mathz.nu Asterisk Blacklist Hobby webbhotell

2009/06/29

pure-ftpd-mysql

Filed under: Server — Mathz @ 21:56

How to install and configure pure-ftpd

This is how to install and configure the pure-ftpd ftp server on your Ubuntu or Debian server or workstation.
First use apt to download and install the pure-ftpd package – it is available from default repositories :

root@box:~# apt-get install pure-ftpd
.
.
.
Setting up pure-ftpd (1.0.21-11ubuntu1) ...
Starting ftp server: Running: /usr/sbin/pure-ftpd -l pam -u 1000 -E -O clf:/var/log/pure-ftpd/transfer.log -B

As the latest line of apt output tells us, the server is already started with some default options passed to the binary via the command line.

The way to configure pure-ftpd is quite different from to other Debian / Ubuntu software. When installed as a service and started during the init process, pure-ftpd is invoked by a script called pure-ftpd-wrapper. What’s unusual is that instead of reading a single configuration file for all options, the script uses a directory full of one-line files. Let’s have a look in /etc/pure-ftpd/conf :

root@box:~# cd /etc/pure-ftpd/conf/
root@box:/etc/pure-ftpd/conf# ls -la
total 24K
-rw-r--r-- 1 root 36 2007-06-22 02:01 AltLog
-rw-r--r-- 1 root 5 2007-06-22 02:01 MinUID
-rw-r--r-- 1 root 4 2007-06-22 02:01 NoAnonymous
-rw-r--r-- 1 root 4 2007-06-22 02:01 PAMAuthentication
-rw-r--r-- 1 root 28 2007-06-22 02:01 PureDB
-rw-r--r-- 1 root 3 2007-06-22 02:01 UnixAuthentication

Each of those files describes a command-line option of the pure-ftpd server. For example, the file AltLog contains the format of, and path to, the tranfer log file :

root@box:/etc/pure-ftpd/conf# cat AltLog
clf:/var/log/pure-ftpd/transfer.log

Let’s now set some of the basic options by editing those one-liners (our server will listen to port 21 on all available interfaces, and will use IP 12.34.56.78 and ports 4500-4600 for passive mode – don’t forget to forward those from your NAT router if you are behind one):

root@box:/etc/pure-ftpd/conf# echo ,21 > Bind
root@box:/etc/pure-ftpd/conf# echo 12.34.56.78 > ForcePassiveIP
root@box:/etc/pure-ftpd/conf# echo 4500 4600 > PassivePortRange

Now for some recommended security stuff :

root@box:/etc/pure-ftpd/conf# echo yes > ChrootEveryone
root@box:/etc/pure-ftpd/conf# echo yes > ProhibitDotFilesRead
root@box:/etc/pure-ftpd/conf# echo yes > ProhibitDotFilesWrite
root@box:/etc/pure-ftpd/conf# echo yes > NoChmod
root@box:/etc/pure-ftpd/conf# echo yes > BrokenClientsCompatibility

Let’s also set some limits to avoid abuse :

root@box:/etc/pure-ftpd/conf# echo 4 > MaxClientsPerIP
root@box:/etc/pure-ftpd/conf# echo 20 > MaxClientsNumber

Now the important thing we need to decide is what user authorization method(s) our server will support. Options include Unix Authentication (anyone with a login account on the server will have ftp access), but I chose PureDB authentication, which involves a dedicated pure-ftpd “virtual users” base.
So let’s disable Unix and PAM auth, set the path to the PureDB user file, and add PureDB as an auth method by linking to it from the /etc/pure-ftpd/auth directory :

root@box:/etc/pure-ftpd/conf# echo no > PAMAuthentication
root@box:/etc/pure-ftpd/conf# echo no > UnixAuthentication
root@box:/etc/pure-ftpd/conf# echo /etc/pure-ftpd/pureftpd.pdb > PureDB
root@box:/etc/pure-ftpd/conf# ln -s /etc/pure-ftpd/conf/PureDB ../auth/50pure

Let’s now create a (system) user and group that will be bound to all ftp virtual users. For security reasons, that special user should have no home directory (-d /bin/null) and no shell access (-s /bin/false) :

root@box:/etc/pure-ftpd/conf# groupadd -g 2001 ftpgroup
root@box:/etc/pure-ftpd/conf# useradd -u 2001 -s /bin/false -d /bin/null -c "pureftpd user" -g ftpgroup ftpuser

We can now use the pure-pw command to add our first virtual user (don’t forget the “pure-pw mkdb” command : it is required to commit/confirm changes to the user file)

root@box:/etc/pure-ftpd/conf# pure-pw useradd myfirstuser -u ftpuser -d /var/ftp/public/
Password:
Enter it again:
root@box:/etc/pure-ftpd/conf# pure-pw mkdb

Let’s add TLS/SSL support and generate a private certificate (you will be asked to provide some information to put in the cert)
root@box:/etc/pure-ftpd/conf# apt-get install openssl
root@box:/etc/pure-ftpd/conf# echo 1 > TLS
root@box:/etc/pure-ftpd/conf# openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Generating a 1024 bit RSA private key
.
.
.
root@box:/etc/pure-ftpd/conf# chmod 600 /etc/ssl/private/pure-ftpd.pem

Let’s finally restart the server with our all-new config :

root@box:/etc/pure-ftpd/conf# /etc/init.d/pure-ftpd restart
Restarting ftp server: Running: /usr/sbin/pure-ftpd -l puredb:/etc/pure-ftpd/pureftpd.pdb -X -b -u 1000 -C 4 -E -S ,21 -x -c 20 -R -A -p 4500:4600 -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -P 12.34.56.78 -B

All done ! Enjoy a simple, robust and secure ftp server.

How to configure pure-ftpd-mysql on ubuntu: http://www.ubuntu-howto.info/howto/how-to-install-and-configure-pure-ftpd

5 Comments »

  1. This internet site just created my week! I had been searching around for details on this. I’m glad now that I ran across this webpage. Woohoo!

    Comment by ANCHORS IN WEBSITE LIST — 2011/02/12 @ 05:31

  2. thanks, and keep up the great work

    Comment by Dulce Lancaster — 2011/02/26 @ 04:17

  3. I like the blog, but could not find how to subscribe to receive the updates by email.

    Comment by Louvenia Nalepka — 2011/02/28 @ 16:43

  4. i think you have a nice page here… today was my first time coming here.. i just happened to discover it performing a google search. anyway, fantastic post.. i’ll be bookmarking this page for certain.

    Comment by Silvia Manzer — 2011/03/01 @ 13:45

  5. Nice post. The information presented here was the greatest I could find all day long, and I have been searching tough on the Web. I think you ought to put this up on a big social bookmarking site, you will find that it spreads like wildfire – Cheers – dave

    Comment by Christin Reefer — 2011/03/02 @ 08:19

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress