pure-ftpd [2015/06/01 23:19] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +====== pure-ftpd ======
  
 +  * [[http://www.pureftpd.org/project/pure-ftpd|pure-ftpd]]
 +
 +==== Configuration ====
 +
 +pure-ftpd can be setup with virtual users, that exist outside of the PAM and Unix authentication methods.  They can be linked to system accounts, if desired.
 +
 +First, setup and configure pure-ftpd.
 +
 +Here's the generic list of settings being applied:
 +
 +  * Compatability-mode for broken FTP clients
 +  * No anonymous user login
 +  * Logins only allowed through pure-ftpd user database
 +  * Don't allow chmod of files
 +  * Don't allow reading or writing dot files
 +
 +== Setup user authentication ==
 +
 +
 +<code>
 +ln -s /etc/pure-ftpd/conf/UnixAuthentication /etc/pure-ftpd/auth/65unix
 +ln -s /etc/pure-ftpd/conf/PAMAuthentication /etc/pure-ftpd/auth/70pam
 +ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/75puredb
 +</code>
 +
 +== Setup FTP configuration ==
 +
 +You can see the configuration options in the ''pure-ftpd-wrapper'' man page.
 +
 +<code>
 +cd /etc/pure-ftpd/conf
 +echo clf:/var/log/pure-ftpd/transfer.log > AltLog
 +echo yes > BrokenClientsCompatibility
 +echo yes > ChrootEveryone
 +echo yes > CustomerProof
 +echo yes > DontResolve
 +echo UTF-8 > FSCharset
 +echo 20 > MaxClientsNumber
 +echo 4 > MaxClientsPerIP
 +echo 1000 > MinUID
 +echo yes > NoAnonymous
 +echo yes > NoChmod
 +echo yes > NoTruncate
 +echo no > PAMAuthentication
 +echo 40000 50000 > PassivePortRange
 +echo yes > ProhibitDotFilesRead
 +echo yes > ProhibitDotFilesWrite
 +echo /etc/pure-ftpd/pureftpd.pdb > PureDB
 +echo 0 > TLS
 +echo no > UnixAuthentication
 +</code>
 +
 +== Use only pure-ftpd authentication ==
 +
 +<code>
 +rm /etc/pure-ftpd/auth/{65unix,70pam}
 +ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/75puredb
 +</code>
 +
 +==== TLS Support ====
 +
 +TLS support works in tandem with normal FTP, being optional to use the extra security.
 +
 +pure-ftpd needs a PEM file located at ''/etc/ssl/private/pure-ftpd.pem'' The file must contain the contents of both the private key generated, and the wildcard CRT file.
 +
 +<code>
 +cat /etc/ssl/private/private.key /etc/ssl/private/domain_dot_com.crt > /etc/ssl/private/pure-ftpd.pem
 +</code>
 +
 +Enable optional TLS support:
 +
 +<code>
 +echo 1 > /etc/pure-ftpd/conf/TLS
 +</code>
 +
 +==== FTP Users ====
 +
 +You can create users separate from system accounts so that they each have their own login and password.  You can also create separate or connect the users to system users if you want.
 +
 +Always run ''pure-pw mkdb'' after every user command.
 +
 +== Create an FTP user and bind them to a system account ==
 +
 +<code>
 +pure-pw useradd ftp-steve -u steve -g users -d /home/steve
 +pure-pw mkdb
 +</code>
 +
 +== Delete an FTP user ==
 +
 +<code>
 +pure-pw userdel ftp-steve
 +pure-pw mkdb
 +</code>
 +
 +== Show FTP user details ==
 +
 +<code>
 +pure-pw show ftp-steve
 +</code>
 +
 +=== IPTables ===
 +
 +iptables must have a rule set for a port range for passive ports.
 +
 +<code>
 +iptables -A INPUT -p tcp --match multiport --dports 40000:50000 -j ACCEPT
 +</code>
 +
 +=== Notes ===
 +
 +<code>
 +pure-ftpd
 +
 +- all directives passed to binary as switches
 +- FTP accounts can be distinct from system accounts!!!
 +- Can setup separate FTP user passwords from system account!!
 +- MySQL support
 +- quota support
 +- bandwidth throttling
 +- CLI app to see connections, bandwidth, etc.
 +- restrict access to IP address ranges, or only to it's own virtual host!!
 +- chroot
 +- connection during configured time-ranges
 +- .ftpaccess support
 +- Restrict access to dot files
 +- can disable chmod completely
 +- allows symbolic links, even when chrooted
 +- directory aliases supported
 +- uploads are atomic!!
 +
 +More:
 +RFC conformance is great, but in the real-life, there are a lot of buggy clients. It’s why Pure-FTPd has also workarounds for some versions of popular Windows clients that totally violates the FTP protocol. Pure-FTPd also works with broken home-made clients that don’t properly terminate lines.  So if your current setup works with another FTP server, you can safely move to Pure-FTPd without breaking anything or receiving customers complaints: things will work as before for them, and the migration will be transparent.
 +
 +Firewalling is easy: Pure-FTPd can restrict the port range for passive connections, force the announced IP for masquerading gateways, or disable passive connections to deal with broken port forwarders.
 +
 +
 +
 +/usr/sbin/pure-ftpd -l pam -u 1000 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B
 +
 +
 +-0 (zero) - while uploading a file, don't overwrite it until it's finished uploading
 +-A chroot everyone
 +-B start in background (daemon mode)
 +-E authenticated users only (no anonymous)
 +-l <auth> authentication method
 +-N NAT mode -- use if remote connections can't get a directory listing
 +-O output to file
 +-p <first>:<last> ports in range for passive-mode downloads
 +-R don't let users use chmod (for their own protection)
 +-u <uid> - don't allow users under uid to login
 +-c - max number of sessions
 +-C - max number of connections from one IP address
 +-y - max number of connections with the same user name
 +-Y 1 - Accept standard and encrypted sessions
 +-Z enable options for ISPs to protect users from doing stupid stuff (no chmod)
 +
 +-0 --notruncate
 +-A --chrooteveryone
 +-B --daemonize
 +-E --noanonymous
 +-l --login pam | puredb:/etc/pureftpd.pdb
 +-N --natmode
 +-O --altlog
 +-p --passiveportrange <minport:maxport>
 +-R --nochmod
 +-u --minuid <uid>
 +-c --maxclientsnumber      <number>
 +-C --maxclientsperip       <number>
 +-y --peruserlimits         <per user max>
 +-x  --prohibitdotfileswrite 
 +-X  --prohibitdotfilesread
 +-Y  --tls 1
 +-Z  --customerproof
 +</code>
 +
 +=== OS X ===
 +
 +Finder does not allow anonymous ftp write access.
 +
 +==== Configuration Flags ====
 +
 +  * -0, --notruncate
 +  * -4, --ipv4only
 +  * -A, --chrooteveryone
 +  * -b      --brokenclientscompatibility
 +  * -I      --maxidletime   <opt>
 +  * -M      --anonymouscancreatedirs
 +  * -R      --nochmod
 +  * -x      --prohibitdotfileswrite
 +  * -X      --prohibitdotfilesread
 +  * -Y      --tls   <opt>
 +  * -Z      --customerproof
 +
 +==== Gentoo ====
 +
 +Gentoo configuration for pure-ftpd is located at ''/etc/conf.d/pure-ftpd'' ''IS_CONFIGURED'' must be set to ''yes'', and additional options can be put in ''MISC_OTHER''.
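Review bot: the line ''ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/75puredb'' under "Use only pure-ftpd authentication" repeats the identical line from "Setup user authentication", so on a host where the first block has already been run it fails with "File exists"; either drop the duplicate or use ''ln -sf''. The two blocks also work against each other (the first creates the 65unix and 70pam links, the second removes them, and the configuration block already writes ''no'' to PAMAuthentication and UnixAuthentication), so a single step that creates only 75puredb would be clearer. Two documentation points: the TLS section describes TLS as "optional", and the Notes block's own line "-Y 1 - Accept standard and encrypted sessions" means a client can still log in with cleartext credentials, which is worth stating plainly next to ''echo 1 > /etc/pure-ftpd/conf/TLS''; and the ''cat ... > /etc/ssl/private/pure-ftpd.pem'' step writes the private key into that file, so the text should say the result must be readable only by root (for example ''chmod 600'' on it). Minor: "Compatability-mode" and "it's own virtual host" are typos.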
