September 7, 20241 yr Im trying to setup the sftp, I get it to work but its so slooow. When using Filezilla as an client, I get pop-up that asks for what I want do with existing file (even if the file was not there in the first place) so to me it seems the sftp connection tries to upload the same file over and over. Anyone else has similar experience? edit: Ok this happens over the default ssh in Unraid too, strange edit2: Figured it out! It was because the tailscale client was on and my unraid box announced itself as an subnet-router over tailscale. I guess that made some kind of loop Edited September 8, 20241 yr by isvein
September 8, 20241 yr Another problem now If I try to use rclone from windows to this sftp container, I get the error: "Failed to calculate dst hash: failed to calculate md5 hash: failed to run "md5sum" I guess this has something to do with the ssh path config in the rclone setup, but not sure what the right path here would be. If I try with the built in ssh, it works with nothing special set in the rclone config.
October 9, 20241 yr RE: qbittorentvpn container If I have vpn set to yes, I cannot access the webgui. How do you get to the webgui when using the vpn? Here is my docker run command. .173 is my pihole, using that or 8.8.8.8 didnt make any difference. docker run -d --name='qbittorrentvpn' --net='br0' --ip='10.10.6.184' --pids-limit 2048 --privileged=true -e TZ="removed" -e HOST_OS="Unraid" -e HOST_HOSTNAME="removed" -e HOST_CONTAINERNAME="qbittorrentvpn" -e 'TCP_PORT_8080'='8080' -e 'TCP_PORT_8999'='8999' -e 'UDP_PORT_8999'='8999' -e 'WEBUI_PORT'='8080' -e 'INCOMING_PORT'='8999' -e 'VPN_ENABLED'='yes' -e 'VPN_USERNAME'='removed' -e 'VPN_PASSWORD'='removed' -e 'LAN_NETWORK'='10.10.6.0/23' -e 'NAME_SERVERS'='10.10.6.173' -e 'PUID'='99' -e 'PGID'='100' -e 'UMASK'='002' -l net.unraid.docker.managed=dockerman -l net.unraid.docker.webui='http://[IP]:[PORT:8080]/' -l net.unraid.docker.icon='https://raw.githubusercontent.com/MarkusMcNugen/docker-templates/master/qbittorrentvpn/qbittorrentvpn-icon.png' -v '/mnt/user/public/incoming/':'/downloads':'rw' -v '/mnt/cache/appdata/qbittorrentvpn':'/config':'rw' 'markusmcnugen/qbittorrentvpn'
October 16, 20241 yr On 10/9/2024 at 3:11 AM, nerbonne said: If I have vpn set to yes, I cannot access the webgui. Typically that means the vpn wasn't successfully negotiated, it's a safety feature to keep you from thinking everything is working when it's not. Take a look at the log files to see where it's getting hung up.
October 18, 20241 yr I appreciate the response, but logs indicate it is connected, and running the command "curl ifconfig.me" shows the public IP of the VPN location that I'm connected to, as expected. So I don't think that's it. 10.10.6.184 = container 10.10.6.173 = pihole 10.10.6.66 = router 10.10.6.0/23 = network Logs: dos2unix: converting file /config/openvpn/redacted.ovpn to Unix format... RTNETLINK answers: File exists groupadd: GID '100' already exists useradd: UID 99 is not unique 2024-10-18 13:18:37.714458 [info] VPN_ENABLED defined as 'yes' 2024-10-18 13:18:37.761486 [info] OpenVPN config file (ovpn extension) is located at /config/openvpn/redacted.ovpn 2024-10-18 13:18:37.815272 [info] VPN remote line defined as 'redacted 1197' 2024-10-18 13:18:37.850074 [info] VPN_REMOTE defined as 'redacted' 2024-10-18 13:18:37.883903 [info] VPN_PORT defined as '1197' 2024-10-18 13:18:37.918845 [info] VPN_PROTOCOL defined as 'udp' 2024-10-18 13:18:37.955398 [info] VPN_DEVICE_TYPE defined as 'tun0' 2024-10-18 13:18:37.990350 [info] LAN_NETWORK defined as '10.10.6.0/23' 2024-10-18 13:18:38.024742 [info] NAME_SERVERS defined as '10.10.6.173' 2024-10-18 13:18:38.058739 [info] VPN_OPTIONS not defined (via -e VPN_OPTIONS) 2024-10-18 13:18:38.093395 [info] Adding 10.10.6.173 to resolv.conf 2024-10-18 13:18:38.120715 [info] Starting OpenVPN... Fri Oct 18 13:18:38 2024 WARNING: file 'credentials.conf' is group or others accessible Fri Oct 18 13:18:38 2024 