Virtual FTP Users + SSL

General Information

Running an FTP server is a popular way to share files over the Internet, but the FTP protocol is not as secure as some may think. By default, each FTP user has a system shell account, and when connecting to the FTP server, all usernames and passwords are transmitted in plaintext. That means anybody sniffing your packets can gain access to your FTP accounts. This guide is intended to provide a solution to both problems: pure-ftpd with puredb gives you throttled FTP-only accounts and the ability to use SSL.

Requirements

  1. Local root access on the box or be able to su to root.
  2. An SSH client that supports ANSI colors, such as PuTTY or SecureCRT (if you aren’t on the box).
  3. Your favorite text editor (I like nano).
  4. OpenSSL
  5. A reliable Unix host

Installation

In order to have virtual user accounts, we need a database of some sort. You can compile pure-ftpd to work with MySQL, but we are going to use puredb because it was written specifically for use with pure-ftpd.

# cd /usr/ports/databases/puredb
# make install distclean
# cd /usr/ports/ftp/pure-ftpd
# make install distclean

Configuration

First, we need to rename the configuration file and add an entry to rc.conf so the daemon starts at boot.

# cd /usr/local/etc
# mv pure-ftpd.conf.sample pure-ftpd.conf
# echo 'pureftpd_enable="YES"' >> /etc/rc.conf

Because we are authenticating virtual users, we need to change only a few lines in the config file. Of course, the configuration file offers a lot of options for you to tweak for your own system. Below are just a couple of requirements and recommendations for use with this guide, so make sure you have the following lines:

# nano -w pure-ftpd.conf

ChrootEveryone              yes

PureDB                      /usr/local/etc/pureftpd.pdb

Umask                       177:077

AllowUserFXP                no

CreateHomeDir               yes

TLS                         1
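As an added example (not part of the original guide), here is a small POSIX shell check that the six settings above are actually in effect in a pure-ftpd.conf, treating a key that is only present in a commented-out line as missing. The sample config files are constructed inline and the paths are assumptions.

```shell
# Added example, not part of the original guide: check that a pure-ftpd.conf
# carries the six settings the guide requires. File paths below are assumptions.

# Print the value of KEY from FILE ("Key value" lines; '#' starts a comment).
# A key that is present only in a commented-out line counts as absent.
conf_get() {  # conf_get FILE KEY
    awk -v key="$2" '/^[ \t]*#/ { next }
        NF >= 2 && $1 == key { val = $2 }
        END { if (val != "") print val }' "$1"
}

# Report each required setting that is missing from FILE or differs from
# the guide's value. Returns 0 when everything matches, 1 otherwise.
check_pureftpd_conf() {  # check_pureftpd_conf FILE
    required='ChrootEveryone yes
PureDB /usr/local/etc/pureftpd.pdb
Umask 177:077
AllowUserFXP no
CreateHomeDir yes
TLS 1'
    problems=$(printf '%s\n' "$required" | while read -r key expected; do
        actual=$(conf_get "$1" "$key")
        if [ -z "$actual" ]; then echo "MISSING: $key (expected $expected)"
        elif [ "$actual" != "$expected" ]; then echo "WRONG: $key is $actual (expected $expected)"
        fi
    done)
    [ -z "$problems" ] || { printf '%s\n' "$problems"; return 1; }
}

# Constructed sample configs: one still at permissive values with PureDB
# commented out, one with the guide's settings applied.
WEAK_CONF=$(mktemp); GOOD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
ChrootEveryone              no
# PureDB                    /usr/local/etc/pureftpd.pdb
AllowUserFXP                yes
TLS                         0
EOF
cat > "$GOOD_CONF" <<'EOF'
ChrootEveryone              yes
PureDB                      /usr/local/etc/pureftpd.pdb
Umask                       177:077
AllowUserFXP                no
CreateHomeDir               yes
TLS                         1
EOF

check_pureftpd_conf "$WEAK_CONF" || echo "weak config rejected"
check_pureftpd_conf "$GOOD_CONF" && echo "hardened config accepted"
```

Run it against /usr/local/etc/pure-ftpd.conf after editing to confirm nothing was left commented out.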

Now it is time to generate a self-signed SSL certificate for use with pure-ftpd. You can use a CA-signed one if you want, but make sure it is named pure-ftpd.pem.

# mkdir -p /etc/ssl/private
# openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem \
    -out /etc/ssl/private/pure-ftpd.pem
# chmod 600 /etc/ssl/private/*.pem

Pure-ftpd will start upon system startup, but you can always issue:

# /usr/local/etc/rc.d/pure-ftpd.sh start

Managing Users

Now that pure-ftpd is up and running, it is time to create and manage our users. Virtual user information is created and modified with pure-pw, and logins are authenticated against /usr/local/etc/pureftpd.passwd and the puredb in /usr/local/etc/pureftpd.pdb. Since the virtual users do not really exist system-wide, we need to create an actual user and group for filesystem read/write access. You could even use an existing user/group, but to completely isolate the FTP users, we will create new ones.

# pw groupadd ftpgroup
# pw useradd ftpusers -c "Virtual FTP Users" -g ftpgroup -d /dev/null -s /sbin/nologin
# mkdir /usr/home/ftpusers

If you plan on running anonymous FTP, then you have to create the system ftp account and its home directory as follows, and any subdirectories need to be owned by ftp, not ftpusers. This means anonymous FTP cannot be regulated as a virtual account.

# pw useradd ftp -c "Anonymous FTP" -d /usr/home/ftpusers/ftp -s /sbin/nologin
# mkdir /usr/home/ftpusers/ftp
# mkdir /usr/home/ftpusers/ftp/incoming
# mkdir /usr/home/ftpusers/ftp/pub
# chown ftpusers:ftpgroup /usr/home/ftpusers/ftp
# chown ftp:ftpgroup /usr/home/ftpusers/ftp/*
# chmod 0755 /usr/home/ftpusers/ftp/incoming
# chmod 0555 /usr/home/ftpusers/ftp/pub

Now that we have a system user/group, we can add our virtual users to be in the same user group. This only becomes a security issue if you do not chroot everyone to stay in their home directory. To simply create a user that has default throttling:

# pure-pw useradd bob -u ftpusers -d /usr/home/ftpusers/bob -m
Password:
Enter it again:

The user bob has been created with the UID of ftpusers and the home directory /usr/home/ftpusers/bob, and this information is mirrored to /usr/local/etc/pureftpd.pdb by the -m flag. If you want bob to have access to the entire system directory, use the -D flag instead of -d. If you ever get errors about a user not being found, you can always fix that by rebuilding the database with

# pure-pw mkdb

Now, what if you have a system user that should be able to FTP? There are two ways of doing this. You can edit /usr/local/etc/pure-ftpd.conf to include UnixAuthentication, but the recommended way is to add your existing system accounts to pureftpd.passwd. This is recommended because their ftp access can then be throttled or managed.

# pure-pwconvert >> /usr/local/etc/pureftpd.passwd

Modifying user information uses the same flags as adding users, but with usermod instead of useradd. So, let’s change bob’s parameters so he can only store 10 files and upload at 20kbps.

# pure-pw usermod bob -n 10 -T 20 -m

To view the set parameters for bob, we can issue:

# pure-pw show bob

Login              : bob
Password           : $2a$07$2GsgzvrRTdAT9ld3bi.rPuIT1bfnfzJx1tqAn49uwHRPn3vfOEhUW
UID                : 1003 (ftpusers)
GID                : 1003 (ftpgroup)
Directory          : /home/ftpusers/bob/./
Full name          :
Download bandwidth : 0 Kb (unlimited)
Upload   bandwidth : 20 Kb (enabled)
Max files          : 10 (enabled)
Max size           : 0 Mb (unlimited)
Ratio              : 0:0 (unlimited:unlimited)
Allowed local  IPs :
Denied  local  IPs :
Allowed client IPs :
Denied  client IPs :
Time restrictions  : 0000-0000 (unlimited)
Max sim sessions   : 0 (unlimited)

Deleting users is quite simple as well.

# pure-pw userdel bob -m

After modifying a user’s parameters, restarting pure-ftpd is not necessary. Just make the change and it goes into effect immediately. For more information, check out the manpages or print the usage by running the command without any parameters:

# pure-pw

Now you are all set up. Try it out using regular FTP and then FTP over SSL.
