Help to set up FTP


QRikard (Cadet, joined Jun 6, 2014, 9 messages)
Hi

I have spent all day trying to set up an FTP server on my FreeNAS without success. I would really appreciate some help; I'm a beginner to FTP and networks, so please start with the simple problems and explain in detail when possible.

In short, my goal is to share many/large files in a simple way with a group of (non-technical) people without exposing the rest of my personal files or creating security holes in my server or local network; the security of the shared FTP folder is not as critical (private but non-sensitive files). So I'm open to suggestions for something other than FTP if it makes my life easier and solves the task.
I also tried to use the router's own FTP solution without any success (only managed to create a local connection).

Some progress: I managed to connect to the FTP locally using anonymous authentication, but never using my own or the new FTPuser account. I'm using FileZilla for the connection but have also tried FireFTP (no difference).
Hostname freenas.local
Build FreeNAS-9.2.1.5-RELEASE-x64 (80c1d35)
I know the version is starting to get old, but it's been stable so far, hence no reason to upgrade.

My computer and server are on the same local network, both with fixed IP addresses set by the router (Asus AC66U with Merlin installed).
I think I have set up port forwarding correctly in the router and set up dynamic DNS (using no-ip.com). More on that later; if I understand it correctly, it's better/easier to get FTP to work properly locally first, so let's start there.

This is the error message I get from FileZilla when connecting to the FreeNAS local IP address:
Status: Connecting to "local server ip address":"server ftp port number"
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Command: USER FTPuser
Response: 331 Password required for FTPuser
Command: PASS ******
Response: 530 Login incorrect.
Error: Critical error: Could not connect to server

So something is wrong with the user account. The same username and password are entered both in FreeNAS when creating the user and in FileZilla, so it's not a simple typo.

I have typed in the username and password multiple times with no change, so it must be some setting causing the login to fail.
I set the local port number in FileZilla to the same number as in the FreeNAS FTP settings.
Disabled root and anonymous login, enabled local login, and enabled always chroot.
 

snaptec (Guru, joined Nov 30, 2015, 502 messages)
Is the user in the right groups?
Are the permissions on the shared dataset OK?
Please do not use plain FTP.
It's 2017... Go with FTPS or SFTP.
First answer the above questions and later add security, please.


Sent from iPhone with Tapatalk
 

QRikard (Cadet, joined Jun 6, 2014, 9 messages)
I actually started with SFTP but didn't get it to work. As I understand it, I only need to enable SSH on the FreeNAS to get SFTP to work, but there was no field to set folders there, and from what I remember from a few years ago SSH went directly into root, and I don't want users to have access there. That's one reason why I went for the FTP solution; secondly, the GUI interface looked simpler for plain FTP (not that it helped)...

If you have time, please guide me towards a more secure and long-term solution.

Now to answer your questions:
My folder structure looks like this: Volume/Share/FTP; each level has one group with the same/similar name.
Is the user in the right groups? - FTPuser is set to the volume, share and ftp groups.
Are the permissions on the shared dataset OK? - The FTP folder I intend to share has read/write/execute rights for owner (my personal user) and the ftp group (nothing for other).
The volume folder has only read and execute rights for owner, group and other.
The Share folder has read, write and execute rights for owner, group and other. Below this level (in parallel with the FTP folder) is where I have all the separate folders (documents/photos) with limited permissions on files so only the right users can access them. I can't remember exactly, but I think there were some issues during setup that forced me to set wide rights on the top level for everything to work.
 

Robert Trevellyan (Pony Wrangler, joined May 16, 2014, 3,778 messages)
QRikard said:
I actually started for the SFTP but didn't get it to work. As i understand it i only need to enable SSH on the freenas to get sftp to work but there was no field to set folders there and from what i remember from a few years ago SSH went directly into root and i don't want users to have access there that's one reason why i went for the FTP solution
By default, when you log in with SSH (and therefore with SFTP), you end up in the home folder of the user you logged in with. You only end up in /root if you log in with the root user.
 

QRikard (Cadet, joined Jun 6, 2014, 9 messages)
Robert Trevellyan said:
By default, when you login with SSH (and therefore with SFTP), you end up in the home folder of the user you logged in with. You only end up in /root if you login with the root user.
Thanks, I used the root user last time.
Then I can direct the FTP user to the correct folder easily. I assume permissions on the other folders will stop the user from going into my other private files, but what commands can the FTPuser execute and how do I limit that (is it required)? Or is root access required for all commands that cause havoc?

Found this example for the auxiliary parameters in the manual for FTP: "<Limit DELE> DenyAll </Limit>", which blocks the user from deleting files. That would be nice for SFTP as well; it feels safer if everyone can only read and add files, not delete.
 

QRikard (Cadet, joined Jun 6, 2014, 9 messages)
For the FTPuser I have set the shell to scponly now (limits to sftp/scp; apparently it's still possible to work around, but better than nothing).
I have set the home folder to volume/share/FTP/FTPuser (for some reason the home folder can't be the FTP folder; the system always adds another folder named FTPuser below).

SSH is enabled, and in the settings I have disabled root login using password and enabled password authentication. TCP port forwarding is disabled (should it be?). No advanced parameters are set.

When trying to connect using FileZilla SFTP with the local IP address, port, FTP user and password, I only get this error message:
Status: Connecting to IP address...
Response: fzSftp started, protocol_version=7
Command: open "FTPuser@IP_address PORT
Error: Server unexpectedly closed network connection
Error: Could not connect to server
I have tried with root (before disabling it), my user and the FTP user, but always the same error.

When executing "tail -f /var/log/messages" in the FreeNAS shell I get this (messages come several times; just pasted two here):
Jan 6 10:22:23 freenas ntpd_initres[2283]: host name not found: 2.freebsd.pool.ntp.org
Jan 6 10:30:58 freenas sshd[18399]: fatal: matching cipher is not supported: aes256-gcm@openssh.com [preauth]

In FileZilla the server type is set to default and charset to autodetect (UTF-8).
 
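As an added example (not from the thread, and not FreeNAS's own tooling) covering both the earlier question about what commands the SFTP user can run and the scponly setup above: instead of relying on a restricted shell, sshd itself can confine an account with a Match block. The Python below parses a constructed sshd_config (the chroot path and the option values are assumed) and reports a user's effective options plus any confinement setting that is missing; its Match handling is a simplified model of sshd's rules (User criterion only).

```python
import re
from fnmatch import fnmatchcase
# Constructed sample sshd_config: a global section plus a Match block that
# confines FTPuser to SFTP only, inside a chroot, with no forwarding. The
# chroot path is assumed; sshd requires it and every parent to be root-owned
# and not group/world-writable, so uploads go into a writable subdirectory.
SAMPLE_SSHD_CONFIG = """
PermitRootLogin without-password
PasswordAuthentication yes
AllowTcpForwarding no
X11Forwarding no
Match User FTPuser
    ChrootDirectory /mnt/Volume/Share/FTP
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
"""
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no", "permittunnel": "no"}  # OpenSSH defaults

def effective_options(config_text, user):
    """Options sshd would apply to `user` (simplified model: first value wins
    in the global section, a matching 'Match User' block overrides it, and
    the first matching block wins; only the User criterion is understood)."""
    global_opts, match_opts, in_match, matched = {}, {}, False, False
    lines = (raw.split("#", 1)[0].strip() for raw in config_text.splitlines())
    for line in filter(None, lines):  # skip blank and comment-only lines
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            crit, in_match = value.split(), True
            matched = (len(crit) == 2 and crit[0].lower() == "user" and
                       any(fnmatchcase(user, p) for p in crit[1].split(",")))
        elif in_match and matched:
            match_opts.setdefault(key, value)
        elif not in_match:
            global_opts.setdefault(key, value)
    return {**global_opts, **match_opts}

def confinement_findings(config_text, user):
    """List the ways `user` is not confined to SFTP inside a chroot."""
    opts = effective_options(config_text, user)
    findings = []
    if opts.get("forcecommand", "").lower() != "internal-sftp":
        findings.append("no ForceCommand internal-sftp (shell/scp reachable)")
    if "chrootdirectory" not in opts:
        findings.append("no ChrootDirectory (whole filesystem browsable)")
    for key, default in DEFAULTS.items():
        if opts.get(key, default).lower() != "no":
            findings.append(f"{key} not disabled")
    return findings
```

Run `confinement_findings(open("/etc/ssh/sshd_config").read(), "FTPuser")` against a real file to see which settings still leave the account more than an SFTP drop box.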

QRikard (Cadet, joined Jun 6, 2014, 9 messages)
Found the issue after a lot of wasted time debugging my hardware/settings...
My ISP uses private IP addresses (NAT (something CGN?)). In order to get a public IP I need to sign a new contract costing me around $10/month.
 

SweetAndLow (Sweet'NASty, joined Nov 6, 2013, 6,421 messages)
QRikard said:
Found the issue after a lot of wasted time debugging my hardware/settings...
My ISP uses private IP-addresses (NAT (something CGN?)). In order to get a public IP i need to sign a new contract costing me around 10 $/month.
That seems very strange and I suspect your problem is somewhere else.
 

QRikard (Cadet, joined Jun 6, 2014, 9 messages)
SweetAndLow said:
That seems very strange and I suspect your problem is somewhere else.
Sadly not. I called the ISP and they are aware of the problem and refuse to solve it, simply because the internet service is included in my apartment rent. If I were to sign my own internet contract directly with them, it wouldn't be any problem at all to fix (give me a public IP). What it all boils down to is the limited number of IPv4 addresses, so they have a system to use few addresses to the world, thereby leaving me stuck without an IP since I'm behind their walls.
 

pschatz100 (Guru, joined Mar 30, 2014, 1,184 messages)
QRikard said:
Sadly not, called the ISP and they are aware of the problem and refuses to solve it simply because the internet service is included in my apartment rent. If i were to sign my own internet contract directly with them it wouldn't be any problem at all to fix (give me a public IP).
The solution is beyond the scope of this forum. I suggest you use Dropbox, or something similar, and be done with it. Keep things simple, especially for your non-technical users.
 

tvsjr (Guru, joined Aug 29, 2015, 959 messages)
QRikard said:
Sadly not, called the ISP and they are aware of the problem and refuses to solve it simply because the internet service is included in my apartment rent. If i were to sign my own internet contract directly with them it wouldn't be any problem at all to fix (give me a public IP). What it all boils down to is the limited number of IPv4 addresses, so they have a system to use few addresses to the world and thereby leaving me stuck without IP since i'm behind their walls.
Carrier-grade NAT, or CGNAT. Not too surprising considering IPv4 exhaustion. Even if you had a real public IP, it would likely still be dynamic, which isn't optimal for hosting.

We're way off-topic here, but I get around this (and still keep my actual hosting environment at home) by running a cheap VPS at Linode. On the VPS, I installed PFSense and configured an OpenVPN tunnel back home. Certain IPs/ports are forwarded to another PFSense firewall at home. The home firewall also has dual Internet connections via cable modem and an LTE router (backup only). So, at "consumer" rates plus $14/mo. for the VPS, I have 4 public IPs and redundant connectivity. The VPS is in the same city, so it's about 8ms latency... I'm not gaming, so an 8ms increase in latency doesn't matter to me.
 

snaptec (Guru, joined Nov 30, 2015, 502 messages)
You could also use IPv6 only, or buy a VPN connection from someone if you don't want a complete VPS.
You can drop me a PM if you are interested in a VPN with a public IP.
 