pure-ftpd

Configuration

pure-ftpd can be set up with virtual users that exist outside of the PAM and Unix authentication methods. They can be linked to system accounts if desired.

First, set up and configure pure-ftpd.

Here's the generic list of settings being applied:

  • Compatibility mode for broken FTP clients
  • No anonymous user login
  • Logins only allowed through pure-ftpd user database
  • Don't allow chmod of files
  • Don't allow reading or writing dot files

Set up user authentication

ln -s /etc/pure-ftpd/conf/UnixAuthentication /etc/pure-ftpd/auth/65unix
ln -s /etc/pure-ftpd/conf/PAMAuthentication /etc/pure-ftpd/auth/70pam
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/75puredb

Set up FTP configuration

You can see the configuration options in the pure-ftpd-wrapper man page.

cd /etc/pure-ftpd/conf
echo clf:/var/log/pure-ftpd/transfer.log > AltLog
echo yes > BrokenClientsCompatibility
echo yes > ChrootEveryone
echo yes > CustomerProof
echo yes > DontResolve
echo UTF-8 > FSCharset
echo 20 > MaxClientsNumber
echo 4 > MaxClientsPerIP
echo 1000 > MinUID
echo yes > NoAnonymous
echo yes > NoChmod
echo yes > NoTruncate
echo no > PAMAuthentication
echo 40000 50000 > PassivePortRange
echo yes > ProhibitDotFilesRead
echo yes > ProhibitDotFilesWrite
echo /etc/pure-ftpd/pureftpd.pdb > PureDB
echo 0 > TLS
echo no > UnixAuthentication

Use only pure-ftpd authentication

rm /etc/pure-ftpd/auth/{65unix,70pam}
ln -sf /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/75puredb
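
To confirm that the directory ends up in the state described above, the following shell function compares each conf file with the value written by the echo commands and reports any auth link other than 75puredb. It is an added example, not part of pure-ftpd or of the original page; the function name audit_pureftpd_conf and its base-directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a pure-ftpd-wrapper directory against the settings on this page.
# audit_pureftpd_conf is an illustrative name, not a pure-ftpd tool.
# Usage: audit_pureftpd_conf /etc/pure-ftpd   (returns 0 if everything matches)

audit_pureftpd_conf() {
    base=${1:-/etc/pure-ftpd}
    fail=0
    # Expected File=value pairs, taken from the echo commands on this page.
    for pair in ChrootEveryone=yes CustomerProof=yes NoAnonymous=yes NoChmod=yes \
                NoTruncate=yes ProhibitDotFilesRead=yes ProhibitDotFilesWrite=yes \
                PAMAuthentication=no UnixAuthentication=no MinUID=1000; do
        name=${pair%%=*}
        want=${pair#*=}
        if [ ! -f "$base/conf/$name" ]; then
            echo "MISSING  $name (expected $want)"; fail=1; continue
        fi
        # Ignore surrounding whitespace and the trailing newline left by echo.
        got=$(tr -d ' \t\r\n' < "$base/conf/$name")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name: got '$got', expected '$want'"; fail=1
        fi
    done
    # Only the PureDB link may remain in auth/ once system logins are disabled.
    for link in "$base"/auth/*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        case ${link##*/} in
            75puredb) ;;
            *) echo "EXTRA    auth/${link##*/}"; fail=1 ;;
        esac
    done
    [ -L "$base/auth/75puredb" ] || { echo "MISSING  auth/75puredb"; fail=1; }
    return $fail
}
```
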

TLS Support

TLS support is optional and works alongside normal FTP: the server accepts both plain and TLS-encrypted sessions, so clients that do not request TLS still log in over clear text.

pure-ftpd needs a PEM file located at /etc/ssl/private/pure-ftpd.pem. The file must contain both the generated private key and the wildcard CRT file.

cat /etc/ssl/private/private.key /etc/ssl/private/domain_dot_com.crt > /etc/ssl/private/pure-ftpd.pem

Enable optional TLS support:

echo 1 > /etc/pure-ftpd/conf/TLS
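
Because the PEM file holds the private key, it should not be readable by other local users, and a plain cat inherits whatever umask is in effect. The following functions are an added example, not part of the original page or of pure-ftpd: build_pem and check_pem are illustrative names that create the combined file with owner-only permissions and verify that it contains both parts.

```shell
#!/bin/sh
# Added example; build_pem and check_pem are illustrative helper names.

# build_pem KEY CERT OUT
# Concatenate key and certificate under a restrictive umask, then force mode
# 600 in case OUT already existed with looser permissions.
build_pem() {
    ( umask 077 && cat "$1" "$2" > "$3" && chmod 600 "$3" )
}

# check_pem FILE
# Returns 0 only if FILE holds a private key and a certificate and grants no
# access to group or other.
check_pem() {
    f=$1
    rc=0
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" ||
        { echo "no private key in $f"; rc=1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "no certificate in $f"; rc=1; }
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "$f is accessible to group/other ($perms)"; rc=1; }
    return $rc
}
```

With the paths used on this page, the calls would be `build_pem /etc/ssl/private/private.key /etc/ssl/private/domain_dot_com.crt /etc/ssl/private/pure-ftpd.pem` followed by `check_pem /etc/ssl/private/pure-ftpd.pem`.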

FTP Users

You can create FTP users separate from system accounts so that each has its own login and password. These users can stand alone or be bound to system users if you want.

Always run pure-pw mkdb after every user command.

Create an FTP user and bind them to a system account

pure-pw useradd ftp-steve -u steve -g users -d /home/steve
pure-pw mkdb

Delete an FTP user

pure-pw userdel ftp-steve
pure-pw mkdb

Show FTP user details

pure-pw show ftp-steve

IPTables

iptables must have a rule that accepts the passive port range (40000 to 50000, matching PassivePortRange above).

iptables -A INPUT -p tcp --match multiport --dports 40000:50000 -j ACCEPT

Notes

pure-ftpd

- all directives passed to binary as switches
- FTP accounts can be distinct from system accounts!!!
- Can set up separate FTP user passwords from system account!!
- MySQL support
- quota support
- bandwidth throttling
- CLI app to see connections, bandwidth, etc.
- restrict access to IP address ranges, or only to its own virtual host!!
- chroot
- connection during configured time-ranges
- .ftpaccess support
- Restrict access to dot files
- can disable chmod completely
- allows symbolic links, even when chrooted
- directory aliases supported
- uploads are atomic!!

More:
RFC conformance is great, but in real life, there are a lot of buggy clients. It’s why Pure-FTPd also has workarounds for some versions of popular Windows clients that totally violate the FTP protocol. Pure-FTPd also works with broken home-made clients that don’t properly terminate lines. So if your current setup works with another FTP server, you can safely move to Pure-FTPd without breaking anything or receiving customer complaints: things will work as before for them, and the migration will be transparent.

Firewalling is easy: Pure-FTPd can restrict the port range for passive connections, force the announced IP for masquerading gateways, or disable passive connections to deal with broken port forwarders.



/usr/sbin/pure-ftpd -l pam -u 1000 -E -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -B


-0 (zero) - while uploading a file, don't overwrite it until it's finished uploading
-A chroot everyone
-B start in background (daemon mode)
-E authenticated users only (no anonymous)
-l <auth> authentication method
-N NAT mode -- use if remote connections can't get a directory listing
-O output to file
-p <first>:<last> ports in range for passive-mode downloads
-R don't let users use chmod (for their own protection)
-u <uid> - don't allow users under uid to login
-c - max number of sessions
-C - max number of connections from one IP address
-y - max number of connections with the same user name
-Y 1 - Accept standard and encrypted sessions
-Z enable options for ISPs to protect users from doing stupid stuff (no chmod)

-0  --notruncate
-A  --chrooteveryone
-B  --daemonize
-E  --noanonymous
-l  --login pam | puredb:/etc/pureftpd.pdb
-N  --natmode
-O  --altlog
-p  --passiveportrange <minport:maxport>
-R  --nochmod
-u  --minuid <uid>
-c  --maxclientsnumber <number>
-C  --maxclientsperip <number>
-y  --peruserlimits <per user max>
-x  --prohibitdotfileswrite
-X  --prohibitdotfilesread
-Y  --tls 1
-Z  --customerproof

OS X

Finder does not allow anonymous ftp write access.

Configuration Flags

  • -0, --notruncate
  • -4, --ipv4only
  • -A, --chrooteveryone
  • -b, --brokenclientscompatibility
  • -I, --maxidletime <opt>
  • -M, --anonymouscancreatedirs
  • -R, --nochmod
  • -x, --prohibitdotfileswrite
  • -X, --prohibitdotfilesread
  • -Y, --tls <opt>
  • -Z, --customerproof

Gentoo

Gentoo configuration for pure-ftpd is located at /etc/conf.d/pure-ftpd. IS_CONFIGURED must be set to yes, and additional options can be put in MISC_OTHER.