Pure FTPd Configuration and Security Best Practices

Author

Reads 1.3K

Close Up Photo of Cables Plugged into the Server
Credit: pexels.com, Close Up Photo of Cables Plugged into the Server

Pure FTPd is a popular open-source FTP server that's widely used due to its reliability and ease of use.

To get started with Pure FTPd, you'll need to configure it to suit your needs.

First, you'll need to edit the Pure FTPd configuration file, typically located at /etc/pure-ftpd.conf.

A good practice is to set the anonymous user to be able to upload files, but only to a specific directory, such as /var/ftp/pub.

Installation and Setup

pure-ftpd can be installed from the Arch User Repository, and you can start and enable pure-ftpd.service.

To install Pure-FTPd on Ubuntu Server, issue the following command to install the FTP server. Once installed, Pure-FTPd will be automatically started.

You can check if Pure-FTPd is running with the command, and it's listening on TCP port 21, which is the control port.

Anonymous access is disabled by default, so you can use your system account to login. However, plain text FTP is insecure and strongly discouraged.

To have a secure FTP server, you need to encrypt communication with TLS.

You might like: Hostinger Port 25

Configuration and Security

Credit: youtube.com, Master FTP Server Setup on Linux | ProFTPd, Pure-FTPd & vsftpd (Full Guide)

Configuration of Pure-FTPd is done through its startup arguments, which can be managed using a wrapper script that reads the /etc/pure-ftpd/pure-ftpd.conf file.

The script then starts Pure-FTPd with the corresponding arguments, making it easy to configure the FTP server. You can use a self-signed certificate to enable TLS encryption, but keep in mind that it might not be recommended due to security concerns.

To secure the FTP server with Let's Encrypt, you'll need to create a folder for the certificate and add the necessary configuration to the last line of the /etc/pure-ftpd/pure-ftpd.conf file. This will enable secure connections for your FTP traffic.

Here are some ways to harden your Pure-FTPd setup:

  • Update Pure-FTPd frequently to ensure you have the latest security patches.
  • Enable TLS encryption to protect user credentials.
  • Enforce strong passwords and limit login attempts.
  • Chroot users to their own environment to prevent them from accessing system files.
  • Disable anonymous access unless it's absolutely necessary.

Configuration

You can configure Pure-FTPd completely with its startup arguments. A wrapper script reads /etc/pure-ftpd/pure-ftpd.conf to start Pure-FTPd with the corresponding arguments.

Setting your FTP to IPv4 only can improve performance, especially if your provider doesn't support IPv6 equally well. You can do this by deleting the existing config.

Readers also liked: Pure Cloud Block Store

Computer server in data center room
Credit: pexels.com, Computer server in data center room

To delete the existing config, you can use the command. This will give you a clean slate to work with.

Now that you've deleted the existing config, you can complete the config file with your settings. Open the pure-ftpd.conf to make the necessary changes.

Finally, you'll need to restart the Pure-FTPd after making the changes to your config file.

Configuration and Setup

Configuration and setup of Pure-FTPd is crucial for a secure and efficient FTP server.

To ensure everything runs properly, you must execute specific commands, which we'll cover next.

Setting your FTP to IPv4 only is recommended, as the performance of IPv6 is not the same for every provider. You can do this by using the command "pure-ftpd -C ipv4".

To delete the existing config, use the command "rm /etc/pure-ftpd.conf". This will reset the configuration file to its default state.

The config file can be completed with our settings by opening the pure-ftpd.conf file and adding our desired settings. Everything is now set up and configured.

Finally, we have to restart the Pure-FTPd using the command "service pure-ftpd restart".

If this caught your attention, see: Discord Server Settings

Hardening FTPd

Credit: youtube.com, Secure Configurations: 3. System Hardening

Hardening FTPd is crucial to prevent unauthorized access to your server. Keeping your FTPd setup secure requires some basic steps to be taken.

First and foremost, update your FTPd software regularly. Old versions might be missing critical patches that can be exploited by hackers.

It's essential to use strong passwords and enforce complexity. This will make it harder for attackers to guess your passwords.

Consider limiting login attempts to prevent brute-force attacks. This can be a game-changer in preventing unauthorized access.

Chrooting users is another security measure you can take. This keeps each user in their own environment, preventing them from accessing system files.

Disabling anonymous access is also a must unless you really need it. Anonymous access can be a vulnerability that hackers love to exploit.

Security

Security is a top priority when it comes to your FTP server. To ensure your server is secure, you should update Pure-FTPd itself regularly to keep up with the latest patches.

Broaden your view: Gmail Email Server Name

Computer server in data center room
Credit: pexels.com, Computer server in data center room

Enabling encryption is also crucial, as plain FTP is not secure. You can enable TLS encryption by creating a TLS file and putting the number 2 into it, which will disable plain-text and use TLS encryption only.

