How to install and configure pure-ftpd

This is how to install and configure the pure-ftpd ftp server on your Ubuntu or Debian server or workstation.
First use apt to download and install the pure-ftpd package – it is available from default repositories :

root@box:~# apt-get install pure-ftpd
.
.
.
Setting up pure-ftpd (1.0.21-11ubuntu1) …
Starting ftp server: Running: /usr/sbin/pure-ftpd -l pam -u 1000 -E -O clf:/var/log/pure-ftpd/transfer.log -B

As the latest line of apt output tells us, the server is already started with some default options passed to the binary via the command line.

The way to configure pure-ftpd is quite different from to other Debian / Ubuntu software. When installed as a service and started during the init process, pure-ftpd is invoked by a script called pure-ftpd-wrapper. What’s unusual is that instead of reading a single configuration file for all options, the script uses a directory full of one-line files. Let’s have a look in /etc/pure-ftpd/conf :

root@box:~# cd /etc/pure-ftpd/conf/
root@box:/etc/pure-ftpd/conf# ls -la
total 24K
-rw-r–r– 1 root 36 2007-06-22 02:01 AltLog
-rw-r–r– 1 root 5 2007-06-22 02:01 MinUID
-rw-r–r– 1 root 4 2007-06-22 02:01 NoAnonymous
-rw-r–r– 1 root 4 2007-06-22 02:01 PAMAuthentication
-rw-r–r– 1 root 28 2007-06-22 02:01 PureDB
-rw-r–r– 1 root 3 2007-06-22 02:01 UnixAuthentication

Each of those files describes a command-line option of the pure-ftpd server. For example, the file AltLog contains the format of, and path to, the tranfer log file :


root@box:/etc/pure-ftpd/conf# cat AltLog
clf:/var/log/pure-ftpd/transfer.log

Let’s now set some of the basic options by editing those one-liners (our server will listen to port 21 on all available interfaces, and will use IP 12.34.56.78 and ports 4500-4600 for passive mode – don’t forget to forward those from your NAT router if you are behind one):

root@box:/etc/pure-ftpd/conf# echo ,21 > Bind
root@box:/etc/pure-ftpd/conf# echo 12.34.56.78 > ForcePassiveIP
root@box:/etc/pure-ftpd/conf# echo 4500 4600 > PassivePortRange

Now for some recommended security stuff :

root@box:/etc/pure-ftpd/conf# echo yes > ChrootEveryone
root@box:/etc/pure-ftpd/conf# echo yes > ProhibitDotFilesRead
root@box:/etc/pure-ftpd/conf# echo yes > ProhibitDotFilesWrite
root@box:/etc/pure-ftpd/conf# echo yes > NoChmod
root@box:/etc/pure-ftpd/conf# echo yes > BrokenClientsCompatibility

Let’s also set some limits to avoid abuse :

root@box:/etc/pure-ftpd/conf# echo 4 > MaxClientsPerIP
root@box:/etc/pure-ftpd/conf# echo 20 > MaxClientsNumber

Now the important thing we need to decide is what user authorization method(s) our server will support. Options include Unix Authentication (anyone with a login account on the server will have ftp access), but I chose PureDB authentication, which involves a dedicated pure-ftpd “virtual users” base.
So let’s disable Unix and PAM auth, set the path to the PureDB user file, and add PureDB as an auth method by linking to it from the /etc/pure-ftpd/auth directory :


root@box:/etc/pure-ftpd/conf# echo no > PAMAuthentication
root@box:/etc/pure-ftpd/conf# echo no > UnixAuthentication
root@box:/etc/pure-ftpd/conf# echo /etc/pure-ftpd/pureftpd.pdb > PureDB
root@box:/etc/pure-ftpd/conf# ln -s /etc/pure-ftpd/conf/PureDB ../auth/50pure

Let’s now create a (system) user and group that will be bound to all ftp virtual users. For security reasons, that special user should have no home directory (-d /dev/null) and no shell access (-s /bin/false) :


root@box:/etc/pure-ftpd/conf# groupadd -g 2001 ftpgroup
root@box:/etc/pure-ftpd/conf# useradd -u 2001 -s /bin/false -d /dev/null -c “pureftpd user” -g ftpgroup ftpuser

We can now use the pure-pw command to add our first virtual user (don’t forget the “pure-pw mkdb” command : it is required to commit/confirm changes to the user file)

root@box:/etc/pure-ftpd/conf# pure-pw useradd myfirstuser -u ftpuser -d /var/ftp/public/

