Pure-FTPD on Ubuntu Server 18.04


Post by dedwards »

Install Pure-FTPD with GUI

Install the pure-ftpd package and the pureadmin package from the Universe Repository.

Code:

sudo apt-get install pure-ftpd

Install all dependencies.

Then use your favorite text editor and open up the /etc/inetd.conf file. Comment out (add a # at the start of) the line containing 'ftp' if such an entry exists. In my Ubuntu Server 18.04 installation there was no FTP entry:

Code:

sudo vi /etc/inetd.conf

Verify that "STANDALONE_OR_INETD=standalone" is set in the /etc/default/pure-ftpd-common file. Again, in my case it already was set correctly:

Code:

sudo vi /etc/default/pure-ftpd-common

Add a "ftpgroup" in the system:

Code:

sudo groupadd ftpgroup

Add a "ftpuser" user in the system:

Code:

sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser

Add a virtual pure-ftpd user. I'm going to use "joe" as an example:

Code:

sudo pure-pw useradd joe -u ftpuser -d /name/of/directory

where "/name/of/directory" is the directory where you want user "joe" to have FTP access. This directory is where user "joe" is going to be locked in once they log on to the server with FTP. Whether you create a directory for "joe" to have access to or you use an existing directory, ensure the user/group "ftpuser/ftpgroup" you created earlier is the owner of that directory as follows:

Code:

chown -R ftpuser:ftpgroup /name/of/directory

Now, create the Pure-FTPD virtual user database:

Code:

sudo pure-pw mkdb

Create the following symbolic links for Pure-FTPD to function properly:

Code:

sudo ln -s /etc/pure-ftpd/pureftpd.passwd /etc/pureftpd.passwd
sudo ln -s /etc/pure-ftpd/pureftpd.pdb /etc/pureftpd.pdb
sudo ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/PureDB

Ensure that the "/etc/pure-ftpd/conf/UnixAuthentication" file only contains the word "no", without the quotes of course. Again, in my Ubuntu Server 18.04 installation it was already set that way:

Code:

sudo vi /etc/pure-ftpd/conf/UnixAuthentication

You may need to restart PureFTPD before changes take effect:

Code:

sudo /etc/init.d/pure-ftpd restart

OPTIONS

Pure-ftpd on Ubuntu/Debian distros uses the pure-ftpd-wrapper, which parses any properly named file in the "/etc/pure-ftpd/conf" directory, reads the values, and passes them to the pure-ftpd daemon. This eliminates the need to edit long configuration files. There are a lot of files that can be placed in the "/etc/pure-ftpd/conf" directory for different configuration options, but I'm only going to concentrate on a handful. For a complete list of all the files, refer to the following link: http://manpages.ubuntu.com/manpages/har ... per.8.html

1. PASSIVE MODE PORT NUMBER RANGE
Passive mode can be enabled by simply issuing the following from the command line for setting a range of 30000 through 31000:

Code:

echo 30000 31000 > /etc/pure-ftpd/conf/PassivePortRange

2. BIND PURE-FTPD DAEMON TO SPECIFIC ADDRESS AND PORT NUMBER
If you wish to set pure-ftpd to listen to a specific port number, issue the following from the command line. In this example we set port number "666" as the FTP port:

Code:

echo 192.168.xxx.xxx,666 > /etc/pure-ftpd/conf/Bind

3. DISABLE NAME RESOLUTION IN PURE-FTPD
I highly recommend you set this option in Pure-ftpd. This will stop the server from trying to resolve the client's hostname. If it's not set, the server will sometimes throw "425 Invalid Address given" errors. Setting this option will fix those errors as well as speed up logins.

Code:

echo 'yes' > /etc/pure-ftpd/conf/DontResolve

4. SET PASSIVE IP IN PURE-FTPD
If you are using passive FTP and you are behind a NAT, it's highly recommended that you set the public IP of your server as the passive IP in Pure-FTPD as follows:

Code:

echo '1.2.3.4' > /etc/pure-ftpd/conf/ForcePassiveIP

Always remember to restart pure-ftpd after each new directive.

ENABLE TLS ON PURE-FTPD
The FTP protocol in general is very insecure. The username/passwords are sent using clear text and the data transfers are also insecure. Enabling TLS will allow you to secure your FTP sessions to include the username/passwords as well as the data transfers.

1. Install OpenSSL

Code:

sudo apt-get install openssl

Accept all dependencies.

2. Enable TLS on pure-ftpd

If you want to have FTP AND TLS sessions, issue the following on the command line:

Code:

echo 1 > /etc/pure-ftpd/conf/TLS

If you want to accept TLS sessions ONLY, issue the following on the command line:

Code:

echo 2 > /etc/pure-ftpd/conf/TLS

3. Create the SSL certificate for TLS

Create a "private" directory under "/etc/ssl/" if one doesn't exist yet:

Code:

mkdir /etc/ssl/private

Generate the certificate as follows:

Code:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Fill in the certificate information and restart pure-ftpd.

For 3rd party SSL certificates, enter the private key and corresponding chain certs in the following order inside /etc/ssl/private/pure-ftpd.pem:

Code:

-----BEGIN RSA PRIVATE KEY-----
(Private Key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate)
-----END CERTIFICATE-----
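
The settings from the OPTIONS and ENABLE TLS sections can be checked in one pass. The script below is an added example, not part of the original guide: it reads the same one-value-per-file options and flags TLS modes that still allow cleartext, a malformed passive port range, and a key file that group or other can access. The helper names `opt` and `audit_pureftpd_conf` and the demo directory are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the original guide. Directory and certificate
# paths are arguments, so the audit can run on a copy of /etc/pure-ftpd/conf.

opt() {  # trimmed first line of option file $2 in directory $1; empty if absent
    if [ -r "$1/$2" ]; then
        sed -n '1{s/^[[:space:]]*//;s/[[:space:]]*$//;p;}' "$1/$2"
    fi
}

audit_pureftpd_conf() (  # usage: audit_pureftpd_conf CONF_DIR PEM_FILE
    conf=$1 pem=$2 bad=0
    tls=$(opt "$conf" TLS)
    case $tls in
        2|3) ;;  # 3 (not used in the guide) also refuses cleartext data connections
        1) echo "TLS=1: cleartext FTP sessions are still accepted"; bad=1 ;;
        *) echo "TLS='$tls': TLS is not enabled"; bad=1 ;;
    esac
    ua=$(opt "$conf" UnixAuthentication)
    if [ -n "$ua" ] && [ "$ua" != no ]; then
        echo "UnixAuthentication='$ua': the guide expects 'no'"; bad=1
    fi
    range=$(opt "$conf" PassivePortRange)
    if [ -n "$range" ]; then
        echo "$range" | awk 'NF != 2 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ ||
                             $1 + 0 >= $2 + 0 || $2 + 0 > 65535 { exit 1 }' ||
            { echo "PassivePortRange='$range': expected 'LOW HIGH', LOW < HIGH <= 65535"; bad=1; }
    fi
    case $tls in 1|2|3)
        if [ ! -f "$pem" ]; then
            echo "TLS is enabled but $pem does not exist"; bad=1
        else
            [ "$(ls -l "$pem" | cut -c5-10)" = "------" ] ||
                { echo "$pem holds the private key but group/other can access it"; bad=1; }
            case $(sed -n '/^-----BEGIN /{p;q;}' "$pem") in
                *"PRIVATE KEY-----") ;;
                *) echo "$pem: private key is not the first PEM block"; bad=1 ;;
            esac
            grep -q '^-----BEGIN CERTIFICATE-----' "$pem" ||
                { echo "$pem: no certificate block found"; bad=1; }
        fi ;;
    esac
    [ "$bad" -eq 0 ]
)

# Constructed demo: TLS=1, Unix authentication on, no certificate file yet.
demo=$(mktemp -d); echo 1 > "$demo/TLS"; echo yes > "$demo/UnixAuthentication"
audit_pureftpd_conf "$demo" "$demo/pure-ftpd.pem" || true
rm -rf "$demo"
```

On a real server it would be called as `audit_pureftpd_conf /etc/pure-ftpd/conf /etc/ssl/private/pure-ftpd.pem`; the exit status is non-zero when anything is reported.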

TROUBLESHOOTING

You may be given one of these warnings when trying to connect to your server:

[WARNING] Can't login as [joe]: account disabled

"Sorry, but I can't trust you"

These two warnings occur if your system set the UserID (UID) and/or GroupID (GID) associated with the ftpuser user below 1000. To see what the current values are, type the following at a shell:

Code:

id ftpuser

You'll be given something similar to the following:

Code:

uid=572(ftpuser) gid=972(ftpgroup) groups=972(ftpgroup)

The actual numbers don't matter much, but they should be higher than 1000 for Pure-FTPD to be happy. To fix the UserID (UID) portion, open a shell and type:

Code:

sudo usermod -u 1021 ftpuser

To fix the GroupID (GID):

Code:

sudo groupmod -g 1022 ftpgroup

Restart the Pure-FTPD daemon and you should be up and running.
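
pure-pw stores each virtual user's numeric UID and GID in pureftpd.passwd (fields 3 and 4), so entries created before the usermod/groupmod change still carry the old values. The following is an added example, not part of the original guide, that lists such entries; the function name `check_virtual_ids` and the sample file are constructed for illustration, and 1021/1022 are the IDs used in the commands above.

```sh
#!/bin/sh
# Added example, not part of the original guide. pureftpd.passwd is
# colon-separated: login:password-hash:uid:gid:gecos:home:...

check_virtual_ids() {  # usage: check_virtual_ids PASSWD_FILE WANT_UID WANT_GID [MIN_ID]
    awk -F: -v uid="$2" -v gid="$3" -v min="${4:-1000}" '
        NF == 0 { next }                                   # skip blank lines
        NF < 6  { printf "%s: malformed entry\n", $1; bad = 1; next }
        $3 + 0 < min + 0 || $4 + 0 < min + 0 {
            printf "%s: uid=%s gid=%s is below %d\n", $1, $3, $4, min
            bad = 1; next
        }
        $3 != uid || $4 != gid {
            printf "%s: uid=%s gid=%s does not match %s:%s\n", $1, $3, $4, uid, gid
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: joe was added while ftpuser was still uid 572 / gid 972.
sample=$(mktemp)
cat > "$sample" <<'EOF'
joe:$6$constructed$hash:572:972::/srv/ftp/joe/./::::::::::::
ann:$6$constructed$hash:1021:1022::/srv/ftp/ann/./::::::::::::
EOF
check_virtual_ids "$sample" 1021 1022 || true   # reports only the joe entry
rm -f "$sample"
```

Entries it reports can be updated with `sudo pure-pw usermod joe -u 1021 -g 1022` and committed with `sudo pure-pw mkdb`. The `chown -R ftpuser:ftpgroup` step from earlier also needs repeating, because existing files keep the old numeric owner.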

MANAGE PURE-FTPD USERS

The commands below are for performing common tasks with the pure-ftpd user database. This assumes that "username" is the user you are managing and "/name/of/directory" is the directory you want that user to have FTP access to. Remember that after every change in the pure-ftpd database, you MUST commit the changes by typing "sudo pure-pw mkdb" and always make sure that "ftpuser/ftpgroup" are the owners of whatever directory you want that user to have access to:

Add Users:

Code:

sudo pure-pw useradd username -u ftpuser -d /name/of/directory

Change User Password:

Code:

sudo pure-pw passwd username

Show User Details:

Code:

sudo pure-pw show username

Delete user:

Code:

sudo pure-pw userdel username
