How to install and configure pure-ftpd
This is how to install and configure the pure-ftpd ftp server on your Ubuntu or Debian server or workstation.
First use apt to download and install the pure-ftpd package - it is available from default repositories :
root@box:~# apt-get install pure-ftpd
.
.
.
Setting up pure-ftpd (1.0.21-11ubuntu1) ...
Starting ftp server: Running: /usr/sbin/pure-ftpd -l pam -u 1000 -E -O clf:/var/log/pure-ftpd/transfer.log -B
As the latest line of apt output tells us, the server is already started with some default options passed to the binary via the command line.
The way to configure pure-ftpd is quite different from to other Debian / Ubuntu software. When installed as a service and started during the init process, pure-ftpd is invoked by a script called pure-ftpd-wrapper. What’s unusual is that instead of reading a single configuration file for all options, the script uses a directory full of one-line files. Let’s have a look in /etc/pure-ftpd/conf :
root@box:~# cd /etc/pure-ftpd/conf/
root@box:/etc/pure-ftpd/conf# ls -la
total 24K
-rw-r--r-- 1 root 36 2007-06-22 02:01 AltLog
-rw-r--r-- 1 root 5 2007-06-22 02:01 MinUID
-rw-r--r-- 1 root 4 2007-06-22 02:01 NoAnonymous
-rw-r--r-- 1 root 4 2007-06-22 02:01 PAMAuthentication
-rw-r--r-- 1 root 28 2007-06-22 02:01 PureDB
-rw-r--r-- 1 root 3 2007-06-22 02:01 UnixAuthentication
Each of those files describes a command-line option of the pure-ftpd server. For example, the file AltLog contains the format of, and path to, the tranfer log file :
root@box:/etc/pure-ftpd/conf# cat AltLog
clf:/var/log/pure-ftpd/transfer.log
Let’s now set some of the basic options by editing those one-liners (our server will listen to port 21 on all available interfaces, and will use IP 12.34.56.78 and ports 4500-4600 for passive mode - don’t forget to forward those from your NAT router if you are behind one):
root@box:/etc/pure-ftpd/conf# echo ,21 > Bind
root@box:/etc/pure-ftpd/conf# echo 12.34.56.78 > ForcePassiveIP
root@box:/etc/pure-ftpd/conf# echo 4500 4600 > PassivePortRange
Now for some recommended security stuff :
root@box:/etc/pure-ftpd/conf# echo yes > ChrootEveryone
root@box:/etc/pure-ftpd/conf# echo yes > ProhibitDotFilesRead
root@box:/etc/pure-ftpd/conf# echo yes > ProhibitDotFilesWrite
root@box:/etc/pure-ftpd/conf# echo yes > NoChmod
root@box:/etc/pure-ftpd/conf# echo yes > BrokenClientsCompatibility
Let’s also set some limits to avoid abuse :
root@box:/etc/pure-ftpd/conf# echo 4 > MaxClientsPerIP
root@box:/etc/pure-ftpd/conf# echo 20 > MaxClientsNumber
Now the important thing we need to decide is what user authorization method(s) our server will support. Options include Unix Authentication (anyone with a login account on the server will have ftp access), but I chose PureDB authentication, which involves a dedicated pure-ftpd “virtual users” base.
So let’s disable Unix and PAM auth, set the path to the PureDB user file, and add PureDB as an auth method by linking to it from the /etc/pure-ftpd/auth directory :
root@box:/etc/pure-ftpd/conf# echo no > PAMAuthentication
root@box:/etc/pure-ftpd/conf# echo no > UnixAuthentication
root@box:/etc/pure-ftpd/conf# echo /etc/pure-ftpd/pureftpd.pdb > PureDB
root@box:/etc/pure-ftpd/conf# ln -s /etc/pure-ftpd/conf/PureDB ../auth/50pure
Let’s now create a (system) user and group that will be bound to all ftp virtual users. For security reasons, that special user should have no home directory (-d /bin/null) and no shell access (-s /bin/false) :
root@box:/etc/pure-ftpd/conf# groupadd -g 2001 ftpgroup
root@box:/etc/pure-ftpd/conf# useradd -u 2001 -s /bin/false -d /bin/null -c "pureftpd user" -g ftpgroup ftpuser
We can now use the pure-pw command to add our first virtual user (don’t forget the “pure-pw mkdb” command : it is required to commit/confirm changes to the user file)
root@box:/etc/pure-ftpd/conf# pure-pw useradd myfirstuser -u ftpuser -d /var/ftp/public/
Password:
Enter it again:
root@box:/etc/pure-ftpd/conf# pure-pw mkdb
Let’s add TLS/SSL support and generate a private certificate (you will be asked to provide some information to put in the cert)
root@box:/etc/pure-ftpd/conf# apt-get install openssl
root@box:/etc/pure-ftpd/conf# echo 1 > TLS
root@box:/etc/pure-ftpd/conf# openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Generating a 1024 bit RSA private key
.
