# Pure-ftpd virtual users (titandc/titan-sc-documentation Wiki, EN)
This documentation describes how to install and configure the Pure-ftpd service with virtual users under Debian.
Do not hesitate to consult the official documentation.
## Installation

The installation of Pure-ftpd is done by installing the

```bash
apt-get install pure-ftpd
```

The configuration files are located in the
## Virtual users

The idea is to create a user in Pure-ftpd whose UID does not exist on the system. When this user logs in and uploads files over FTP, the UID defined in the Pure-ftpd configuration is used for the files. In addition, the user is chrooted into its home directory.
The official documentation related to virtual users can be found here.
## Configuration

Open the file `/etc/pure-ftpd/pure-ftpd.conf` and modify the following parameters:

```
DisplayDotFiles no
NoAnonymous yes
DontResolve yes
MaxIdleTime 5
PureDB /etc/pure-ftpd/pureftpd.pdb
PAMAuthentication no
ProhibitDotFilesWrite yes
ProhibitDotFilesRead yes
NoChmod yes
```
Other files need to be modified:

```bash
echo no > /etc/pure-ftpd/auth/70pam
echo no > /etc/pure-ftpd/conf/PAMAuthentication
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure
```
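As an added check (not part of the original wiki), the POSIX shell functions below read the effective values from a `pure-ftpd.conf` file and from a Debian-style `conf/` directory (one option per file) and report which of the settings listed above are missing or wrong. Paths are passed as parameters so the audit can run against copies; the function names are my own.

```bash
#!/bin/sh
# Added example: audit a pure-ftpd.conf and a conf/ directory for the values
# this guide sets. In pure-ftpd.conf a setting is "Key value" per line, lines
# starting with '#' are comments, and the last occurrence of a key wins.

# Settings the guide expects in pure-ftpd.conf, as key=value pairs.
REQUIRED="NoAnonymous=yes PAMAuthentication=no ProhibitDotFilesWrite=yes \
ProhibitDotFilesRead=yes NoChmod=yes DisplayDotFiles=no DontResolve=yes"

# conf_value FILE KEY: print the effective value of KEY (empty when unset).
# Keys are matched case-insensitively; comment lines never match.
conf_value() {
  awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# confdir_value DIR KEY: print the value stored in DIR/KEY (the layout used
# under /etc/pure-ftpd/conf), or nothing when that file does not exist.
confdir_value() {
  [ -r "$1/$2" ] && tr -d '[:space:]' < "$1/$2"
}

# audit_conf FILE: print one FAIL line per deviation; return 1 if any.
audit_conf() {
  rc=0
  for pair in $REQUIRED; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(conf_value "$1" "$key")
    if [ "$got" != "$want" ]; then
      printf 'FAIL %s: expected %s, found %s\n' "$key" "$want" "${got:-<unset>}"
      rc=1
    fi
  done
  return $rc
}

# pam_disabled_in_confdir DIR: succeed only when DIR/PAMAuthentication is "no",
# i.e. the "echo no > /etc/pure-ftpd/conf/PAMAuthentication" step was applied.
pam_disabled_in_confdir() {
  [ "$(confdir_value "$1" PAMAuthentication)" = "no" ]
}

# deviation_count FILE: number of FAIL lines, convenient in scripts.
deviation_count() { audit_conf "$1" | wc -l | tr -d ' '; }
```

Run `audit_conf /etc/pure-ftpd/pure-ftpd.conf && pam_disabled_in_confdir /etc/pure-ftpd/conf` on the server after editing; a non-zero exit means at least one setting still differs from the guide.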
When setting up the service for the first time, if no user is present, the service will not start because the `/etc/pure-ftpd/pureftpd.pdb` file does not yet exist. Once at least one user has been created, the service can be restarted:

```bash
systemctl restart pure-ftpd.service
```
## Add a user

Virtual users are added to the `/etc/pure-ftpd/pureftpd.passwd` file. When the users have been added, it will be necessary to issue a command so that Pure-ftpd can generate its database and work on it.
The virtual user `john` will be created with the following characteristics:

- UID: 3001
- GID: 3001

Neither the UID nor the GID exists on the system.

```bash
pure-pw useradd john -u 3001 -g 3001 -d /var/www/john-doe
```
The information is saved in the file `/etc/pure-ftpd/pureftpd.passwd`. It is possible to edit this file manually.

When all the users have been added successfully, you must run the following command so that Pure-ftpd can work on its database and
This command will be used each time a user is added or modified using the `pure-pw` command and/or if the `/etc/pure-ftpd/pureftpd.passwd` file has been modified.
If the service is not yet started because it was missing users, it can now be started:

```bash
systemctl start pure-ftpd
```

If the service was already started, it is not necessary to restart Pure-ftpd each time you add users.
Create the user's directory if it does not exist and assign the correct rights:

```bash
mkdir -p /var/www/john-doe
chown 3001:3001 /var/www/john-doe
```
The `useradd` subcommand can take the following parameters:

```
pure-pw useradd <login> [-f <passwd file>] -u <uid> [-g <gid>]
    -D / -d <home directory> [-c <gecos>]
    [-t <download bandwidth>] [-T <upload bandwidth>]
    [-n <max number of files>] [-N <max Mbytes>]
    [-q <upload ratio>] [-Q <download ratio>]
    [-r <allow client ip> / <mask>] [-R <deny client ip> / <mask>]
    [-i <allow local ip> / <mask>] [-I <deny local ip> / <mask>]
    [-y <max number of concurrent sessions>]
    [-C <max number of concurrent login attempts>]
    [-M <total memory (in MB) to reserve for password hashing>]
    [-z <hhmm> - <hhmm>] [-m]
```
## Modify a user

Modifying a virtual user is done via the following command:

```bash
pure-pw usermod
```

The parameters are those used by the `useradd` subcommand. To reset a setting to its default, just put an empty string as its value. For example, to reset the number of parallel sessions for user `john`:

```bash
pure-pw usermod john -y ""
```
## Delete a user

The following command is used to delete a user:

```bash
pure-pw userdel <user>
```

To delete the user `john`:

```bash
pure-pw userdel john
```
## Allow a user with a UID lower than 1000

By default, users authorized to connect must have a UID greater than 1000. Otherwise, the connection will be refused.

To authorize a user with UID 33:

```bash
echo "33" > /etc/pure-ftpd/conf/MinUID
```
## Enable TLS encryption

Before enabling encryption, make sure that you have a valid certificate in your possession. This certificate must be deployed on the machine.

If you do not yet have an SSL certificate, please refer to the [documentation](https://github.com/titandc/titan-sc-documentation/wiki/Certbot#english) explaining how to generate a certificate for free with the help of Let's Encrypt.
There are three levels of configuration for the encryption part:
- 1 : Disable encryption and only unencrypted connections are accepted (this is the default setting)
- 2 : Encrypted and unencrypted connections are accepted
- 3 : Only encrypted connections are accepted. Unencrypted connections will be refused.
To change the configuration:

```bash
echo 2 > /etc/pure-ftpd/conf/TLS
```
It is necessary for Pure-ftpd to have the certificate and the key in the same file (example here with a Let's Encrypt certificate):

```bash
cat /etc/letsencrypt/live/<domain name>/fullchain.pem /etc/letsencrypt/live/<domain name>/privkey.pem > /etc/ssl/private/pure-ftpd.pem
```
Then modify the configuration:

```
# Certificate file, for TLS
# The certificate itself and the keys can be bundled into the same
# file or split into two files.
# CertFile is for a cert + key bundle, CertFileAndKey for separate files.
# Use only one of these.
CertFile /etc/ssl/private/pure-ftpd.pem
```
Create the dhparams file for Pure-ftpd (this may take some time):

```bash
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
```

And finally, restart the service:

```bash
systemctl restart pure-ftpd.service
```
## Install and configure fail2ban

The installation of fail2ban is done by typing the following command on a Debian:

```bash
apt-get install fail2ban
```

To enable the pure-ftpd jail in fail2ban, type the following command (the trailing newline keeps the file well-formed for later appends):

```bash
printf "[pure-ftpd]\nenabled = true\n" >> /etc/fail2ban/jail.d/defaults-debian.conf
```

Reload the fail2ban configuration:

```bash
systemctl reload fail2ban
```