Pure-FTPD on Ubuntu Server 10.04


Post by dedwards » Wed Sep 01, 2010 9:01 am

Install Pure-FTPD with GUI

Install the pure-ftpd package and the pureadmin package from the Universe Repository.

Code: Select all

sudo apt-get install pure-ftpd


Install all dependencies

Then use your favorite text editor and open up the /etc/inetd.conf file. Comment out (add a # at the start of) the line containing 'ftp' if such an entry exists. In my Ubuntu Server 10.04 installation there was no FTP entry:

Code: Select all

sudo vi /etc/inetd.conf


Verify that "STANDALONE_OR_INETD=standalone" is set in the /etc/default/pure-ftpd-common file. Again, in my case it already was set correctly:

Code: Select all

sudo vi /etc/default/pure-ftpd-common


Add a "ftpgroup" in the system:

Code: Select all

sudo groupadd ftpgroup


Add a "ftpuser" user in the system:

Code: Select all

sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser


Add a virtual pure-ftpd user. I'm going to use "joe" as an example:

Code: Select all

sudo pure-pw useradd joe -u ftpuser -d /name/of/directory


where "/name/of/directory" is the directory where you want user "joe" to have FTP access. This directory is where user "joe" is going to be locked in once they log on to the server with FTP. Whether you create a directory for "joe" to have access to or you use an existing directory, ensure the user/group "ftpuser/ftpgroup" you created earlier is the owner of that directory as follows:

Code: Select all

chown -R ftpuser:ftpgroup /name/of/directory


Now, create the Pure-FTPD virtual user database:

Code: Select all

sudo pure-pw mkdb


Create the following symbolic links for Pure-FTPD to function properly:

Code: Select all

sudo ln -s /etc/pure-ftpd/pureftpd.passwd /etc/pureftpd.passwd


Code: Select all

sudo ln -s /etc/pure-ftpd/pureftpd.pdb /etc/pureftpd.pdb


Code: Select all

sudo ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/PureDB


Ensure that the "/etc/pure-ftpd/conf/UnixAuthentication" file only contains the word "no", without the quotes of course. Again, in my Ubuntu Server 10.04 installation it was already set that way:

Code: Select all

sudo vi /etc/pure-ftpd/conf/UnixAuthentication


You may need to restart PureFTPD before changes take effect:

Code: Select all

sudo /etc/init.d/pure-ftpd restart


OPTIONS

Pure-ftpd on Ubuntu/Debian distros uses the pure-ftpd-wrapper, which parses any properly named file in the "/etc/pure-ftpd/conf" directory, reads its value and passes it in turn to the pure-ftpd daemon. This eliminates the need to edit long configuration files. There are a lot of files that can be placed in the "/etc/pure-ftpd/conf" directory for different configuration options, but I'm only going to concentrate on a handful. For a complete list of all the files, refer to http://manpages.ubuntu.com/manpages/hardy/man8/pure-ftpd-wrapper.8.html.

1. PASSIVE MODE PORT NUMBER RANGE
Passive mode can be enabled by simply issuing the following from the command line for setting a range of 30000 through 31000:

Code: Select all

echo  30000 31000 > /etc/pure-ftpd/conf/PassivePortRange


2. BIND PURE-FTPD DAEMON TO SPECIFIC ADDRESS AND PORT NUMBER
If you wish to set pure-ftpd to listen to a specific port number, issue the following from the command line. In this example we set port number "666" as the FTP port:

Code: Select all

echo 192.168.xxx.xxx,666 > /etc/pure-ftpd/conf/Bind


3. DISABLE NAME RESOLUTION IN PURE-FTPD
I highly recommend you set this option in Pure-ftpd. This will stop the server from trying to resolve the client's hostname. If it's not set, the server will sometimes throw "425 Invalid Address given" errors. Setting this option will fix those errors as well as speed up logins.

Code: Select all

echo 'yes' > /etc/pure-ftpd/conf/DontResolve


Always remember to restart pure-ftpd after each new directive.

ENABLE TLS ON PURE-FTPD
The FTP protocol in general is very insecure. The username/passwords are sent using clear text and the data transfers are also insecure. Enabling TLS will allow you to secure your FTP sessions to include the username/passwords as well as the data transfers.

1. Install OpenSSL

Code: Select all

sudo apt-get install openssl


Accept all dependencies

2. Enable TLS on pure-ftpd

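If you want to accept both plain FTP AND TLS sessions (clients that do not request TLS will still send their username/password in clear text), issue the following on the command line: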

Code: Select all

echo 1 > /etc/pure-ftpd/conf/TLS


If you want to accept TLS sessions ONLY, issue the following on the command line:

Code: Select all

echo 2 > /etc/pure-ftpd/conf/TLS


3. Create the SSL certificate for TLS

Create a "private" directory under "/etc/ssl/" if one doesn't exist yet:

Code: Select all

mkdir /etc/ssl/private


Generate the certificate as follows:

Code: Select all

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem


Fill in the certificate information and restart pure-ftpd.

For 3rd party SSL certificates, enter the private key and corresponding chain certs in the following order inside /etc/ssl/private/pure-ftpd.pem:

Code: Select all

-----BEGIN RSA PRIVATE KEY-----
(Private Key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate)
-----END CERTIFICATE-----
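
As an added example (not part of the original post), the function below audits the settings this guide writes: the TLS and UnixAuthentication wrapper files, the permissions on the combined PEM file, and the key-then-certificates block order shown above. The function name `audit_pureftpd` and its finding messages are made up for illustration; the default paths are the ones used in this guide.

```shell
#!/bin/sh
# Added example, not from the original post. Both paths are parameters so a
# copy of the configuration can be checked instead of the live files.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_pureftpd() {
    conf=${1:-/etc/pure-ftpd/conf}
    pem=${2:-/etc/ssl/private/pure-ftpd.pem}
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # TLS file: 1 = plain FTP and TLS, 2 = TLS only (the guide's two values).
    tls=$(cat "$conf/TLS" 2>/dev/null | tr -d '[:space:]')
    case "$tls" in
        2) ;;
        1) note "TLS=1 still accepts clear-text logins" ;;
        "") note "TLS file missing or empty" ;;
        *) note "TLS=$tls is not a value used in this guide" ;;
    esac

    # UnixAuthentication must contain only the word "no".
    ua=$(cat "$conf/UnixAuthentication" 2>/dev/null | tr -d '[:space:]')
    [ "$ua" = "no" ] || note "UnixAuthentication is '${ua:-missing}', expected 'no'"

    if [ ! -f "$pem" ]; then
        note "certificate file $pem not found"
    else
        # The key is generated with -nodes (unencrypted), so group and other
        # must have no access: characters 5-10 of the ls mode string.
        perms=$(ls -l "$pem" | cut -c5-10)
        [ "$perms" = "------" ] || note "$pem is accessible to group/other ($perms)"

        # Block order: K = private key, C = certificate, ? = anything else.
        order=$(awk '/^-----BEGIN /{ if (/PRIVATE KEY-----/) printf "K";
            else if (/CERTIFICATE-----/) printf "C"; else printf "?" }' "$pem")
        case "$order" in
            K | K*[!C]*) note "PEM blocks '$order': need one key, then only certificates" ;;
            KC*) ;;  # key first, then primary/intermediate/root certificates
            *) note "PEM blocks '$order': the private key must come first" ;;
        esac
    fi
    [ "$findings" -eq 0 ]
}

# Run the audit only when the script is given arguments (conf dir, PEM file).
if [ "$#" -gt 0 ]; then audit_pureftpd "$@"; fi
```

Run it as root with the two paths as arguments, since /etc/ssl/private is normally not readable by other users.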


TROUBLESHOOTING

You may be given one of these warnings when trying to connect to your server:
[WARNING] Can't login as [joe]: account disabled

"Sorry, but I can't trust you"

These two warnings occur if your system set the UserID (UID) and/or GroupID (GID) associated with the ftpuser user below 1000. To see what the current values are, type the following at a shell:

Code: Select all

id ftpuser


You'll be given something similar to the following:

Code: Select all

uid=572(ftpuser) gid=972(ftpgroup) groups=972(ftpgroup)


The actual numbers don't matter much, but they should be higher than 1000 for Pure-FTPD to be happy. To fix the UserID (UID) portion, open a shell and type:

Code: Select all

sudo usermod -u 1021 ftpuser


To fix the GroupID (GID):

Code: Select all

sudo groupmod -g 1022 ftpgroup


Restart the Pure-FTPD daemon and you should be up and running.

MANAGE PURE-FTPD USERS

The commands below are for performing common tasks with the pure-ftpd user database. This assumes that "username" is the user you are managing and "/name/of/directory" is the directory you want that user to have FTP access to. Remember that after every change in the pure-ftpd database, you MUST commit the changes by typing "sudo pure-pw mkdb", and always make sure that "ftpuser/ftpgroup" are the owners of whatever directory you want that user to have access to:

Add Users:

Code: Select all

sudo pure-pw useradd username -u ftpuser -d /name/of/directory


Change User Password:

Code: Select all

sudo pure-pw passwd username


Show User Details:

Code: Select all

sudo pure-pw show username


Delete user:

Code: Select all

sudo pure-pw userdel username