cant sftp into dev wordpress

chris

trying to gain sftp access to a WordPress (Developer) app and my connection is refused or my pass is not working

Tried via two different clients (cyberduck and forklift) and i tried direct via terminal sftp command. i can hit the server in terminal, but get Permission denied, please try again the password i am using is the same i login into my cloudron instance. (i do have 2factor auth on for my account, i am the admin). in the clients i get connection refused.

i tried in v7.4.3 of cloudron and i just updated to v7.5 and tried again, same issue.

girish

@chris please check if the SFTP port 222 is open in your cloud firewall (not the server, but anything that might be in the front like EC2 Security Group). If you use Cloudflare, you have to disable proxying because Cloudflare won't proxy SFTP traffic.

Finally, please note the username is different for each app. See https://docs.cloudron.io/apps/#ftp-access . It will show a popup with the username.

chris

i think you are right @girish , i thought i tested for open port before posting, but apparently not. running the following command and i see failed: Connection refused

nc -zv IPADDRESS 222

i will reach out to my host next.

girish

@chris I would also double check if the sftp service is working. Services -> sftp. Is that green?

chris

Hi @girish
i checked with my host, they are not blocking 222, i do use cloudflare, but i dont proxy through it, and to be safe i paused cloudflare on the domain, still not able to SFTP.

when i log into the server as root from my terminal, and run nc -zv localhost 222 , i see Connection to localhost 222 port [tcp/*] succeeded! not sure if that is the best way to see if 222 is open or not.

however, if i check from a online port scanner, i see 222 is closed. eg https://portchecker.co/checking

yes services -> sftp is green

any other suggestions?

girish

@chris Mmm, I am out of ideas. If not using Cloudflare and if you don't use a Cloud firewalls, then it's not clear why port 222 will be blocked. Can you send us an email to support@cloudron.io with the domain/IP and we can check it from here.

chris

yes. done. thanks for taking a look into this @girish

girish

It seems the internal SFTP server does not start up with. It errors with:

2023-07-18 17:59:26,556 sftp proftpd[20]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
2023-07-18 17:59:26,557 sftp proftpd[20]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 77 of '/etc/proftpd/proftpd.conf'
2023-07-18 17:59:26,559 INFO exited: proftpd (exit status 1; not expected)
2023-07-18 17:59:28,563 INFO spawned: 'proftpd' with pid 21

And indeed, the keys are world readable:

root@xx:/home/yellowtent/platformdata/sftp/ssh# ls -l
total 16
-rw------- 1 yellowtent yellowtent  419 Jul 14 22:50 ssh_host_ed25519_key
-rw-r--r-- 1 yellowtent yellowtent  110 Jul 14 22:50 ssh_host_ed25519_key.pub
-rw-r--r-- 1 yellowtent yellowtent 1679 Jul 14 22:50 ssh_host_rsa_key
-rw-r--r-- 1 yellowtent yellowtent  408 Jul 14 22:50 ssh_host_rsa_key.pub

A chmod o-r,g-r ssh_host_rsa_key does the trick. @chris can you check now?

girish

The file is created here with the correct perms. Not sure how it changed later.

chris

Thank you @girish - yes. that worked! I can sftp into the app
And i am so glad you took the time to review and fix the issue.