Password:
Enter it again:

root@box:/etc/pure-ftpd/conf# pure-pw mkdb

Let’s add TLS/SSL support and generate a private certificate (you will be asked to provide some information to put in the cert)

root@box:/etc/pure-ftpd/conf# apt-get install openssl
root@box:/etc/pure-ftpd/conf# echo 1 > TLS
root@box:/etc/pure-ftpd/conf# openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Generating a 1024 bit RSA private key
.
.
.
root@box:/etc/pure-ftpd/conf# chmod 600 /etc/ssl/private/pure-ftpd.pem

Let’s finally restart the server with our all-new config :

root@box:/etc/pure-ftpd/conf# /etc/init.d/pure-ftpd restart
Restarting ftp server: Running: /usr/sbin/pure-ftpd -l puredb:/etc/pure-ftpd/pureftpd.pdb -X -b -u 1000 -C 4 -E -S ,21 -x -c 20 -R -A -p 4500:4600 -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -P 12.34.56.78 -B

All done ! Enjoy a simple, robust and secure ftp server.

42 Replies to “How to install and configure pure-ftpd”

  1. How to change line ProhibitDotFiles read, I made msitake miss one letter. And the server shows error, how to disable that line

  2. I followed your letter to the T, but when I attempt to login using the user I created I get a password failure, I re-ran the user add portion to create another user with the same results, any ideas?

  3. I have the same error and Brandon also. I cannot log in.. I also tried with TLS set to 0 using regular http://FTP… same. Transcript:

    220———- Welcome to Pure-FTPd [privsep] [TLS] ———-
    220-You are user number 1 of 12 allowed.
    220-Local time is now 22:53. Server port: 21.
    220-This is a private system – No anonymous login
    220 You will be disconnected after 15 minutes of inactivity.
    USER example
    331 User example OK. Password required
    PASS ********
    530 Login authentication failed

    Other than that (rather serious problem) you guide was great! Would perhaps also benefit from some additional commentary to help people know what’s going on and what they might want to change and what they should not!

    Thanks for your efforts.

  4. SOLUTION: I suspected it was a problem with the PureDB linking. Referring to another guide similar to this (this one is better actually) I recreated the link and it worked. Here’s the difference: it worked when the link was made the reverse way, FROM the auth directory back to the conf directory:

    root@box:/etc/pure-ftpd/auth# ln -s ../conf/PureDB

    Then restart the server. Should work!

    1. @Casey : you are right, my linking was wrong ! I have just corrected it by adding the full path :

      root@box:/etc/pure-ftpd/conf# ln -s /etc/pure-ftpd/conf/PureDB ../auth/50pure

      instead of previously (wrong syntax) :

      root@box:/etc/pure-ftpd/conf# ln -s PureDB ../auth/50pure

      Thanks a lot for letting me know and sorry about the typo.

  5. Is it possible to allow a virtual user to transverse downward through the directory tree while restricting them from transversing up the tree?

    EXAMPLE:
    newuser Home directory: /var/ftp/public

    Requirements: Allow ‘newuser’ to log in and not be allowed to view /var/ftp, but allow them to view /var/ftp/public (and anything below).

    newuser needs r/w access to ‘public’ and read only to anything below ‘public’.

  6. Can someone please help me out. I followed this instructions and even tried the PureDB fix mentioned in the comments here, however I still get password errors when I try to log in! Any ideas?

  7. Hi,
    I have a Problem with the Homedirectory “/bin/null”. Do I have to create this directory? But even after creating this directory with 777 privileges it doesen’t work.

    My FTP- Client says ” Home directory not available – aborting “.

    Has someone any ideas?

  8. Hi Thomas and thank you for your lovely guide! I have this site saved as a bookmark, incase I would forget something 🙂

    But I also noticed that this only works with explicit SSL, but how can I get implicit SSL? Tried to google for it in hours but no success at all.

    Regards
    /iskall

  9. If someone needs to delete the users used in this tutorial in reverse order he will need to do the following:

    pure-pw userdel myfirstuser
    userdel -r ftpuser
    groupdel ftpgroup

    And then you can redo step 8 (Let’s now create a (system) user and group that will be bound to all ftp virtual users.) with different names.

  10. This seems to work but does someone know how to change the time out interval. I can log on from a windows box on a ftp client but i can’t create anything and then I get disconnected after about 15 sek

  11. I cannot connect to the server with my user.

    WinSock 2.0 — OpenSSL 0.9.7g 11 Apr 2005
    [R] Connecting to Ubuntu -> IP=192.168.0.4 PORT=1980
    [R] Connected to Ubuntu
    [R] 220———- Welcome to Pure-FTPd [privsep] [TLS] ———-
    [R] 220-You are user number 1 of 20 allowed.
    [R] 220-Local time is now 00:48. Server port: 1980.
    [R] 220-This is a private system – No anonymous login
    [R] 220-IPv6 connections are also welcome on this server.
    [R] 220 You will be disconnected after 15 minutes of inactivity.
    [R] USER afo
    [R] 331 User afo OK. Password required
    [R] PASS (hidden)
    [R] 530 Login authentication failed
    [R] Connection failed
    [R] Delaying for 120 seconds before reconnect attempt #1

    Any ide?

