Pure-FTPd is a free, open-source FTP server software available for Ubuntu and other Linux distributions. Designed with a focus on security, performance, and ease of use, Pure-FTPd offers robust features such as support for virtual users, encrypted connections using TLS/SSL, and various authentication mechanisms. It also provides features like limiting bandwidth, restricting user permissions, and enabling anonymous FTP access. Pure-FTPd is often chosen for its simplicity in configuration compared to other FTP servers, making it a popular choice for both small and large-scale deployments on Ubuntu systems.
The File Transfer Protocol (FTP) is a standard network protocol used to transfer files between a client and a server over a network, such as the internet. Developed in the early 1970s, FTP allows users to upload, download, and manage files on a remote server. It operates using two channels: a command channel for controlling the connection and a data channel for transferring files. FTP can work in either active or passive mode, which dictates how the server and client establish connections. While widely used for file transfers, FTP is considered insecure because data, including login credentials, is transmitted in plain text. In this guide I will show you how to configure Pure-FTPd to use FTPS (FTP over SSL/TLS), which encrypts that traffic in transit.
This tutorial guides you step-by-step through the process of installing and configuring Pure-FTPd on Ubuntu.
Prerequisites for Installing Pure-FTPd
Before proceeding with the installation, ensure you have:
- An Ubuntu server setup
- Access to a user account with sudo privileges
Step-by-Step Installation of Pure-FTPd
Updating System Packages
First, update your system’s package list:
sudo apt update
Installing Pure-FTPd
Next, install Pure-FTPd using the following command:
sudo apt install pure-ftpd
Configuring Pure-FTPd for Enhanced Security
Setting Up a Secure Environment
Create a dedicated group for FTP users:
sudo groupadd ftpgroup
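Create a system user for Pure-FTPd that the virtual FTP users will map to. It gets no usable home directory (/dev/null) and no valid login shell (/etc):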
sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser
Managing User Access
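To add a virtual user to the FTP server (pure-pw prompts for the password, and -d sets the home directory the user is chrooted to), then rebuild the user database: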
sudo pure-pw useradd [username] -u ftpuser -g ftpgroup -d /home/ftpusers/[username]
sudo pure-pw mkdb
Replace [username] with the desired username.
Configuring TLS for Secure Data Transfer
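Generate a self-signed certificate. Pure-FTPd reads the private key and the certificate from a single PEM file, so both outputs go to the same path: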
sudo openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
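Modify the Pure-FTPd configuration to activate TLS. A value of 1 accepts both plain FTP and TLS sessions; 2 refuses logins that do not use TLS, and 3 additionally requires the data connection to be encrypted: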
echo 1 | sudo tee /etc/pure-ftpd/conf/TLS
sudo service pure-ftpd restart
Advanced Configuration Options
Here’s a list of common settings that can be configured for Pure-FTPd in the /etc/pure-ftpd/conf/ directory on Ubuntu. Each setting is a file in that directory, and each entry below begins with the config file name.
- AltLog: Specifies alternative logging methods. For instance, AltLog clf:/var/log/pureftpd.log will log transfers in W3C format.
- AnonymousOnly: When enabled (by creating a file named AnonymousOnly), it restricts the server to allow only anonymous logins.
- AntiWarez: If this file exists, users are forbidden to upload files that already exist on the server.
- AutoRename: Automatically renames uploaded files if a file with the same name exists.
- Bind: Binds the server to a specific IP address and port. For example, Bind 21 binds to port 21 on all available addresses.
- BrokenClientsCompatibility: Enables compatibility with FTP clients that do not strictly adhere to FTP standards.
- ChrootEveryone: If enabled, restricts all users to their home directory.
- CreateHomeDir: Automatically creates home directories if they do not exist when a user logs in.
- CustomerProof: Increases resilience against common mistakes made in client configurations and commands.
- Daemonize: When this file exists, Pure-FTPd will run as a daemon.
- DisplayDotFiles: Controls whether dot files (hidden files) are displayed or not.
- DontResolve: Prevents DNS resolution for logging and bandwidth control, which can improve performance.
- ExtAuth: Specifies an external program for user authentication.
- ForcePassiveIP: Forces the server to report a specific IP address to passive mode clients.
- FSCharset: Sets the file system character set, useful for non-ASCII filenames.
- IPv4Only or IPv6Only: Restricts the server to listen to IPv4 or IPv6 addresses only.
- KeepAllFiles: Prevents deletion of any files on the server.
- LDAPConfigFile: Specifies the path to the LDAP configuration file for authentication.
- LimitRecursion: Limits the recursion depth and number of files displayed in directory listings.
- MaxClientsNumber: Limits the maximum number of simultaneous clients.
- MaxClientsPerIP: Restricts the number of simultaneous connections from a single IP address.
- MaxDiskUsage: Limits the percentage of disk usage.
- MaxIdleTime: Sets the maximum idle time in minutes before disconnecting a client.
- MaxLoad: Disconnects clients or refuses new connections above a certain system load.
- MinUID: Sets the minimum UID for login. Users with a lower UID cannot log in.
- MySQLConfigFile: Specifies the path to the MySQL configuration file for database-based authentication.
- NoAnonymous: Disables anonymous logins if this file exists.
- NoChmod: Disables the CHMOD command on the server.
- NoRename: Prevents users from renaming files.
- PassivePortRange: Defines a range of ports for passive connections (e.g., 30000 35000).
- PerUserLimits: Sets limits on a per-user basis.
- PureDB: Specifies the path to the PureDB user database file.
- Quota: Sets user quota limits.
- SyslogFacility: Defines the syslog facility for logging.
- TLSCipherSuite: Specifies the allowed TLS ciphers for encrypted connections.
- TrustedGID: Specifies a list of trusted group IDs for login.
- UMask: Sets the default umask for file creation.
- UnixAuthentication: Enables authentication against the UNIX password database.
- UploadScript: Specifies a script to run after a successful upload.
This list covers the most commonly used configuration options but is not exhaustive. Always refer to the official Pure-FTPd documentation or use the pure-ftpd-wrapper --help command for the most accurate and comprehensive information.
Examples
Here is a list of Pure-FTPd settings in /etc/pure-ftpd/conf/ with examples to illustrate the types of values they accept:
- AltLog: AltLog clf:/var/log/pureftpd.log
  - Example: clf:/var/log/pureftpd.log
- AnonymousOnly: Enable by creating a file named AnonymousOnly.
- AntiWarez: Enable by creating a file named AntiWarez.
- AutoRename: Enable by creating a file named AutoRename.
- Bind: Bind 21
- BrokenClientsCompatibility: Enable by creating a file named BrokenClientsCompatibility.
- ChrootEveryone: Enable by creating a file named ChrootEveryone.
- CreateHomeDir: Enable by creating a file named CreateHomeDir.
- CustomerProof: Enable by creating a file named CustomerProof.
- Daemonize: Enable by creating a file named Daemonize.
- DisplayDotFiles: Enable by creating a file named DisplayDotFiles.
- DontResolve: Enable by creating a file named DontResolve.
- ExtAuth: ExtAuth /path/to/authenticator
  - Example: /usr/local/bin/myauth
- ForcePassiveIP: ForcePassiveIP 192.168.0.1
- FSCharset: FSCharset utf-8
- IPv4Only or IPv6Only: Enable by creating a file named IPv4Only or IPv6Only.
- KeepAllFiles: Enable by creating a file named KeepAllFiles.
- LDAPConfigFile: LDAPConfigFile /etc/pure-ftpd/ldap.conf
  - Example: /etc/pure-ftpd/ldap.conf
- LimitRecursion: LimitRecursion 10000 8
  - Example: 10000 8 (10000 files, 8 levels deep)
- MaxClientsNumber: MaxClientsNumber 50
- MaxClientsPerIP: MaxClientsPerIP 8
- MaxDiskUsage: MaxDiskUsage 95
- MaxIdleTime: MaxIdleTime 15
- MaxLoad: MaxLoad 4.0
- MinUID: MinUID 1000
- MySQLConfigFile: MySQLConfigFile /etc/pure-ftpd/mysql.conf
  - Example: /etc/pure-ftpd/mysql.conf
- NoAnonymous: Enable by creating a file named NoAnonymous.
- NoChmod: Enable by creating a file named NoChmod.
- NoRename: Enable by creating a file named NoRename.
- PassivePortRange: PassivePortRange 30000 35000
- PerUserLimits: PerUserLimits 8
  - Example: 8 (8 simultaneous connections per user)
- PureDB: PureDB /etc/pure-ftpd/pureftpd.pdb
  - Example: /etc/pure-ftpd/pureftpd.pdb
- Quota: Quota 1000M
  - Example: 1000M (1000 Megabytes)
- SyslogFacility: SyslogFacility ftp
- TLSCipherSuite: TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
  - Example: HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
- TrustedGID: TrustedGID 1000
- UMask: UMask 133:022
  - Example: 133:022 (Files: 133, Directories: 022)
- UnixAuthentication: Enable by creating a file named UnixAuthentication.
- UploadScript: UploadScript /path/to/script
  - Example: /usr/local/bin/uploadscript
These examples should clarify how to configure various options in Pure-FTPd.
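As an added example (not part of the original tutorial), the script below audits the one-file-per-setting directory and the certificate path used in this guide for the settings that decide whether cleartext logins, anonymous access, and MEDIUM cipher suites remain possible. The function names are hypothetical, and it assumes boolean setting files contain yes, 1 or on, which is how the Ubuntu wrapper reads them.

```shell
# Added example, not from the original tutorial: audit the per-setting files
# under /etc/pure-ftpd/conf. Function names here are hypothetical.

# First line of a setting file with whitespace stripped; empty if absent.
setting() {
  if [ -f "$1/$2" ]; then head -n 1 "$1/$2" | tr -d '[:space:]'; fi
}

# Prints one finding per line; prints nothing when every check passes.
audit_pureftpd() {
  local conf="${1:-/etc/pure-ftpd/conf}"
  local cert="${2:-/etc/ssl/private/pure-ftpd.pem}"
  local name mode

  # TLS: 1 = plain and TLS sessions accepted, 2 = logins without TLS refused,
  # 3 = data connections must be encrypted too.
  case "$(setting "$conf" TLS)" in
    2|3) ;;
    1) echo "TLS=1: cleartext logins are still accepted (use 2 or 3)" ;;
    *) echo "TLS: disabled or not set" ;;
  esac

  # Assumption: boolean files contain yes/1/on, as the Ubuntu wrapper reads them.
  for name in NoAnonymous ChrootEveryone; do
    case "$(setting "$conf" "$name")" in
      yes|1|on) ;;
      *) echo "$name: not enabled" ;;
    esac
  done

  # MEDIUM widens the cipher list beyond the HIGH-strength suites.
  case "$(setting "$conf" TLSCipherSuite)" in
    *'!MEDIUM'*) ;;
    *MEDIUM*) echo "TLSCipherSuite: MEDIUM suites are allowed" ;;
  esac

  # The PEM file contains the private key: owner-only access.
  if [ -f "$cert" ]; then
    mode=$(stat -c '%a' "$cert")
    case "$mode" in
      600|400) ;;
      *) echo "certificate file mode is $mode, expected 600" ;;
    esac
  else
    echo "certificate file not found: $cert"
  fi
}

audit_pureftpd "$@"
```

Run it with sudo so the certificate under /etc/ssl/private can be read; pass a different configuration directory and certificate path as the first and second arguments to audit a staged copy.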
Monitoring and Maintenance
Regularly check logs in /var/log/pure-ftpd/ for any unusual activities or errors.
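One way to turn that log review into a repeatable check, as an added example that is not part of the original tutorial: count failed logins per client address and report the addresses at or above a threshold. The function names and sample lines are constructed, and the syslog-style message format shown in the comments is an assumption; point the function at whichever file receives those messages on your system.

```shell
# Added example, not from the original tutorial. Function names are hypothetical.
# Assumption: failed logins appear as syslog-style lines such as
#   pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]

# Constructed sample log (documentation-range addresses).
sample_log() {
  cat <<'EOF'
Mar  4 10:01:02 ftp1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]
Mar  4 10:01:04 ftp1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [root]
Mar  4 10:01:06 ftp1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [test]
Mar  4 10:02:10 ftp1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [alice]
Mar  4 10:02:30 ftp1 pure-ftpd: (alice@192.0.2.10) [INFO] alice is now logged in
EOF
}

# Usage: failed_logins [file|-] [min]  -> "count address" lines, highest first.
failed_logins() {
  awk -v min="${2:-3}" '
    /\[WARNING\] Authentication failed for user/ {
      # The client address sits between "@" and ")" in the "(user@addr)" field.
      if (match($0, /\([^@ ]*@[^)]+\)/)) {
        field = substr($0, RSTART + 1, RLENGTH - 2)
        sub(/^[^@]*@/, "", field)
        count[field]++
      }
    }
    END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
  ' "${1:--}" | sort -rn
}

sample_log | failed_logins - 3
```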