A valid TLS certificate is also necessary, and you can obtain one from a certificate authority or create a self-signed certificate from within the container. However, self-signed certificates come with certain drawbacks.

To harden your Pure-FTPd setup, you should update often, enable encryption (TLS), use strong passwords, chroot users, and disable anonymous access. This will make your server a less easy target for attackers.

Here are some potential attack vectors to watch out for:

  • Default or Weak Credentials: If someone never changed their user/password or used a laughably simple one, brute force might be all you need to get in.
  • Buffer Overflow: Some older FTP daemons had vulnerabilities where sending a crafted command or filename could trigger remote code execution.
  • Command Injection: If the server doesn’t sanitize input, an attacker might be able to run system-level commands.
  • Directory Traversal: Escaping the FTP root (chroot) folder to access system files is a classic trick if the server isn’t configured correctly.

To identify vulnerabilities, you should perform version detection using tools like Nmap, search for known exploits in the CVE database or Exploit-DB, and review your server's configuration to ensure it's not poorly configured.

Using Different Passive Ports

Using different passive ports is a great way to customize your FTP setup. You can change the default passive ports exposed by adding the --expose= option when running the Docker container.

Credit: youtube.com, Active vs Passive FTP - Understanding FTP Ports

To use passive ports in a different range, you can specify them using the FTP_PASSIVE_PORTS environment variable. For example, to use ports 10000-10009, you would use the following command: docker run -e FTP_PASSIVE_PORTS=10000:10009 --expose=10000-10009 -p 21:21 -p 10000-10009:10000-10009.

Default passive ports exposed are 30000 to 30009, so you may need to add the --expose= option to change them.

User Management

User management with Pure-FTPd is a breeze. You can set up virtual users instead of real system users, which is useful for simplicity and demonstration purposes.

To create a virtual user, you'll need to use the pure-pw command to create a /etc/pureftpd.passwd file. This file is then used to create the PureDB, which houses all information related to your virtual users.

The user can now access everything in /srv/ftp, but they can't log in by default. To change that behavior, you need to set the option MinUID in /etc/pure-ftpd.conf to 14 (UID of the ftp user).

To remove a user, simply type the command pure-pw del someuser, and don't forget to update /etc/pureftpd.pdb afterwards.

Set Up Virtual Users

Close-up of a young man using a VR headset to explore virtual reality indoors.
Credit: pexels.com, Close-up of a young man using a VR headset to explore virtual reality indoors.

To set up virtual users, you'll want to use the PureDB backend for simplicity. This involves uncommenting two lines in the configuration file.

You'll also need to create a /etc/pureftpd.passwd file, which is used to create the PureDB. To do this, use the pure-pw command.

Create a user like this: pure-pw useradd someuser -u ftpuser -d /srv/ftp. The user will run as the FTP system user by default.

To allow the virtual user to log in, set the option MinUID in /etc/pure-ftpd.conf to 14, which is the UID of the ftp user.

Don't forget to list the shell of the FTP system user in /etc/shells.

Before the account is usable, commit your changes.

The pure-pw mkdb command creates the /etc/pureftpd.pdb file, which houses all information related to your virtual users.

Changing User Password

Changing a user's password is a straightforward process. To initiate the change, type the command:

You'll then need to commit your changes by updating /etc/pureftpd.pdb.

Removing User

Credit: youtube.com, User Management 5 - Deleting Accounts

Removing a user is a straightforward process. To do so, you simply type the command to remove the user.

The command removes the user account, but not the user's home directory. This means you'll need to manually remove the home directory afterwards.

Be sure to take care of this step to keep your system organized and clutter-free.

Max Clients

Max clients can be set to a default of 5, but you can increase this by using the environment variable FTP_MAX_CLIENTS.

You can set the maximum number of clients to, for example, 50 by specifying FTP_MAX_CLIENTS=50.

To accommodate more clients, you'll also need to open additional public ports, such as 30000:30099.

The number of maximum connections per IP can also be set using the environment variable FTP_MAX_CONNECTIONS, which defaults to 5.

Backends

Backends play a crucial role in user management, and Pure-FTPd allows you to specify one or more backends.

You need to specify at least one backend, and if you specify more than one, Pure-FTPd will respect the order in which they are specified. It will use the first backend which contains the requested user.

Credit: youtube.com, MANAGING USERS - Backend

The available backends include /etc/passwd, which is a common choice for many systems.

MySQL, LDAP, PostgreSQL, and PAM are also available backends. You can choose the one that best fits your needs.

If you're using a custom database, you can specify PureDB as the backend.

You can also write your own backend if needed.

Here's a list of available backends:

  • /etc/passwd
  • MySQL
  • LDAP
  • PostgreSQL
  • PAM
  • PureDB

Certificate Management

To obtain a trusted TLS certificate from Let's Encrypt, run the following command to install the Let's Encrypt client (certbot) from the default Ubuntu repository. I recommend using the standalone or webroot plugin to obtain the TLS certificate for Pure-FTPd.

