Running an FTP server usually brings some risks; in this how-to I will show you how to avoid some of them. First, if you can avoid installing an FTP server at all, do it: usually it is not needed. You may think you need one because you have a web server and need to upload files to it, but you do not; you can use scp or sftp to upload your files. An FTP server is really needed only when you have files that non-technical users need to download, and you also need to let those non-technical users upload files to the server. Some of the security issues you may run into when running an FTP server on a Linux operating system are:

  1. Users are commonly created in the system itself, which allows them to log into the system
  2. Passwords are not encrypted, so they can be recovered and then used to gain access to the system over ssh

One way to overcome these issues is to install pure-ftpd with support for virtual users and keep them jailed (chrooted) in their home directories.

Let's start with installation.

Arch Linux

sudo pacman -S pure-ftpd

Debian

sudo aptitude install pure-ftpd

Let's go on with configuration.

Arch Linux Operating System

Once installed, we need to make some changes to the file /etc/pure-ftpd.conf

Here are some good options to have.

ChrootEveryone              yes
BrokenClientsCompatibility  no
MaxClientsNumber            10
Daemonize                   yes
MaxClientsPerIP             5
VerboseLog                  no
DisplayDotFiles             no
AnonymousOnly               no
NoAnonymous                 yes
SyslogFacility              ftp
DontResolve                 yes
MaxIdleTime                 15
PureDB                      /etc/pureftpd.pdb
LimitRecursion              2000 8
AnonymousCanCreateDirs      no
MaxLoad                     4
UserRatio                   5 10
AntiWarez                   no
UserBandwidth               200
Umask                       133:022
MinUID                      100
AllowUserFXP                no
AllowAnonymousFXP           no
ProhibitDotFilesWrite       yes
ProhibitDotFilesRead        yes
AutoRename                  no
AnonymousCantUpload         yes
AltLog                      stats:/var/log/pureftpd.log
NoChmod                     yes
CreateHomeDir               yes
Quota                       2000:500
MaxDiskUsage                80
CustomerProof               yes
PerUserLimits               3:20
IPV4Only                    yes

There are lots of other options, but these make it run securely: every user is chrooted, anonymous logins are not allowed, and users cannot see or write dot files such as .bash_history.
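To check that a pure-ftpd.conf really carries the hardening settings from the block above, here is a small audit script. It is an added example, not part of pure-ftpd or of the original how-to; the list of required keys is taken from the configuration shown here, and if a key appears more than once it assumes the last occurrence is the effective one.

```shell
#!/bin/sh
# Audit a pure-ftpd.conf for the hardening settings recommended above.
# Constructed example; run as: audit_pureftpd_conf /etc/pure-ftpd.conf

# Key=value pairs that must be present, matched exactly as written in the conf.
REQUIRED="ChrootEveryone=yes NoAnonymous=yes ProhibitDotFilesRead=yes ProhibitDotFilesWrite=yes AnonymousCantUpload=yes NoChmod=yes AllowUserFXP=no AllowAnonymousFXP=no"

# Print the value of KEY in FILE, skipping comment lines; if the key appears
# several times the last occurrence wins (an assumption of this checker).
# Prints nothing when the key is not set at all.
conf_value() {
    file=$1
    key=$2
    awk -v k="$key" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && $1 == k { v = $2 }
        END { print v }' "$file"
}

# Compare every required pair against FILE. Each mismatch is printed as
# "Key expected=X actual=Y" (actual=<unset> when the key is missing).
# Returns 0 when the file passes, 1 when at least one setting is wrong.
audit_pureftpd_conf() {
    file=$1
    rc=0
    for pair in $REQUIRED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(conf_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}
```

A non-zero exit status from audit_pureftpd_conf means the server would start with anonymous access, chroot or dot-file protection weaker than this how-to intends.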

Debian Linux Operating System

Prepare it to run as a standalone server: edit the file /etc/default/pure-ftpd-common (for example with vim /etc/default/pure-ftpd-common) and change

STANDALONE_OR_INETD=inetd

to

STANDALONE_OR_INETD=standalone

And to have users chrooted, change in the same file

VIRTUALCHROOT=false

to

VIRTUALCHROOT=true

Now edit the file /etc/pure-ftpd/conf/PureDB and make sure it contains this line (add it if it is not already there):

/etc/pure-ftpd/pureftpd.pdb

We now want it to authenticate users against the PureDB database, so let's create a link in the directory /etc/pure-ftpd/auth by running these commands:

cd /etc/pure-ftpd/auth

ln -s /etc/pure-ftpd/conf/PureDB 50pure

Create users

From here on the method is the same for both distributions.

We will create a system user and group that all virtual users will be mapped to. The home directory /dev/null and the shell /etc (a directory, not a valid shell) ensure that this account can never log into the system itself.

sudo groupadd ftpgroup

sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser

Now create our first virtual user:

pure-pw useradd joe -u ftpuser -g ftpgroup -d /home/pubftp/joe

We will have to type his password twice, and then we are almost ready to go.

Next, build the pure-ftpd password database from the password file by running:

pure-pw mkdb

Do this each time you make changes to the password file, otherwise the server keeps using the old database.

Start the server

Arch Linux

sudo /etc/rc.d/pure-ftpd start

Do not forget to add pure-ftpd to the DAEMONS list in the file /etc/rc.conf so it starts at boot.

Debian Linux

sudo /etc/init.d/pure-ftpd start

Some other tips

  • To list users:

    pure-pw list

  • To see a user's information:

    pure-pw show joe

    Where joe is the user whose information you want to see.

  • To change a password:

    pure-pw passwd joe

    Be sure to update the database afterwards by running:

    pure-pw mkdb