Article

Table of Contents
Theme:
Was this article helpful?

2  out of  3 found this helpful

Try Vultr Today with

$50 Free on Us!

Get started now
Want to contribute?

You could earn up to $600 by adding new articles.

Learn more!

Setup Pure-FTPd With TLS on Debian 9

Last Updated: Fri, Sep 8, 2017
Debian Linux Guides Security System Admin
Archived content

This article is outdated and may not work correctly for current operating systems or software.

Introduction

Pure-FTPd is a fast and lightweight FTP server built with security in mind. In this tutorial, I am going to show you how to install and use Pure FTP in 4 easy steps. This guide explains how to install Pure FTPd on Debian 9.

1. Installation

Pure-FTPd is in Debian's stable repository, so there is no need to add any additional repositories to your system.

Run the following command with root privileges:

apt install -y pure-ftpd-common pure-ftpd

2. Configuration

There are many options you can use to change the application's behavior. These options could be applied to Pure-FTPd's daemon at startup or you could make them persistent by creating the necessary files inside the conf directory.

We want to:

  • Create virtual users.

  • Create home directories for users automatically.

  • Limit (chroot) users to only have access to their own home directory.

Enable Pure-FTPd's database and disable PAM and Unix authentication to enable virtual users:

ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure

echo no > /etc/pure-ftpd/conf/PAMAuthentication

echo no > /etc/pure-ftpd/conf/UnixAuthentication

Set Pure-FTPd to create home directories for users at their first login:

echo "yes" > /etc/pure-ftpd/conf/CreateHomeDir

Chroot everyone.

echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone

If you are interested to learn about other options, visit the official documentation page.

3. Create users

Pure-FTPd can handle virtual-users, which means they are kept in Pure-FTPd's database and are not related to Linux system users.

In order for Pure-FTPd to manage files with virtual-users we need to create a Linux user and group in which all virtual users will be associated. All virtual users can use the same system user and group as long as they have been chrooted.

Run the following commands to create the system user and group:

groupadd ftpusr

useradd -g ftpusr -d /dev/null -s /etc ftpusr

Note: We don't want this user to have a home directory or login capability.

Create our FTP root directory:

mkdir /home/FTP

Create a virtual-user in Pure-FTPd:

pure-pw useradd alex -u ftpusr -g ftpusr -d /home/FTP/alex

We have added our first virtual-user (alex) and associated it with system user/group (ftpusr). All files that you write with alex will be owned by ftpusr on the system.

Update Pure-FTPd's database:

pure-pw mkdb

Check the user's information:

pure-pw show alex



Login              : alex

Password           : <encrypted password>

UID                : 1000 (ftpusr)

GID                : 1000 (ftpusr)

Directory          : /home/FTP/alex/./

Full name          : 

Download bandwidth : 0 Kb (unlimited)

Upload   bandwidth : 0 Kb (unlimited)

Max files          : 0 (unlimited)

Max size           : 0 Mb (unlimited)

Ratio              : 0:0 (unlimited:unlimited)

Allowed local  IPs : 

Denied  local  IPs : 

Allowed client IPs : 

Denied  client IPs : 

Time restrictions  : 0000-0000 (unlimited)

Max sim sessions   : 0 (unlimited)

To make life easier, use the following script to add FTP accounts:

echo -e  '#!/bin/bash\nread -p "Enter UserName: " usrname\npure-pw useradd $usrname -u ftpusr -g ftpusr -d /home/FTP/$usrname && pure-pw mkdb'  > /usr/sbin/ftp-createacc



chmod u+x /usr/sbin/ftp-createacc

Now, creating FTP accounts is simple:

ftp-createacc



Enter UserName: mike

Password: 

Enter it again:

4. TLS support

First, we need to install OpenSSL.

apt install -y openssl

Force Pure-FTPd to use TLS, or we can make it optional which means both insecure and TLS connections are accepted

# force TLS

echo 2 > /etc/pure-ftpd/conf/TLS



# insecure + TLS

echo 1 > /etc/pure-ftpd/conf/TLS

Create a directory to store our keys.

mkdir -p /etc/ssl/pure-ftpd

Generate a bundle key (private key and public key).

openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Restart the pure-ftpd daemon.

systemctl restart pure-ftpd

If you have a firewall installed on your system, or your server is behind NAT, you must define passive ports in Pure-FTPd and open the these ports in your firewall, otherwise you will receive errors such as these:

Server sent passive reply with unroutable address. Passive mode failed.



Failed to retrieve directory listing.



500 I won't open a connection to 192.168.1.4 (only to 10.10.10.10).

Set passive ports in Pure-FTPd:

echo "40110 42210" > /etc/pure-ftpd/conf/PassivePortRange

Restart pure-ftpd to apply the change.

systemctl restart pure-ftpd

In your firewall, open the incoming port range from 40110 to 42210, protocol TCP.

FTP is insecure by nature, but it is also fast and easy to setup. For a more secure solution, use SFTP instead.

Want to contribute?

You could earn up to $600 by adding new articles.

Submit your article Request an article