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021 Fri Oct 18 13:18:38 2024 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10 Fri Oct 18 13:18:38 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]redacted:1197 Fri Oct 18 13:18:38 2024 UDP link local: (not bound) Fri Oct 18 13:18:38 2024 UDP link remote: [AF_INET]redacted:1197 Fri Oct 18 13:18:38 2024 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Fri Oct 18 13:18:38 2024 [redacted] Peer Connection Initiated with [AF_INET]redacted:1197 Fri Oct 18 13:18:40 2024 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options Fri Oct 18 13:18:40 2024 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3 Fri Oct 18 13:18:40 2024 TUN/TAP device tun0 opened Fri Oct 18 13:18:40 2024 /sbin/ip link set dev tun0 up mtu 1500 Fri Oct 18 13:18:40 2024 /sbin/ip addr add dev tun0 10.12.110.34/24 broadcast 10.12.110.255 Fri Oct 18 13:18:40 2024 WARNING: OpenVPN was configured to add an IPv6 route over tun0. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected. Fri Oct 18 13:18:40 2024 Initialization Sequence Completed 2024-10-18 13:18:43.174915 [info] WebUI port defined as 8080 2024-10-18 13:18:43.213750 [info] LAN Network defined as 10.10.6.0/23 2024-10-18 13:18:43.248406 [info] Default gateway defined as 10.10.6.66 2024-10-18 13:18:43.279792 [info] ip route defined as follows... -------------------- 0.0.0.0/1 via 10.12.110.1 dev tun0 default via 10.10.6.66 dev eth0 10.10.6.0/23 dev eth0 proto kernel scope link src 10.10.6.184 10.12.110.0/24 dev tun0 proto kernel scope link src 10.12.110.34 10.253.2.0/24 via 10.10.6.2 dev eth0 128.0.0.0/1 via 10.12.110.1 dev tun0 redacted via 10.10.6.66 dev eth0 -------------------- iptable_mangle 16384 1 ip_tables 28672 3 iptable_filter,iptable_nat,iptable_mangle x_tables 45056 16 ip6table_filter,xt_conntrack,iptable_filter,ip6table_nat,xt_tcpudp,xt_addrtype,xt_CHECKSUM,xt_nat,ip6_tables,ipt_REJECT,ip_tables,iptable_nat,ip6table_mangle,xt_MASQUERADE,iptable_mangle,xt_mark 2024-10-18 13:18:43.324846 [info] iptable_mangle support detected, adding fwmark for tables 2024-10-18 13:18:43.395795 [info] Docker network defined as 10.10.6.0/23 2024-10-18 13:18:43.504570 [info] Incoming connections port defined as 8999 2024-10-18 13:18:43.543040 [info] iptables defined as follows... -------------------- -P INPUT DROP -P FORWARD ACCEPT -P OUTPUT DROP -A INPUT -i tun0 -j ACCEPT -A INPUT -s 10.10.6.0/23 -d 10.10.6.0/23 -j ACCEPT -A INPUT -i eth0 -p udp -m udp --sport 1197 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --sport 8080 -j ACCEPT -A INPUT -s 10.10.6.0/23 -i eth0 -p tcp -m tcp --dport 8999 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT -A INPUT -i lo -j ACCEPT -A OUTPUT -o tun0 -j ACCEPT -A OUTPUT -s 10.10.6.0/23 -d 10.10.6.0/23 -j ACCEPT -A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m tcp --dport 8080 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -j ACCEPT -A OUTPUT -d 10.10.6.0/23 -o eth0 -p tcp -m tcp --sport 8999 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT -A OUTPUT -o lo -j ACCEPT -------------------- Adding 100 group Adding 99 user 2024-10-18 13:18:43.625544 [info] UMASK defined as '002' 2024-10-18 13:18:43.665503 [info] Starting qBittorrent daemon... Logging to /config/qBittorrent/data/logs/qbittorrent-daemon.log. 2024-10-18 13:18:44.707726 [info] qBittorrent PID: 188 2024-10-18 13:18:44.718303 [info] Started qBittorrent daemon successfully... Edited October 18, 20241 yr by nerbonne
October 27, 20241 yr Just use the right container and update it ? binhex/arch-qbittorrentvpn thats the container I use and it's up to date
November 3, 20241 yr Hi friends. I have been using this container for a while. I installed it from the apps store. Inoticed I am now not able to edit its settings via the webui anymore. It shows 3rd party. Not sure what changed and figured I would check to see if there is a workaround to editing the containers settings. I have never used docker compose and am not sure how or why this container shows 3rd party now.