  12. I would just like to add my thanks for a fantastic how-to.

    Worked first time and did exactly what I needed.
    The only other thing I wanted was to allow *ONLY* TLS encrypted connections.

    I achieved this by setting the TLS option to a higher number. (as explained in the README.TLS doc)

    eg:

    echo 2 > TLS

    according to the docs, valid values are 0 to 3 – here is a quick summary

    0: no encryption enabled
    1: encryption enabled but optional
    2: encryption required on control channel but option on data channels
    3: encryption require for all communications

    I actually wanted to use option 3 but looking at the man page for my install, it appears my version does not support it.

  13. Just did a fresh Install and configuration from the above tutorial, and when I attempt to connect I get this.

    root@dragon-server:/etc/pure-ftpd/conf# ftp 192.168.1.201
    Connected to 192.168.1.201.
    220———- Welcome to Pure-FTPd [privsep] [TLS] ———-
    220-You are user number 1 of 20 allowed.
    220-Local time is now 10:17. Server port: 21.
    220-This is a private system – No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    Name (192.168.1.201:jamie): jamie
    331 User jamie OK. Password required
    Password:
    421 Service not available, remote server has closed connection
    Login failed.
    No control connection for command: No such file or directory
    ftp>

    It appears to be work as far as I can tell.

    root@dragon-server:/etc/pure-ftpd/conf# sudo /etc/init.d/pure-ftpd restart
    Restarting ftp server: Running: /usr/sbin/pure-ftpd -l puredb:/etc/pure-ftpd/pureftpd.pdb -x -c 20 -Y 1 -C 4 -R -p 4500:4600 -X -b -P 192.168.1.201 -O clf:/var/log/pure-ftpd/transfer.log -A -u 1000 -E -S ,21 -B
    root@dragon-server:/etc/pure-ftpd/conf#

    Any Idea?

  14. I tried both filenames ‘TLS’ and ‘tls’ but Ubuntu karmic gives this error when trying to use TLS option as described above:

    sudo /etc/init.d/pure-ftpd restart
    Restarting ftp server: /usr/sbin/pure-ftpd-wrapper: Invalid configuration file /etc/pure-ftpd/conf/tls: No corresponding directive

    Is the version available through the repositories not compiled with TLS/SSL support? That would be a major boner.

    Thanks for any help.

  15. Please help me here. I have followed this to the letter (since the changes you made) and it is still not working.

    When I goto restart I get this error

    Restarting FTP Server: /usr/sbin/pure-ftp-wrapper: Invalid Configuratin file / etc/pure-ftpd/conf/50pure: No corresponding directive

    I am running karmic.

  16. Connected to 192.168.1.4.
    220———- Welcome to Pure-FTPd [privsep] [TLS] ———-
    220-You are user number 1 of 20 allowed.
    220-Local time is now 21:50. Server port: 21.
    220-This is a private system – No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    Name (192.168.1.4:braincheese): beavis
    331 User beavis OK. Password required
    Password:
    421 Service not available, remote server has closed connection
    Login failed.
    No control connection for command: No such file or directory
    ftp>

    I even fixed the link but get this error. ?

  17. Great guide!
    I’m interested in a reference to a complete list of files considered in the conf directory – do you have that?

    Thanks!

  18. Great tutorial! Exactly what I was looking for.

    One quick question for you if at all possible, though: I seem to be having the MLSD problem where the connection is successful until the client (filezilla) calls the MLSD command is run, then it times out. And I’m not quite sure what MLSD/T is supposed to do, exactly. Supposedly if one were to change the MLSD protocol to MLST, it fixes this issue. I have no idea how to do this, though. Any thoughts?

    1. No idea sorry, maybe other readers have ran into similar issues, personally I didn’t.
      Thanks for reading my posts and good luck with your server !

  19. Thank you so much for this tutorial. After two days of searching all over the internet it solved my issues. People with Ispconfig 3: this will enable TLS for you without recompile!

