Koozali.org: home of the SME Server

Setting up an I-bay for an outside user

Online TerryF

Re: Setting up an I-bay for an outside user
« Reply #45 on: July 22, 2021, 12:01:44 PM »
What is the sites url?
--
qui scribit bis legit

Offline JRBATM20192021

Re: Setting up an I-bay for an outside user
« Reply #46 on: July 23, 2021, 02:09:02 AM »

Online TerryF

Re: Setting up an I-bay for an outside user
« Reply #47 on: July 23, 2021, 08:31:28 AM »
Made an attempt or three to your site, different users, came up OK, obviously no password etc..

I do not use letsencrypt, so it's a puzzle, configured a VM with remoteuseraccess, enabled ftp in server-manager, set chroot for user, using WinSCP

FTP using TLS/SSL Explicit encryption and login was accepted, denied without the TLS/SSL

Needs a brighter spark than I.. only good thing is basic VM with defaults does what it should
--
qui scribit bis legit

Offline JRBATM20192021

Re: Setting up an I-bay for an outside user
« Reply #48 on: July 23, 2021, 08:54:53 PM »
Okay Sounds Good Thanks for looking. Any Ideas of what I should try to make this work? Everything works well except FTP.......

Offline JRBATM20192021

Re: Setting up an I-bay for an outside user
« Reply #49 on: July 25, 2021, 07:44:08 AM »
Okay I tried Smart FTP and it gave me an error.....

Unexpected server reply

Problem

Unexpected server reply.

HRESULT error: FTPLIB_E_WRONGREPLY (0x80043106)

Cause

This error occurs when the server returns an error reply or a reply the client did not expect. Further analysis of the server to client communication is required to determine the cause of this error.

Seems Like I have a setting wrong or I messed something up with trying to install default contribs in the software installer....

Thought I would try to reach out to the smart FTP people.

Any suggestions on what I should change on SME Server to maybe resolve the issue?

Is there some code where I could go back to the regular default contribs? I think that is where I messed up.... Because everything else works fine.....



Offline ReetP

Re: Setting up an I-bay for an outside user
« Reply #50 on: July 29, 2021, 10:57:31 AM »
One thing I should mention is before I added the software to do USER Remote access to chroot a user to a certain file I didn't have this problem...

I could get in from an outside network VIA FTP.

I also installed a whole bunch of updates like an idiot because I was hoping the USER Remote access software was in the updates.

"Act in haste, repent at leisure"

Quote
So is there a command I could use to restore all previous settings without uninstalling the USER Remote access and the Lets encrypt Security Certificate?

Restore from backup and start again? Letsencrypt can easily be re-generated.

OK, so you have been jumping wildly all over the place trying to guess your way to an answer rather than working it out methodically and finding what works and what does not.

This is fast becoming an XY problem which no one is going to be able to resolve very easily and is consuming everyone's time and getting nowhere in a hurry: https://xyproblem.info/

So, first thing go right back to the start and then work your way forwards little step by little step and documenting the process accurately. No jumping around or testing things on a whim. Be precise and methodical. Use logs. Read the wiki carefully - there is a wealth of information in there so use it to educate yourself.

This was an upgrade from SME v8? I don't believe we tested this, but it should *theoretically* work but YMMV.

So run the audittools on your SME v8 install and let's see what you have in there to start with.

Run these from a terminal.

/sbin/e-smith/audittools/newrpms << May not run correctly on SME v8
/sbin/e-smith/audittools/repositories
/sbin/e-smith/audittools/templates

Then do the same thing on the v10 version - you can actually go to the server-manager and look down the bottom on the left for creating a bug report - that will do it all for you.

Put them on pastebin or somewhere - not here.

I suggest you also give some details about your router or whatever you have between your server and the rest of the world, and how it is set up.

Make sure you *** anything sensitive please.

Further fumbling and guessing is not going to get this fixed. This needs a professional approach now please.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

Re: Setting up an I-bay for an outside user
« Reply #51 on: July 29, 2021, 02:42:57 PM »
config show ftp

Offline JRBATM20192021

Re: Setting up an I-bay for an outside user
« Reply #52 on: July 30, 2021, 04:06:21 AM »
No Problems Just working through it. Almost there.


Offline Jean-Philippe Pialasse

Re: Setting up an I-bay for an outside user
« Reply #53 on: August 04, 2021, 03:19:56 PM »
You must pay attention that SME only uses FTP active mode.

Nowadays the default for clients is sending the passive command, but SME ignores it.

Try to configure your client in active mode. It could still fail; here is why:

It all works while the client data port is accessible. But if the client is behind a NAT or firewall, this data port will not be accessible.

If you want to use passive mode, this needs adding extra config to the server, and then there is no limit on the client side. Only you will also need to open the random data port on the server-side firewall, adding a layer of risk, and also open those ports on your router if behind one.

This is why I suggested a lot of alternatives, because what seems simple here, « I will use ftp, it is already there », is not, because of all the layers to think about in terms of security: ports in firewalls, data transfer mode, TLS mode.

On the other hand, nextcloud or webdav is easy to install and configure on the client and will always use TLS encryption using https, with no headache for firewalls and ports to open.
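
Added example (not part of the original post, and not SME Server code): a small Python helper that decodes the address and port carried in an FTP PORT command or 227 passive reply and flags the NAT cases described above. The function names and the sample control-channel lines are constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 reply (RFC 959).
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Return (IPv4Address, port) advertised in a PORT command or 227 reply."""
    m = HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("byte out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def data_channel_plan(line, peer_ip):
    """Say which side must accept the data connection and what can block it.

    peer_ip: source address the other end sees on the control connection.
    """
    ip, port = parse_hostport(line)
    active = line.lstrip().upper().startswith("PORT")
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append("%s is a private address, not routable across NAT" % ip)
    if ip != ipaddress.IPv4Address(peer_ip):
        # With TLS on the control channel a NAT router cannot see or rewrite this.
        problems.append("advertised %s != control-connection peer %s" % (ip, peer_ip))
    return {"mode": "active" if active else "passive",
            "listener": "client" if active else "server",  # needs inbound port open
            "ip": str(ip), "port": port, "problems": problems}


if __name__ == "__main__":
    # Constructed control-channel lines; addresses are documentation/private ranges.
    samples = [
        ("PORT 192,168,1,50,200,13", "203.0.113.7"),      # client behind NAT
        ("PORT 203,0,113,7,200,13", "203.0.113.7"),       # client directly reachable
        ("227 Entering Passive Mode (192,168,1,10,195,80)", "198.51.100.20"),
    ]
    for line, peer in samples:
        print(line, "->", data_channel_plan(line, peer))
```

The "listener" field names the side whose firewall and router must admit the inbound data connection: the client in active mode, the server in passive mode.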


Online TerryF

Re: Setting up an I-bay for an outside user
« Reply #54 on: August 04, 2021, 04:36:25 PM »
OP and I have been collaborating via priv messaging :-) was able to access his test setup with TLS enabled and active mode on the client, WinSCP, Filezilla and CuteFTPle. All in all an interesting knowledge upgrade :-)

It is NOT a simple point and shoot matter. Far better to find another way, it can be done but requires more than just a config setting in SM..

Security is key here....
--
qui scribit bis legit

Offline Jean-Philippe Pialasse

Re: Setting up an I-bay for an outside user
« Reply #55 on: August 04, 2021, 06:30:15 PM »
This could lead to a wiki page on how to configure client and server depending on the network
to share this accumulated knowledge?

tls mode
active/passive
server behind NAT firewall
client behind NAT firewall
server only / server-gateway

Online TerryF

Re: Setting up an I-bay for an outside user
« Reply #56 on: August 05, 2021, 12:27:47 AM »
This could lead to a wiki page on how to configure client and server depending on the network
to share this accumulated knowledge?

tls mode
active/passive
server behind NAT firewall
client behind NAT firewall
server only / server-gateway

Definitely of benefit to add to the knowledge base... and those points above are all in play, hence my comment it is no trivial matter to use ftp in a secure way, even then it still has security implications, although at least TLS is active..
--
qui scribit bis legit