April 8, 20251 yr Quote SFTP Overview: Easy to use SFTP (SSH File Transfer Protocol) server with OpenSSH and Fail2ban installed for extra hardening against brute force attacks. Forked from atmoz/sftp. Reason: I was using atmoz/sftp as an sftp docker container exposed to the internet for some friends to access and realized there was no banning mechanism included. I was getting hammered by brute force attacks so I forked his github repo and modified the image to include fail2ban, made some entrypoint modifications so files can be easily added/edited/viewed from the /config volume. Base: phusion/baseimage:master-amd64 Size: 357MB Application: https://www.openssh.com/ Application Version: Latest when docker was built on 03/22/2021 Docker Hub: https://hub.docker.com/r/markusmcnugen/sftp/ Github: https://github.com/MarkusMcNugen/docker-sftp Note: Please read the Github or Docker Hub descriptions. While this container is easy to use, it does require some small configuration. Note 2: NOT affected by the recent CVE-2021-3449 vulnerability with OpenSSL. This container runs OpenSSL 1.1.1f. Only versions 1.1.1h-1.1.1j were vulnerable per Ars Technica Thought I'd chime in and add some fixes as I still use this sftp docker... It is quite robust... and fixes a sftp case file access issue... Mainly due to age of last build date. a simlar guide was made here for another client: The reason for the post is that there are issues with the jail.conf and additionally hardening may be wanted for users who continue to use the sftp docker image... as I was getting this in the docker logs: 025-04-08 19:58:21,410 fail2ban.configreader [69]: ERROR No section: 'Definition' 2025-04-08 19:58:21,411 fail2ban.configreader [69]: ERROR No section: 'Definition' 2025-04-08 19:58:21,411 fail2ban.configreader [69]: ERROR No section: 'Definition' 2025-04-08 19:58:21,411 fail2ban.configreader [69]: ERROR No section: 'Definition' 2025-04-08 19:58:21,411 fail2ban.configreader [69]: ERROR No section: 'Definition' 2025-04-08 19:58:21,412 fail2ban.configreader [69]: ERROR No section: 'Definition' 2025-04-08 19:58:21,412 fail2ban.configreader [69]: ERROR No section: 'Definition' 2025-04-08 19:58:21,412 fail2ban.configreader [69]: ERROR No section: 'Definition' 2025-04-08 19:58:21,412 fail2ban.configreader [69]: ERROR No section: 'Definition' 2025-04-08 19:58:21,412 fail2ban.configreader [69]: ERROR No section: 'Definition' 2025-04-08 19:58:21,412 fail2ban.configreader [69]: ERROR No section: 'Definition' 2025-04-08 19:58:21,508 fail2ban [69]: ERROR NOK: ("int() argument must be a string, a bytes-like object or a number, not 'NoneType'",) Tue 08 Apr 2025 02:58:21 PM CDT [info] Existing fail2ban.conf found. Copying to container filesystem! Tue 08 Apr 2025 02:58:21 PM CDT [info] Existing jail.conf found. Copying to container filesystem! Tue 08 Apr 2025 02:58:21 PM CDT [info] Existing sshd_config found. Copying to container filesystem For additional Hardening and fixes I decided to edit the openssh sshd server config... my sshd_config file updates are: # Secure SSHD Configuration # Based on best practices and secure defaults # Protocol and Key Settings Protocol 2 HostKey /config/sshd/keys/ssh_host_ed25519_key HostKey /config/sshd/keys/ssh_host_rsa_key KexAlgorithms curve25519-sha256,[email protected] Ciphers [email protected],[email protected] MACs hmac-sha2-512,hmac-sha2-256 # Authentication PermitRootLogin no #PasswordAuthentication no # Disable password authentication (use keys only) #PubkeyAuthentication yes # Enable public key authentication AuthorizedKeysFile %h/.ssh/authorized_keys # Login Grace and Timeouts LoginGraceTime 0 # Allow 30 seconds to authenticate MaxAuthTries 2 # Limit failed login attempts #MaxSessions 2 # Restrict