SFTP port 222 not working, Firewall UFW was inactive
-
@robi Is this what you mean? I'm not so well versed with iptables.
root@vmi815992:~# iptables -L
Chain INPUT (policy ACCEPT)
target                    prot opt source               destination
CLOUDRON_RATELIMIT        all  --  anywhere             anywhere
CLOUDRON                  all  --  anywhere             anywhere
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input          all  --  anywhere             anywhere
ufw-after-input           all  --  anywhere             anywhere
ufw-after-logging-input   all  --  anywhere             anywhere
ufw-reject-input          all  --  anywhere             anywhere
ufw-track-input           all  --  anywhere             anywhere
-
The SFTP service is run in a container, so the iptable rules are managed by docker. If you do iptables --numeric -L DOCKER, you will see them in the input chain's DOCKER chain:
Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.6           tcp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.6           tcp dpt:2004
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.6           tcp dpt:2003
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.7           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            172.18.19.175        tcp dpt:7494
The dpt:22 rule is the SFTP rule. We expose port 22 in the sftp container as port 222 to the outside world. You will find the translation as a NAT rule. See iptables -t nat -L DOCKER:
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             localhost            tcp dpt:8417 to:172.18.0.6:8000
DNAT       tcp  --  anywhere             localhost            tcp dpt:2004 to:172.18.0.6:2004
DNAT       tcp  --  anywhere             localhost            tcp dpt:cfinger to:172.18.0.6:2003
DNAT       tcp  --  anywhere             anywhere             tcp dpt:222 to:172.18.0.7:22
DNAT       tcp  --  anywhere             anywhere             tcp dpt:7494 to:172.18.19.175:7494
The second last rule is the NAT re-write.
-
Also, you must ideally not enable ufw. Docker manages iptable rules and ufw and docker don't work together (meaning, both tools are unaware of each other's existence, so you have to be very careful when updating rules). ufw also does not remove the rules when it gets disabled. The only way I know to remove all those ufw rules is by rebooting the server.
Finally, about your SFTP issue, can you please check if the SFTP service is running? If you find the above rules missing in your iptables altogether, this is a sign that the container itself is not running (for whatever reason). If the rules are listed, then it means the SFTP service is not running properly internally. There was an issue that we saw the other day where the sftp service had errors related to SFTP key permissions. Can you please check the logs in Services -> SFTP -> logs?
-
@girish said in SFTP port 222 not working, Firewall UFW was inactive:
iptables -t nat -L DOCKER
Hi! thank you very much for the detailed input. I have removed the port 222 from the ufw and then disabled ufw.
OK, Here's what I see:
root@vmi815992:~# iptables --numeric -L DOCKER
Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.4           tcp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.4           tcp dpt:2004
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.4           tcp dpt:2003
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.8           tcp dpt:9995
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.8           tcp dpt:9993
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.8           tcp dpt:4190
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.8           tcp dpt:2587
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.8           tcp dpt:2465
ACCEPT     udp  --  0.0.0.0/0            172.18.16.75         udp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.15          tcp dpt:22
and
root@vmi815992:~# iptables -t nat -L DOCKER
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             localhost            tcp dpt:8417 to:172.18.0.4:8000
DNAT       tcp  --  anywhere             localhost            tcp dpt:2004 to:172.18.0.4:2004
DNAT       tcp  --  anywhere             localhost            tcp dpt:cfinger to:172.18.0.4:2003
DNAT       tcp  --  anywhere             anywhere             tcp dpt:pop3s to:172.18.0.8:9995
DNAT       tcp  --  anywhere             anywhere             tcp dpt:imaps to:172.18.0.8:9993
DNAT       tcp  --  anywhere             anywhere             tcp dpt:sieve to:172.18.0.8:4190
DNAT       tcp  --  anywhere             anywhere             tcp dpt:smtp to:172.18.0.8:2587
DNAT       tcp  --  anywhere             anywhere             tcp dpt:submission to:172.18.0.8:2587
DNAT       tcp  --  anywhere             anywhere             tcp dpt:submissions to:172.18.0.8:2465
DNAT       udp  --  anywhere             anywhere             udp dpt:10000 to:172.18.16.75:10000
DNAT       tcp  --  anywhere             anywhere             tcp dpt:222 to:172.18.0.15:22
And the log:
Mar 27 19:01:07 2022-03-27 18:01:07,913 INFO success: filemanager entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
Mar 27 19:01:07 2022-03-27 18:01:07,917 INFO spawned: 'proftpd' with pid 20
Mar 27 19:01:07 2022-03-27 18:01:07,940 sftp proftpd[20]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
Mar 27 19:01:07 2022-03-27 18:01:07,940 sftp proftpd[20]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Mar 27 19:01:08 2022-03-27 18:01:08,962 INFO success: proftpd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
Mar 27 19:01:08 2022-03-27 18:01:08,962 INFO exited: proftpd (exit status 1; not expected)
Mar 27 19:01:09 2022-03-27 18:01:09,967 INFO spawned: 'proftpd' with pid 21
Mar 27 19:01:09 2022-03-27 18:01:09,991 INFO exited: proftpd (exit status 1; not expected)
Mar 27 19:01:09 2022-03-27 18:01:09,989 sftp proftpd[21]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
Mar 27 19:01:09 2022-03-27 18:01:09,989 sftp proftpd[21]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Mar 27 19:01:11 2022-03-27 18:01:10,999 INFO spawned: 'proftpd' with pid 22
Mar 27 19:01:11 2022-03-27 18:01:11,056 sftp proftpd[22]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
Mar 27 19:01:11 2022-03-27 18:01:11,056 sftp proftpd[22]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Mar 27 19:01:11 2022-03-27 18:01:11,058 INFO exited: proftpd (exit status 1; not expected)
Mar 27 19:01:13 2022-03-27 18:01:13,064 INFO spawned: 'proftpd' with pid 23
Mar 27 19:01:13 2022-03-27 18:01:13,082 sftp proftpd[23]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
Mar 27 19:01:13 2022-03-27 18:01:13,085 INFO exited: proftpd (exit status 1; not expected)
Mar 27 19:01:13 2022-03-27 18:01:13,083 sftp proftpd[23]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Mar 27 19:01:16 2022-03-27 18:01:16,091 INFO spawned: 'proftpd' with pid 24
Mar 27 19:01:16 2022-03-27 18:01:16,141 sftp proftpd[24]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
Mar 27 19:01:16 2022-03-27 18:01:16,141 sftp proftpd[24]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Mar 27 19:01:16 2022-03-27 18:01:16,151 INFO exited: proftpd (exit status 1; not expected)
Mar 27 19:01:17 2022-03-27 18:01:17,153 INFO gave up: proftpd entered FATAL state, too many start retries too quickly
Mar 28 14:35:40 [GET] /files/app-188b9a37-023d-4527-a955-e6f21227de36/
Mar 28 14:35:40 get: /mnt/appsdata/188b9a37-023d-4527-a955-e6f21227de36/data as download:false
Mar 28 14:35:41 [GET] /files/app-188b9a37-023d-4527-a955-e6f21227de36/credentials.txt
Mar 28 14:35:41 get: /mnt/appsdata/188b9a37-023d-4527-a955-e6f21227de36/data/credentials.txt as download:false
Mar 28 18:04:07 [GET] /files/app-21c7ea06-6ede-4883-a02d-d52321727aed/
Mar 28 18:04:07 get: /mnt/appsdata/21c7ea06-6ede-4883-a02d-d52321727aed/data as download:false
Mar 28 18:04:45 [GET] /files/app-21c7ea06-6ede-4883-a02d-d52321727aed/public
Mar 28 18:04:45 get: /mnt/appsdata/21c7ea06-6ede-4883-a02d-d52321727aed/data/public as download:false
On the 27th it did show there was an issue:
fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
-
@Aizat said in SFTP port 222 not working, Firewall UFW was inactive:
fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 101 of '/etc/proftpd/proftpd.conf'
Yes, this is the issue! So, what you have to do is:
chmod 600 /home/yellowtent/platformdata/sftp/ssh/ssh_host_rsa_key
Then, just restart the SFTP service. Can you let me know if that works?
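An added check (not Cloudron's code, not part of the original thread) that mirrors the permission test behind proftpd's "group- or world-accessible" refusal and applies the chmod 600 fix above, so an over-permissive host key can be found before the service is restarted. It assumes GNU coreutils stat and uses the key path from this thread as its default.

```shell
#!/bin/sh
# Added example, not Cloudron's code: reproduce the SFTPHostKey permission
# check (private host key must not be group- or world-accessible) and apply
# the chmod 600 fix from the thread. Assumes GNU coreutils `stat`.

# Default path quoted in the thread; every function also takes an explicit path.
HOST_KEY="/home/yellowtent/platformdata/sftp/ssh/ssh_host_rsa_key"

# Returns 0 when the file's group and other permission bits are all clear.
hostkey_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        0|*00) return 0 ;;   # e.g. 600, 400, 700: owner-only, proftpd accepts
        *)     return 1 ;;   # e.g. 640, 644: proftpd refuses to start
    esac
}

# The fix applied in the thread: owner read/write only, then re-verify.
fix_hostkey_perms() {
    chmod 600 "$1" && hostkey_perms_ok "$1"
}

# Check every ssh_host_*_key private key in a directory; prints one line per
# key and returns the number of keys that would make proftpd fail to start.
scan_hostkey_dir() {
    bad=0
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        if hostkey_perms_ok "$key"; then
            echo "ok:  $key ($(stat -c '%a' "$key"))"
        else
            echo "BAD: $key ($(stat -c '%a' "$key")) is group- or world-accessible; run chmod 600"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Stand-alone use: report on the thread's key directory if it exists here.
if [ -f "$HOST_KEY" ]; then
    scan_hostkey_dir "$(dirname "$HOST_KEY")"
fi
```

Run it before restarting the SFTP service; a non-zero exit from scan_hostkey_dir means at least one key still needs tightening.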
-
@Aizat said in SFTP port 222 not working, Firewall UFW was inactive:
the end result of the migration was very smooth
I suspect we have a bug in our migration+sftp permissions. I will investigate. The private key is restored with group readable permissions, so the sftp service refuses to start.
-
@girish said in SFTP port 222 not working, Firewall UFW was inactive:
chmod 600 /home/yellowtent/platformdata/sftp/ssh/ssh_host_rsa_key
YESSS!! It works! Thank you so much @girish
Amazing. Yep, now I've connected to my sftp.
I also use my IP address for the host instead of my.domain.com, because I use Cloudflare (referring to the doc).
-