ProFTPD Plugin for unRAID v6.8.x


SlrG


Ok I deleted ProFTP and restarted the server. I can regular FTP into the server now with all of my users after I add them to the list. But SSH isn't working for any of my users.

I made some users for testing before I deleted the plugin and made another one after.

 

'offroadguy56' has ftpuser description and was made before restart.

'smurf' has no description and was made before restart.

'test' has no description and was made after restart.

 

This is probably beyond the scope of the plugin thread but this is the log I see when attempting SSH connection with any user:

Jul 23 23:47:23 UR-SERVER sshd[11681]: Connection from 192.168.1.150 port 52457 on 192.168.1.151 port 22 rdomain ""
Jul 23 23:47:25 UR-SERVER sshd[11681]: User test from 192.168.1.150 not allowed because not listed in AllowUsers
Jul 23 23:47:25 UR-SERVER sshd[11681]: Postponed keyboard-interactive for invalid user test from 192.168.1.150 port 52457 ssh2 [preauth]
Jul 23 23:47:26 UR-SERVER sshd[11687]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.150  user=test
Jul 23 23:47:28 UR-SERVER sshd[11681]: error: PAM: Authentication failure for illegal user test from 192.168.1.150
Jul 23 23:47:28 UR-SERVER sshd[11681]: Failed keyboard-interactive/pam for invalid user test from 192.168.1.150 port 52457 ssh2
Jul 23 23:47:28 UR-SERVER sshd[11681]: Postponed keyboard-interactive for invalid user test from 192.168.1.150 port 52457 ssh2 [preauth]
Jul 23 23:47:32 UR-SERVER sshd[11681]: Connection closed by invalid user test 192.168.1.150 port 52457 [preauth]
Jul 23 23:49:00 UR-SERVER sshd[12036]: Connection from 192.168.1.150 port 52535 on 192.168.1.151 port 22 rdomain ""
Jul 23 23:49:01 UR-SERVER sshd[12036]: User test from 192.168.1.150 not allowed because not listed in AllowUsers
Jul 23 23:49:01 UR-SERVER sshd[12036]: Postponed keyboard-interactive for invalid user test from 192.168.1.150 port 52535 ssh2 [preauth]
Jul 23 23:49:02 UR-SERVER sshd[12040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.150  user=test
Jul 23 23:49:04 UR-SERVER sshd[12036]: error: PAM: Authentication failure for illegal user test from 192.168.1.150
Jul 23 23:49:04 UR-SERVER sshd[12036]: Failed keyboard-interactive/pam for invalid user test from 192.168.1.150 port 52535 ssh2
Jul 23 23:49:04 UR-SERVER sshd[12036]: Postponed keyboard-interactive for invalid user test from 192.168.1.150 port 52535 ssh2 [preauth]

 

I was actually hoping to make use of SFTP and the folder restrictions ProFTP offers. I don't want family members seeing the entirety of the server folder structure. And I did want to temporarily open FTP access over internet to get friend's backups on my drives. If you have a better solution than encrypting their iso and using SFTP, let me know. The only thing I can think of is running Synology in a VM and leveraging their software.

 

To sum up, SSH is not working (except for root in the webUI), FTP is working with default service, I want SFTP for temporary use across internet, I would like to have folder restrictions for users.

 

Sorry for all the trouble. This stuff is super cool but still new to me and I would like to do it as properly as I can.

 

Thanks.


@offroadguy56

Ah, I see. I had only tested with root, and as that worked I falsely assumed it would work with other users, too. Further testing shows that it would be possible to enable ssh for other users, but it is a complicated multi-step process and it would also be reset each boot, so it would require scripting to restore its state, and so all in all it is probably too much hassle.

 

The Synology in a VM idea sounds very cool. A quick search shows they seem to support FTPS and SFTP and access management for the users. Though such a solution will obviously not be endorsed by Synology without buying their hardware.

 

If you want to continue with the ssh idea, there is the "openssh-server" docker in Unraid's community applications. If I understand it correctly, this will enable ssh for one user per container and this user will only be able to access what you mount into the container. So you should be able to configure a secure backup access for your friends.

 

Looking at ftp again, that you can use it now is thanks to Unraid's internal ftp server, as you already noted. The drawback is that it is unencrypted ftp and always gives access to the complete server.

 

I wrote the proftpd plugin and use it myself for my home network only. Basically it provides unencrypted FTP (like the stock ftp service) but with the added benefit of being able to jail the users into home directories they can't leave, so they only have access to what I want them to. While it is possible to open this up to the internet, it is in no way recommended because of the default unencrypted connections.

 

Proftpd can be configured to use FTPS or SFTP, but it is sadly complicated and while there are some tips in this thread how to do it, there are cases where it doesn't work and I sadly don't have the time to fully support other users in how to set it up.


I think I had a similar issue in the past. If I recall properly... I manually removed the plugin and its configuration file from my flash drive. I made sure to get everything related to the plugin and old copies in the plugins-old-versions folder and the plugins-removed folder. Then I rebooted unRaid and reinstalled the plugin from community applications.


@Flemming

The "Plugin file missing" under Information indicates a failed uninstallation. On why this happened, I have no idea. To get back to a clean state I would recommend the manual removal and reinstallation described by @kricker.

 

If you have the time to experiment, what happens if you click "update plugin"?


It was under failed plugins.

I got it working by deleting, rebooting and reinstalling :)

Now I can access my FTP with WinSCP, but not with my Reolink IP cameras 🙄 Even with the same settings

 

Looks like this is a common problem with Reolink/ProFTPd 

On 9/3/2021 at 3:12 PM, SlrG said:

@Flemming

Are there any error messages in the syslog when trying to connect?

After many hours of troubleshooting I found out that the problem is in my firewall, between the two VLANs/networks.

I have now allowed traffic between them and it works.

 

In the future I want to limit my ports. Do you have any information about which ports are in use in Active and/or Passive mode?


Hello to all. I installed ftp and created an account. I tried to access via ftp and it works, but the user has full access to all folders. Could someone explain to me step by step what I need to do to set user "x" to read only this path "/mnt/user/Download" and deny access to everything else? Thanks, and sorry if I asked a question already asked.


@Berto90vi

In Unraid's user creation screen, open your user "x" and put "ftpuser /mnt/user/Download" (without the double quotes) into the Description field. Then apply and restart the proftpd plugin. This will jail the user x into the given directory. It will still have read and write access, however. If you want to restrict that, you will need to configure limits in your proftpd.conf.

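The read-only restriction mentioned in the reply above, as an added example that is not part of the original post or of the plugin's shipped configuration: a proftpd.conf fragment that denies write commands to user x inside /mnt/user/Download. It assumes the user is already jailed there through the Description field as described.

```apache
# Added example for proftpd.conf (not the plugin's own configuration).
# Assumption: user "x" is already jailed into /mnt/user/Download via the
# "ftpuser /mnt/user/Download" Description field.

<Directory /mnt/user/Download>
  # WRITE is ProFTPD's command group for uploads and modifications:
  # APPE, DELE, MKD, RMD, RNTO, STOR, STOU, XMKD, XRMD.
  # Denying it for "x" leaves directory listing and downloads working.
  <Limit WRITE>
    DenyUser x
  </Limit>

  # SITE CHMOD is not part of the WRITE group, so it is denied separately.
  <Limit SITE_CHMOD>
    DenyUser x
  </Limit>
</Directory>
```

After editing proftpd.conf, restart the plugin and confirm with the account itself that a download succeeds while an upload, delete and rename are each refused.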

@master00

Not within the scope of this plugin. If you set up a VM and install gadmin-proftpd as GUI, this will come with gprostats as statistics generator. Also there might be other ftp servers more capable but not necessarily free.

 

@kricker

The easiest way would be to restore a backup, if you have one.

 

Otherwise as there is no recycle bin you can only search and try some linux ways to restore your data.

 

First make sure nothing is written to your array anymore or you will risk the deleted data being overwritten!

 

I had successes using testdisk and photorec on standalone machines, but never had to try on an unraid machine yet. (see this article for other tools: https://www.journaldev.com/36900/top-best-linux-data-recovery-tools)

 

Make sure however, you mount another disk outside of your array as target for all write operations or again you will risk the deleted data being overwritten. Also you will probably need to know on which exact disk the data you want to recover was and then let the tools work on that disk.

 

I hope these ideas are useful, but I fear the chance to recover the data is very slim. 😟

 

 

 

 