concurrent sessions # Connection Settings UseDNS no AllowTcpForwarding no GatewayPorts no PermitTunnel no # SFTP and Chroot Jail Subsystem sftp internal-sftp ForceCommand internal-sftp ChrootDirectory %h AllowAgentForwarding no # Logging and Monitoring SyslogFacility AUTH LogLevel INFO # Detailed logging for debugging and monitoring # Additional Security #ClientAliveInterval 300 # Disconnect idle clients after 5 minutes #ClientAliveCountMax 2 # Allow two keep-alive messages before disconnection #AllowUsers sftpuser # Restrict access to specific users (modify as needed) DenyUsers root # Explicitly deny root login # Host Key Algorithms (Optional: Ensure older clients can connect) HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256 -This SSH Conifg kills connect to it and making a tunnel to access other things outside for the openssh server running in the docker container... this also enforces the Home directory for users created via the user config: admin:password:1000:100 where a docker variable is added to point to /home/username/something this way when a ftp client like FileZilla connects, the only folder the user has access to is something... So, due to recent error in log... I decide to pull form some documentation to harden and secure fail2ban https://www.the-art-of-web.com/system/fail2ban-filters/ I decided to make and add filters to better use fail 2 ban. example layout: This required a few edits to the config files... sshd_conf fail2ban and jail and the adaptation of a new filter file. Some example config layouts and hardening steps to make the system more secure... Fail2ban updated config: [DEFAULT] # Logging loglevel = INFO # General log level (use DEBUG for troubleshooting) logtarget = /config/fail2ban/fail2ban.log # Log output location # Socket and PID syslogsocket = auto socket = /var/run/fail2ban/fail2ban.sock pidfile = /var/run/fail2ban/fail2ban.pid # Database dbfile = /config/fail2ban/fail2ban.sqlite3 # Persistent database for bans dbpurgeage = 7d # Remove bans older than 1 day dbmaxmatches = 10 # Max matches per ticket in database # Threading (default settings for your environment) # stacksize = 0 #Fix Error definnition filter.d = /config/fail2ban/filter.d * Note the bottom option change. We tell fail2ban to use are custom path found on unraid but in container path /config Jail updated config: [DEFAULT] ignoreip = 127.0.0.1/8 192.168.0.0/16 bantime = 86400 findtime = 600 maxretry = 3 backend = polling usedns = warn logencoding = auto enabled = false filter = %(__name__)s destemail = root@localhost sender = root@localhost mta = sendmail protocol = tcp chain = INPUT port = ssh banaction = iptables-multiport action = %(banaction)s[name=sshd, port=ssh, protocol=tcp] [sshd] enabled = true port = ssh logpath = /var/log/auth.log backend = polling --The default jail.config is ok but has alot of extra stuff in it and other changes i wanted to ban block for longer was added. I only want the sftp server from openssh and have that protected via fail2ban... in the fail2ban folder, as seen in the picture: mkdir -p ./appdata\sftp\fail2ban\filter.d --Using your path for the appdata where sftp stores its container /config... Inside this folder, we make a filler config for sshd. so inside the filter.d a sshd.conf should contain: [Definition] failregex = ^%(__prefix_line)sFailed password for .* from <HOST> port .