How-to install secure pure ftp server chrooted with virtual users
Running an FTP server usually carries some risks; in this how-to I will try to show you how to avoid some of them. First, if you can avoid installing an FTP server, do so. Usually it is not needed at all. You may think you need one if you have a web server and need to upload files to it, but you do not: you can use scp (or sftp) to upload your files. An FTP server is really needed when you have to publish files that non-technical users need to download, and you also need to let those users upload files to the server. Some of the security issues you may have when running an FTP server on a Linux operating system are:
- Users are commonly created in the system itself, thus allowing them to log into the system
- Passwords are not encrypted, so they can be guessed and then used to gain access to the system using ssh
One way to overcome these issues is to install pure-ftpd with support for virtual users, and have them jailed to their home directories.
Let's start with installation.
Arch Linux
sudo pacman -S pure-ftpd
Debian
sudo aptitude install pure-ftpd
Let's go with configuration
Arch Linux Operating System
Once installed, we need to make some changes to the file /etc/pure-ftpd.conf
Here are some good options to have.
ChrootEveryone yes
BrokenClientsCompatibility no
MaxClientsNumber 10
Daemonize yes
MaxClientsPerIP 5
VerboseLog no
DisplayDotFiles no
AnonymousOnly no
NoAnonymous yes
SyslogFacility ftp
DontResolve yes
MaxIdleTime 15
PureDB /etc/pureftpd.pdb
LimitRecursion 2000 8
AnonymousCanCreateDirs no
MaxLoad 4
UserRatio 5 10
AntiWarez no
UserBandwidth 200
Umask 133:022
MinUID 100
AllowUserFXP no
AllowAnonymousFXP no
ProhibitDotFilesWrite yes
ProhibitDotFilesRead yes
AutoRename no
AnonymousCantUpload yes
AltLog stats:/var/log/pureftpd.log
NoChmod yes
CreateHomeDir yes
Quota 2000:500
MaxDiskUsage 80
CustomerProof yes
PerUserLimits 3:20
IPV4Only yes
There are many other options, but these will make it run securely: anonymous users are not allowed, and users cannot see dot files like .bash, etc.
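As an added example (not part of the original how-to), the following shell function checks a pure-ftpd.conf for the access-control options from the list above and reports any that are missing or set differently. The function name and the sample file are constructed for illustration; on Arch you would point it at /etc/pure-ftpd.conf.

```shell
#!/bin/sh
# Added example (not from the original how-to): audit a pure-ftpd.conf
# against the security-relevant options from the list above.
EXPECTED='ChrootEveryone yes
NoAnonymous yes
AnonymousOnly no
AnonymousCantUpload yes
AnonymousCanCreateDirs no
DisplayDotFiles no
ProhibitDotFilesWrite yes
ProhibitDotFilesRead yes
AllowUserFXP no
AllowAnonymousFXP no'

# audit_pureftpd_conf FILE (hypothetical helper name)
# Prints one line per finding. Returns 0 if every option matches,
# 1 if anything is missing or different, 2 if FILE is unreadable.
audit_pureftpd_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    rc=0
    while read -r key want; do
        # Every active (uncommented) value set for this option, lowercased.
        vals=$(awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2) }' "$conf")
        if [ -z "$vals" ]; then
            # An unset option falls back to the server default: flag it for review.
            echo "MISSING  $key (expected $want)"; rc=1
        else
            for v in $vals; do
                [ "$v" = "$want" ] || { echo "MISMATCH $key $v (expected $want)"; rc=1; }
            done
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample: chroot disabled, NoAnonymous commented out.
sample=$(mktemp)
printf '%s\n' 'ChrootEveryone no' '# NoAnonymous yes' 'DisplayDotFiles no' > "$sample"
audit_pureftpd_conf "$sample" || echo "sample config needs attention"
rm -f "$sample"
```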
Debian Linux Operating System
To prepare it to run as a standalone server, edit the file (vim /etc/default/pure-ftpd-common) and change
STANDALONE_OR_INETD=inetd
to
STANDALONE_OR_INETD=standalone
And to have users chrooted change in the same file
VIRTUALCHROOT=false
to
VIRTUALCHROOT=true
Now edit the file /etc/pure-ftpd/conf/PureDB and add this line
/etc/pure-ftpd/pureftpd.pdb
in case it does not already exist.
We now want it to authenticate users against the PureDB database, so let's create a link in the directory /etc/pure-ftpd/auth. Run these commands:
cd /etc/pure-ftpd/auth
ln -s /etc/pure-ftpd/conf/PureDB 50pure
Create users
Here the method is the same for both distributions.
We will create a user and group that will be used by virtual users.
sudo groupadd ftpgroup
sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser
Create our first virtual user
pure-pw useradd joe -u ftpuser -g ftpgroup -d /home/pubftp/joe
We will have to type his password twice, and we are almost ready to go.
Save the password file, that is, create the pure-ftpd password database, by running this command:
pure-pw mkdb
Do this each time you make changes to the password file.
Start the server
Arch Linux
sudo /etc/rc.d/pure-ftpd start
Do not forget to add pure-ftpd to the daemons list in the file /etc/rc.conf
Debian Linux
sudo /etc/init.d/pure-ftpd start
Some other tips
- To list users
pure-pw list
- To see some user's information
pure-pw show joe
Where joe is the user whose information you want to see.
- To change a password
pure-pw passwd joe
Be sure to update the database by running:
pure-pw mkdb