To install the certificate, combine the certificate and private key into one file named pure-ftpd.pem and store it under /etc/ssl/private/. If your server has a single CPU core, this process can take about 10 minutes.

It's essential to restart Pure-FTPd after installing the certificate. You can create a Cron job to automatically renew the TLS certificate, which is necessary to reload pure-ftpd to make it pick up the new certificate and private key.

Credit: youtube.com, How To Setup Pure-FTPD On Rocky Linux 8.5 with SSL/TLS Certificates

If you want to use self-signed certificates, you can add --tls to the ADDED_FLAGS and set TLS_CN, TLS_ORG, and TLS_C. However, keep in mind that generated certificates won't be persisted and new ones will be generated on each start.

To enforce TLS encryption, create a file named TLS in the /etc/pure-ftpd/conf/ directory and put the number 2 into it. This will disable plain-text encryption and use TLS encryption only.

Docker and Volumes

You can mount a Docker volume to configure the server and persist uploaded data. It's recommended to use them in production.

To mount a Docker volume, you can use the following directories: /home/ftpusers//etc/pure-ftpd/passwd/etc/ssl/private/

These volumes allow you to persist data and configure the server securely. The /etc/pure-ftpd/passwd directory contains the pureftpd.passwd file, which is read on startup and updated by the pure-pw useradd command.

Docker FTP Server

You can pull down the latest version of the Pure-ftpd Server using Docker with the command sudo docker pull stilliard/pure-ftpd.

A computer room with a monitor and computer
Credit: pexels.com, A computer room with a monitor and computer

To make changes to the server, it's best to either modify the run command or extend the existing image. Rebuilding the entire Docker image via a fork can be slow and rebuilds the entire pure-ftpd package from source.

You can change the command run on start by using the command option with docker-compose or directly with docker run.

Docker Volumes

Docker Volumes are a fantastic way to persist data and configure your server. You can mount a Docker volume to various spots to achieve this.

There are a few key locations where you can mount a Docker volume. One of these is /home/ftpusers/, which is a common convention for FTP data volumes.

You can also mount a volume to /etc/pure-ftpd/passwd, which contains the pureftpd.passwd file. This file is used to store the user database, including passwords and home directories.

This file is read on startup and updated by the pure-pw useradd command. It's a crucial part of managing your FTP users.

Close-up of network server showing organized cable management and patch panels in a data center.
Credit: pexels.com, Close-up of network server showing organized cable management and patch panels in a data center.

Another important spot is /etc/ssl/private/, which contains the server's SSL certificates for TLS support. If you place a pure-ftpd.pem file in this directory, TLS will be enabled automatically.

Here are some key Docker volume locations to keep in mind:

  • /home/ftpusers/ - FTP data volume
  • /etc/pure-ftpd/passwd - User database and password storage
  • /etc/ssl/private/ - SSL certificates for TLS support

Troubleshooting and Monitoring

You can get verbose logs by adding a specific option to your docker run command, which will then be captured by the docker log collector.

Verbose logs will be redirected to the stdout of the container and can be watched with the command docker logs -f ftpd_server.

If you exec into the container, you can watch the logs with tail -f /var/log/messages.

Want a transfer log file? add a specific option to your docker run command.

Advanced Topics

pure-ftpd is a highly customizable server, allowing you to tailor its behavior to your specific needs.

You can change the server's listening port by editing the `Port` directive in the configuration file. This is useful for avoiding conflicts with other services on your system.

Credit: youtube.com, pure-ftpd Setup Passive FTP Ports - CWP

The server can be configured to use a non-standard user ID and group ID by setting the `User` and `Group` directives. This is particularly useful for security purposes.

pure-ftpd supports the use of SSL/TLS encryption for secure file transfers. You can enable this by setting the `TLS` directive to `yes`.

The server also supports the use of virtual users, which can be useful for hosting multiple FTP sites on a single server. You can enable this by setting the `UseIPv6` directive to `no` and configuring the `VirtualUsers` directive.

pure-ftpd can be configured to log its activity to a file, which can be useful for troubleshooting purposes. You can enable this by setting the `Log` directive to a file path.

Frequently Asked Questions

How to check pure FTPd version?

To check the Pure-FTPd version, use a tool like Nmap with the command 'nmap -sV -p 21 targetIP'

How to install pure FTPd on debian?

To install Pure-FTPd on Debian, start by updating your server and then follow the steps to install, configure, and secure the FTP server. Begin with updating your Debian 10 server to the latest version.

Lamar Smitham

Writer

Lamar Smitham is a seasoned writer with a passion for crafting informative and engaging content. With a keen eye for detail and a knack for simplifying complex topics, Lamar has established himself as a trusted voice in the industry. Lamar's areas of expertise include Microsoft Licensing, where he has written in-depth articles that provide valuable insights for businesses and individuals alike.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.