* ssh2$ ^%(__prefix_line)sROOT LOGIN REFUSED FROM <HOST>$ ignoreregex = Since this is the error in the log... and the other mutple lines are due to other services mentioned in the jail I got rid of them as the docker is only running sshd, fail2ban and syslog-ng This should help others in securing the sftp docker... More focusing on sshd and using sftp only... in teh sshd_config more breakdown examples: bantime = 86400 # <-- ban duration (in seconds) findtime = 600 # <-- time window to detect retries (in seconds) maxretry = 3 # <-- how many failures before banning So I set it to be banned for 1 day 86400 seconds = 24 hours and To find repeat dos attacks 600 seconds (10 minutes) Worth command console in docker and run to unban a IP fail2ban-client set sshd unbanip x.x.x.x If you need to unban a good ip the command above will assist... this docker still runs well after all theses years... the docker uses: root@SFTP:/# openssl version OpenSSL 1.1.1f 31 Mar 2020 root@SFTP:/# root@SFTP:/# fail2ban-client version 0.11.1 Given the age I may make a fork and rebuild the sftp docker
April 10, 20251 yr On 4/8/2025 at 4:23 PM, bmartino1 said: Thought I'd chime in and add some fixes as I still use this sftp docker... ... I decided to fork, maintain and update the sftp docker from this repo the docker is now live in Unraid CA. https://github.com/bmartino1/docker-sftp This is the only one I have fork and will fork to maintain.
July 17, 2025Jul 17 Has anyone else's torrent client stopped working? This has been working fine for ages but it just stopped working yesterday. I can't access the webui although the docker container will start. If I access the logs I see the following error repeating. I'm not sure if the IP address it is failing to connect to is with my VPN. I'm using NordVPN to pass traffic through. Thu Jul 17 18:29:46 2025 TCP: connect to [AF_INET]X.XXX.XXX.XXX:XXX failed: Connection timed outThu Jul 17 18:29:46 2025 SIGUSR1[connection failed(soft),init_instance] received, process restarting
August 7, 2025Aug 7 Hey there folks, I'm having an issue that maybe one of you can resolve, I run this as my main vpn coverage, which means that in order for the arr* suite to see it, I need to put them on the same custom br0 network the qbit is on.This has lead to two issues that I perceive as related:i) my plex app cannot be reached by overseerr/ tautulli as it takes a lot of effort to add it to the br0 network that I don't totally understand because my knowledge of networking is VERY limited, I've built all this from scratch, but my understanding of the core principals is weak. My workaround was to connect to plex remotely (this server on the list of plex servers was the only one that overseer / tautulli connect to of the many listed) which is a different ip than the rest of my unraid server obviously.2) yesterday I set up slskd, lidarr and soularr. Lidarr and soularr are on the br0 network for qbitorrent, slskd is set to bridge mode, because if I put it on the br0 network it will not start, with no option to edit the ips and ports in the unraid docker template at least to my knowledges (it lets me map ports from what I can tell, but not ips). Soulseeker is set up correctly as far as I can see, I can reach the ip its on from my local browser, but i suspect it is unable to be reached by the soulseeker app, which has its own ips. The error it throws is as follows:ConnectionError(e, request=request) requests.exceptions.ConnectionError: HTTPConnectionPool(host='192.168.2.10', port=5030): Max retries exceeded with url: /api/v0/searches (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x1508b4efbf90>: Failed to establish a new connection: [Errno 113] No route to host'))anyone have any suggestions on how to get the br0 network in this repository to see slskd?Thanks in advance for any suggestions!!
October 10, 2025Oct 10 Hey i noticed that when i install the crushFTP container on my unraid server that the container only gets 512 MB of memory and sometimes i get alerts that memory is full. How can i increase this to 4096 MB.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.