EN Pure ftpd virtual users - titandc/titan-sc-documentation GitHub Wiki
This documentation describes how to install and configure the Pure-ftpd service with virtual users under Debian.
Do not hesitate to consult the official documentation.
The installation of Pure-ftpd is done by installing the pure-ftpd package:
```bash
apt-get install pure-ftpd
```
The configuration files are located in the /etc/pure-ftpd/ directory.
The idea is to create a Pure-ftpd user whose UID does not exist on the system. When this user logs in and uploads files, the files are owned by the UID and GID recorded in the Pure-ftpd database, not by any real system account, and the user is chrooted into their home directory.
The official documentation related to virtual users can be found here.
Open the file /etc/pure-ftpd/pure-ftpd.conf and modify the following parameters:
```
DisplayDotFiles no
NoAnonymous yes
DontResolve yes
MaxIdleTime 5
PureDB /etc/pure-ftpd/pureftpd.pdb
PAMAuthentication no
ProhibitDotFilesWrite yes
ProhibitDotFilesRead yes
NoChmod yes
```
On Debian the pure-ftpd-wrapper builds the daemon's command line from /etc/pure-ftpd/conf/ (one file per option) and /etc/pure-ftpd/auth/ (ordered symlinks selecting the authentication backends), so the following files must be modified as well: PAM is switched off and the PureDB backend is enabled.
```bash
echo no > /etc/pure-ftpd/auth/70pam
echo no > /etc/pure-ftpd/conf/PAMAuthentication
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure
```
When setting up the service for the first time, if no user is present, the service will not start because the /etc/pure-ftpd/pureftpd.pdb file does not yet exist. Once at least one user has been created, the service can be restarted:
```bash
systemctl restart pure-ftpd.service
```
To activate passive mode and pin the data connections to a known port range:
```bash
echo "30000 50000" > /etc/pure-ftpd/conf/PassivePortRange
```
If a firewall is in place, open that range as well as port 21 (the control channel).
Virtual users are added to the /etc/pure-ftpd/pureftpd.passwd file. Once users have been added, a command has to be run so that pure-ftpd can generate its database and work from it.
The virtual user john will be created with the following characteristics:
- UID: 3001
- GID: 3001
- chroot: /var/www/john-doe

Neither the UID nor the GID exists on the system.
```bash
pure-pw useradd john -u 3001 -g 3001 -d /var/www/john-doe
```
The information is saved in the file /etc/pure-ftpd/pureftpd.passwd; this file can also be edited by hand. Once all the users have been added, run the following command so that Pure-ftpd can generate its database and work from it:
```bash
pure-pw mkdb
```
This command must be run each time a user is added or modified with the pure-pw command and/or whenever the /etc/pure-ftpd/pureftpd.passwd file has been edited (passing -m to pure-pw useradd or usermod runs it automatically).
If the service was not yet started because it was missing users, it can now be started:
```bash
systemctl start pure-ftpd
```
If the service was already started, it is not necessary to restart Pure-ftpd each time you add users.
Create the user's directory if it does not exist and give it to the virtual UID and GID (a numeric chown works even though neither exists in /etc/passwd):
```bash
mkdir -p /var/www/john-doe
chown 3001:3001 /var/www/john-doe
```
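The procedure above, combined into one script as an added example (this is not code from the original wiki page or from Pure-ftpd): it refuses a UID that is below MinUID or already taken by a real system account (getent), creates and chowns the chroot directory, adds the user with `pure-pw useradd -m` so the database is rebuilt at once, and starts the service if it was still waiting for its first user. The environment variables PURE_PW and MINUID_FILE are assumptions introduced here so the functions can be exercised on a host without Pure-ftpd (for instance with a stub pure-pw); the fallback value 1000 for a missing MinUID file is the threshold the page states.

```shell
#!/bin/sh
# Added example, not code from the original page or from Pure-ftpd:
# provision a chrooted Pure-ftpd virtual user end to end on Debian.
# PURE_PW and MINUID_FILE are overridable assumptions so the functions can
# be dry-run (e.g. with a stub pure-pw) on a machine without Pure-ftpd.
set -eu

PURE_PW="${PURE_PW:-pure-pw}"
MINUID_FILE="${MINUID_FILE:-/etc/pure-ftpd/conf/MinUID}"

# Effective MinUID; 1000 (the page's threshold) when the conf file is absent.
min_uid() {
    if [ -r "$MINUID_FILE" ]; then cat "$MINUID_FILE"; else echo 1000; fi
}

# check_uid UID: refuse what Pure-ftpd would reject anyway (below MinUID) and
# what would make uploads owned by a real account (UID known to getent).
check_uid() {
    uid="$1"
    case "$uid" in
        ''|*[!0-9]*) echo "check_uid: '$uid' is not numeric" >&2; return 1 ;;
    esac
    if [ "$uid" -lt "$(min_uid)" ]; then
        echo "check_uid: $uid is below MinUID $(min_uid)" >&2; return 1
    fi
    if getent passwd "$uid" >/dev/null 2>&1; then
        echo "check_uid: $uid already belongs to a system account" >&2; return 1
    fi
}

# prepare_home HOME UID GID: the chroot target, owned by the virtual UID/GID.
# A numeric chown works although neither exists in /etc/passwd. Needs root.
prepare_home() {
    mkdir -p "$1"
    chown "$2:$3" "$1"
}

# add_vuser LOGIN UID GID HOME: the password is read from stdin, twice,
# because pure-pw asks for it and then for a confirmation. -d chroots into
# HOME (-D would not); -m rebuilds pureftpd.pdb immediately, so no separate
# "pure-pw mkdb" and no restart of an already running daemon are needed.
add_vuser() {
    login="$1"; uid="$2"; gid="$3"; home="$4"
    check_uid "$uid"
    "$PURE_PW" useradd "$login" -u "$uid" -g "$gid" -d "$home" -m
}

# provision LOGIN UID GID HOME: the whole procedure, to be run as root.
provision() {
    check_uid "$2"
    prepare_home "$4" "$2" "$3"
    add_vuser "$@"
    # First user ever: the service refused to start without pureftpd.pdb.
    systemctl is-active --quiet pure-ftpd.service || systemctl start pure-ftpd.service
}

# Usage (as root), e.g.:
#   printf '%s\n%s\n' "$PASS" "$PASS" | provision john 3001 3001 /var/www/john-doe
```

Feeding the password on stdin keeps it out of the process list (it would be visible in `ps` if it were a command-line argument), which is also why the script never accepts it as a parameter.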
The useradd subcommand accepts the following parameters (-d chroots the user into the home directory, -D does not):
```
pure-pw useradd <login> [-f <passwd file>] -u <uid> [-g <gid>]
                -D / -d <home directory> [-c <gecos>]
                [-t <download bandwidth>] [-T <upload bandwidth>]
                [-n <max number of files>] [-N <max Mbytes>]
                [-q <upload ratio>] [-Q <download ratio>]
                [-r <allow client ip>/<mask>] [-R <deny client ip>/<mask>]
                [-i <allow local ip>/<mask>] [-I <deny local ip>/<mask>]
                [-y <max number of concurrent sessions>]
                [-C <max number of concurrent login attempts>]
                [-M <total memory (in MB) to reserve for password hashing>]
                [-z <hhmm>-<hhmm>] [-m]
```
Modifying a virtual user is done with the usermod subcommand:
```bash
pure-pw usermod <login> [options]
```
The options are those of the `useradd` subcommand.
To reset a setting to its default, pass an empty string as its value.
For example, to reset the number of concurrent sessions allowed for user `john`:
```bash
pure-pw usermod john -y ""
```
The following command deletes a user:
```bash
pure-pw userdel <user>
```
To delete the user john:
```bash
pure-pw userdel john
```
By default on Debian (the MinUID setting in /etc/pure-ftpd/conf/MinUID), Pure-ftpd only accepts users whose UID is at least 1000; a login with a lower UID is refused. To authorize a user with UID 33:
```bash
echo "33" > /etc/pure-ftpd/conf/MinUID
```
Note that on Debian UID 33 is www-data, the web server account: a virtual user created with that UID owns every file it uploads as www-data, so only lower MinUID when that is the intended result.
Before enabling encryption, make sure you have a valid certificate and that it is deployed on the machine.
If you do not yet have an SSL certificate, see the [Certbot documentation](https://github.com/titandc/titan-sc-documentation/wiki/EN-Certbot), which explains how to obtain a free certificate from Let's Encrypt.
There are three levels of configuration for the encryption part (the TLS setting):
- 0 : encryption disabled; only unencrypted connections are accepted (this is the default)
- 1 : encrypted and unencrypted connections are both accepted
- 2 : only encrypted connections are accepted; unencrypted connections are refused

Level 1 is convenient while clients are being migrated, but it still lets a client send its password in clear text; move to level 2 once every client supports FTPS. To change the setting:
```bash
echo 1 > /etc/pure-ftpd/conf/TLS
```
Pure-ftpd needs the certificate chain and the private key in a single file (example here with a Let's Encrypt certificate). Because the bundle contains the private key it must stay readable by root only, and because Let's Encrypt certificates are short-lived the bundle has to be rebuilt after every renewal, otherwise Pure-ftpd keeps serving the old certificate.
```bash
cat /etc/letsencrypt/live/<domain name>/fullchain.pem /etc/letsencrypt/live/<domain name>/privkey.pem > /etc/ssl/private/pure-ftpd.pem
```
Then modify the configuration in /etc/pure-ftpd/pure-ftpd.conf:
```
# Certificate file, for TLS
# The certificate itself and the keys can be bundled into the same
# file or split into two files.
# CertFile is for a cert + key bundle, CertFileAndKey for separate files.
# Use only one of these.
CertFile /etc/ssl/private/pure-ftpd.pem
```
Create the dhparams file for pure-ftpd (this may take some time):
```bash
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
```
And finally, restart the service:
```bash
systemctl restart pure-ftpd.service
```
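As an added example (not code from the wiki page, from Pure-ftpd or from certbot), the bundling step above done the way a renewal-safe deployment needs it: the bundle is written under a restrictive umask and then renamed into place, so the private key is never world-readable even for an instant and the daemon never opens a half-written file; a sanity check confirms that both a certificate and a private key ended up in it; and the whole thing is wrapped as a certbot deploy hook, so every Let's Encrypt renewal regenerates the bundle and restarts Pure-ftpd. RENEWED_LINEAGE is the variable certbot exports to deploy hooks (the live/<domain> directory of the renewed certificate); the BUNDLE override and the GNU stat call are assumptions introduced here so the functions can be tested outside /etc/ssl/private.

```shell
#!/bin/sh
# Added example, not from the original page, Pure-ftpd or certbot: build the
# cert+key bundle Pure-ftpd expects, keep it root-readable only, check it,
# and run the same steps from a certbot deploy hook after each renewal.
# BUNDLE is an overridable assumption (default taken from the page).
set -eu

BUNDLE="${BUNDLE:-/etc/ssl/private/pure-ftpd.pem}"

# make_bundle LIVE_DIR: concatenate fullchain.pem + privkey.pem into $BUNDLE.
# umask 077 makes the file 0600 from the moment it exists (no chmod window),
# and the final mv is atomic, so a running daemon never reads a partial file.
make_bundle() {
    live="$1"
    [ -r "$live/fullchain.pem" ] && [ -r "$live/privkey.pem" ] || {
        echo "make_bundle: $live lacks fullchain.pem or privkey.pem" >&2; return 1; }
    staging="$BUNDLE.tmp.$$"
    ( umask 077; cat "$live/fullchain.pem" "$live/privkey.pem" > "$staging" )
    mv -f "$staging" "$BUNDLE"
}

# bundle_is_sane FILE: a usable CertFile holds at least one certificate and a
# private key (PKCS#8, RSA or EC PEM header) and is readable by its owner only.
bundle_is_sane() {
    f="$1"
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || return 1
    grep -qE -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" || return 1
    mode=$(stat -c %a "$f")   # GNU/busybox stat, as found on Debian
    [ "$mode" = 600 ] || return 1
}

# Certbot deploy hook body: install this script in
# /etc/letsencrypt/renewal-hooks/deploy/ (or pass it via --deploy-hook).
# Certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<domain name>.
deploy_hook() {
    make_bundle "${RENEWED_LINEAGE:?RENEWED_LINEAGE is set by certbot}"
    bundle_is_sane "$BUNDLE"
    systemctl restart pure-ftpd.service
}
```

Running `deploy_hook` by hand with `RENEWED_LINEAGE=/etc/letsencrypt/live/<domain name>` reproduces the page's manual cat-and-restart sequence, with the permission and ordering guarantees the plain redirection does not give.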
The installation of fail2ban is done by typing the following command on a Debian system:
```bash
apt-get install fail2ban
```
fail2ban ships a pure-ftpd filter; to enable the corresponding jail, append it to the Debian jail overrides (the leading newline keeps it from being glued to the previous line if the file lacks a trailing newline):
```bash
printf '\n[pure-ftpd]\nenabled = true\n' >> /etc/fail2ban/jail.d/defaults-debian.conf
```
Reload the fail2ban configuration:
```bash
systemctl reload fail2ban
```