ProFTPD Plugin for unRAID v6.8.x


SlrG


I have installed the plugin without any problems.
When I establish an unencrypted connection, everything works without problems.

However, when I want to establish a TLS connection, I get an error message.

 

---------------------------
Fehler
---------------------------
Verbindung verloren.
---------------------------
Server sent passive reply with unroutable address 192.168.2.19, using host address instead.
Zeit abgelaufen (Datenverbindung)
Verzeichnisinhalt konnte nicht abgerufen werden
Fehler beim Anzeigen des Verzeichnisses „/Download“.

 

Here is the translation into English

---------------------------
Error
---------------------------
Connection lost.
---------------------------
Server sent passive reply with unroutable address 192.168.2.19, using host address instead.
Time expired (data connection)
Directory content could not be retrieved
Error displaying the directory "/Download".

 

All keys were created correctly and are also in the corresponding directories.
Here is my proftpd.config

 

# Server Settings
ServerName              ProFTPd
ServerType              standalone
DefaultServer           on
PidFile                 /var/run/ProFTPd/ProFTPd.pid

# Port 21 is the standard FTP port. You probably should not connect to the
# internet with this port. Make your router forward another port to
# this one instead.
Port                    21

# Set the user and group under which the server will run.
User                    nobody
Group                   users

# Prevent DoS attacks
MaxInstances            30

# Speedup Login
UseReverseDNS           off

# Control Logging - comment and uncomment as needed
# If logging Directory is world writeable the server won't start!
# If no SystemLog is defined proftpd will log to servers syslog.
#SystemLog               NONE
#SystemLog               /boot/config/plugins/ProFTPd/slog
TransferLog             NONE
#TransferLog             /boot/config/plugins/ProFTPd/xferlog
WtmpLog                 NONE

# As a security precaution prevent root and other users in
# /etc/ftpuser from accessing the FTP server.
UseFtpUsers             on
RootLogin               off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 000

# "Jail" FTP-Users into their home directory. (chroot)
# The root directory has to be set in the description field
# when defining an user:
# ftpuser /mnt/cache/FTP
# See README for more information.
DefaultRoot ~

# Shell has to be set when defining an user. As a security precaution
# it is set to "/bin/false" as FTP-Users should not have shell access.
# This setting makes proftpd accept invalid shells.
RequireValidShell       no

# Normally, we want files to be overwriteable.
AllowOverwrite          on

<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd.tls.log
    TLSProtocol SSLv23 TLSv1
    TLSOptions NoCertRequest NoSessionReuseRequired 
    TLSRSACertificateFile /boot/config/plugins/proftpd/ssl/ftp.cert.pem
    TLSRSACertificateKeyFile /boot/config/plugins/proftpd/ssl/ftp.key.pem
    TLSVerifyClient off
    TLSRequired on
</IfModule>


# Allow to restart a download 
AllowStoreRestart              on

 

Where could the fault lie?
I am already despairing.

 

Link to comment

@eFrame

You seem to be establishing a connection in passive mode. Please make sure you define a passive port range and make sure the firewall on your router opens the passive ftp port range to your server, too. Also you probably need to set a masquerade address (your dyndns hostname or static external ip).

 

Also my usual "disclaimer". I don't recommend for the unraid server to be directly accessible from the internet. IMHO it is better to create a VPN connection to your home network and then use that to connect to your server. Then the VPN handles the encryption and FTP can be used unencrypted. This works only for your own and family devices, however, and not if you need other "clients" to connect, too.

Link to comment
  • 2 weeks later...

@Mr_Jay84

You don't. The functionality has sadly been broken for a long time. But you don't really need it anyway.

 

Just use the shell editor of your choice (nano, vi or mc's editor) to edit the proftpd.conf directly.

nano /etc/proftpd.conf

 

Check the changes by running:

/usr/local/SlrG-Common/usr/local/sbin/proftpd -t -c /etc/proftpd.conf

 

Which will look like this, if no errors are found (the mod_lang message can be ignored).

Checking syntax of configuration file
2022-02-09 17:42:39,824 lafiel proftpd[18318] 127.0.0.1: mod_lang/1.1: unable to scan the localised files in '/usr/local/share/locale': No such file or directory

 

Restart the ProFTPd server afterwards in the plugins settings or from the shell for the changes to take effect.

/etc/rc.d/rc.ProFTPd restart

 

  • Thanks 1
Link to comment
  • 2 weeks later...

Hello,

 

Hope someone can help me. I installed the package and created the user, and I can access it locally, but I want to allow access to a friend's folder without using VPN, so in the conf file I added the lines below and also forwarded port 21 and port range 60000-65535.

 

I have also verified using a port checker that those ports are open.

 

It works locally, I can log in, just my friend can't externally.

 

MasqueradeAddress       216.***.**.***
PassivePorts 60000 65535

 

Status:	Connecting to **********:21...
Status:	Connection established, waiting for welcome message...
Status:	Insecure server, it does not support FTP over TLS.
Status:	Logged in
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is the current directory
Command:	TYPE I
Response:	200 Type set to I
Command:	PASV
Response:	227 Entering Passive Mode (***,***,*,***,253,190).
Command:	MLSD
Error:	The data connection could not be established: ECONNREFUSED - Connection refused by server
Status:	Disconnected from server

 

 

Link to comment
  • 1 month later...
  • 5 months later...

Unsure what happened, but after updating from 6.7 to 6.10 my proftpd stopped giving me permissions in completely random shares (3 out of 5). After some messing around I noticed that the shares I was given permissions to were ones listed as 'public', and the other ones had their permissions removed. To fix this I went to Tools > New Permissions, set disks to all, and User Shares to the affected shares and hit start (even though they say this is for upgrading from pre-5.0).

 

I don't think this is specifically a proftpd thing but since it's the first time I noticed it when using proftpd and I spent so long looking at my proftpd settings trying to fix it some other people might as well so figured I would post it here in case some other people are searching around for it. (I saw absolutely no help googling on any forum about this issue, maybe I got unlucky and it was just me)

Link to comment
  • 3 weeks later...

i can't thank you enough for this plugin. this is the only FTP plugin or docker app that i could find that actually works. other apps worked inconsistently, allowed FTP users root access even though they were configured to only use a specific folder, stored files in the "appdata" folder instead of a share, etc. they are all terrible. except this one. this is a godsend. thank you

 

i'm using this to record surveillance camera footage about a dozen cameras in 4 different locations. using unraid 6.11.0. webserver doesn't work but i don't care. was never going to use it anyway.

Edited by solomonshv
  • Like 1
Link to comment
  • 1 month later...

 So connecting to ProFTP with passive mode is flummoxing me yet again and I just can't understand why. I just made a few small edits to my conf file for folder access and things got messed up, so I started from scratch.

 

I have this in my .conf file:

# Server Settings
ServerName              ProFTPd
ServerType              standalone
DefaultServer           on
PidFile                 /var/run/ProFTPd/ProFTPd.pid


# using a DNS name
MasqueradeAddress xxxxxx.duckdns.org

# NAT ports should be safe...
PassivePorts 60000 65535

 

When connecting from an FTP application like FileZilla I get this error and it fails to list the directories even though the user was able to log in:

Quote

Command:    MLSD
Error:    The data connection could not be established: ECONNREFUSED - Connection refused by server

 

I have ports 60000-60005 open on my router. I had to open them each separately as Google's Home app on Android is broken and does not allow entering a range.

 

I had this same issue in the past and never could figure out how/why it just started working when the configuration is exactly the same.

 

Oddly enough I can use the site net2ftp.com and can connect to ProFTP without issues.

 

EDIT:

Okay. I figured out the issue but I do not know the networking voodoo behind it.

Since I can only enter one port at a time in my broken Google Home App I only entered from 60000-60005. Once I changed the range in the conf to just be those ports it worked perfectly.

Edited by kricker
Link to comment

@kricker

I'm glad you got it working. 😀 The number of ports in the range should match the range of ports opened in your router.

 

Of course it would be possible to open more ports than proftpd needs, but that wouldn't really make sense. And going the other way round and declaring ports as open, that really are not, is not advised either. It increases the chance the connection fails, as AFAIK the passive ports are opened randomly and not in order starting with the lowest one.

  • Like 1
Link to comment
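
The two passive-mode failures in this thread (a LAN address in the 227 reply, and a PassivePorts range wider than what the router forwards) can be checked mechanically. The Python sketch below is an added example, not part of the thread or the plugin; the function names and sample replies are constructed, with the masked public address replaced by a documentation address.

```python
import ipaddress
import re

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed samples modelled on the thread (203.0.113.10 is a documentation address).
REPLY_LAN = "227 Entering Passive Mode (192,168,2,19,253,190)."
REPLY_WIDE = "227 Entering Passive Mode (203,0,113,10,253,190)."
CONF_WIDE = "MasqueradeAddress 203.0.113.10\nPassivePorts 60000 65535\n"
CONF_FIXED = "MasqueradeAddress 203.0.113.10\nPassivePorts 60000 60005\n"

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def parse_passive_ports(conf_text):
    """Return (low, high) from the PassivePorts directive, or None if unset."""
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0].lower() == "passiveports":
            return int(fields[1]), int(fields[2])
    return None

def diagnose(reply, conf_text, forwarded):
    """List reasons an external client's data connection would fail."""
    forwarded = set(forwarded)
    problems = []
    ip, port = parse_pasv(reply)
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append("reply advertises LAN address %s; set MasqueradeAddress" % ip)
    rng = parse_passive_ports(conf_text)
    if rng is None:
        problems.append("no PassivePorts set; the data port cannot be forwarded reliably")
    else:
        closed = set(range(rng[0], rng[1] + 1)) - forwarded
        if closed:
            total = rng[1] - rng[0] + 1
            problems.append("%d of %d PassivePorts are not forwarded" % (len(closed), total))
    if port not in forwarded:
        problems.append("data port %d from this reply is not forwarded" % port)
    return problems
```

Calling `diagnose(REPLY_WIDE, CONF_WIDE, range(60000, 60006))` reproduces kricker's case: the reply's port 64958 lies inside the configured range but outside the six forwarded ports.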

I managed to run the SFTP module.

However when I set it to listen on port 21 (FTP) and 2222 (SFTP) at the same time I get this error message:

Server refused public-key signature despite accepting key! 

 

Quote

<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
        SFTPEngine on
        Port 2222
        SFTPLog /var/log/sftp.log

        SFTPHostKey /etc/ssh/sftp_rsa_key
        SFTPAuthorizedUserKeys file:/etc/ssh/sftp_user_keys

        SFTPAuthMethods publickey

        SFTPKeyBlacklist none
        SFTPDHParamFile /usr/local/SlrG-Common/usr/local/etc/dhparams.pem
</VirtualHost>
</IfModule>

 

2022-11-25 02:06:07,858 mod_sftp/1.0.1[3957]: handling connection from SSH2 client 'FileZilla_3.60.1'
2022-11-25 02:06:07,861 mod_sftp/1.0.1[3957]:  + Session key exchange: ecdh-sha2-nistp256
2022-11-25 02:06:07,861 mod_sftp/1.0.1[3957]:  + Session server hostkey: rsa-sha2-512
2022-11-25 02:06:07,861 mod_sftp/1.0.1[3957]:  + Session client-to-server encryption: aes256-ctr
2022-11-25 02:06:07,861 mod_sftp/1.0.1[3957]:  + Session server-to-client encryption: aes256-ctr
2022-11-25 02:06:07,861 mod_sftp/1.0.1[3957]:  + Session client-to-server MAC: hmac-sha2-256
2022-11-25 02:06:07,861 mod_sftp/1.0.1[3957]:  + Session server-to-client MAC: hmac-sha2-256
2022-11-25 02:06:07,861 mod_sftp/1.0.1[3957]:  + Session client-to-server compression: none
2022-11-25 02:06:07,861 mod_sftp/1.0.1[3957]:  + Session server-to-client compression: none
2022-11-25 02:06:07,876 mod_sftp/1.0.1[3957]: sending acceptable userauth methods: publickey
2022-11-25 02:06:07,877 mod_sftp/1.0.1[3957]: public key SHA256 fingerprint: 96:65:54:f3:a7:5c:48:01:45:e9:b9:8f:51:4b:e3:4f:d9:7e:26:48:39:8b:99:62:88:c2:39:4c:a2:38:8b:dd
2022-11-25 02:06:07,877 mod_sftp/1.0.1[3957]: sending publickey OK
2022-11-25 02:06:07,901 mod_sftp/1.0.1[3957]: public key SHA256 fingerprint: 96:65:54:f3:a7:5c:48:01:45:e9:b9:8f:51:4b:e3:4f:d9:7e:26:48:39:8b:99:62:88:c2:39:4c:a2:38:8b:dd
2022-11-25 02:06:07,901 mod_sftp/1.0.1[3957]: authentication for user 'test' failed: Invalid shell

 

Edited by PlanetDyna
Link to comment

@PlanetDyna

That looks as if you didn't add the keyword "ftpuser" in the comment field of your user test, or didn't restart the plugin after creating the user.  The plugin prevents "normal" users without the keyword from logging in via FTP by assigning an invalid shell for security reasons.

Link to comment

@PlanetDyna

Looking at your config and the error message a bit more, I would try to add "RequireValidShell no" to your virtual server config, as the global one probably doesn't carry over. Also, following proftpd's example sftp conf from here, I would try to remove the "SFTPAuthMethods publickey" clause and add "MaxLoginAttempts 6".

Link to comment
