Allow VSFTP access to /var/spool/asterisk/monitor


(Jerry Riggin) #1

I need to allow LAN server FTP or SFTP access to /var/spool/asterisk/monitor to collect recordings.
I have added a user and tried various configurations of /etc/vsftp/vsftp.conf, user_list, etc. and messing with the vsftpd and vsftpd.freepbx in /etc/pam.d, but always window up with

> 530 Login incorrect.
> Login failed.

Does anyone have the correct configuration to allow recordings to be collected by FTP or SFTP?


(Dave Burgess) #2

I know this isn’t the answer you asked for, but my experience with this is that you can set up the directory in your apache.conf file and share it out (with or without a password) with a little bit of Apache config.

The short answer is to set up a new document root in the Apache and add a virtual domain to the setup. You can also use a Redirect directive in the Apache Config to redirect “http://LAN.Local/Recordings/” to the right directory. Either way you can add the .htpasswd file you need and go to town.


(Matt Brooks) #3

Why FTP and not ssh / scp? Zero configuration needed.

https://www.ssh.com/ssh/scp/

scp -R root@hostname:/var/spool/asterisk/monitor /path/to/local/directory


(Jerry Riggin) #5

The system accessing the recordings is a .NET server, so SCP would be a more complex choice for them. (“Them” are the .NET guys.) I could not make SFTP work with a /sbin/nologin shell so we had to give them a bash shell and put them in wheel. Now it works, but the secrutiy doesn’t make me happy.


#6

Perhaps to keep your .NET guys happy, ‘mount bind’ one of their CIFS share over /var/spool/asterisk/monitor ?


(Matt Brooks) #7

I revert my answer then, I believe @cynjut has the best answer here. Give them access to the files via HTTP and see if that works for them. I just can’t willingly push anyone to a solution built on FTP/SFTP having seen multiple projects explode around it.


(Jerry Riggin) #8

Thanks, Dave. I did offer that option but they already have Filezilla jobs collecting recordings and I am barging into their existing system with a new PBX system, phasing out Avaya. However we are talking about NFS or SAMBA solution. We probably will wind up with HTTP anyway.


(Dave Burgess) #9

Their FileZilla solution should easily transition to using http from ftp as the URI. If they are on the same network, setting it up in a subdirectory under the /var/www/html root with a SymLink and allowing symlinks for this would be a simple solution. This also “can” (not recommended, but can) get rid of the the username/password requirement. Setting this up is really simple and you already have the web server running on the phone system. Adding SMB shares and FTP access are both “additional” services, so you’ll need to manage them on your own.

Setting this up with FTP is doable, and if they’re not trained well enough to be able to use the webpage, you can enable FTP and set up a symlink from the FTP root directory to the recordings root, but it’s an additional attack vector for the system. There are better ways to do this than with a 40-year-old protocol that had security tacked on at the last minute…


(Matt Brooks) #10

It looks like Filezilla supports scp: https://www.question-defense.com/2009/04/12/how-to-scp-secure-copy-with-filezilla-on-windows-xp

Of course, it looks like there is the confusion of terms SFTP and SCP, but it appears that “SFTP - SSH File Transfer Protocol” in FileZilla actually means SCP.


(Jerry Riggin) #11

Correct. The can do SCP with filezilla, but to do so they have to have a login shell and it seems they have to be in wheel, which I do not like. If I take them out of wheel, they get invalid credentials. We will be moving to HTTP.


(Dave Burgess) #12

In the HTML book, look up the “Redirect” option for the simplest solution.


(Jerry Riggin) #13

Am I missing something here? I know how to do redirects, but I don’t think Filezilla does HTTP links, and all their automated file collection jobs are Filezilla automation. I do have Filezilla working with SFTP via vsftp now, but they have to have a log shell too. So, like I said, we will be going to HTTP retrieval for simplicity.


(Dave Burgess) #14

I thought to myself, “No, I’ve used Filezilla to download http:// links before.”

Then I thought, “If only there was documentation available.”

I looked and you are right. When I was last following FileZilla Client in 2008, there was a request to add http URL processing to FileZilla, I was under the mistaken impression that it had, in fact, been added. I just checked the FAQ for FileZilla and found that, in fact, No - this feature had not been added to the system.

My mistake - sorry.

If you are still planning on using FileZilla for the download, you can enable this by modifying the /etc/vsftpd.conf file and setting it up either “per user” or as a default server. Make your root directory (either for the server or per user) to /var/spool/asterisk/monitor/ and set up the rest of the authentication and security features to taste.


(system) closed #15

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.