stilliard / docker-pure-ftpd

Docker Pure-ftpd Server
https://hub.docker.com/r/stilliard/pure-ftpd/
MIT License

220-Only anonymous FTP is allowed here - but I want only to use pure-ftpd virtual users... #48

Closed Mesqualito closed 6 years ago

Mesqualito commented 7 years ago

Our webshop team needs a server to upload pictures via FTP (explicit FTP over TLS, port 21 as far as I know) with passive FTP (ports 30000 - 30009) and get them via HTTPS. Don't ask me why...

So I have been trying to set up Docker via one docker-compose.yml and some Dockerfiles. And I am stuck at this pure-ftpd image. Therefore I have some questions...

I am using stilliard/pure-ftpd:hardened. Inside the container, the FTP server daemon is running with:

root@6dfbbafdd741:/etc/pure-ftpd# ps faux | grep pure

/bin/sh -c /run.sh -E -c 5 -C 5 -j -R -p 30000:30009 -P $PUBLICHOST -l puredb:/etc/pure-ftpd/db/pureftpd.pdb -e "ADDED_FLAGS=-d -d -O w3c:/var/log/pure-ftpd/transfer.log"
root  7  0.0  0.0  19788  4104 ?  S 12:00 0:00 pure-ftpd (SERVER) -d -O w3c:/var/log/pure-ftpd/transfer.log --tls=1

root@6dfbbafdd741:/# echo $PUBLICHOST
localhost

...but the puredb seems to be located in /etc/pure-ftpd/, not in /etc/pure-ftpd/db/. Why?

And even with changing my Dockerfile entry:

CMD /run.sh -E -c 5 -C 5 -j -R -p 30000:30009 -P $PUBLICHOST -l puredb:/etc/pure-ftpd/pureftpd.pdb -e "ADDED_FLAGS=-d -d -O w3c:/var/log/pure-ftpd/transfer.log"

(without adding db in the puredb path), I always get:

Status: Connection established
Return: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Return: 220-You are user number 1 of 5 allowed.
Return: 220-Local time is now 11:57. Server port: 21.
Return: 220-Only anonymous FTP is allowed here
Return: 220-IPv6 connections are also welcome on this server.
Return: 220 You will be disconnected after 15 minutes of inactivity.
Cmd:    AUTH TLS
Return: 234 AUTH TLS OK.
Status: Initialising TLS...
Status: Check Certificates...
Status: TLS-Connection established.
Cmd:    USER [user]
Return: 421 Unable to set up secure anonymous FTP
Fail:   Connection to the server could not be established

Why "Only anonymous FTP is allowed here"? I use the -E flag, and my [user] is stored in the /etc/pure-ftpd/passwd/pureftpd.passwd file, repeating exactly the steps you describe here on GitHub (of course with a different username and password):

[user]:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:1000:1000::/home/ftpusers/[user]/./::::::::::::

Maybe there is some error with the -P flag?

And the third question is: if I only want to allow pure-ftpd virtual users, can I delete PAMAuthentication in /etc/pure-ftpd/conf or set it to "no"?

The Docker container runs on CentOS 7 with kernel 4.13.2-1.el7.elrepo.x86_64, the firewall looks like:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 enp6s0
  sources:
  services: dhcpv6-client docker-registry ssh http https ftp
  ports: 30000-30009/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

and docker ps -a tells me:

CONTAINER ID        IMAGE                   COMMAND                  CREATED             STATUS              PORTS                                                      NAMES
6dfbbafdd741        gen_ftps.[xxx].net   "/bin/sh -c '/run...."   27 minutes ago      Up 26 minutes       0.0.0.0:21->21/tcp, 0.0.0.0:30000-30009->30000-30009/tcp   gen_ftps.[xxx].net_1
84b576317d74        nginx                   "nginx -g 'daemon ..."   4 hours ago         Up 4 hours          80/tcp, 443/tcp                                            gen_sslimages.[xxx].net_1
13bf2cfac987        gen_reverseproxy        "nginx -g 'daemon ..."   4 hours ago         Up 4 hours          0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp                   gen_reverseproxy_1
e05fa187eade        nginx                   "nginx -g 'daemon ..."   4 hours ago         Up 4 hours          80/tcp, 443/tcp                                            gen_www.[xxx].com_1
1a3bf3f5b90a        nginx                   "nginx -g 'daemon ..."   4 hours ago         Up 4 hours          80/tcp                                                     gen_service.[xxx].com_1

The docker-compose.yml contains (snippet):

version: '3.3'
services:
  ftps.[xxx].net:
    build: ../ftps.[xxx].net/.
    volumes:
    - type: volume
      source: vol-ssldata
      target: /home/ftpusers
      volume:
        nocopy: true
    - type: volume
      source: vol-ftpsusers
      target: /etc/pure-ftpd/passwd
      volume:
        nocopy: true
    - type: volume
      source: vol-ftplogs
      target: /var/log/pure-ftpd
      volume:
        nocopy: true
    - type: volume
      source: vol-ftp-db
      target: /etc/pure-ftpd/db
      volume:
        nocopy: true
    expose:
      - "21"
      - "30000-30009"
    networks:
    - net_ftps.[xxx].net
    ports:
      - "21:21"
      - "30000-30009:30000-30009"

[...], and I use vol-ssldata in another nginx container for HTTPS.

As far as I can think (which can't be too far ;-) the problem lies in the pure-ftpd container.

Thanks for your good work and your answers in advance!

Sincerely,

Jochen
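Two checks worth running before blaming the image, as an added example that is not part of the issue or of the stilliard/docker-pure-ftpd project: an audit of the argument list that ends up at pure-ftpd (in pure-ftpd, -E is --noanonymous and -e is --anonymousonly, and -l puredb:PATH selects the virtual-user database that pure-pw mkdb builds from the .passwd file), and a sanity check of a pureftpd.passwd entry of the shape shown above. The function names are mine, the argument list fed to the demonstration reproduces the CMD line from the issue with run.sh stripped off, the passwd entry and its hash are constructed, and the audit only recognises the separate "-l puredb:PATH" form. The note about ADDED_FLAGS relies on the image's README documenting it as an environment variable set with docker run -e.

```shell
#!/bin/sh
# Added example, not code from stilliard/docker-pure-ftpd or from the issue.
#  1. audit_pureftpd_args: look for contradictory or misplaced flags in the
#     list handed to pure-ftpd (-E = --noanonymous, -e = --anonymousonly,
#     -l puredb:PATH = virtual-user database).
#  2. check_passwd_entry: sanity-check one pureftpd.passwd line before
#     running 'pure-pw mkdb'.

# audit_pureftpd_args ARG... : prints findings, returns 0 if consistent, 1 otherwise.
audit_pureftpd_args() {
    noanon=0; anononly=0; dbpath=""; prev=""; status=0
    for arg in "$@"; do
        if [ "$prev" = "-l" ]; then
            case "$arg" in
                puredb:*) dbpath=${arg#puredb:} ;;
                *) echo "auth backend '$arg' is not puredb" ;;
            esac
        fi
        case "$arg" in
            -E) noanon=1 ;;
            -e) anononly=1 ;;
            ADDED_FLAGS=*)
                # The image's README sets ADDED_FLAGS with 'docker run -e';
                # inside a CMD line the preceding -e reaches pure-ftpd itself.
                echo "'$arg' is a positional argument; ADDED_FLAGS belongs in the environment (docker run -e / compose 'environment:')"
                status=1 ;;
        esac
        prev=$arg
    done
    if [ "$noanon" -eq 1 ] && [ "$anononly" -eq 1 ]; then
        echo "conflict: -E (--noanonymous) and -e (--anonymousonly) both given"
        status=1
    fi
    if [ -z "$dbpath" ]; then
        echo "no '-l puredb:PATH': virtual users have no database to be looked up in"
        status=1
    elif [ ! -f "$dbpath" ]; then
        # Informational only: the .pdb is produced by 'pure-pw mkdb' and may
        # not exist on the host running this audit.
        echo "note: $dbpath not found here (build it with: pure-pw mkdb -f PASSWDFILE -F $dbpath)"
    fi
    return "$status"
}

# check_passwd_entry LINE : returns 0 if the entry is sane for a chrooted virtual user.
# pure-pw's passwd format is login:pwhash:uid:gid:gecos:home:... (18 colon-separated fields);
# a home ending in /./ tells pure-ftpd to chroot the session there.
check_passwd_entry() {
    line=$1; status=0
    nfields=$(printf '%s' "$line" | awk -F: '{print NF}')
    login=$(printf '%s' "$line" | cut -d: -f1)
    uid=$(printf '%s' "$line" | cut -d: -f3)
    gid=$(printf '%s' "$line" | cut -d: -f4)
    home=$(printf '%s' "$line" | cut -d: -f6)
    [ "$nfields" -eq 18 ] || { echo "$login: expected 18 fields, got $nfields"; status=1; }
    case "$uid" in ''|*[!0-9]*) echo "$login: uid '$uid' is not numeric"; status=1 ;; esac
    case "$gid" in ''|*[!0-9]*) echo "$login: gid '$gid' is not numeric"; status=1 ;; esac
    case "$uid:$gid" in
        0:*|*:0) echo "$login: uid/gid 0 would run the session as root (pure-ftpd's -u also refuses low uids)"; status=1 ;;
    esac
    case "$home" in
        */./) ;;
        *) echo "$login: home '$home' lacks the /./ chroot marker, the user would not be jailed"; status=1 ;;
    esac
    return "$status"
}

# Demonstration: the issue's CMD line (run.sh stripped off) and a constructed entry.
audit_pureftpd_args -E -c 5 -C 5 -j -R -p 30000:30009 -P localhost \
    -l puredb:/etc/pure-ftpd/pureftpd.pdb \
    -e "ADDED_FLAGS=-d -d -O w3c:/var/log/pure-ftpd/transfer.log" \
    || echo "argument list is inconsistent"
check_passwd_entry 'webshop:$6$constructedhash:1000:1000::/home/ftpusers/webshop/./::::::::::::' \
    && echo "passwd entry looks sane"
```

Run it inside the container after the daemon has started, feeding it the arguments from ps, and regenerate the .pdb with pure-pw mkdb after every change to the .passwd file; the daemon reads only the database named after -l puredb:, not the .passwd file itself.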

stilliard commented 7 years ago

Hey @Mesqualito, thanks for reaching out about this with all this detail :). Your setup looks good, I think I know what might be causing the issues:

Ref the db and flag issues, it might be worth changing to start /usr/sbin/pure-ftpd directly rather than our run.sh script, as I know we reference the db location in there too. Or if that doesn't work you could create a new Dockerfile based off this one but override the run.sh file with changes to the db path etc.

Ref the PAMAuthentication / conf change, I'm not sure that the conf files are being read, but it's worth trying at least :).

Hope this helped a little.

Mesqualito commented 7 years ago

Thanks for your reply, I'll test your hints!

Is there no proof yet that the config files are read in your hardened branch, as mentioned in https://github.com/stilliard/docker-pure-ftpd/issues/10 ?

stilliard commented 7 years ago

No problem, hope it helps.

Initially I just assumed the conf files were being read (never assume haha), but I later found that on Debian they are first read by a wrapper script that the init system would use. Without us creating a similar wrapper or adapting the normal Debian one, I don't think pure-ftpd would read them.

Best regards, Andrew Stilliard.

stilliard commented 6 years ago

Closing for now, but please re-open if you're still having any issues with this.