

FTPD

VSFTPD

Configuration is in /etc/vsftpd/vsftpd.conf

The PAM configuration is in /etc/pam.d/ftpd. It uses pam_require to limit logins to members of the ftp-users group; vsftpd's pam_service_name (default ftp) has to name this file for it to be consulted.

Feature                            Configuration        Default
chroot users                       chroot_local_user    NO
Passive support                    pasv_enable          YES
Allow chmod                        chmod_enable         YES
Directory listing allowed          dirlist_enable       YES
Enable downloads                   download_enable      YES
Hide user and group information    hide_ids             NO
Allow local users to login         local_enable         NO
Recursive ls support               ls_recurse_enable    NO
tcp_wrappers support               tcp_wrappers         NO
Allow write access                 write_enable         NO
Minimum PASV port                  pasv_min_port        0
Maximum PASV port                  pasv_max_port        0
FTPS
SSL support                        ssl_enable           NO
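As an added example (not code from this page or from the vsftpd project), the following script audits a vsftpd.conf against the settings a private, authenticated server wants: the options from the table above that matter for isolation (chroot_local_user, hide_ids, local_enable, ssl_enable) plus anonymous_enable, which the table omits but which vsftpd defaults to YES, and a non-zero PASV range so that a firewall can be opened for just those ports. The sample configuration is constructed here, and the target values are an assumption about this kind of deployment, not vsftpd's own recommendation.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against hardened values derived from the
# table above. Not part of vsftpd or of the original setup on this page.

# key, vsftpd default, wanted value. anonymous_enable is not in the table, but
# its daemon default is YES, so leaving it unset silently allows anonymous login.
VSFTPD_TARGETS='chroot_local_user NO YES
hide_ids NO YES
local_enable NO YES
anonymous_enable YES NO
ssl_enable NO YES'

# vsftpd_get FILE KEY: effective value of KEY (last uncommented assignment
# wins), uppercased and trimmed; prints nothing when the key is unset.
vsftpd_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { v = $2 }
        END              { if (v != "") print toupper(v) }' "$1" | tr -d ' \t\r'
}

# vsftpd_audit FILE: print "key wanted actual" for every deviation; exit
# status 0 only when the file needs no changes.
vsftpd_audit() {
    conf="$1"
    findings=$(
        printf '%s\n' "$VSFTPD_TARGETS" | while read -r key dflt wanted; do
            actual=$(vsftpd_get "$conf" "$key")
            if [ -z "$actual" ]; then actual="$dflt"; fi
            if [ "$actual" != "$wanted" ]; then echo "$key $wanted $actual"; fi
        done
        # A PASV range of 0 (the default) means any high port; a fixed range
        # is what lets a firewall admit only the FTP data ports.
        pasv=$(vsftpd_get "$conf" pasv_enable)
        min=$(vsftpd_get "$conf" pasv_min_port)
        if [ "${pasv:-YES}" = YES ] && [ "${min:-0}" = 0 ]; then
            echo "pasv_min_port nonzero ${min:-0}"
        fi
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample vsftpd.conf for the audit; not a real deployment.
SAMPLE_VSFTPD_CONF=$(mktemp)
cat > "$SAMPLE_VSFTPD_CONF" <<'EOF'
# constructed sample
listen=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES
hide_ids=NO
ssl_enable=YES
pasv_enable=YES
pasv_min_port=0
pasv_max_port=0
EOF

# Expected findings: hide_ids, anonymous_enable (unset, so default YES), PASV range.
if ! vsftpd_audit "$SAMPLE_VSFTPD_CONF"; then echo "fix the settings listed above"; fi
```

Each finding line reads key, wanted value, actual value, so the output can be pasted back into the config after changing the last column to the middle one.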

Pure-FTPD

Pure-FTPD is set up to accept SSL/TLS connections if the client requests them (-Y 1 in the table below). It also uses the digitaltrike.com wildcard SSL certificate.

Configuration is located at /etc/conf.d/pure-ftpd

Feature                                       Configuration
Chroot everyone, but root                     -A
Compatibility hacks                           -b
Daemonize                                     -B
Max # of clients                              -c #
Max # connections per IP                      -C #
Anonymous connections only                    -e
Authenticated users only                      -E
Don't resolve host names                      -H
PAM authentication                            -l pam
Disallow chmod                                -R
Disallow reading/writing to dotfiles          -X
Miscellaneous safeguards                      -Z
Active / Passive Modes
NAT mode (force active mode)                  -N
Passive mode port range                       -p first:last
IP address to reply to PASV/EPSV/SPSV         -P ip address or host
FTPS
Disable SSL/TLS (default)                     -Y 0
Accept normal and SSL/TLS sessions            -Y 1
Require SSL/TLS to connect                    -Y 2
Require SSL/TLS for everything                -Y 3
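An added example, not Pure-FTPD's own option validation: a shell function that reads a Pure-FTPD flag set with getopts and reports combinations that cancel each other out or cannot work, going by the meanings in the table above (-e against -E, -N against -p/-P, -C larger than -c, -Y above 0 without a readable certificate, a malformed -p range). The conflict rules, the PURE_FTPD_CERT variable and the example flag sets are the editor's assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a Pure-FTPD flag set before it goes into
# /etc/conf.d/pure-ftpd. The rules below come from reading the flag table
# above; they are not Pure-FTPD's own option validation.

# Certificate Pure-FTPD reads when -Y is 1, 2 or 3 (overridable for tests).
: "${PURE_FTPD_CERT:=/etc/ssl/private/pure-ftpd.pem}"

# pure_ftpd_check_flags FLAG...: print one line per contradictory or
# unusable combination; exit status 0 means the flags are consistent.
pure_ftpd_check_flags() {
    OPTIND=1
    anon_only='' auth_only='' nat='' pasv_range='' pasv_ip='' tls=0
    max_clients='' max_per_ip=''
    while getopts 'AbBc:C:eEHl:RXZNp:P:Y:' opt; do
        case "$opt" in
            e) anon_only=1 ;;
            E) auth_only=1 ;;
            N) nat=1 ;;
            p) pasv_range=$OPTARG ;;
            P) pasv_ip=$OPTARG ;;
            Y) tls=$OPTARG ;;
            c) max_clients=$OPTARG ;;
            C) max_per_ip=$OPTARG ;;
            *) ;;   # the remaining table flags need no cross-checking
        esac
    done
    problems=0
    if [ -n "$anon_only" ] && [ -n "$auth_only" ]; then
        echo "-e (anonymous only) and -E (authenticated only) exclude each other"
        problems=$((problems + 1))
    fi
    if [ -n "$nat" ] && { [ -n "$pasv_range" ] || [ -n "$pasv_ip" ]; }; then
        echo "-N forces active mode, so the -p/-P passive settings are never used"
        problems=$((problems + 1))
    fi
    if [ -n "$max_clients" ] && [ -n "$max_per_ip" ] &&
       [ "$max_per_ip" -gt "$max_clients" ]; then
        echo "-C $max_per_ip per IP exceeds the -c $max_clients total"
        problems=$((problems + 1))
    fi
    if [ "$tls" -gt 0 ] && [ ! -r "$PURE_FTPD_CERT" ]; then
        echo "-Y $tls needs a readable certificate at $PURE_FTPD_CERT"
        problems=$((problems + 1))
    fi
    case "$pasv_range" in
        ''|[0-9]*:[0-9]*) ;;
        *) echo "-p expects first:last, got '$pasv_range'"
           problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# Demo: the flag set this page describes (chroot, authenticated users via PAM,
# no chmod or dotfile access, fixed passive range behind NAT) passes;
# a muddled set does not. 203.0.113.10 is a documentation address.
if pure_ftpd_check_flags -A -E -l pam -R -X -Z -p 40000:40100 -P 203.0.113.10; then
    echo "flags consistent"
fi
if ! pure_ftpd_check_flags -e -E -N -p 40000:40100 -c 10 -C 20; then
    echo "fix the flags above"
fi
```

Run it against the exact argument string from /etc/conf.d/pure-ftpd before restarting the daemon; a flag set that passes here can still be rejected by Pure-FTPD itself, so this is a pre-check, not a replacement for reading the daemon's log.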

SSL

By default, Pure-FTPD looks for an SSL certificate at /etc/ssl/private/pure-ftpd.pem

The format of the file is:

-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: from_cert_provider.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: from_cert_provider.crt)
-----END CERTIFICATE-----

To create a self-signed certificate (clients will have to accept it by hand, since no CA vouches for it), you can use the following commands:

mkdir -p /etc/ssl/private

# 2048-bit key: 1024-bit RSA is no longer considered adequate. -nodes leaves
# the key unencrypted so the daemon can read it at startup without a
# passphrase; -keyout and -out name the same file so the key and the
# certificate land in the single file Pure-FTPD expects; -days sets the
# validity (the default is only 30 days).
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -sha256 \
  -keyout /etc/ssl/private/pure-ftpd.pem \
  -out /etc/ssl/private/pure-ftpd.pem

chmod 600 /etc/ssl/private/*.pem
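An added example (not from Pure-FTPD or from the page) that checks a certificate file against the layout shown above before the daemon is restarted: the private key must be the first block, only CERTIFICATE blocks may follow it, every BEGIN must be closed by a matching END, and the file mode must be 0600 because the key shares the file. The two sample bundles are constructed with placeholder bodies, and pem_bundle_check is a name chosen here.

```shell
#!/bin/sh
# Added example: check that a Pure-FTPD certificate file has the layout shown
# above (private key first, then the server certificate and its chain) and is
# not readable by other users. Not part of Pure-FTPD or of the original page.

# pem_bundle_check FILE: print one line per problem; exit status 0 when the
# file is usable as /etc/ssl/private/pure-ftpd.pem.
pem_bundle_check() {
    f="$1"
    problems=0
    # The key lives in the same file as the certificates, so anything looser
    # than 0600 exposes it. ls is used because stat(1) flags differ between
    # GNU and BSD.
    case "$(ls -ld "$f")" in
        -rw-------*) ;;
        *) echo "$f: mode is not 0600, private key readable by others"
           problems=1 ;;
    esac
    # Walk the BEGIN/END markers: every block must be closed by a matching END,
    # block 1 must be a private key, and every later block a certificate.
    awk '
        /^-----BEGIN .*-----$/ {
            t = $0; sub(/^-----BEGIN /, "", t); sub(/-----$/, "", t)
            if (open != "") { print "block " n " (" open ") never closed"; bad++ }
            blk[++n] = t; open = t; next
        }
        /^-----END .*-----$/ {
            t = $0; sub(/^-----END /, "", t); sub(/-----$/, "", t)
            if (t != open) { print "END " t " does not match BEGIN " open; bad++ }
            open = ""; next
        }
        END {
            if (open != "") { print "block " n " (" open ") never closed"; bad++ }
            if (n == 0) { print "no PEM blocks found"; bad++ }
            else {
                if (blk[1] !~ /PRIVATE KEY$/) {
                    print "block 1 is " blk[1] "; the private key must come first"; bad++
                }
                if (n < 2) { print "no certificate follows the key"; bad++ }
                for (i = 2; i <= n; i++)
                    if (blk[i] != "CERTIFICATE") {
                        print "block " i " is " blk[i] "; only certificates may follow the key"; bad++
                    }
            }
            exit (bad > 0)
        }' "$f" || problems=1
    [ "$problems" -eq 0 ]
}

# Constructed sample bundles: the base64 bodies are placeholders, not real key
# or certificate material, so the check only exercises the layout rules.
GOOD_BUNDLE=$(mktemp)
BAD_BUNDLE=$(mktemp)
cat > "$GOOD_BUNDLE" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholderkeybodyplaceholderkeybody
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJplaceholderservercertificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJplaceholderintermediatecert
-----END CERTIFICATE-----
EOF
chmod 600 "$GOOD_BUNDLE"
# Same blocks in the wrong order, with the key left world-readable.
cat > "$BAD_BUNDLE" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJplaceholderservercertificate
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholderkeybodyplaceholderkeybody
-----END RSA PRIVATE KEY-----
EOF
chmod 644 "$BAD_BUNDLE"

for b in "$GOOD_BUNDLE" "$BAD_BUNDLE"; do
    if pem_bundle_check "$b"; then echo "$b: ok"; fi
done
```

The check deliberately ignores the contents of each block; `openssl x509 -in FILE -noout -dates` and `openssl rsa -in FILE -check -noout` remain the tools for confirming that the certificate is current and the key actually parses.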

Notes

Sometimes Pure-FTPD will not stop with the init script, so the process has to be killed by hand.

Important: an FTP server does not run in either active or passive mode. The client chooses per data connection (PORT/EPRT for active, PASV/EPSV for passive) and the server answers both unless told not to. Pure-FTPD's -N (NAT mode) is what forces active mode, and the -p/-P settings only come into play for passive transfers.

Client Support

  • Add a user to ftp-users
  • Users are chroot'ed to their home directory
  • For Filezilla, use FTPES - FTP over explicit TLS/SSL
  • For Cyberduck, use FTPS. Pure-FTPD's -Y enables explicit TLS (AUTH TLS on the normal port 21), so pick the explicit variant in any client rather than implicit FTPS on port 990.
  • When testing, connect from a public network rather than from inside the server's LAN: the address in the PASV reply is the server's own internal IP unless -P overrides it with the public one, and either address is only reachable from one side of the NAT, so passive data connections opened from the wrong side fail.

Notes

FTPD is simple to secure with SSL and to lock down with chroots.

Filezilla is buggy, plain and simple. I've read a lot of forum posts where users have tweaked their setups to work with it, and Filezilla still does not work properly. The developer usually cites firewall or SSL issues as the reasons.

Your best bet for providing support is to disable PASV transfer support in the server. Be aware of the trade-off: without passive mode every client has to accept an inbound data connection from the server, which fails for clients behind NAT or a stateful firewall without an FTP helper, so this swaps one set of failing clients for another.