Pure-FTPd is a free, open-source FTP server software available for Ubuntu and other Linux distributions. Designed with a focus on security, performance, and ease of use, Pure-FTPd offers robust features such as support for virtual users, encrypted connections using TLS/SSL, and various authentication mechanisms. It also provides features like limiting bandwidth, restricting user permissions, and enabling anonymous FTP access. Pure-FTPd is often chosen for its simplicity in configuration compared to other FTP servers, making it a popular choice for both small and large-scale deployments on Ubuntu systems.

The File Transfer Protocol (FTP) is a standard network protocol used to transfer files between a client and a server over a network, such as the internet. Developed in the early 1970s, FTP allows users to upload, download, and manage files on a remote server. It operates using two channels: a command channel for controlling the connection and a data channel for transferring files. FTP can work in either active or passive mode, which dictates how the server and client establish connections. While widely used for file transfers, FTP is considered insecure because data, including login credentials, is transmitted in plain text; I will show you in this guide how to configure Pure-FTPd to use FTPS (FTP over SSL/TLS), making FTP secure.

This tutorial guides you step-by-step through the process of installing and configuring Pure-FTPd on Ubuntu.

Prerequisites for Installing Pure-FTPd

Before proceeding with the installation, ensure you have:

  • An Ubuntu server setup
  • Access to a user account with sudo privileges

Step-by-Step Installation of Pure-FTPd

Updating System Packages

First, update your system’s package list:

sudo apt update

Installing Pure-FTPd

Next, install Pure-FTPd using the following command:

sudo apt install pure-ftpd

Configuring Pure-FTPd for Enhanced Security

Setting Up a Secure Environment

Create a dedicated group for FTP users:

sudo groupadd ftpgroup

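Create an unprivileged system user for Pure-FTPd. The virtual FTP accounts created below map to this user, which has no home directory and no valid login shell: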

sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser

Managing User Access

To add a virtual user to the FTP server (pure-pw prompts for the new password) and then rebuild the user database:

sudo pure-pw useradd [username] -u ftpuser -g ftpgroup -d /home/ftpusers/[username]

sudo pure-pw mkdb

Replace [username] with the desired username.

Configuring TLS for Secure Data Transfer

Generate a self-signed certificate:

sudo openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

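Modify the Pure-FTPd configuration to activate TLS. The value 1 makes the server accept both TLS and plain-text sessions; 2 refuses logins that do not use TLS, and 3 also requires the data connection to be encrypted: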

echo 1 | sudo tee /etc/pure-ftpd/conf/TLS

sudo service pure-ftpd restart

Advanced Configuration Options

Here’s a list of common settings that can be configured for Pure-FTPd in the /etc/pure-ftpd/conf/ directory on Ubuntu. Each setting is a file in that directory; the file name is the part before the colon.

  • AltLog: Specifies alternative logging methods. For instance, AltLog clf:/var/log/pureftpd.log will log transfers in W3C format.
  • AnonymousOnly: When enabled (by creating a file named AnonymousOnly), it restricts the server to allow only anonymous logins.
  • AntiWarez: If this file exists, users are forbidden to upload files that already exist on the server.
  • AutoRename: Automatically renames uploaded files if a file with the same name exists.
  • Bind: Binds the server to a specific IP address and port. For example, Bind 21 binds to port 21 on all available addresses.
  • BrokenClientsCompatibility: Enables compatibility with FTP clients that do not strictly adhere to FTP standards.
  • ChrootEveryone: If enabled, restricts all users to their home directory.
  • CreateHomeDir: Automatically creates home directories if they do not exist when a user logs in.
  • CustomerProof: Increases resilience against common mistakes made in client configurations and commands.
  • Daemonize: When this file exists, Pure-FTPd will run as a daemon.
  • DisplayDotFiles: Controls whether dot files (hidden files) are displayed or not.
  • DontResolve: Prevents DNS resolution for logging and bandwidth control, which can improve performance.
  • ExtAuth: Specifies an external program for user authentication.
  • ForcePassiveIP: Forces the server to report a specific IP address to passive mode clients.
  • FSCharset: Sets the file system character set, useful for non-ASCII filenames.
  • IPv4Only or IPv6Only: Restricts the server to listen to IPv4 or IPv6 addresses only.
  • KeepAllFiles: Prevents deletion of any files on the server.
  • LDAPConfigFile: Specifies the path to the LDAP configuration file for authentication.
  • LimitRecursion: Limits the recursion depth and number of files displayed in directory listings.
  • MaxClientsNumber: Limits the maximum number of simultaneous clients.
  • MaxClientsPerIP: Restricts the number of simultaneous connections from a single IP address.
  • MaxDiskUsage: Limits the percentage of disk usage.
  • MaxIdleTime: Sets the maximum idle time in minutes before disconnecting a client.
  • MaxLoad: Disconnects clients or refuses new connections above a certain system load.
  • MinUID: Sets the minimum UID for login. Users with a lower UID cannot log in.
  • MySQLConfigFile: Specifies the path to the MySQL configuration file for database-based authentication.
  • NoAnonymous: Disables anonymous logins if this file exists.
  • NoChmod: Disables the CHMOD command on the server.
  • NoRename: Prevents users from renaming files.
  • PassivePortRange: Defines a range of ports for passive connections (e.g., 30000 35000).
  • PerUserLimits: Sets limits on a per-user basis.
  • PureDB: Specifies the path to the PureDB user database file.
  • Quota: Sets user quota limits.
  • SyslogFacility: Defines the syslog facility for logging.
  • TLSCipherSuite: Specifies the allowed TLS ciphers for encrypted connections.
  • TrustedGID: Specifies a list of trusted group IDs for login.
  • UMask: Sets the default umask for file creation.
  • UnixAuthentication: Enables authentication against the UNIX password database.
  • UploadScript: Specifies a script to run after a successful upload.

This list covers the most commonly used configuration options but is not exhaustive. Always refer to the official Pure-FTPd documentation or use the

pure-ftpd-wrapper --help

command for the most accurate and comprehensive information.

Examples

Here is a list of Pure-FTPd settings in /etc/pure-ftpd/conf/ with examples to illustrate the types of values they accept:

  • AltLog: AltLog clf:/var/log/pureftpd.log
    • Example: clf:/var/log/pureftpd.log
  • AnonymousOnly: Enable by creating a file named AnonymousOnly.
    • No value needed.
  • AntiWarez: Enable by creating a file named AntiWarez.
    • No value needed.
  • AutoRename: Enable by creating a file named AutoRename.
    • No value needed.
  • Bind: Bind 21
    • Example: 192.168.0.1,21
  • BrokenClientsCompatibility: Enable by creating a file named BrokenClientsCompatibility.
    • No value needed.
  • ChrootEveryone: Enable by creating a file named ChrootEveryone.
    • No value needed.
  • CreateHomeDir: Enable by creating a file named CreateHomeDir.
    • No value needed.
  • CustomerProof: Enable by creating a file named CustomerProof.
    • No value needed.
  • Daemonize: Enable by creating a file named Daemonize.
    • No value needed.
  • DisplayDotFiles: Enable by creating a file named DisplayDotFiles.
    • No value needed.
  • DontResolve: Enable by creating a file named DontResolve.
    • No value needed.
  • ExtAuth: ExtAuth /path/to/authenticator
    • Example: /usr/local/bin/myauth
  • ForcePassiveIP: ForcePassiveIP 192.168.0.1
    • Example: 192.168.0.1
  • FSCharset: FSCharset utf-8
    • Example: utf-8
  • IPv4Only or IPv6Only: Enable by creating a file named IPv4Only or IPv6Only.
    • No value needed.
  • KeepAllFiles: Enable by creating a file named KeepAllFiles.
    • No value needed.
  • LDAPConfigFile: LDAPConfigFile /etc/pure-ftpd/ldap.conf
    • Example: /etc/pure-ftpd/ldap.conf
  • LimitRecursion: LimitRecursion 10000 8
    • Example: 10000 8 (10000 files, 8 levels deep)
  • MaxClientsNumber: MaxClientsNumber 50
    • Example: 50
  • MaxClientsPerIP: MaxClientsPerIP 8
    • Example: 8
  • MaxDiskUsage: MaxDiskUsage 95
    • Example: 95 (95 percent)
  • MaxIdleTime: MaxIdleTime 15
    • Example: 15 (15 minutes)
  • MaxLoad: MaxLoad 4.0
    • Example: 4.0
  • MinUID: MinUID 1000
    • Example: 1000
  • MySQLConfigFile: MySQLConfigFile /etc/pure-ftpd/mysql.conf
    • Example: /etc/pure-ftpd/mysql.conf
  • NoAnonymous: Enable by creating a file named NoAnonymous.
    • No value needed.
  • NoChmod: Enable by creating a file named NoChmod.
    • No value needed.
  • NoRename: Enable by creating a file named NoRename.
    • No value needed.
  • PassivePortRange: PassivePortRange 30000 35000
    • Example: 30000 35000
  • PerUserLimits: PerUserLimits 8
    • Example: 8 (8 simultaneous connections per user)
  • PureDB: PureDB /etc/pure-ftpd/pureftpd.pdb
    • Example: /etc/pure-ftpd/pureftpd.pdb
  • Quota: Quota 1000M
    • Example: 1000M (1000 Megabytes)
  • SyslogFacility: SyslogFacility ftp
    • Example: ftp
  • TLSCipherSuite: TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    • Example: HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
  • TrustedGID: TrustedGID 1000
    • Example: 1000
  • UMask: UMask 133:022
    • Example: 133:022 (Files: 133, Directories: 022)
  • UnixAuthentication: Enable by creating a file named UnixAuthentication.
    • No value needed.
  • UploadScript: UploadScript /path/to/script
    • Example: /usr/local/bin/uploadscript

These examples should clarify how to configure various options in Pure-FTPd.
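The following shell function is an added example, not part of the original tutorial or of Pure-FTPd: it audits a one-file-per-option directory for the security-relevant settings described above (TLS, NoAnonymous, ChrootEveryone, AnonymousOnly) and checks that the PEM file holding the private key is readable by its owner only. It assumes the first line of each file is the value and that on/off options hold yes, 1 or on; the function names and the demo directory are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a Pure-FTPd one-file-per-option directory.
# Assumption: first line of each file is the value; on/off options hold yes/1/on.

# opt DIR NAME -> first line of the option file, whitespace removed (empty if absent)
opt() {
    if [ -f "$1/$2" ]; then head -n 1 "$1/$2" | tr -d '[:space:]'; fi
}

# is_on DIR NAME -> succeeds when the on/off option is enabled
is_on() {
    case "$(opt "$1" "$2" | tr 'A-Z' 'a-z')" in
        yes|1|on) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_pureftpd_conf DIR [PEM] -> one finding per line; exit status 1 if any finding
audit_pureftpd_conf() {
    a_dir=$1
    a_pem=${2:-/etc/ssl/private/pure-ftpd.pem}
    a_bad=0
    case "$(opt "$a_dir" TLS)" in
        2|3) ;;  # plain-text logins refused (3 also forces encrypted data channels)
        1) echo "TLS=1: plain-text logins are still accepted; set 2 or 3"; a_bad=1 ;;
        *) echo "TLS is off: credentials cross the network in plain text"; a_bad=1 ;;
    esac
    is_on "$a_dir" NoAnonymous || { echo "NoAnonymous is not enabled"; a_bad=1; }
    is_on "$a_dir" ChrootEveryone || { echo "ChrootEveryone is not enabled"; a_bad=1; }
    if is_on "$a_dir" AnonymousOnly; then echo "AnonymousOnly is enabled"; a_bad=1; fi
    if [ -f "$a_pem" ]; then
        # The PEM holds the private key: group/other permission bits must all be clear.
        a_perm=$(ls -ld "$a_pem" | cut -c5-10)
        [ "$a_perm" = "------" ] || { echo "$a_pem is accessible beyond its owner ($a_perm)"; a_bad=1; }
    else
        echo "certificate/key file $a_pem not found"; a_bad=1
    fi
    return "$a_bad"
}

# Constructed demo directory: only TLS=1 is set and the PEM is world-readable.
demo=$(mktemp -d); echo 1 > "$demo/TLS"; : > "$demo/pem"; chmod 644 "$demo/pem"
audit_pureftpd_conf "$demo" "$demo/pem" || true
rm -rf "$demo"
```

On a real server, run it as audit_pureftpd_conf /etc/pure-ftpd/conf with sufficient privileges to read /etc/ssl/private.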

Monitoring and Maintenance

Regularly check logs in /var/log/pure-ftpd/ for any unusual activities or errors.
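One way to turn that log review into a repeatable check, as an added example that is not part of the original tutorial: the function below counts "Authentication failed" warnings per source address and lists the addresses at or above a threshold. It assumes Pure-FTPd's syslog-style message lines; the sample lines are constructed (documentation address ranges), and on a real server you would feed it whichever log file receives the daemon's messages.

```shell
#!/bin/sh
# Added example: summarise failed FTP logins per source address.

# Constructed sample lines in the daemon's "(user@host) [LEVEL] message" style.
sample_log() {
cat <<'EOF'
Mar  3 10:01:11 ftp1 pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Mar  3 10:01:12 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Mar  3 10:01:14 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
Mar  3 10:01:17 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [test]
Mar  3 10:05:40 ftp1 pure-ftpd: (?@198.51.100.20) [INFO] New connection from 198.51.100.20
Mar  3 10:05:42 ftp1 pure-ftpd: (?@198.51.100.20) [WARNING] Authentication failed for user [bob]
Mar  3 10:05:49 ftp1 pure-ftpd: (?@198.51.100.20) [INFO] bob is now logged in
EOF
}

# failed_logins THRESHOLD < log
# Prints "count address" for every address with at least THRESHOLD failures,
# highest count first.
failed_logins() {
    awk -v min="$1" '
        /\[WARNING\] Authentication failed for user/ {
            # The source address sits between "@" and ")" in the "(user@host)" prefix.
            if (match($0, /@[^)]+\)/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Demo on the constructed sample: only the address with three failures is listed.
sample_log | failed_logins 3
```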