
How to access Plesk Backup (Server Repository) via FTP Client

Status
Not open for further replies.

toby07801

New Pleskian
I host a number of large sites (20GB+) on my VPS server running Centos6 and Plesk Panel 12. Due to the large sites I don't want to keep multiple backups on the actual server because it would take too much disk space. When I create a backup to the server's repository all is good, but when I click the green arrow to download the backup it takes a long time and then it fails with a timeout error. On some smaller sites it takes a while but eventually downloads the tar.

So my question: Is it possible to access the Server Repository via FTP? How and where would I set this up? Presumably it would be a better way to download these large archive files?
 
I prefer using SFTP clients and connecting to the servers over additional users chrooted to the Server-Backup-Repository defined in "/etc/psa/psa.conf". I suggest using a client with sync options, so you don't really have to click around a lot. :)
 
Thanks for your reply.

I've managed to connect by creating a new user in the Centos User Manager and setting its home directory to be /var/lib/pas/dumps/ which is where Plesk Panel stores the client backup dumps. I can connect with that FTP account and see the files that are stored there but when I try to download any of them I get a permissions denied error in Filezilla.

Please could you take me through this step by step in a little more detail? I'm still very new to this system and not fully confident in setting everything up.

When creating a new user for this purpose it asked me to define a Primary Group and a Login Shell, which are currently set to "psaftp" and "/sbin/nologin" but there are many other options. What is the significance of this and what options should I set here, bearing in mind I just want the user to have full FTP access to that directory and all of its subdirectories and nothing else?

Your help would be much appreciated!
 
Hi toby,

If you are unsure which permissions you should have to fully access folders and files (with write and read permissions), you would choose the command "ls -l /folder". In your case you would like to know the permissions from "/etc/var/psa", to see the permissions of "dumps". Afterwards you add this group to the newly created user.

Additional notes:
Because files and folders inside of "/var/lib/psa/dumps/" are created with root:root permissions, you could consider adding the group root as well to that special user, but please make sure that the password has a good strength and will be changed frequently, is not a common name, and that your SFTP client uses only secure connections while connecting to your server. To avoid that the user reaches any other folders on your server, edit the file "/etc/passwd" and change the chroot directory of that user to: USERNAME:x:XXXX:XXXX::/var/lib/psa/dumps:/bin/false (this is an example, so XXXX are placeholders and should not be changed in the /etc/passwd file!).
 
Thank you so much! I followed your instructions and added "root" to the user's groups and I am now able to download these files without problems!

I've also edited /etc/passwd as per your instructions and changed that user's end of the line to USERNAME:x:XXXX:XXXX::/var/lib/psa/dumps:/bin/false.
The only question that remains is: If that actually did what you intended to do, (i.e. prevent this user accessing anything else) should I still be able to see the folders outside of dumps? Because that is what is happening. Filezilla still lets me navigate the entire server tree all the way up to /.
 
Well, the group root has more privileges than any other group... so no... the user might navigate all over the system if he is in this group. If you want to be sure that the user is not at all able to navigate outside, you have to modify the files and folders as well to his permissions and remove the group psaadm and root again, but this might cause problems in the Plesk Panel, and it might also cause Plesk failures in case of restores and stuff...

Another way would be to copy the Plesk folder "dumps" to another path (i.e. the home directory "/home/USERNAME" - and you might do this with a crontab job and the command "rsync -r") and change the permissions afterwards to the user's permissions with the same crontab, but I don't know if you have enough space on your hdd to do that.

You should ask yourself WHO has access to the SFTP account. If it is only you, or you and the system admins, there is no security issue with the first suggestion. But if non-admins have access to this SFTP user, you should consider suggestion no. 2.
 
Makes sense! Thank you! It would be only myself so I guess I don't need to freak out too much. It would only be of concern if someone managed to get hold of the user details.

The bit I've had trouble with is to connect with SFTP as you suggested. Plain FTP connection works but when I change the mode in Filezilla to SFTP I received these responses:

Status: Connecting to xxx.xxx.xxx.xxx
Response: fzSftp started
Command: open "[email protected]" 22
Command: Pass: ******************
Status: Connected to xxx.xxx.xxx.xxx
Error: Connection closed by server with exitcode 1
Error: Could not connect to server

Do I need to make changes server-side to allow SFTP?
 
Oh... I forgot...sorry ^^

The setting "bin/false" doesn't allow FTP over ssh... so you have to modify the line to "/bin/bash", "bin/sh" or similar accepted environments on your server.

The correct entry with SFTP access would then be for example:

USERNAME:x:XXXX:XXXX::/var/lib/psa/dumps:/bin/bash
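
An added example, not part of the original thread: a shell check that reads passwd and group files and reports the two conditions the replies above trade off for a backup-download account, membership of the gid 0 group and an interactive login shell. The account names `backupdl` and `mirror` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# audit_account USER [PASSWD_FILE] [GROUP_FILE]
# Returns 0 = no findings, 1 = findings, 2 = user not found.
audit_account() {
    user=$1; passwd=${2:-/etc/passwd}; group=${3:-/etc/group}
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
    [ -n "$entry" ] || { echo "NOTFOUND: $user"; return 2; }
    pgid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    findings=0
    # Primary gid 0, or listed as a member of the gid 0 group: the account
    # can read every file that is group-readable by root, not only the dumps.
    if [ "$pgid" = "0" ] || awk -F: -v u="$user" '
        $3 == 0 { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$group"; then
        echo "ROOT_GROUP: $user is a member of the gid 0 group"
        findings=1
    fi
    # Any shell other than nologin/false gives a full SSH login, not just file transfer.
    case "$shell" in
        */nologin|*/false) ;;
        *) echo "SHELL: $user has login shell $shell"; findings=1 ;;
    esac
    # The passwd home field is only where the session starts; confinement
    # comes from the FTP/SSH daemon's own chroot setting, not from this field.
    echo "HOME: $user starts in $home"
    return $findings
}

# Constructed sample data (hypothetical accounts, not from a real server).
make_sample() {
    printf '%s\n' 'backupdl:x:1005:1003::/var/lib/psa/dumps:/bin/bash' \
                  'mirror:x:1006:1006::/home/mirror:/bin/false' > "$1/passwd"
    printf '%s\n' 'root:x:0:backupdl' 'psaftp:x:1003:' 'mirror:x:1006:' > "$1/group"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_account backupdl "$demo/passwd" "$demo/group"   # both findings reported
audit_account mirror "$demo/passwd" "$demo/group"     # no findings
rm -rf "$demo"
```

Run without the file arguments, the function reads the live `/etc/passwd` and `/etc/group`.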
 