  20. Great tutorial!

    Was looking around for some tutorial for virtual users and how to set up with tls/ssl support and this was just what i needed. Many thanks. However I did some changes to fit me better and tried to figger out the documentation from pure-FTPD’s web page and then a question aroused, how or where did you find/learn the part where you write for example echo 1 > TLS in conf directory?? I have read and searched for something about it but found nothing. It works really great and I would learn to make more of those especially how to write the umask.

    Thanks again for a great tutorial

    /Tordlil

  21. I started pure-ftpd using a configuration file with:

    ./pure-config.pl /etc/pure-ftpd.conf

    using provided Perl and conf example files. My question is: what command should I run to STOP it afterwards ?

  22. Hi,
    I have a Problem with the Homedirectory “/bin/null”. Do I have to create this directory? But even after creating this directory with 777 privileges it doesen’t work.

    My FTP- Client says ” Home directory not available – aborting “.

    Has someone any ideas?

    PROBLEM IS ACTUAL, HELP TO SOLVE IT

  23. root@vps:/etc/pure-ftpd/conf# /etc/init.d/pure-ftpd restart
    Restarting ftp server: Running: /usr/sbin/pure-ftpd -l puredb:/etc/pure-ftpd/pureftpd.pdb -S ,21 -C 5 -b -E -A -X -O clf:/var/log/pure-ftpd/transfer.log -c 20 -x -R -P 46.4.176.134 -u 1000 -p 4500:4600 -8 UTF-8 -B
    421 Unable to switch capabilities : Operation not permitted
    root@vps:/etc/pure-ftpd/conf# /etc/init.d/pure-ftpd start
    Starting ftp server: Running: /usr/sbin/pure-ftpd -l puredb:/etc/pure-ftpd/pureftpd.pdb -S ,21 -C 5 -b -E -A -X -O clf:/var/log/pure-ftpd/transfer.log -c 20 -x -R -P 46.4.176.134 -u 1000 -p 4500:4600 -8 UTF-8 -B
    421 Unable to switch capabilities : Operation not permitted

  24. Hi Braincheese.. I have some problem with you
    Pure-FTPd was running but it cannot login

    Status: Connection established, waiting for welcome message…
    Response: 220———- Welcome to Pure-FTPd [privsep] [TLS] ———-
    Response: 220-You are user number 1 of 50 allowed.
    Response: 220-Local time is now 23:08. Server port: 21.
    Response: 220-This is a private system – No anonymous login
    Response: 220-IPv6 connections are also welcome on this server.
    Response: 220 You will be disconnected after 15 minutes of inactivity.
    Command: USER softzers
    Response: 331 User softzers OK. Password required
    Command: PASS *****
    Response: 530 Login authentication failed
    Error: Critical error
    Error: Could not connect to server

    You say to delete pure-pw.pdb How to deleted it? Because i search and i cannot find that files, thankyou.

  25. Thomas,

    Thank you very much for posting the steps you took to get PureFTPD up and running. I had used a tutorial on Howtoforge.com, but I ran into a problem using Pureftpd with an external customer. Your tutorial saved me an incredible amount of time and effort.

    The info that was key for me was the port forwarding on the router and then the running of the following steps:

    root@box:/etc/pure-ftpd/conf# echo ,21 > Bind
    root@box:/etc/pure-ftpd/conf# echo xx.xx.xx.xx > ForcePassiveIP
    root@box:/etc/pure-ftpd/conf# echo 4500 4600 > PassivePortRange

    Once I had run the commands, restarted Pureftpd and forwarded the ports on my router, my customer was able to upload files using passive FTPS.

    Thank you for the great tutorial. Please keep up the good work!

  26. @Vixaz: Just create /var/ftp/public and you should fix this problem. – At least tis helped with my “problem” seeming the same like yours.

  27. Hello,
    nice tutorial but I have problem when I bind different port (2221).

    220 You will be disconnected after 15 minutes of inactivity.
    AUTH TLS
    500 This security scheme is not implemented
    AUTH SSL
    500 This security scheme is not implemented

    When I use port 21 it is ok. Can You help? I use filezilla client.

  28. I had an issue with being unable to login. The issue was I had already had a ftpuser and ftpgroup on my machine with uid of 115 and gid of 125 (ubuntu 11.04 default?). I had to change the MinUID in /etc/pure-ftpd/conf/ to be 115.

  29. How should I configure the SSL cert usage? Because I already have one for a website running on the same address.
    In other words, how should I point pure-ftpd to use my existent ssl cert?
    Regards,

  30. Thank you for a great tutorial. I had problem with connection timing out, using both Cyberduck and Filezilla.
    The problem were that I had to open a Firewall range according to
    echo 4500 4600 > PassivePortRange

    After that all worked well!

Leave a Reply

Your email address will not be published. Required fields are marked *