Pure-FTPd
Pure-FTPd is an FTP server designed with security in mind.
Installation
Configuration
Pure-FTPd configuration is completely done with its startup arguments.
There is a wrapper script, which reads /etc/pure-ftpd/pure-ftpd.conf. It then starts Pure-FTPd with the corresponding arguments.
Set up virtual users
With Pure-FTPd, it is possible to use virtual users instead of real system users.
The available users need to be provided by one or more backends. See backends.
For simplicity and demonstration purposes, the PureDB backend will be used. Uncomment the following two lines:
Now only authenticated users can connect. To add users to the PureDB we need to create a /etc/passwd-like file which is then used to create the PureDB.
To create, view, or modify the /etc/pureftpd.passwd file, we use the pure-pw command.
This creates the user someuser which runs as the FTP system user. By default, the user is chrooted to /srv/ftp. In the event that that’s undesirable, replace -d with -D.
The virtual users running as the FTP system users cannot log in by default. To change that behavior, set the option MinUID in /etc/pure-ftpd.conf to 14 (UID of the ftp user).
We also need to list the shell of the FTP system user in /etc/shells.
Before this account is usable, we need to commit our changes:
The virtual user can now access everything in /srv/ftp.
The command pure-pw mkdb creates the file mentioned earlier called /etc/pureftpd.pdb, which houses all information related to your virtual users. There is no need to restart your service when issuing this command as it is updated on the fly and changes take effect immediately.
Changing user password
For example, to change a user’s password, type the command:
Afterwards, commit your changes by updating /etc/pureftpd.pdb:
Removing user
To remove a user, type the command:
The user’s home directory is not removed via this command; therefore, it must be removed manually.
Checking user settings
To check a user’s current account settings, type the command:
Backends
You need to specify one or more backends. If you specify more than one, Pure-FTPd will respect the order in which they are specified. It will use the first backend which contains the requested user.
Available backends are:
Set up TLS
Create a certificate
Refer to the documentation for more information. The short version is this:
Techexistence
A small cookbook
January 25, 2013
Installing and configuring Pure-FTPD (Pure FTP)
Here I describe in detail how to install the Pure-FTPD FTP server and will help you avoid the problems I ran into myself, whether because of my still-shaky friendship with Linux or because of non-obvious, undocumented nuances of installation and configuration.
Install the regular version (there is also a mysql one):
apt-get install pure-ftpd-common pure-ftpd
It is important to note that after installation the service starts automatically with default parameters. To stop, start or restart it:
/etc/init.d/pure-ftpd stop
/etc/init.d/pure-ftpd start
or
/etc/init.d/pure-ftpd restart
Next we have to create an FTP user group and a user in that group, under which all FTP users will run as virtual users (no need to multiply real users on the system, which is convenient):
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
Now a virtual user can be added:
pure-pw useradd remote -u ftpuser -g ftpgroup -d /home/pubftp/remote -N 10
Here remote is the user name for FTP access, and /home/pubftp/remote is the personal directory the user will work with. -N 10 sets a quota of 10 MB (a limit on disk space usage). This directory does not need to be created manually, since it will appear automatically (the parameter is set during configuration, more on that a little later) on the first connection and data exchange with the server.
Also, after the first run of this command, a file is created that will store the users' access data.
List of existing users:
pure-pw list
Detailed information about a user:
pure-pw show remote
Deleting a user; it may come in handy someday, but not now:
pure-pw userdel remote
How to Set Up a Secure FTP Server with Pure-FTPd on Ubuntu
Pure-FTPd is a free open-source FTP server designed with security in mind. In this tutorial, we are going to take a look at how to set up a secure FTP server on Ubuntu server with Pure-FTPd and how to enforce TLS encryption.
Note: This tutorial works on all current Ubuntu releases, including Ubuntu 20.04, 18.04, and 21.04.
Pure-FTPd Features:
- It supports SSL/TLS encryption and thus passwords and commands can be protected.
- It can run on most Unix-like systems: Linux, BSDs, Solaris, Darwin, HPUX, AIX, and even iPhone.
- Available in 21 languages.
- Allows you to monitor active sessions.
- Supports a virtual quota system.
- And much more
For a complete list of features, please go to Pure-FTPd official website.
Step 1: Install Pure-FTPd on Ubuntu Server
It’s in the software repository, so issue the following command to install the FTP server.
Once installed, Pure-FTPd will be automatically started, as can be seen with this command:
preset: enabled indicates it will auto-start at system boot time. If it’s not running, start it with:
And it’s listening on TCP port 21, which is the control port, as can be seen with:
Anonymous access is disabled by default. From now on you can use your system account to log in, but plain-text FTP is insecure and strongly discouraged. To have a secure FTP server, we need to encrypt communication with TLS.
Step 2: Enforce TLS Encryption
To enable both plain-text and TLS encryption, run the following command, which creates the /etc/pure-ftpd/conf/TLS file and puts the number 1 into the file.
But it’s recommended to disable plain-text and use TLS encryption only, so put the number 2 into the file instead.
Now that we have enforced TLS, we need to obtain a valid TLS certificate. A self-signed certificate is not recommended because users will see a warning like the screenshot below.
Step 3: Obtain a Trusted TLS Certificate from Let’s Encrypt
Run the following command to install Let’s Encrypt client (certbot) from the default Ubuntu repository.
I recommend using the standalone or webroot plugin to obtain TLS certificate for Pure-FTPd.
Standalone Plugin
If there’s no web server running on your Ubuntu server, you can use the standalone plugin. Run the following command. Don’t forget to set DNS A record for your sub-domain.
- certonly : Obtain a certificate but don’t install it.
- --standalone : Use the standalone plugin to obtain a certificate.
- --preferred-challenges http : Perform http-01 challenge to validate our domain, which will use port 80.
- --agree-tos : Agree to Let’s Encrypt terms of service.
- --email : Email address is used for account registration and recovery.
- -d : Specify your domain name.
As you can see from the following screenshot, I successfully obtained the certificate.
Using webroot Plugin
If your Ubuntu server has a web server, then it’s a good idea to use the webroot plugin to obtain a certificate because the webroot plugin works with pretty much every web server and we don’t need to install the certificate in the web server.
First, you need to create a virtual host for ftp.example.com.
Apache
If you are using Apache, then
And paste the following lines into the file.
Save and close the file. Then create the web root directory.
Set www-data (Apache user) as the owner of the web root.
Enable this virtual host.
Reload Apache for the changes to take effect.
Once the virtual host is created and enabled, run the following command to obtain a Let’s Encrypt certificate using the webroot plugin.
Nginx
If you are using Nginx, then
Paste the following lines into the file.
Save and close the file. Then create the web root directory.
Set www-data (Nginx user) as the owner of the web root.
Reload Nginx for the changes to take effect.
Once the virtual host is created and enabled, run the following command to obtain a Let’s Encrypt certificate using the webroot plugin.
Step 4: Install the Certificate
Pure-FTPd requires that the certificate and private key are combined into one file named pure-ftpd.pem and stored under the /etc/ssl/private/ directory.
Change to the /etc/letsencrypt/live/ftp.example.com/ directory.
You can use the cat command to combine two files into one like below.
Make sure only the root user can read the file.
We need to generate the Diffie-Hellman parameter with:
If your server has a single CPU core, then this is going to take a long time (about 10 minutes).
Once that’s done, restart Pure-FTPd.
Check the status to see if it’s running.
Now you can connect to your FTP server over TLS.
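A check for the end state of Steps 2 and 4, as an added example that is not part of the original tutorial: it confirms that /etc/pure-ftpd/conf/TLS selects TLS-only mode and that pure-ftpd.pem holds both a certificate and a private key and is closed to group and others. The function names are hypothetical, and treating the value 3 as TLS-only comes from Pure-FTPd's own documentation rather than this page.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the Pure-FTPd TLS setup.
# Function names are hypothetical; default paths are the ones the page names.

# Print the meaning of the value stored in the TLS option file.
tls_mode() {
    [ -r "$1" ] || { echo unset; return 0; }
    case "$(tr -d '[:space:]' < "$1")" in
        1) echo plaintext-and-tls ;;   # plain-text and TLS both accepted
        2|3) echo tls-only ;;          # 3 is from Pure-FTPd's docs, not this page
        *) echo unrecognized ;;
    esac
}

# Succeed only if the file holds a certificate AND a private key block.
pem_has_cert_and_key() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# Succeed only if group and others have no permission bits on the file.
pem_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Print one line per finding; the return status is the number of failures.
audit_pureftpd_tls() {
    tls_file=${1:-/etc/pure-ftpd/conf/TLS}
    pem_file=${2:-/etc/ssl/private/pure-ftpd.pem}
    fails=0
    mode=$(tls_mode "$tls_file")
    if [ "$mode" != tls-only ]; then
        echo "FAIL: $tls_file is '$mode'; the tutorial recommends 2 (TLS only)"
        fails=$((fails + 1))
    fi
    if ! pem_has_cert_and_key "$pem_file"; then
        echo "FAIL: $pem_file lacks a certificate or a private key block"
        fails=$((fails + 1))
    fi
    if ! pem_is_private "$pem_file"; then
        echo "FAIL: $pem_file is accessible to group or others"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ] && echo "OK: TLS-only mode, combined PEM present and private"
    return "$fails"
}
```

Source the file and run audit_pureftpd_tls as root, since /etc/ssl/private/ is not readable by ordinary users.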
If you use the Nautilus file manager to connect to the FTP server via the plain-text ftp:// protocol, the connection will be refused.
Instead of ftp://, you must use ftps://.
By default, FTP users will be brought to the / root directory on the server.
Please note that FileZilla doesn’t trust any certificate (self-signed or CA-signed) by default. Users must choose to trust the certificate for themselves.
And you need to use the FTP explicit TLS protocol ( ftpes://ftp.example.com ) in FileZilla.
Auto-Renew TLS Certificate
You can create a cron job to automatically renew the TLS certificate. Simply open the root user’s crontab file.
Add the following line at the bottom of the file.
It’s necessary to reload pure-ftpd to make it pick up the new certificate and private key.
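One way to handle the renewal step, as an added example that is not the tutorial's cron line: a script for certbot's --deploy-hook that rebuilds the combined file from the renewed fullchain.pem and privkey.pem and then restarts Pure-FTPd. build_combined_pem is a hypothetical name; the output path is the one from Step 4.

```shell
#!/bin/sh
# Added example (not from the tutorial): certbot deploy hook that rebuilds
# Pure-FTPd's combined PEM after a renewal. build_combined_pem is hypothetical.

# build_combined_pem LIVE_DIR OUT_FILE
# Concatenate certificate chain and private key into OUT_FILE. The data is
# written to a private temp file first and renamed into place, so the server
# never sees a half-written or world-readable key file.
build_combined_pem() {
    live_dir=$1
    out=$2
    if [ ! -s "$live_dir/fullchain.pem" ] || [ ! -s "$live_dir/privkey.pem" ]; then
        echo "missing fullchain.pem or privkey.pem in $live_dir" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077                                   # temp file: owner-only access
    tmp=$(mktemp "$out.XXXXXX") || { umask "$old_umask"; return 1; }
    if cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp" &&
       mv -f "$tmp" "$out"; then
        rc=0
    else
        rm -f "$tmp"                            # leave the old PEM untouched
        rc=1
    fi
    umask "$old_umask"
    return "$rc"
}

# certbot exports RENEWED_LINEAGE (the live/<domain> directory) to deploy
# hooks; when the script is run by hand the variable is unset and nothing runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_combined_pem "$RENEWED_LINEAGE" /etc/ssl/private/pure-ftpd.pem &&
        systemctl restart pure-ftpd
fi
```

Pass the script's path to certbot renew with --deploy-hook; certbot runs the hook only for certificates that were actually renewed.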
Wrapping Up
I hope this tutorial helped you set up a secure FTP server with Pure-FTPd on Ubuntu.
7 Responses to “How to Set Up a Secure FTP Server with Pure-FTPd on Ubuntu”
What port should I open in firewall?
You should open port 20 and 21. For example, use UFW.
Ports 20 and 21 are used for when FTP is in the active mode. Some clients behind firewalls out of their own reach, however, will find they need passive mode, and then you need to open just port 21/tcp and a range of ports on the high end, to get FTP working. But you would need to tell pure-ftpd about it like so:
This writes a port range 55521-55522 into the file PassivePortRange, in our example pure-ftpd would have two ports to connect two times to (a) client(s) at max. If you want to have more connections, just add some more ports to the range. like write “55521 55530” if you want to have 10 ports, which pure-ftpd will then be able to choose randomly for sessions.
Hope that helps someone.
h08
then restart the service
Make sure you open the ports you gave pure-ftpd for passive connections in your firewall, like Xiao Guo An explained above.
Hi Xiao, do you have a tutorial for setting up FTP server on Ubuntu 18.04 or Debian 10?
best regards,
Wesley Santos
This tutorial works on all current Ubuntu releases. It might also work on Debian 10 without changing anything in the commands.
The tutorial helps a lot, unfortunately, I am struggling with getting a valid certificate from Letsencrypt. I am using the Nginx-stack and receive the following error when requesting a certificate:
I have set up a valid DNS-A record and it is up and running (I replaced the original domain with mydomain.com for this comment)
http-01 challenge for sftp.mydomain.com
Using the webroot path /var/www/Pure-FTPd for all unmatched domains.
Waiting for verification…
Challenge failed for domain sftp.mydomain.com
http-01 challenge for sftp.mydomain.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
– The following errors were reported by the server:
Domain: sftp.mydomain.com
Type: unauthorized
Detail: Invalid response from
https://sftp.mydomain.com/.well-known/acme-challenge/eQwg9ieTsV-4uCuStdRYXXXXXXXXXNy64AlqopMMlY0
[XX.XXX.XXX.XX]: “\r\n 404 Not
Found \r\n\r\n
404 Not
Found
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
How can I proceed in this case? I guess the issue stems somehow from the fact that I am using the same server for an Iredmail mailserver and so I guess port 80 is already used by the mail application (though it is using another domain name) and cannot be used again. I hardly ever use Nginx for I tend to use Apache normally, so I am really struggling here at the moment. Any help is highly appreciated.