Setup Pure-FTPd With TLS on Debian 9

Published on: Fri, Sep 8, 2017 at 5:58 pm EST
Debian Linux Guides Security System Admin

Pure-FTPd is a fast and lightweight FTP server built with security in mind. In this tutorial, I am going to show you how to install and use Pure FTP in 4 easy steps. This guide explains how to install Pure FTPd on Debian 9.

Step one - Installation

Pure-FTPd is in Debian's stable repository, so there is no need to add any additional repositories to your system.

Run the following command with root privileges:

apt install -y pure-ftpd-common pure-ftpd 

Step two - Configuration

There are many options you can use to change the application's behavior. These options could be applied to Pure-FTPd's daemon at startup or you could make them persistent by creating the necessary files inside the conf directory.

We want to:

  • Create virtual users.
  • Create home directories for users automatically.
  • Limit (chroot) users to only have access to their own home directory.

Enable Pure-FTPd's database and disable PAM and Unix authentication to enable virtual users:

ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure
echo no > /etc/pure-ftpd/conf/PAMAuthentication
echo no > /etc/pure-ftpd/conf/UnixAuthentication

Set Pure-FTPd to create home directories for users at their first login:

echo "yes" > /etc/pure-ftpd/conf/CreateHomeDir

Chroot everyone.

echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone

If you are interested to learn about other options, visit the official documentation page.

Step three - Create users

Pure-FTPd can handle virtual-users, which means they are kept in Pure-FTPd's database and are not related to Linux system users.

In order for Pure-FTPd to manage files with virtual-users we need to create a Linux user and group in which all virtual users will be associated. All virtual users can use the same system user and group as long as they have been chrooted.

Run the following commands to create the system user and group:

groupadd ftpusr
useradd -g ftpusr -d /dev/null -s /etc ftpusr

Note: We don't want this user to have a home directory or login capability.

Create our FTP root directory:

mkdir /home/FTP

Create a virtual-user in Pure-FTPd:

pure-pw useradd alex -u ftpusr -g ftpusr -d /home/FTP/alex 

We have added our first virtual-user (alex) and associated it with system user/group (ftpusr). All files that you write with alex will be owned by ftpusr on the system.

Update Pure-FTPd's database:

pure-pw mkdb

Check the user's information:

pure-pw show alex

Login              : alex
Password           : <encrypted password>
UID                : 1000 (ftpusr)
GID                : 1000 (ftpusr)
Directory          : /home/FTP/alex/./
Full name          : 
Download bandwidth : 0 Kb (unlimited)
Upload   bandwidth : 0 Kb (unlimited)
Max files          : 0 (unlimited)
Max size           : 0 Mb (unlimited)
Ratio              : 0:0 (unlimited:unlimited)
Allowed local  IPs : 
Denied  local  IPs : 
Allowed client IPs : 
Denied  client IPs : 
Time restrictions  : 0000-0000 (unlimited)
Max sim sessions   : 0 (unlimited)

To make life easier, use the following script to add FTP accounts:

echo -e  '#!/bin/bash\nread -p "Enter UserName: " usrname\npure-pw useradd $usrname -u ftpusr -g ftpusr -d /home/FTP/$usrname && pure-pw mkdb'  > /usr/sbin/ftp-createacc

chmod u+x /usr/sbin/ftp-createacc

Now, creating FTP accounts is simple:

ftp-createacc

Enter UserName: mike
Password: 
Enter it again:

Step four - TLS support

First, we need to install OpenSSL.

apt install -y openssl

Force Pure-FTPd to use TLS, or we can make it optional which means both insecure and TLS connections are accepted

# force TLS
echo 2 > /etc/pure-ftpd/conf/TLS

# insecure + TLS
echo 1 > /etc/pure-ftpd/conf/TLS

Create a directory to store our keys.

mkdir -p /etc/ssl/pure-ftpd

Generate a bundle key (private key and public key).

openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Restart the pure-ftpd daemon.

systemctl restart pure-ftpd

If you have a firewall installed on your system, or your server is behind NAT, you must define passive ports in Pure-FTPd and open the these ports in your firewall, otherwise you will receive errors such as these:

Server sent passive reply with unroutable address. Passive mode failed.

Failed to retrieve directory listing.

500 I won't open a connection to 192.168.1.4 (only to 10.10.10.10).

Set passive ports in Pure-FTPd:

echo "40110 42210" > /etc/pure-ftpd/conf/PassivePortRange

Restart pure-ftpd to apply the change.

systemctl restart pure-ftpd

In your firewall, open the incoming port range from 40110 to 42210, protocol TCP.

FTP is insecure by nature, but it is also fast and easy to setup. For a more secure solution, use SFTP instead.

Want to contribute ?

You could earn up to $300 by adding new articles