SFTP port 222 not working, Firewall UFW was inactive

Solved | Support | Tags: sftp, iptables | 15 Posts, 5 Posters, 2.4k Views
Post #1 by Aizat (last edited by girish)

Hi, I am not sure what's going on, but I tried to deploy a LAMP container, and upon realising that SFTP on port 222 wasn't working, I checked my system.
I am not sure when this started, but I upgraded to the latest Cloudron a couple of days ago, and in the last 2 weeks I migrated Cloudron from a different server. I rarely use SFTP, which is why I only discovered this issue now.
I'm using Commander One and CloudMounter on Mac, and receiving an error:
"Could not connect to host error -1." — a quick Google says: This error indicates that your web server did not accept our TCP connection request, and hence the HTTP Request could not be performed.

What I did to investigate:

1. Check telnet

root@vmi815992:~# telnet 123.123.123.1 222
Trying 123.123.123.1...
telnet: Unable to connect to remote host: Connection refused

2. Check UFW status
Before, when I did ufw status, it returned inactive. So I enabled it.

3. UFW status verbose

root@vmi815992:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
222                        ALLOW IN    Anywhere  >>>>  (I had to add this port manually)
222 (v6)                   ALLOW IN    Anywhere (v6)

4. SFTP still not working after I enabled this port

Shall I remove port 222 now? But most importantly, why was UFW inactive? @nebulon
Many thanks for the input.
Post #11 by girish (Staff)

@Aizat said in SFTP port 222 not working, Firewall UFW was inactive:

fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'

Yes, this is the issue! So, what you have to do is:

chmod 600 /home/yellowtent/platformdata/sftp/ssh/ssh_host_rsa_key

Then, just restart the SFTP service. Can you let me know if that works?
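As an added example (not Cloudron's or proftpd's code), the Python snippet below reproduces the permission test behind the SFTPHostKey error quoted above, namely any group or other permission bit set on the key file, and applies the chmod 600 fix from this post. It runs against a constructed temporary file; on Cloudron the real path is /home/yellowtent/platformdata/sftp/ssh/ssh_host_rsa_key as given above.

```python
"""Reproduce proftpd's SFTPHostKey permission check and apply the chmod 600 fix.
Added example, not Cloudron's or proftpd's code."""
import os
import stat
import tempfile

# proftpd rejects a host key that is "group- or world-accessible", i.e. any of
# the rwx bits for group or other are set (mode & 0o077 != 0).
GROUP_OR_WORLD = stat.S_IRWXG | stat.S_IRWXO  # 0o077


def host_key_problem(path):
    """Return a proftpd-style complaint if the key is too open, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & GROUP_OR_WORLD:
        return (f"unable to use '{path}' as host key, as it is "
                f"group- or world-accessible (mode {mode:04o})")
    return None


def harden_host_key(path):
    """Apply the fix from post #11 (chmod 600) when needed; return the final mode."""
    if host_key_problem(path) is not None:
        os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(initial_mode=0o644):
    """Constructed scenario: a key file created with a too-loose mode in a temp dir.
    Returns (problem_before, mode_after, problem_after)."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "ssh_host_rsa_key")  # stands in for the real path
        with open(key, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(key, initial_mode)
        before = host_key_problem(key)
        mode_after = harden_host_key(key)
        after = host_key_problem(key)
        return before, mode_after, after


if __name__ == "__main__":
    before, mode_after, after = demo()
    print("before:", before)
    print("after : mode %04o, problem=%s" % (mode_after, after))
```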
Post #2 by nebulon (Staff)

For a start, Cloudron is not using UFW to configure iptables but uses iptables directly, so you should disable UFW again.

Now try to run systemctl restart cloudron-firewall to reconfigure iptables for Cloudron. This should restore the iptables rules.
Post #3 by Aizat

@nebulon Thanks.
I have disabled UFW and I ran

systemctl restart cloudron-firewall

Next, I checked if port 222 is open:

root@vmi815992:~# iptables -L -n | grep :222

It gave no result, so I checked for port 22:

root@vmi815992:~# iptables -L -n | grep :22
           tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: SET name: public-22 side: source mask: 255.255.255.255
CLOUDRON_RATELIMIT_LOG  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: UPDATE seconds: 10 hit_count: 5 name: public-22 side: source mask: 255.255.255.255
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.15          tcp dpt:22

I thought port 222 was enabled by default? Should I enable port 222 then to allow SFTP? Thanks
Post #4 by robi

@Aizat make sure to list the INPUT chain.
Post #5 by Aizat (last edited by Aizat)

@robi Is this what you mean? I'm not so well versed with iptables.

root@vmi815992:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
CLOUDRON_RATELIMIT  all  --  anywhere             anywhere
CLOUDRON   all  --  anywhere             anywhere
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere
Post #6 by scooke

@Aizat Possibly, when you migrated Cloudron from a different server, you migrated to a server that wasn't fresh? Why else would there be different settings? What else might be lurking? Better be sure, and check.
Post #7 by girish (Staff, last edited by girish)

The SFTP service runs in a container, so the iptables rules are managed by docker. If you run iptables --numeric -L DOCKER, you will see them in the input chain's DOCKER chain:

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.6           tcp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.6           tcp dpt:2004
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.6           tcp dpt:2003
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.7           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            172.18.19.175        tcp dpt:7494

The dpt:22 rule is the SFTP rule. We expose port 22 in the sftp container as port 222 to the outside world. You will find the translation as a NAT rule. See iptables -t nat -L DOCKER:

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             localhost            tcp dpt:8417 to:172.18.0.6:8000
DNAT       tcp  --  anywhere             localhost            tcp dpt:2004 to:172.18.0.6:2004
DNAT       tcp  --  anywhere             localhost            tcp dpt:cfinger to:172.18.0.6:2003
DNAT       tcp  --  anywhere             anywhere             tcp dpt:222 to:172.18.0.7:22
DNAT       tcp  --  anywhere             anywhere             tcp dpt:7494 to:172.18.19.175:7494

The second last rule is the NAT re-write.
Post #8 by girish (Staff, last edited by girish)

Also, you must ideally not enable ufw. Docker manages iptables rules, and ufw and docker don't work together (meaning both tools are unaware of each other's existence, so you have to be very careful when updating rules).

ufw also does not remove its rules when it gets disabled. The only way I know to remove all those ufw rules is by rebooting the server.

Finally, about your SFTP issue, can you please check if the SFTP service is running? If you find the above rules missing in your iptables altogether, this is a sign that the container itself is not running (for whatever reason). If the rules are listed, then it means the SFTP service is not running properly internally. There was an issue we saw the other day where the sftp service had errors related to SFTP key permissions. Can you please check the logs in Services -> SFTP -> logs?
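As an added example (not Cloudron's code), a small Python checker that applies girish's diagnostic from posts #7 and #8 to captured iptables output: it looks up the DNAT rule for the external port, confirms the matching ACCEPT rule in the filter-table DOCKER chain, and flags ufw chains left in INPUT. The sample outputs are copied from this thread; chain names and port 222 are as on the page, the status labels and findings text are my own.

```python
"""Diagnose Cloudron SFTP port forwarding from captured iptables output.
Added example, not Cloudron's code: it encodes the decision tree from
posts #7 and #8 (no DNAT -> container down; DNAT + ACCEPT present ->
the service itself is failing, so read its logs) plus the ufw warning."""
import re

# Sample outputs copied from this thread (docker-managed chains).
NAT_DOCKER = """\
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             localhost            tcp dpt:8417 to:172.18.0.4:8000
DNAT       tcp  --  anywhere             anywhere             tcp dpt:imaps to:172.18.0.8:9993
DNAT       udp  --  anywhere             anywhere             udp dpt:10000 to:172.18.16.75:10000
DNAT       tcp  --  anywhere             anywhere             tcp dpt:222 to:172.18.0.15:22
"""

FILTER_DOCKER = """\
Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.4           tcp dpt:8000
ACCEPT     udp  --  0.0.0.0/0            172.18.16.75         udp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.15          tcp dpt:22
"""

INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
CLOUDRON_RATELIMIT  all  --  anywhere             anywhere
CLOUDRON   all  --  anywhere             anywhere
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
"""

# 'iptables -t nat -L DOCKER' DNAT rule: external port (a number, or an
# /etc/services name such as imaps) rewritten to a container ip:port.
DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>\w+)\s+--\s+\S+\s+\S+\s+\w+\s+dpt:(?P<dpt>\S+)"
    r"\s+to:(?P<ip>[\d.]+):(?P<port>\d+)"
)
# 'iptables --numeric -L DOCKER' ACCEPT rule towards a container ip:port.
ACCEPT_RE = re.compile(
    r"^ACCEPT\s+(?P<proto>\w+)\s+--\s+\S+\s+(?P<ip>[\d.]+)\s+\w+\s+dpt:(?P<port>\d+)"
)


def find_dnat(nat_output, external_port):
    """Return (container_ip, container_port) for the DNAT of external_port, or None."""
    for line in nat_output.splitlines():
        m = DNAT_RE.match(line.strip())
        if m and m.group("dpt") == str(external_port):
            return m.group("ip"), int(m.group("port"))
    return None


def filter_accepts(filter_output, ip, port):
    """True if the filter-table DOCKER chain ACCEPTs traffic to ip:port."""
    for line in filter_output.splitlines():
        m = ACCEPT_RE.match(line.strip())
        if m and m.group("ip") == ip and int(m.group("port")) == port:
            return True
    return False


def ufw_chains_present(input_output):
    """True if ufw-* chains are still hooked into INPUT (disabling ufw leaves them)."""
    return any(line.strip().startswith("ufw-") for line in input_output.splitlines())


def diagnose(nat_output, filter_output, input_output, external_port=222):
    """Apply the thread's decision tree; return (status, list of findings)."""
    findings = []
    if ufw_chains_present(input_output):
        findings.append("ufw chains are still in INPUT; keep ufw disabled and reboot to clear them")
    target = find_dnat(nat_output, external_port)
    if target is None:
        findings.append(f"no DNAT rule for port {external_port}: the sftp container is not running")
        return "container-down", findings
    ip, port = target
    if not filter_accepts(filter_output, ip, port):
        findings.append(f"DNAT to {ip}:{port} exists but the filter DOCKER chain has no matching ACCEPT")
        return "filter-rule-missing", findings
    findings.append(f"port {external_port} -> {ip}:{port} is wired up; check Services -> SFTP -> logs")
    return "check-service-logs", findings


if __name__ == "__main__":
    status, notes = diagnose(NAT_DOCKER, FILTER_DOCKER, INPUT_CHAIN)
    print(status)
    for n in notes:
        print(" -", n)
```

On a live host, feed it the real output of the three iptables commands shown in this thread instead of the embedded samples.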
Post #9 by Aizat (last edited by Aizat)

@girish said in SFTP port 222 not working, Firewall UFW was inactive:

iptables -t nat -L DOCKER

Hi! Thank you very much for the detailed input. I have removed port 222 from ufw and then disabled ufw.

OK, here's what I see:

root@vmi815992:~# iptables --numeric -L DOCKER
Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.4           tcp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.4           tcp dpt:2004
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.4           tcp dpt:2003
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.8           tcp dpt:9995
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.8           tcp dpt:9993
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.8           tcp dpt:4190
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.8           tcp dpt:2587
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.8           tcp dpt:2465
ACCEPT     udp  --  0.0.0.0/0            172.18.16.75         udp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.15          tcp dpt:22

and

root@vmi815992:~# iptables -t nat -L DOCKER
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             localhost            tcp dpt:8417 to:172.18.0.4:8000
DNAT       tcp  --  anywhere             localhost            tcp dpt:2004 to:172.18.0.4:2004
DNAT       tcp  --  anywhere             localhost            tcp dpt:cfinger to:172.18.0.4:2003
DNAT       tcp  --  anywhere             anywhere             tcp dpt:pop3s to:172.18.0.8:9995
DNAT       tcp  --  anywhere             anywhere             tcp dpt:imaps to:172.18.0.8:9993
DNAT       tcp  --  anywhere             anywhere             tcp dpt:sieve to:172.18.0.8:4190
DNAT       tcp  --  anywhere             anywhere             tcp dpt:smtp to:172.18.0.8:2587
DNAT       tcp  --  anywhere             anywhere             tcp dpt:submission to:172.18.0.8:2587
DNAT       tcp  --  anywhere             anywhere             tcp dpt:submissions to:172.18.0.8:2465
DNAT       udp  --  anywhere             anywhere             udp dpt:10000 to:172.18.16.75:10000
DNAT       tcp  --  anywhere             anywhere             tcp dpt:222 to:172.18.0.15:22

And the log:

Mar 27 19:01:07 2022-03-27 18:01:07,913 INFO success: filemanager entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
Mar 27 19:01:07 2022-03-27 18:01:07,917 INFO spawned: 'proftpd' with pid 20
Mar 27 19:01:07 2022-03-27 18:01:07,940 sftp proftpd[20]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
Mar 27 19:01:07 2022-03-27 18:01:07,940 sftp proftpd[20]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Mar 27 19:01:08 2022-03-27 18:01:08,962 INFO success: proftpd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
Mar 27 19:01:08 2022-03-27 18:01:08,962 INFO exited: proftpd (exit status 1; not expected)
Mar 27 19:01:09 2022-03-27 18:01:09,967 INFO spawned: 'proftpd' with pid 21
Mar 27 19:01:09 2022-03-27 18:01:09,991 INFO exited: proftpd (exit status 1; not expected)
Mar 27 19:01:09 2022-03-27 18:01:09,989 sftp proftpd[21]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
Mar 27 19:01:09 2022-03-27 18:01:09,989 sftp proftpd[21]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Mar 27 19:01:11 2022-03-27 18:01:10,999 INFO spawned: 'proftpd' with pid 22
Mar 27 19:01:11 2022-03-27 18:01:11,056 sftp proftpd[22]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
Mar 27 19:01:11 2022-03-27 18:01:11,056 sftp proftpd[22]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Mar 27 19:01:11 2022-03-27 18:01:11,058 INFO exited: proftpd (exit status 1; not expected)
Mar 27 19:01:13 2022-03-27 18:01:13,064 INFO spawned: 'proftpd' with pid 23
Mar 27 19:01:13 2022-03-27 18:01:13,082 sftp proftpd[23]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
Mar 27 19:01:13 2022-03-27 18:01:13,085 INFO exited: proftpd (exit status 1; not expected)
>>Mar 27 19:01:13 2022-03-27 18:01:13,083 sftp proftpd[23]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Mar 27 19:01:16 2022-03-27 18:01:16,091 INFO spawned: 'proftpd' with pid 24
Mar 27 19:01:16 2022-03-27 18:01:16,141 sftp proftpd[24]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
>>Mar 27 19:01:16 2022-03-27 18:01:16,141 sftp proftpd[24]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Mar 27 19:01:16 2022-03-27 18:01:16,151 INFO exited: proftpd (exit status 1; not expected)
Mar 27 19:01:17 2022-03-27 18:01:17,153 INFO gave up: proftpd entered FATAL state, too many start retries too quickly
Mar 28 14:35:40 [GET] /files/app-188b9a37-023d-4527-a955-e6f21227de36/
Mar 28 14:35:40 get: /mnt/appsdata/188b9a37-023d-4527-a955-e6f21227de36/data as download:false
Mar 28 14:35:41 [GET] /files/app-188b9a37-023d-4527-a955-e6f21227de36/credentials.txt
Mar 28 14:35:41 get: /mnt/appsdata/188b9a37-023d-4527-a955-e6f21227de36/data/credentials.txt as download:false
Mar 28 18:04:07 [GET] /files/app-21c7ea06-6ede-4883-a02d-d52321727aed/
Mar 28 18:04:07 get: /mnt/appsdata/21c7ea06-6ede-4883-a02d-d52321727aed/data as download:false
Mar 28 18:04:45 [GET] /files/app-21c7ea06-6ede-4883-a02d-d52321727aed/public
Mar 28 18:04:45 get: /mnt/appsdata/21c7ea06-6ede-4883-a02d-d52321727aed/data/public as download:false

On the 27th it did show there was an issue:

fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Post #10 by Aizat

@scooke it was fresh, I only set up my ssh and followed exactly what was in the docs; the end result of the migration was very smooth, no problems at all. I had never tried SFTP prior to the migration, so I would not be sure.
                          Mar 27 19:01:07 2022-03-27 18:01:07,917 INFO spawned: 'proftpd' with pid 20
                          Mar 27 19:01:07 2022-03-27 18:01:07,940 sftp proftpd[20]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
                          Mar 27 19:01:07 2022-03-27 18:01:07,940 sftp proftpd[20]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
                          Mar 27 19:01:08 2022-03-27 18:01:08,962 INFO success: proftpd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
                          Mar 27 19:01:08 2022-03-27 18:01:08,962 INFO exited: proftpd (exit status 1; not expected)
                          Mar 27 19:01:09 2022-03-27 18:01:09,967 INFO spawned: 'proftpd' with pid 21
                          Mar 27 19:01:09 2022-03-27 18:01:09,991 INFO exited: proftpd (exit status 1; not expected)
                          Mar 27 19:01:09 2022-03-27 18:01:09,989 sftp proftpd[21]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
                          Mar 27 19:01:09 2022-03-27 18:01:09,989 sftp proftpd[21]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
                          Mar 27 19:01:11 2022-03-27 18:01:10,999 INFO spawned: 'proftpd' with pid 22
                          Mar 27 19:01:11 2022-03-27 18:01:11,056 sftp proftpd[22]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
                          Mar 27 19:01:11 2022-03-27 18:01:11,056 sftp proftpd[22]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
                          Mar 27 19:01:11 2022-03-27 18:01:11,058 INFO exited: proftpd (exit status 1; not expected)
                          Mar 27 19:01:13 2022-03-27 18:01:13,064 INFO spawned: 'proftpd' with pid 23
                          Mar 27 19:01:13 2022-03-27 18:01:13,082 sftp proftpd[23]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
                          Mar 27 19:01:13 2022-03-27 18:01:13,085 INFO exited: proftpd (exit status 1; not expected)
Mar 27 19:01:13 2022-03-27 18:01:13,083 sftp proftpd[23]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
                          Mar 27 19:01:16 2022-03-27 18:01:16,091 INFO spawned: 'proftpd' with pid 24
                          Mar 27 19:01:16 2022-03-27 18:01:16,141 sftp proftpd[24]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
Mar 27 19:01:16 2022-03-27 18:01:16,141 sftp proftpd[24]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
                          Mar 27 19:01:16 2022-03-27 18:01:16,151 INFO exited: proftpd (exit status 1; not expected)
                          Mar 27 19:01:17 2022-03-27 18:01:17,153 INFO gave up: proftpd entered FATAL state, too many start retries too quickly
                          Mar 28 14:35:40 [GET] /files/app-188b9a37-023d-4527-a955-e6f21227de36/
                          Mar 28 14:35:40 get: /mnt/appsdata/188b9a37-023d-4527-a955-e6f21227de36/data as download:false
                          Mar 28 14:35:41 [GET] /files/app-188b9a37-023d-4527-a955-e6f21227de36/credentials.txt
                          Mar 28 14:35:41 get: /mnt/appsdata/188b9a37-023d-4527-a955-e6f21227de36/data/credentials.txt as download:false
                          Mar 28 18:04:07 [GET] /files/app-21c7ea06-6ede-4883-a02d-d52321727aed/
                          Mar 28 18:04:07 get: /mnt/appsdata/21c7ea06-6ede-4883-a02d-d52321727aed/data as download:false
                          Mar 28 18:04:45 [GET] /files/app-21c7ea06-6ede-4883-a02d-d52321727aed/public
                          Mar 28 18:04:45 get: /mnt/appsdata/21c7ea06-6ede-4883-a02d-d52321727aed/data/public as download:false
                          

On the 27th it did show there is an issue:

                          fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
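The two outputs above already contain the diagnosis when read together: the nat DOCKER chain proves the kernel forwards host port 222 to 172.18.0.15:22, so neither ufw nor Docker is dropping the packets, while the supervisor log shows proftpd never stayed up, so nothing listens on the far end of that DNAT and the container's kernel answers with a reset, which is what telnet reports as "Connection refused". The following sh script is an added example written for this page, not Cloudron's code and not something posted in the thread. It parses both kinds of output; the sample inputs are constructed from the lines posted above (with numeric ports, as `iptables -t nat -nL DOCKER` prints them; without `-n`, `-L` substitutes service names such as `submission` for port numbers and the port match below would miss) so it runs offline, and the function and variable names are my own.

```shell
#!/bin/sh
# Added triage helpers for the outputs posted in the thread (not from the thread,
# not Cloudron's code). SAMPLE_NAT and SAMPLE_LOG are constructed from the posted
# lines; on a live host feed in `iptables -t nat -nL DOCKER` and the SFTP app log.

SAMPLE_NAT=$(cat <<'EOF'
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:587 to:172.18.0.8:2587
DNAT       udp  --  anywhere             anywhere             udp dpt:10000 to:172.18.16.75:10000
DNAT       tcp  --  anywhere             anywhere             tcp dpt:222 to:172.18.0.15:22
EOF
)

SAMPLE_LOG=$(cat <<'EOF'
Mar 27 19:01:07 2022-03-27 18:01:07,917 INFO spawned: 'proftpd' with pid 20
Mar 27 19:01:07 2022-03-27 18:01:07,940 sftp proftpd[20]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Mar 27 19:01:08 2022-03-27 18:01:08,962 INFO exited: proftpd (exit status 1; not expected)
Mar 27 19:01:09 2022-03-27 18:01:09,967 INFO spawned: 'proftpd' with pid 21
Mar 27 19:01:09 2022-03-27 18:01:09,989 sftp proftpd[21]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Mar 27 19:01:09 2022-03-27 18:01:09,991 INFO exited: proftpd (exit status 1; not expected)
Mar 27 19:01:17 2022-03-27 18:01:17,153 INFO gave up: proftpd entered FATAL state, too many start retries too quickly
EOF
)

# Where does the kernel send a published host port? Prints "ip:port" and
# returns 0, or prints nothing and returns 1 when no DNAT rule matches.
# Matching on the whole "dpt:NNN" field keeps port 22 from matching port 222.
dnat_target() {
  target=$(printf '%s\n' "$2" | awk -v want="dpt:$1" '
    $1 == "DNAT" {
      for (i = 1; i <= NF; i++)
        if ($i == want) { sub(/^to:/, "", $NF); print $NF; exit }
    }')
  [ -n "$target" ] && printf '%s\n' "$target"
}

# Number of log lines where proftpd refused the SFTP host key (0 prints "0").
hostkey_fatal_count() {
  printf '%s\n' "$1" | grep -c 'fatal: SFTPHostKey' || :
}

# True once supervisor has stopped retrying the named program: the DNAT rule
# then points at a container port nothing listens on, which from outside
# looks exactly like the "Connection refused" telnet reported.
process_gave_up() {
  printf '%s\n' "$2" | grep -q "gave up: $1 entered FATAL state"
}

# Read the two inputs the way a quick triage would.
if target=$(dnat_target 222 "$SAMPLE_NAT"); then
  echo "port 222 is DNATed to $target: ufw and Docker NAT are not the problem"
else
  echo "no DNAT rule for port 222: look at Docker/ufw, not at the app"
fi
if [ "$(hostkey_fatal_count "$SAMPLE_LOG")" -gt 0 ] && process_gave_up proftpd "$SAMPLE_LOG"; then
  echo "proftpd never came up: host key is group/world accessible; fix its mode, then restart the SFTP service"
fi
```

The filter-table DOCKER chain posted first (`iptables --numeric -L DOCKER`) only tells you the forwarded traffic is accepted; it is the nat-table DNAT line that says where it goes, and the listener check has to happen at that destination, here inside the sftp container, not on the host.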
                          
                          girishG Offline
                          girishG Offline
                          girish
                          Staff
                          wrote on last edited by
                          #11

                          @Aizat said in SFTP port 222 not working, Firewall UFW was inactive:

                          fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'

                          Yes, this is the issue! So, what you have to do is:

                          chmod 600 /home/yellowtent/platformdata/sftp/ssh/ssh_host_rsa_key
                          

                          Then, just restart the SFTP service. Can you let me know if that works?

                          AizatA 1 Reply Last reply
                          2
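The condition proftpd logs ("group- or world-accessible") is a plain mode check on the private host key, so it can be verified and corrected on the host before restarting the service. The sh script below is an added example written for this page, not Cloudron's code and not part of the reply above; it assumes the host path the reply gives (`/home/yellowtent/platformdata/sftp/ssh/ssh_host_rsa_key`, which the container sees as `/etc/ssh/ssh_host_rsa_key`), and its demo section uses a placeholder file in a temporary directory rather than a real key. Function names are my own.

```shell
#!/bin/sh
# Added example (not Cloudron's code): check a private key's mode the way the
# proftpd SFTPHostKey error describes, and apply the chmod 600 fix only when
# needed. Host path per the thread: /home/yellowtent/platformdata/sftp/ssh/ssh_host_rsa_key

# Return 0 when the file has no group/other permission bits (0600, 0400, ...),
# 1 when it does, 2 when it cannot be stat'ed. GNU and BSD stat are both tried.
key_mode_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Tighten the mode only when it is wrong, so a correct key is left untouched
# and the output tells you whether a restart is actually needed.
ensure_private_key_mode() {
  if key_mode_private "$1"; then
    echo "ok: $1 already has owner-only permissions"
  else
    chmod 600 "$1" && echo "fixed: $1 set to 0600 (restart the SFTP service to pick it up)"
  fi
}

# Offline demo: reproduce the post-restore state (group-readable key) on a
# placeholder file, then fix it. Not a real key.
demo_dir=$(mktemp -d)
demo_key="$demo_dir/ssh_host_rsa_key"
printf 'placeholder, not a real key\n' > "$demo_key"
chmod 640 "$demo_key"                      # the mode the restore left behind
key_mode_private "$demo_key" || echo "before: proftpd would refuse this key"
ensure_private_key_mode "$demo_key"
key_mode_private "$demo_key" && echo "after: proftpd would accept it"
rm -rf "$demo_dir"
```

On the host, run `ensure_private_key_mode /home/yellowtent/platformdata/sftp/ssh/ssh_host_rsa_key` as root and then restart the SFTP service as the reply says; the check passes for 0600 and 0400 and fails for anything with group or other bits, which is the same distinction the log line draws.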

                            girishG Offline
                            girishG Offline
                            girish
                            Staff
                            wrote on last edited by girish
                            #12

                            @Aizat said in SFTP port 222 not working, Firewall UFW was inactive:

                            the end result of the migration was very smooth

                            I suspect we have a bug in our migration+sftp permissions. I will investigate. The private key is restored with group readable permissions, so the sftp service refuses to start.

                            AizatA 1 Reply Last reply
                            1

                              AizatA Offline
                              AizatA Offline
                              Aizat
                              wrote on last edited by
                              #13

                              @girish said in SFTP port 222 not working, Firewall UFW was inactive:

                              chmod 600 /home/yellowtent/platformdata/sftp/ssh/ssh_host_rsa_key

                              YESSS!! It works! Thank you so much @girish
                              Amazing. Yep, now I've connected to my sftp.
I also use my IP address for the host, instead of my.domain.com, because I use Cloudflare (referring to the doc).

                              1 Reply Last reply
                              0
                              • AizatA Aizat has marked this topic as solved on

                                AizatA Offline
                                AizatA Offline
                                Aizat
                                wrote on last edited by
                                #14

@girish yup, I think that's it. Worthwhile to put that in the docs for now, just in case somebody is searching for a solution quickly (if they don't find this post).

                                girishG 1 Reply Last reply
                                0

                                  girishG Offline
                                  girishG Offline
                                  girish
                                  Staff
                                  wrote on last edited by girish
                                  #15

@Aizat This was a bug in the restore code. I have fixed this now for the next release - https://git.cloudron.io/cloudron/box/-/commit/529f6fb2cd945fb5cbba30ae10dfb3776b0150b2

                                  AizatA 1 Reply Last reply
                                  4
                                  • girishG girish forked this topic on