.
.
root@box:/etc/pure-ftpd/conf# chmod 600 /etc/ssl/private/pure-ftpd.pem
Let’s finally restart the server with our all-new config :
root@box:/etc/pure-ftpd/conf# /etc/init.d/pure-ftpd restart
Restarting ftp server: Running: /usr/sbin/pure-ftpd -l puredb:/etc/pure-ftpd/pureftpd.pdb -X -b -u 1000 -C 4 -E -S ,21 -x -c 20 -R -A -p 4500:4600 -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -P 12.34.56.78 -B
All done ! Enjoy a simple, robust and secure ftp server.
You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
How to change line ProhibitDotFiles read, I made msitake miss one letter. And the server shows error, how to disable that line
I followed your letter to the T, but when I attempt to login using the user I created I get a password failure, I re-ran the user add portion to create another user with the same results, any ideas?
Same error as Brandon. What’s wrong?
I have the same error and Brandon also. I cannot log in.. I also tried with TLS set to 0 using regular http://FTP... same. Transcript:
220———- Welcome to Pure-FTPd [privsep] [TLS] ———-
220-You are user number 1 of 12 allowed.
220-Local time is now 22:53. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
USER example
331 User example OK. Password required
PASS ********
530 Login authentication failed
Other than that (rather serious problem) you guide was great! Would perhaps also benefit from some additional commentary to help people know what’s going on and what they might want to change and what they should not!
Thanks for your efforts.
SOLUTION: I suspected it was a problem with the PureDB linking. Referring to another guide similar to this (this one is better actually) I recreated the link and it worked. Here’s the difference: it worked when the link was made the reverse way, FROM the auth directory back to the conf directory:
root@box:/etc/pure-ftpd/auth# ln -s ../conf/PureDB
Then restart the server. Should work!
@Casey : you are right, my linking was wrong ! I have just corrected it by adding the full path :
root@box:/etc/pure-ftpd/conf# ln -s /etc/pure-ftpd/conf/PureDB ../auth/50pure
instead of previously (wrong syntax) :
root@box:/etc/pure-ftpd/conf# ln -s PureDB ../auth/50pure
Thanks a lot for letting me know and sorry about the typo.
Is it possible to allow a virtual user to transverse downward through the directory tree while restricting them from transversing up the tree?
EXAMPLE:
newuser Home directory: /var/ftp/public
Requirements: Allow ‘newuser’ to log in and not be allowed to view /var/ftp, but allow them to view /var/ftp/public (and anything below).
newuser needs r/w access to ‘public’ and read only to anything below ‘public’.
Thank you for the tips!
Can someone please help me out. I followed this instructions and even tried the PureDB fix mentioned in the comments here, however I still get password errors when I try to log in! Any ideas?
Make sure that you have the /var/ftp/public path.
[...] How to configure pure-ftpd-mysql on ubuntu: http://www.ubuntu-howto.info/howto/how-to-install-and-configure-pure-ftpd [...]
Gracias por el tutorial -> Thanks for tutorial is very good.
From Spain.
Hi,
I have a Problem with the Homedirectory “/bin/null”. Do I have to create this directory? But even after creating this directory with 777 privileges it doesen’t work.
My FTP- Client says ” Home directory not available - aborting “.
Has someone any ideas?
Hi again,
I found the mistake myself…… sorry…… everything works….
Thank you for the great howto
Hi Thomas and thank you for your lovely guide! I have this site saved as a bookmark, incase I would forget something
But I also noticed that this only works with explicit SSL, but how can I get implicit SSL? Tried to google for it in hours but no success at all.
Regards
/iskall
If someone needs to delete the users used in this tutorial in reverse order he will need to do the following:
pure-pw userdel myfirstuser
userdel -r ftpuser
groupdel ftpgroup
And then you can redo step 8 (Let’s now create a (system) user and group that will be bound to all ftp virtual users.) with different names.
This seems to work but does someone know how to change the time out interval. I can log on from a windows box on a ftp client but i can’t create anything and then I get disconnected after about 15 sek
I cannot connect to the server with my user.
