Solved SFTP connects to 202 but not 222

drpaneas

How to reproduce:

I have the following sshd configuration:

• Use keys insteas of password
• Disable root login
• Change port to 202
• Allow only user 'drpaneas' to login

I am now able to SFTP into the server, by loading my private key to Filezilla and accessing the SSH port (that is 202).

According to https://docs.cloudron.io/apps/#ftp-access there is a docker container running an SFTP server where I should be able to connect using my Cloudron username/password at port 222. This is not happening though.

This is the container I think:

6cd9eeefdf5b        cloudron/sftp:3.0.0         "/app/code/start.sh"     19 hours ago        Up 2 minutes        0.0.0.0:222->22/tcp                                            sftp

Is this normal?

nebulon

So the sshd itself on the server is not related to the sftp service running to get ftp access into the app. They are separate. SFTP auth is based on username@appdomain + password and not with keys. Generally we try to provide a system where SSH into the server is really only needed to troubleshoot and fix things. The ftp service itself is for webdev use-case mostly and thus also uses a different auth to be able to let that be configured via the dashboard.

girish

@drpaneas Does telnet to port 222 work? Replace 1.2.3.4 with your Cloudron IP below. If it doesn't connect, then it indicates most likely some firewall issue. Do you have some Cloud firewall in front of your server? If so, you might have to unblock port 222.

$ telnet 1.2.3.4 222
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
SSH-2.0-mod_sftp/0.9.9
4iOӤ�]N���R��Q��ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa1024-sha1ssh-rsa�aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-ctr,blowfish-cbc,cast128-cbc,arcfour256,arcfour128,3des-ctr,3des-cbc�aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-ctr,blowfish-cbc,cast128-cbc,arcfour256,arcfour128,3des-ctr,3des-cbcjhmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,umac-64@openssh.comjhmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,umac-64@openssh.com�zlib@openssh.com,zlib,none�zlib@openssh.com,zlib,noneO�

drpaneas

@girish yes telnet works and I get the same reply as yours

Also:

# lsof -i:222
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
docker-pr 20793 root    4u  IPv6 369319      0t0  TCP *:222 (LISTEN)

# ps aux | grep 20793
root       20793  0.0  0.0 622784  3968 ?        Sl   19:46   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 222 -container-ip 172.18.0.7 -container-port 22

girish

@drpaneas Ah ok, I think what you were probably looking for is to understand if the SSH and SFTP are the same server. As @nebulon said, they are completely different. SSH can be on any port. SFTP is run on specific port 222 and doesn't use ssh keys and instead uses cloudron directory for authentication. If you don't use SFTP, you can simple firewall off that port.

drpaneas

@girish yup I got it now. all clear Thanks everyone

Aizat

@girish Hi, I'm having a problem I did try telnet

root@vmi815992:~# telnet 123.123.123.1 222
Trying 123.123.123.1...
telnet: Unable to connect to remote host: Connection refused

Do I need to manually open port 222? I thought it was open by default for SFTP.

girish

@Aizat Let's discuss at https://forum.cloudron.io/topic/6719/sftp-port-222-not-working-firewall-ufw-was-inactive