.  I did use that private key in cpanel SSH Access.  I think that's all I need, but will continue to work on this.

 

Huge Thanks!


Hi, I'm having some problems getting the app to run and wouldn't mind some help. :)

 

I have Apache installed and working with no problems.

 

When I try and start Proftpd it keeps coming back with an error on the bottom of the screen as seen in the pic.

 

Any ideas what I'm doing wrong?

 

Hoping it's an easy fix as I'm not overly smart when it comes to using telnet.

 

 

error.jpg

On 11.4.2017 at 5:14 PM, dannygonzalez0861 said:

Oh wow I got it working!  I enabled the built in FTP server from unRAID first and then installed the plugin.  Service started right up!

In newer versions of unRAID, the integrated FTP server is disabled by default, while the plugin expects it to be enabled. The installation doesn't work correctly and the plugin fails to work, too. Please remove the plugin, enable unRAID's integrated FTP and then reinstall the plugin. I was not yet able to fix this bug, but I will in the future. For now this should get you going as a workaround.

 


@MickMorley

I tried to use the docker apache when it was made available and I failed, too. I'm using the plugin version now and that works fine. I believe the reason why the dockers fail is, because they block access to files outside of the defined web folder for valid security reasons. Sadly this is something the config editor needs to work, as the proftpd.conf is in /etc/ on your unRAID.

 

If you don't want to use the apache plugin instead, please disable the config editor. You don't really need it. You can always use nano in a console to edit the proftpd.conf or use winscp if you like a more graphical editor. Don't forget to restart the service afterwards for the changes to get applied.

 

On a side note, you seem to be using an older version of my proftpd plugin. The config editor has been renamed from proftpdce.php to ConfEdit.php. You should not get the old name with the newest version. If you are using the newest, please tell me; I'll have to recheck the source code then to make sure I did not miss some old reference in there.


@SlrG 

Thank you for clarifying.  I tried to search this topic for the keywords but couldn't find anything.  I double checked and I am using version 2017.07.12.  I just installed it yesterday.  ConfEdit.php is being populated on the Apache webroot folder but it looks like there are still references to the old variables. 


@MickMorley

The bug should be fixed now. Please update the plugin and delete the ProFTPd folder from your web server directory. Then restart the service and the fixed editor should be saved into your web server directory. Thank you very much for finding and reporting this bug.


Thank you for this addin! Got myself up and running pretty quickly! Although I checked the unraid log and saw something I am unsure what to think of. Any comments? Thanks guys!

 

Jul 22 14:45:24 Tower proftpd[58261]: 127.0.0.1 (130.255.140.28[130.255.140.28]) - crypt(3) failed: Invalid argument
Jul 22 14:45:24 Tower proftpd[58261]: 127.0.0.1 (130.255.140.28[130.255.140.28]) - USER ftp (Login failed): Incorrect password
Jul 23 01:14:46 Tower proftpd[48276]: 127.0.0.1 (93.72.240.7[93.72.240.7]) - USER admin: no such user found from 93.72.240.7 [93.72.240.7] to 192.168.1.3:21

Both the IP addresses trace to RIPE (RIPE Network Coordination Center) in the Ukraine... I have also been camping since 7/21 to about 1300 today (7/23)


@geonerdist

There is someone trying to hack into your server. Mostly these are automatic scripts that someone setup, that crawl the net looking for servers on standard ports and trying known user and password combinations on them.

 

Which port did you open on your router to forward it to your server? If you opened 21 I would ASAP change that to some other port above 49151, e.g. 49221 or something. That will probably stop those login attempts. The port the proftpd server is running on can stay 21. That does not matter. Just forward from 49221 on the router to 21 on the server. Also make sure you have secure usernames and passwords. No admin admin or something. :)

 

If you want more security, don't open the ftp port on the router but use a vpn connection to connect to your private network from the outside and then you can access your PC's from there.

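A small detector for the pattern geonerdist's log shows and SlrG's reply explains: it counts failed logins and unknown-user attempts per source address so repeated guessing stands out, while ignoring the accompanying crypt(3) line and successful logins. This is an added example, not from the original posts; the sample log is constructed here, reusing the two addresses quoted in the post plus the documentation address 203.0.113.5, and it assumes the syslog line format shown in that post.

```shell
#!/bin/sh
# Added example (not from the thread): per-source counts of failed ProFTPd
# logins in a syslog-style log, the pattern behind the lines geonerdist posted.

# Writes a constructed sample log to the path given as $1. The first four lines
# are the ones quoted in the post; the rest are made up for the example.
write_sample_log() {
  cat > "$1" <<'EOF'
Jul 22 14:45:24 Tower proftpd[58261]: 127.0.0.1 (130.255.140.28[130.255.140.28]) - crypt(3) failed: Invalid argument
Jul 22 14:45:24 Tower proftpd[58261]: 127.0.0.1 (130.255.140.28[130.255.140.28]) - USER ftp (Login failed): Incorrect password
Jul 22 14:45:30 Tower proftpd[58261]: 127.0.0.1 (130.255.140.28[130.255.140.28]) - USER test (Login failed): Incorrect password
Jul 23 01:14:46 Tower proftpd[48276]: 127.0.0.1 (93.72.240.7[93.72.240.7]) - USER admin: no such user found from 93.72.240.7 [93.72.240.7] to 192.168.1.3:21
Jul 23 02:00:01 Tower proftpd[48300]: 127.0.0.1 (203.0.113.5[203.0.113.5]) - USER admin: no such user found from 203.0.113.5 [203.0.113.5] to 192.168.1.3:21
Jul 23 02:00:02 Tower proftpd[48301]: 127.0.0.1 (203.0.113.5[203.0.113.5]) - USER test (Login failed): Incorrect password
Jul 23 02:00:03 Tower proftpd[48302]: 127.0.0.1 (203.0.113.5[203.0.113.5]) - USER ftp (Login failed): Incorrect password
Jul 23 08:10:00 Tower proftpd[49001]: 127.0.0.1 (192.168.1.20[192.168.1.20]) - USER backup: Login successful.
EOF
}

# Prints "ip count" for every address with at least one failed login or
# unknown-user attempt in the log file $1, sorted by address. Only the
# "Login failed" and "no such user" lines count; the crypt(3) line that
# precedes a failed password check is not a separate attempt.
failed_login_counts() {
  awk '/proftpd\[/ && (/Login failed/ || /no such user/) {
         if (match($0, /\([0-9.]+\[/)) {
           ip = substr($0, RSTART + 1, RLENGTH - 2)
           count[ip]++
         }
       }
       END { for (ip in count) print ip, count[ip] }' "$1" | sort
}

# Prints the addresses whose failure count in log file $1 reaches $2, the
# sources worth blocking on the router or, as the reply above suggests,
# the signal that the forwarded port should move off 21.
flag_sources() {
  failed_login_counts "$1" | awk -v t="$2" '$2 + 0 >= t + 0 { print $1 }'
}
```

On a live system run `flag_sources /var/log/syslog 5` (path and threshold are the operator's choice) to list the addresses that have crossed the line.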

@SlrG

That is what I figured. Before I opened the port I ensured the username/password is not some generic thing. I setup the FTP server w/ port forwarding since sometimes I transfer stuff to home from work or one of my volunteer gigs and can't use my VPN to get access. Thanks for the port tip. I did not think of that, thanks again! Any explanation why you choose something over 49151? 

 

Disregard, a quick google says that 0-49151 are system, user, or registered ports while beyond 49151 are dynamic or private ports.


I'm using the latest version of Proftpd for access to my server from my backup software (Goodsync, latest version). All is working as it should, except I see a couple errors in my syslog every time I open an FTP connection. But the connection works just fine.

 

Jul 29 08:13:18 HunterNAS proftpd[29300]: 127.0.0.1 (192.168.29.11[192.168.29.11]) - error: /boot/config/plugins/ProFTPd is a world-writable directory
Jul 29 08:13:18 HunterNAS proftpd[29300]: 127.0.0.1 (192.168.29.11[192.168.29.11]) - unable to open TransferLog '/boot/config/plugins/ProFTPd/xferlog': No such file or directory

Not sure what the first error indicates, it shows as a 'red' error in the syslog.

I've looked into the second error on my flash drive, the directory did not exist, given the boot directory is created every startup, do I need to insert a go file statement to create the directory?

 

Log attached just FYI...

 

Thanks in advance!

hunternas-diagnostics-20170729-0831.zip

3 minutes ago, jeffreywhunter said:

Jul 29 08:13:18 HunterNAS proftpd[29300]: 127.0.0.1 (192.168.29.11[192.168.29.11]) - error: /boot/config/plugins/ProFTPd is a world-writable directory

File is stored on the flash drive (FAT32), so everything is world-writable.

4 minutes ago, jeffreywhunter said:

Jul 29 08:13:18 HunterNAS proftpd[29300]: 127.0.0.1 (192.168.29.11[192.168.29.11]) - unable to open TransferLog '/boot/config/plugins/ProFTPd/xferlog': No such file or directory

 

Looks like there's no log of the old transfers being saved.