WinSock 2.0 — OpenSSL 0.9.7g 11 Apr 2005
[R] Connecting to Ubuntu -> IP=192.168.0.4 PORT=1980
[R] Connected to Ubuntu
[R] 220———- Welcome to Pure-FTPd [privsep] [TLS] ———-
[R] 220-You are user number 1 of 20 allowed.
[R] 220-Local time is now 00:48. Server port: 1980.
[R] 220-This is a private system - No anonymous login
[R] 220-IPv6 connections are also welcome on this server.
[R] 220 You will be disconnected after 15 minutes of inactivity.
[R] USER afo
[R] 331 User afo OK. Password required
[R] PASS (hidden)
[R] 530 Login authentication failed
[R] Connection failed
[R] Delaying for 120 seconds before reconnect attempt #1
Any ide?
I would just like to add my thanks for a fantastic how-to.
Worked first time and did exactly what I needed.
The only other thing I wanted was to allow *ONLY* TLS encrypted connections.
I achieved this by setting the TLS option to a higher number. (as explained in the README.TLS doc)
eg:
echo 2 > TLS
according to the docs, valid values are 0 to 3 - here is a quick summary
0: no encryption enabled
1: encryption enabled but optional
2: encryption required on control channel but option on data channels
3: encryption require for all communications
I actually wanted to use option 3 but looking at the man page for my install, it appears my version does not support it.
Just did a fresh Install and configuration from the above tutorial, and when I attempt to connect I get this.
root@dragon-server:/etc/pure-ftpd/conf# ftp 192.168.1.201
Connected to 192.168.1.201.
220———- Welcome to Pure-FTPd [privsep] [TLS] ———-
220-You are user number 1 of 20 allowed.
220-Local time is now 10:17. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.1.201:jamie): jamie
331 User jamie OK. Password required
Password:
421 Service not available, remote server has closed connection
Login failed.
No control connection for command: No such file or directory
ftp>
It appears to be work as far as I can tell.
root@dragon-server:/etc/pure-ftpd/conf# sudo /etc/init.d/pure-ftpd restart
Restarting ftp server: Running: /usr/sbin/pure-ftpd -l puredb:/etc/pure-ftpd/pureftpd.pdb -x -c 20 -Y 1 -C 4 -R -p 4500:4600 -X -b -P 192.168.1.201 -O clf:/var/log/pure-ftpd/transfer.log -A -u 1000 -E -S ,21 -B
root@dragon-server:/etc/pure-ftpd/conf#
Any Idea?
[...] http://www.ubuntu-howto.info/howto/how-to-install-and-configure-pure-ftpd [...]
I tried both filenames ‘TLS’ and ‘tls’ but Ubuntu karmic gives this error when trying to use TLS option as described above:
sudo /etc/init.d/pure-ftpd restart
Restarting ftp server: /usr/sbin/pure-ftpd-wrapper: Invalid configuration file /etc/pure-ftpd/conf/tls: No corresponding directive
Is the version available through the repositories not compiled with TLS/SSL support? That would be a major boner.
Thanks for any help.
Please help me here. I have followed this to the letter (since the changes you made) and it is still not working.
When I goto restart I get this error
Restarting FTP Server: /usr/sbin/pure-ftp-wrapper: Invalid Configuratin file / etc/pure-ftpd/conf/50pure: No corresponding directive
I am running karmic.
Connected to 192.168.1.4.
220———- Welcome to Pure-FTPd [privsep] [TLS] ———-
220-You are user number 1 of 20 allowed.
220-Local time is now 21:50. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.1.4:braincheese): beavis
331 User beavis OK. Password required
Password:
421 Service not available, remote server has closed connection
Login failed.
No control connection for command: No such file or directory
ftp>
I even fixed the link but get this error. ?
I fixed it. It was a pure-pw.pdb problem. Just deleted it and ran pure-pw mkdb
Great guide!
I’m interested in a reference to a complete list of files considered in the conf directory - do you have that?
Thanks!
This is the best howto for pure-ftpd on Debian. Thank You!!!!!!!!
Great tutorial! Exactly what I was looking for.
One quick question for you if at all possible, though: I seem to be having the MLSD problem where the connection is successful until the client (filezilla) calls the MLSD command is run, then it times out. And I’m not quite sure what MLSD/T is supposed to do, exactly. Supposedly if one were to change the MLSD protocol to MLST, it fixes this issue. I have no idea how to do this, though. Any thoughts?
No idea sorry, maybe other readers have ran into similar issues, personally I didn’t.
Thanks for reading my posts and good luck with your server !