How-to install secure pure ftp server chrooted with virtual users
Running an FTP server usually carries some risk; in this how-to I will try to show you how to avoid part of it. First, if you can avoid installing an FTP server, do so. Usually it is not needed at all: you may think you need one because you have a web server and need to upload files to it, but you do not. You can use scp (or sftp) to upload your files. An FTP server is really needed when you have to publish files that non-technical users need to download, and you also need to let those users upload files to the server. Some of the security issues you may have when running an FTP server on a Linux operating system are:
- Users are commonly created in the system itself, which allows them to log into the system
- Passwords are not encrypted, so they can be guessed and then used to gain access to the system using ssh
One way to overcome these issues is to install pure-ftpd with support for virtual users, and have them jailed in their home directories.
Let's start with installation.
sudo pacman -S pure-ftpd
sudo aptitude install pure-ftpd
Let's go with configuration
Arch Linux Operating System
Once installed, we need to make some changes to the file /etc/pure-ftpd.conf
Here are some good options to have.
ChrootEveryone yes
BrokenClientsCompatibility no
MaxClientsNumber 10
Daemonize yes
MaxClientsPerIP 5
VerboseLog no
DisplayDotFiles no
AnonymousOnly no
NoAnonymous yes
SyslogFacility ftp
DontResolve yes
MaxIdleTime 15
PureDB /etc/pureftpd.pdb
LimitRecursion 2000 8
AnonymousCanCreateDirs no
MaxLoad 4
UserRatio 5 10
AntiWarez no
UserBandwidth 200
Umask 133:022
MinUID 100
AllowUserFXP no
AllowAnonymousFXP no
ProhibitDotFilesWrite yes
ProhibitDotFilesRead yes
AutoRename no
AnonymousCantUpload yes
AltLog stats:/var/log/pureftpd.log
NoChmod yes
CreateHomeDir yes
Quota 2000:500
MaxDiskUsage 80
CustomerProof yes
PerUserLimits 3:20
IPV4Only yes
There are many other options, but these make it run securely: anonymous users are not allowed, and users cannot see dot files such as .bash, etc.
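To confirm that a live /etc/pure-ftpd.conf still carries the restrictive settings from the list above, a small audit script can compare it against them. This is an added example, not part of the original how-to; the function names are made up here, and a missing option is reported as a failure even where the server default may already be safe.

```shell
#!/bin/sh
# Added example: check a pure-ftpd.conf against the restrictive values listed above.
# A missing option counts as a failure (strict on purpose; an assumption of this sketch).

# conf_value FILE OPTION: print the option's value, ignoring commented-out lines.
# If the option appears more than once, the last occurrence is reported (assumption).
conf_value() {
    awk -v opt="$2" '$1 == opt { val = $2 } END { print val }' "$1"
}

# audit_pureftpd_conf FILE: one line per option; exit status = number of failures.
audit_pureftpd_conf() {
    file=$1
    failures=0
    while read -r opt want; do
        got=$(conf_value "$file" "$opt")
        if [ "$got" = "$want" ]; then
            echo "ok    $opt $got"
        else
            echo "FAIL  $opt: expected '$want', found '${got:-<unset>}'"
            failures=$((failures + 1))
        fi
    done <<EOF
ChrootEveryone yes
NoAnonymous yes
AnonymousOnly no
AnonymousCantUpload yes
AnonymousCanCreateDirs no
AllowUserFXP no
AllowAnonymousFXP no
ProhibitDotFilesRead yes
ProhibitDotFilesWrite yes
DisplayDotFiles no
NoChmod yes
CustomerProof yes
EOF
    return "$failures"
}

# Usage: sh audit.sh /etc/pure-ftpd.conf
[ $# -eq 0 ] || audit_pureftpd_conf "$1"
```

Run it after every edit of the configuration file; a non-zero exit status is the number of options that drifted from the list.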
Debian Linux Operating System
To prepare it to run as a standalone server, edit the file: vim /etc/default/pure-ftpd-common and change
And to have users chrooted, change in the same file
Now edit the file /etc/pure-ftpd/conf/PureDB and add this line
In case it does not already exist.
We now want it to use the PureDB database to authenticate users, so let's create a link in the directory /etc/pure-ftpd/auth like this:... run these commands:
ln -s /etc/pure-ftpd/conf/PureDB 50pure
Here the method is the same for both distributions.
We will create a user and group that will be used by virtual users.
sudo groupadd ftpgroup
sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser
Create our first virtual user
pure-pw useradd joe -u ftpuser -g ftpgroup -d /home/pubftp/joe
We will have to type his password twice, and we are almost ready to go.
Save the password file, that is, create the pure-ftpd password database, by running this command:
Do this each time you make changes to the password file.
Start the server
sudo /etc/rc.d/pure-ftpd start
Do not forget to add pure-ftpd to the daemons list in the file /etc/rc.conf
sudo /etc/init.d/pure-ftpd start
Some other tips
- To list users
- To see some user's information
pure-pw show joe
Where joe is the user whose information you want to list.
- To change a password
pure-pw passwd joe
Be sure to update the database by running: