ProFTPD Plugin for unRAID v6.8.x


SlrG


@Gee1

<Directory /mnt/cache/FTP/test>
    <Limit WRITE>
      DenyAll
    </Limit>
</Directory>
<Directory /mnt/cache/FTP/test/movies>
    <Limit WRITE>
      AllowAll
    </Limit>
</Directory>
<Directory /mnt/cache/FTP/test/sf>
    <Limit WRITE>
      AllowAll
    </Limit>
</Directory>

Should give your users readonly access to the test directory and full access to movies and sf. Sadly I found no way to allow access to all subfolders. In theory there is the /* wildcard described in the link I gave you, but it does work too well and allows access in the root folder, too.

 

@Squazz

Using the first directory section only will give your users readonly access and prevent them from writing.

 

EDIT: Forgot to say, this needs to be put into your /etc/proftpd.conf.

Edited by SlrG
added comment
Link to comment
  • 2 weeks later...

Hello,

 

I am currently having issues getting sftp set up.  I got it working before, but now Proftpd won't load, so I revisited your steps.  I created an ssh key and followed that guide, and that did not work. I remembered something about having to do it on another Linux machine, so I created a new key and followed the steps again.   Unraid Version 6.8.0 and Ubuntu 19.10 for ssh-key gen and Plugin Version: 2020.03.10.1.

 

I am currently getting the following errors - 

 

proftpd -t -c /etc/proftpd.conf
Checking syntax of configuration file
2020-05-22 14:59:08,550 Tower proftpd[5571]: mod_ctrls/0.9.5: error: unable to bind to local socket: Address already in use
2020-05-22 14:59:11,638 Tower proftpd[5571] 127.0.0.1: mod_lang/1.1: unable to scan the localised files in '/usr/local/share/locale': No such file or directory

Wrong passphrase for this key.  Please try again.

Wrong passphrase for this key.  Please try again.

Wrong passphrase for this key.  Please try again.
2020-05-22 14:59:11,645 Tower proftpd[5571] 127.0.0.1: mod_sftp/1.0.0: error reading passphrase for SFTPHostKey '/etc/ssh/sftp_rsa_key': (unknown)
2020-05-22 14:59:11,645 Tower proftpd[5571] 127.0.0.1: mod_sftp/1.0.0: unable to use key in SFTPHostKey '/etc/ssh/sftp_rsa_key', exiting

 

Just in case, here's my proftpd.conf

 

# Server Settings
ServerName              ProFTPd
ServerType              standalone
DefaultServer           on
PidFile                 /var/run/ProFTPd/ProFTPd.pid

# Port 21 is the standard FTP port. You probably should not connect to the
# internet with this port. Make your router forward another port to
# this one instead.
Port                    21

# Set the user and group under which the server will run.
User                    nobody
Group                   users

# Prevent DoS attacks
MaxInstances            30

# Speedup Login
UseReverseDNS           off
IdentLookups            off

# Control Logging - comment and uncomment as needed
# If logging Directory is world writeable the server won't start!
# If no SystemLog is defined proftpd will log to servers syslog.
#SystemLog               NONE
#SystemLog               /boot/config/plugins/ProFTPd/slog
TransferLog             NONE
#TransferLog             /boot/config/plugins/ProFTPd/xferlog
WtmpLog                 NONE

# As a security precaution prevent root and other users in
# /etc/ftpuser from accessing the FTP server.
UseFtpUsers             on
RootLogin               off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# "Jail" FTP-Users into their home directory. (chroot)
# The root directory has to be set in the description field
# when defining a user:
# ftpuser /mnt/cache/FTP
# See README for more information.
DefaultRoot ~

# Shell has to be set when defining a user. As a security precaution
# it is set to "/bin/false" as FTP-Users should not have shell access.
# This setting makes proftpd accept invalid shells.
RequireValidShell       no

# Normally, we want files to be overwriteable.
AllowOverwrite          on

<IfModule mod_sftp.c>

        SFTPEngine on
        Port 2222
        SFTPLog /var/log/sftp.log

        SFTPHostKey /etc/ssh/sftp_rsa_key
        SFTPAuthorizedUserKeys file:/etc/ssh/sftp_user_keys

        SFTPAuthMethods publickey

        SFTPKeyBlacklist none
        SFTPDHParamFile /usr/local/SlrG-Common/usr/local/etc/dhparams.pem

</IfModule>

Edited by jareth
Link to comment
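
The log above turns on two properties of the file named in SFTPHostKey: whether it is passphrase-protected and which container format it uses. The following added example (not part of the original posts or of the plugin) reports both from the key file's text; the function names are hypothetical and the sample keys are constructed stubs, not usable keys.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\0"

def classify_private_key(text):
    """Return (container, encrypted) for the text of a PEM-armoured private key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured key")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    body = lines[1:-1]
    if label == "OPENSSH PRIVATE KEY":
        # New OpenSSH container: magic, then a length-prefixed cipher name.
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad OpenSSH key magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n].decode("ascii")
        return ("openssh-v1", cipher != "none")
    if label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        return ("pkcs8", label.startswith("ENCRYPTED"))
    if label.endswith(" PRIVATE KEY"):
        # Traditional RSA/DSA/EC PEM marks encryption in a Proc-Type header.
        enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body)
        return ("legacy-pem", enc)
    raise ValueError("unrecognised PEM label: " + label)

def sample_openssh(cipher):
    """Constructed sample: container header only, not a usable key."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode("ascii")
    b64 = base64.b64encode(blob).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed sample of a passphrase-protected traditional PEM key (body is filler).
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED

AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for s in (sample_openssh("none"), sample_openssh("aes256-ctr"), SAMPLE_LEGACY_ENCRYPTED):
        print(classify_private_key(s))
```

To inspect a real host key, pass the contents of the file to `classify_private_key` on the server itself; the function only reads the header and never needs the passphrase.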

@jareth

I have no answer yet. I don't use sftp or ssl myself and need to set it up again to test. Sadly my personal life is very busy at the moment.

 

@jeffreywhunter

If I would try at the moment, I would probably go with wireguard. I was using OpenVPN for a while. Other than that, I don't really know other solutions.

 

@kricker

This should be possible. Either define your user with ftpuser in description only, so it won't get jailed and has access to all unRAID, or use the mountscript to mount your outside disk into a folder your user can access.

Link to comment
On 5/25/2020 at 4:03 PM, SlrG said:

 

@kricker

This should be possible. Either define your user with ftpuser in description only, so it won't get jailed and has access to all unRAID, or use the mountscript to mount your outside disk into a folder your user can access.

I tried setting the user's directory to that disk mount point such as ftpuser /mnt/disks/test, but that didn't seem to work. The user's account still went to /mnt/usr and saw all the shares as normal. I'll try those two options you mentioned. Thanks!

I think I must have something in my config file keeping everyone jailed to /mnt/usr, because setting anyone to just ftpuser has the same result. I'll do some digging.

Edited by kricker
Link to comment

@kricker

It won't really help you, if I say it works for me, but maybe I can describe my setup a bit.

 

I have an SSD drive outside my array which is mounted to /mnt/appdrive in my go file. So I'm not using unassigned devices, though I have that installed, too. I have had it this way for a long time, as it was the only way, as the plugin did not exist then - but I don't think it matters in what way the disk is mounted - though the time of the mount could matter. I did not investigate whether the go file or the plugin will mount earlier.

 

When I put ftpuser /mnt/appdrive as comment and restart the plugin it works fine and jails that user into the appdrive folder.

 

What I did notice however is, that it takes quite a bit of time for the jail to take effect. So maybe give it a minute after putting the comment and restarting the plugin and give it another minute, before trying to login.

Link to comment
  • 2 weeks later...

I use the Dark skin on Unraid. But when I load up proftpd it has a white background and I can't read anything on it.

Locally I got it working; I can connect to the FTP and all.

But externally I can't connect to it.

The way my setup is, it worked and works currently for other things.

I use pfSense and made an alias and have a few IPs in there, and only those IPs can connect to the FTP.

I want to move from my Qnap FTP to my Unraid proftpd FTP. Everything works except external connections.

Edited by KoNeko
new problem
Link to comment

@KoNeko

Yes, only the white theme is supported currently. As the plugin's settings are very much set up and forget and you have it running locally already, there is nothing in the plugin's settings you could change to make external connections work. The restart button is probably the most needed function after initial setup and that should be readable and usable in the black theme, too.  Supporting the themes is still on my TODO list, but sadly I have no time to work on it for the foreseeable future. Sorry for the inconvenience. :(

 

Regarding the external connection, do you have the default proftpd.conf file or have you made changes to use encrypted ftp? If you did not, it is probably solely a firewall problem as it is working locally already. Is the pfSense firewall the only one filtering external access to your home network? Nothing on your cable router (or whatever you are using to connect)? If port 21 is available properly, it might be, that you need to define a passive port range in your proftpd.conf and allow that too, in the firewall. I have no pfSense, so I can't tell you how to do it.

p.s. Don't forget to restart the proftpd service, after changing the proftpd.conf, or the change will have no immediate effect.

Edited by SlrG
added p.s.
Link to comment
1 hour ago, SlrG said:

@KoNeko

Yes, only the white theme is supported currently. As the plugin's settings are very much set up and forget and you have it running locally already, there is nothing in the plugin's settings you could change to make external connections work. The restart button is probably the most needed function after initial setup and that should be readable and usable in the black theme, too.  Supporting the themes is still on my TODO list, but sadly I have no time to work on it for the foreseeable future. Sorry for the inconvenience. :(

 

Regarding the external connection, do you have the default proftpd.conf file or have you made changes to use encrypted ftp? If you did not, it is probably solely a firewall problem as it is working locally already. Is the pfSense firewall the only one filtering external access to your home network? Nothing on your cable router (or whatever you are using to connect)? If port 21 is available properly, it might be, that you need to define a passive port range in your proftpd.conf and allow that too, in the firewall. I have no pfSense, so I can't tell you how to do it.

p.s. Don't forget to restart the proftpd service, after changing the proftpd.conf, or the change will have no immediate effect.

It isn't a big problem; like you said, it's only if you want to start/restart the server. And it isn't a very high prio to fix that either :)

Yes, I figured out that I had to add the passive port in the config. I ran multiple proftp servers but never had to do this, so I was a bit confused. :)

I wanted to edit my post to say that I had it fixed, but it was already too late here and I went to sleep.

Link to comment
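
The passive-port issue in the exchange above can be confirmed from the client side: the server's 227 reply names the address and port the client must reach for the data connection. This added example (not from the original posts) parses that reply and flags the two usual NAT/firewall mismatches; the addresses and the 50000-50100 forwarded range are constructed values, and the function names are hypothetical.

```python
import ipaddress
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Extract (address, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]

def check_pasv(reply, control_ip, forwarded_range):
    """Return a list of reasons the data connection would fail from outside."""
    host, port = parse_pasv(reply)
    control = ipaddress.IPv4Address(control_ip)
    problems = []
    if host != control:
        kind = "private" if host.is_private else "different"
        problems.append(f"server advertises {kind} address {host}, "
                        f"but the client connected to {control}")
    lo, hi = forwarded_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the forwarded range {lo}-{hi}")
    return problems

# Constructed replies: behind NAT, correctly configured, and port outside the range.
REPLY_NAT = "227 Entering Passive Mode (192,168,1,10,195,80)."
REPLY_OK = "227 Entering Passive Mode (203,0,113,7,195,80)."
REPLY_PORT = "227 Entering Passive Mode (203,0,113,7,4,0)."

if __name__ == "__main__":
    for reply in (REPLY_NAT, REPLY_OK, REPLY_PORT):
        print(reply, "->", check_pasv(reply, "203.0.113.7", (50000, 50100)) or "ok")
```

In ProFTPD the advertised address and the data-port range are controlled by the MasqueradeAddress and PassivePorts directives; the firewall has to forward the same range.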

Having issues connecting to FTP via filezilla or other apps (like iOS FTP photo transfer).

 

I'm using NoIP on my raid box and have a DDNS setup. I've confirmed that my ddns address is resolving into my router.

 

Also confirmed that port 21 is open on my WAN using a port check tool. Someone mentioned in a previous post about not opening port 21, but rather opening a different port, then redirecting that to port 21 on my raid. If I open port xxxx on my router, how do I then specify that I want those requests going to port 21 on my unraid box?

 

Validated via command line on my local machine that the FTP daemon is running by doing ftp 192.xxx.xx.xxx to check that FTP is running on my raid box. I can login with the specified ftpuser name and password and received a code 230 from command line that I was able to get in.

 

My syslog / diagnostics is attached.

 

Thanks in advance for any help! Reason I use FTP is via an iOS app (mebiaFTP) to transfer all media files from our phones into the unraid media library.

 

 

unraid-diagnostics-20200614-1453.zip

Link to comment
10 hours ago, pixelgraft said:

If I open port xxxx on my router, how do I then specify that I want those requests going to port 21 on my unraid box?

Different for every router, but when you open up port xxxx you hopefully should have some kind of  "from port" and "to port" option.  xxxx would be in "from" and 21 would be in "to".  Then, all traffic coming in on port xxxx would go to your unraid IP on port 21.   Hard to say without seeing the router what the actual settings are (or if it's configured elsewhere in a port forwarding section, or if it supports it in the first place - should do).

Link to comment

Completely understand - thank you for the detailed reply. I used to have this feature, but now my ISP Comcast locked that down in the router and forces me to use their silly web interface in the customer portal. I can only set up the "to" port. No longer a from and to. I'll reach out to them.

Link to comment

@Karatekid

Sadly no. :( You could try to enable debug logging in your /etc/proftpd.conf file, by adding:

DebugLevel 10

Afterwards restart the ProFTPd server in the plugin's settings and, after trying duplicati again, check your syslog to see if it contains some more useful info on why it breaks.

Link to comment
  • 1 month later...

I've installed this plugin in the past on another server, but on the server I'm currently setting up I'm getting the following error.

plugin: installing: https://github.com/SlrG/unRAID/raw/master/Plugins/ProFTPd.plg
plugin: downloading https://github.com/SlrG/unRAID/raw/master/Plugins/ProFTPd.plg
plugin: downloading: https://github.com/SlrG/unRAID/raw/master/Plugins/ProFTPd.plg ... done
Cleaning up previous install files...
Executing selfremoval commands if present...
...Cleanup complete!
Downloading any missing plugin files...
Latest plugin control files downloading
...Unable to download missing plugin control files. Aborting install
plugin: run failed: /bin/bash retval: 1

I found a previous reply in this thread that seemed like it would be the fix, but the provided links don't seem to work anymore.

Quote

It seems the download of the plugin control files fails from github. Please download them manually from here into /boot/config/plugins/ProFTPd. Manually create the directory if it does not exist. If the dependency download fails too, download the file manually from here. Afterwards the plugin should install I think. If not, please report again.

 

Any insights that could help get me back on the right path?

 

Link to comment

Well if the download fails, it is often because of dns or firewall issues. Can you download things from github to the server manually from the command line with wget? Are there any error messages if you try? The current download paths are:

https://github.com/SlrG/unRAID/raw/master/Plugins/ProFTPd.plg

https://github.com/SlrG/unRAID/raw/master/AppSupport/ProFTPd/ProFTPd-SlrG-Control-1.7.tar.gz

https://github.com/SlrG/unRAID/raw/master/AppSupport/ProFTPd/ProFTPd-SlrG-Dependency-1.7_x64.tar.gz

If you download the last two into /boot/config/plugins/ProFTPd, it should start working, too.

Link to comment
