EN Pure ftpd virtual users - titandc/titan-sc-documentation Wiki


This documentation describes how to install and configure the Pure-ftpd service with virtual users under Debian.

Do not hesitate to consult the official documentation.


The installation of Pure-ftpd is done by installing the pure-ftpd package.

apt-get install pure-ftpd


The configuration files are located in the /etc/pure-ftpd/ directory.

The idea is to create a Pure-ftpd user whose UID does not exist on the system. When this user logs in and uploads files over FTP, the UID defined in the Pure-ftpd configuration will be used. In addition, the user will be chrooted in their home directory.

The official documentation related to virtual users can be found here.

Open the file /etc/pure-ftpd/pure-ftpd.conf and modify the following parameters:

DisplayDotFiles no
NoAnonymous yes
DontResolve yes
MaxIdleTime 5
PureDB /etc/pure-ftpd/pureftpd.pdb
PAMAuthentication no
ProhibitDotFilesWrite yes
ProhibitDotFilesRead yes
NoChmod yes

Other files need to be modified:

echo no > /etc/pure-ftpd/auth/70pam
echo no > /etc/pure-ftpd/conf/PAMAuthentication
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure

When setting up the service for the first time, if no user is present, the service will not start because the /etc/pure-ftpd/pureftpd.pdb file does not yet exist. Once at least one user has been created, the service can be restarted:

systemctl restart pure-ftpd.service

Create users

Virtual users are added to the /etc/pure-ftpd/pureftpd.passwd file. When the users have been added, it will be necessary to issue a command so that pure-ftpd can generate its database and work on it.

The virtual user john will be created with the following characteristics:

Neither the UID nor the GID exists on the system.

pure-pw useradd john -u 3001 -g 3001 -d /var/www/john-doe

The information is saved in the file /etc/pure-ftpd/pureftpd.passwd. It is possible to edit this file manually.

When all the users have been added successfully, you must run the following command so that pure-ftpd can work on its database and

pure-pw mkdb

This command will be used each time a user is added or modified using the pure-pw command and/or if the /etc/pure-ftpd/pureftpd.passwd file has been modified.

If the service is not yet started because it was missing users, it can now be started:

systemctl start pure-ftpd

If the service was already started, it is not necessary to restart Pure-ftpd each time you add users.

Create the user's directory if it does not exist and assign the correct rights:

mkdir -p /var/www/john-doe
chown 3001:3001 /var/www/john-doe

The useradd subcommand can take the following parameters:

pure-pw useradd <login> [-f <passwd file>] -u <uid> [-g <gid>]
                         -D / -d <home directory> [-c <gecos>]
                         [-t <download bandwidth>] [-T <upload bandwidth>]
                         [-n <max number of files>] [-N <max Mbytes>]
                         [-q <upload ratio>] [-Q <download ratio>]
                         [-r <allow client ip> / <mask>] [-R <deny client ip> / <mask>]
                         [-i <allow local ip> / <mask>] [-I <deny local ip> / <mask>]
                         [-y <max number of concurrent sessions>]
                         [-C <max number of concurrent login attempts>]
                         [-M <total memory (in MB) to reserve for password hashing>]
                         [-z <hhmm> - <hhmm>] [-m]

Modify a user

Modifying a virtual user is done via the following command:

pure-pw usermod

The parameters are those used by the useradd subcommand.

To reset a default setting, just put an empty string in its value.

For example, to reset the number of parallel sessions for user john:

pure-pw usermod john -y ""

Delete a user

The following command is used to delete a user:

pure-pw userdel <user>

To delete the user john:

pure-pw userdel john

Allow users with a UID less than 1000

By default, users authorized to connect must have a UID greater than 1000. Otherwise, the connection will be refused.

To authorize a user with UID 33:

echo "33" > /etc/pure-ftpd/conf/MinUID
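Because /etc/pure-ftpd/pureftpd.passwd can be edited by hand, it is worth checking it against the rules described on this page before running pure-pw mkdb. The script below is an added example, not part of the original wiki or of Pure-ftpd: it flags virtual users whose UID is below MinUID, whose UID belongs to a real system account, or whose home directory is not chrooted. It assumes that fields 1, 3 and 6 of each line are login, UID and home, and that pure-pw marks a chrooted home (-d) with a trailing "/./"; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original wiki page.
# Assumptions: in each pureftpd.passwd line, fields 1, 3 and 6 are login, uid
# and home, and pure-pw marks a chrooted home (-d) with a trailing "/./".

# audit_pureftpd_passwd <pureftpd.passwd> <MinUID> [system passwd file]
audit_pureftpd_passwd() {
    awk -F: -v min="$2" '
        # First file: remember which UIDs belong to real system accounts.
        FILENAME == ARGV[1] { sys[$3] = $1; next }
        NF < 6 { if ($0 != "") print "line " FNR ": malformed-entry"; next }
        {
            login = $1; uid = $3; home = $6
            if (uid !~ /^[0-9]+$/) { print login ": uid-not-numeric"; next }
            # Below MinUID the server refuses the login.
            if (uid + 0 < min + 0) print login ": uid-below-minuid (" uid " < " min ")"
            # The virtual-user design expects a UID unknown to the system.
            if (uid in sys) print login ": uid-shared-with-system-account (" sys[uid] ")"
            # Without the marker the session is not confined to the home directory.
            if (home !~ /\/\.\/$/) print login ": home-not-chrooted (" home ")"
        }
    ' "${3:-/etc/passwd}" "$1"
}

# Constructed sample data (the password field is a placeholder, not a real hash).
audit_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' > "$dir/system"
    printf '%s\n' 'john:PLACEHOLDER-HASH:3001:3001::/var/www/john-doe/./::::::::::::' \
        'web:PLACEHOLDER-HASH:33:33::/var/www/site/./::::::::::::' \
        'open:PLACEHOLDER-HASH:3002:3002::/srv/ftp/open::::::::::::' > "$dir/virtual"
    audit_pureftpd_passwd "$dir/virtual" "${1:-1000}" "$dir/system"
    rm -rf "$dir"
}

# Real use: sh audit.sh /etc/pure-ftpd/pureftpd.passwd 1000
if [ "$#" -ge 2 ]; then audit_pureftpd_passwd "$@"; fi
```

A finding for a UID shared with a system account is not always an error (UID 33 is deliberately allowed above), but it means files uploaded by that FTP user are owned by that account.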

Enabling encryption

Before enabling encryption, it is necessary to be certain that you have a valid certificate in your possession. This certificate must be deployed on the machine.

If you do not yet have an SSL certificate, please refer to the [documentation](https://github.com/titandc/titan-sc-documentation/wiki/Certbot#english) explaining how to generate a certificate for free with the help of Let's Encrypt.

There are three levels of configuration for the encryption part:

To change the configuration:

echo 2 > /etc/pure-ftpd/conf/TLS

It is necessary for Pure-ftpd to have the certificate and the key in the same file (example here with a letsencrypt certificate):

cat /etc/letsencrypt/live/<domain name>/fullchain.pem /etc/letsencrypt/live/<domain name>/privkey.pem > /etc/ssl/private/pure-ftpd.pem

Then modify the configuration /etc/pure-ftpd/pure-ftpd.conf:

# Certificate file, for TLS
# The certificate itself and the keys can be bundled into the same
# file or split into two files.
# CertFile is for a cert + key bundle, CertFileAndKey for separate files.
# Use only one of these.

CertFile /etc/ssl/private/pure-ftpd.pem

Create the dhparams file for pure-ftpd (this may take some time):

openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

And finally, restart the service:

systemctl restart pure-ftpd.service
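The bundle built with cat above contains the private key and goes stale each time Let's Encrypt renews the certificate. The script below is an added example, not part of the original wiki: it rebuilds the bundle atomically with owner-only permissions and can be dropped into /etc/letsencrypt/renewal-hooks/deploy/, where certbot exports RENEWED_LINEAGE. The function name build_pureftpd_bundle is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original wiki page.
# build_pureftpd_bundle <certificate directory> <output bundle>
# Concatenates fullchain.pem and privkey.pem into one file readable only by
# its owner, replacing any previous bundle in a single rename.
build_pureftpd_bundle() {
    lineage=$1
    bundle=$2
    for f in "$lineage/fullchain.pem" "$lineage/privkey.pem"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    grep -q -- '-----BEGIN CERTIFICATE-----' "$lineage/fullchain.pem" ||
        { echo "no certificate in fullchain.pem" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$lineage/privkey.pem" ||
        { echo "no private key in privkey.pem" >&2; return 1; }
    # mktemp creates the file with mode 0600 before any key material is written.
    tmp=$(mktemp "$bundle.XXXXXX") || return 1
    if cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"; then
        # Rename within the same directory: the server never sees a partial file.
        mv -f "$tmp" "$bundle"
    else
        rm -f "$tmp"
        return 1
    fi
}

# When run by certbot as a deploy hook, RENEWED_LINEAGE points at
# /etc/letsencrypt/live/<domain name>; do nothing when it is not set.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_pureftpd_bundle "$RENEWED_LINEAGE" /etc/ssl/private/pure-ftpd.pem &&
        systemctl restart pure-ftpd.service
fi
```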

Install and configure fail2ban

fail2ban is installed on Debian with the following command:

apt-get install fail2ban

To enable pure-ftpd configuration on fail2ban, type the following command:

printf "\n[pure-ftpd]\nenabled = true\n" >> /etc/fail2ban/jail.d/defaults-debian.conf

Reload fail2ban configuration:

systemctl reload fail2ban