I need to allow LAN server FTP or SFTP access to /var/spool/asterisk/monitor to collect recordings.
I have added a user and tried various configurations of /etc/vsftp/vsftp.conf, user_list, etc. and messed with the vsftpd and vsftpd.freepbx in /etc/pam.d, but always wind up with:
> 530 Login incorrect.
> Login failed.
Does anyone have the correct configuration to allow recordings to be collected by FTP or SFTP?
I know this isn't the answer you asked for, but my experience with this is that you can set up the directory in your apache.conf file and share it out (with or without a password) with a little bit of Apache config.
The short answer is to set up a new document root in Apache and add a virtual domain to the setup. You can also use a Redirect directive in the Apache config to redirect "http://LAN.Local/Recordings/" to the right directory. Either way you can add the .htpasswd file you need and go to town.
The system accessing the recordings is a .NET server, so SCP would be a more complex choice for them. ("Them" are the .NET guys.) I could not make SFTP work with a /sbin/nologin shell so we had to give them a bash shell and put them in wheel. Now it works, but the security doesn't make me happy.
I revert my answer then, I believe @cynjut has the best answer here. Give them access to the files via HTTP and see if that works for them. I just can't willingly push anyone to a solution built on FTP/SFTP having seen multiple projects explode around it.
Thanks, Dave. I did offer that option but they already have Filezilla jobs collecting recordings and I am barging into their existing system with a new PBX system, phasing out Avaya. However, we are talking about an NFS or SAMBA solution. We probably will wind up with HTTP anyway.
Their FileZilla solution should easily transition to using http from ftp as the URI. If they are on the same network, setting it up in a subdirectory under the /var/www/html root with a SymLink and allowing symlinks for this would be a simple solution. This also "can" (not recommended, but can) get rid of the username/password requirement. Setting this up is really simple and you already have the web server running on the phone system. Adding SMB shares and FTP access are both "additional" services, so you'll need to manage them on your own.
Setting this up with FTP is doable, and if they're not trained well enough to be able to use the webpage, you can enable FTP and set up a symlink from the FTP root directory to the recordings root, but it's an additional attack vector for the system. There are better ways to do this than with a 40-year-old protocol that had security tacked on at the last minute…
Of course, it looks like there is the confusion of terms SFTP and SCP, but it appears that "SFTP - SSH File Transfer Protocol" in FileZilla actually means SCP.
Correct. They can do SCP with filezilla, but to do so they have to have a login shell and it seems they have to be in wheel, which I do not like. If I take them out of wheel, they get invalid credentials. We will be moving to HTTP.
Am I missing something here? I know how to do redirects, but I don't think Filezilla does HTTP links, and all their automated file collection jobs are Filezilla automation. I do have Filezilla working with SFTP via vsftp now, but they have to have a login shell too. So, like I said, we will be going to HTTP retrieval for simplicity.
I thought to myself, "No, I've used Filezilla to download http:// links before."
Then I thought, "If only there was documentation available."
I looked and you are right. When I was last following FileZilla Client in 2008, there was a request to add http URL processing to FileZilla; I was under the mistaken impression that it had, in fact, been added. I just checked the FAQ for FileZilla and found that, in fact, No - this feature had not been added to the system.
My mistake - sorry.
If you are still planning on using FileZilla for the download, you can enable this by modifying the /etc/vsftpd.conf file and setting it up either "per user" or as a default server. Set your root directory (either for the server or per user) to /var/spool/asterisk/monitor/ and set up the rest of the authentication and security features to taste.
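A sketch of the per-user vsftpd setup described in the last post, added here as an example and not taken from any poster's working system: a download-only account confined to the recordings directory. The account name `recfetch` and the `/etc/vsftpd/user_list` and `/etc/vsftpd/user_conf` paths are assumptions; the account is an ordinary local user outside wheel with read access to the recordings.

```ini
# --- /etc/vsftpd.conf (server-wide settings) ---
# vsftpd does not accept trailing comments or spaces around "=",
# so every comment sits on its own line.

# No anonymous sessions; authenticate local accounts only.
anonymous_enable=NO
local_enable=YES

# The collection jobs only download, so refuse all write commands
# (STOR, DELE, RNFR, MKD, ...).
write_enable=NO

# Allow-list mode: with userlist_deny=NO, only names listed in
# userlist_file can log in. Assumed path; it holds one line: recfetch
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list

# Confine each local user to their FTP root. Recent vsftpd versions
# refuse a chroot directory that the logged-in user can write to, so
# recfetch should have read access only.
chroot_local_user=YES

# Per-user overrides are read from a file named after the login.
# Assumed directory.
user_config_dir=/etc/vsftpd/user_conf

# PAM service used for logins (/etc/pam.d/vsftpd). If that stack
# includes pam_shells, the account's shell must appear in /etc/shells
# or the login is rejected.
pam_service_name=vsftpd

# --- /etc/vsftpd/user_conf/recfetch (per-user override) ---
# FTP root for this account only: the recordings directory.
local_root=/var/spool/asterisk/monitor
```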