Virtual FTP Users + SSL

General Information

Running a FTP server is quite popular for sharing files over the Internet. nike air max 90 chaussures running nike But, the FTP protocol is not as secure as some may think. adidas messi By default, each FTP user has a system shell account and when connecting to the FTP server, all usernames and passwords are transmitted in plaintext. Chaussures Adidas UGG Bottes That means anybody sniffing your packets can gain access to your FTP accounts. chaussure nike pour homme air jordan 11 This guide is intended to provide a solution to both problems. ugg soldes asics tiger Pure-ftpd with puredb allows you to have throttled FTP-only accounts and the ability to use SSL.


  1. Local root access on the box or be able to su to root.
  2. A SSH client that supports ANSI colors such as puTTy or SecureCRT (if you aren’t on the box).
  3. Your favorite text editor (I like nano).
  4. OpenSSL
  5. A reliable Unix hosting


In order to have virtual user accounts, we need a database of some sort. nike air max tn soldes ugg 2017 You can compile pure-ftpd to work with MySQL, but we are going to use puredb because it was written specifically for use with pure-ftpd.

 # cd /usr/ports/databases/puredb # make install distclean # cd /usr/ports/ftp/pure-ftpd # make install distclean 


Firse, we need to rename the configuration file and make an entry to rc.conf to make the daemon start.

 # cd /usr/local/etc # mv pure-ftpd.conf.sample pure-ftpd.conf # echo 'pureftpd_enable="YES"' >> /etc/rc.conf 

Because we are authenticating virtual users, we need to change only a few lines in the config file. nike air max 90 timberland pas cher Of course, the configuration file offer a lot of options for you to tweat for your own system. ugg paillettes Below are just a couple of requirements and recommendations for use with this guide. nike air max 2017 nike air huarache So, make sure you have the following lines:

 # nano -w pure-ftpd.conf ChrootEveryone yes PureDB /usr/local/etc/pureftpd.pdb Umask 177:077 AllowUserFXP no CreateHomeDir yes TLS 1 

Now it is time to generate a self-signed SSL Certificate for use with pure-ftpd. You can use a signed one if you want, but make sure the name of it is pure-ftpd.pem

 # mkdir -p /etc/ssl/private # openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem \ # -out /etc/ssl/private/pure-ftpd.pem # chmod 600 /etc/ssl/private/*.pem 

Pure-ftpd will start upon system startup, but you can always issue:

 # /usr/local/etc/rc.d/ start 

Managing Users

Now that pure-ftpd is up and running, it is time to create and manage our users. air jordan en soldes nike air max pas cher nike free trainer Virtual user information is created and modified with pure-pw and the info is authenticated against /usr/local/etc/pureftpd.passwd and the puredb in /usr/local/etc/pureftpd.pdb. Since the virtual users do not really exist system-wide, we need to create an actual user and group for filesystem read/write access. ugg australia pas cher ugg bottes chaussure timberland homme You could even use an existing user/group, but to completely isolate the ftp users, we will create new ones.

 # pw groupadd ftpgroup # pw useradd ftpusers -c "Virtual FTP Users" -g ftpgroup -d /dev/null -s /sbin/nologin # mkdir /usr/home/ftpusers 

If you plan on running anonymous ftp, then you have to create the system ftp account and it’s home directory like the following and any recursive directories need to be owned by ftp, not ftpusers. nike air max 1 This means anonymous ftp cannot be regulated as a virtual account.

 # pw useradd ftp -c "Anonymous FTP" -d /usr/home/ftpusers/ftp -s /sbin/nologin # mkdir /usr/home/ftpusers/ftp # mkdir /usr/home/ftpusers/ftp/incoming # mkdir /usr/home/ftpusers/ftp/pub # chown ftpusers:ftpgroup /usr/home/ftpusers/ftp # chown ftp:ftpgroup /usr/home/ftpusers/ftp/* # chmod 0755 /usr/home/ftpusers/ftp/incoming # chmod 0555 /usr/home/ftpusers/ftp/pub 

Now that we have a system user/group, we can add our virtual users to be in the same user group. ffxiv gold This only becomes a security issue if you do not chroot everyone to stay in their home directory. ugg chaussons soldes timberland To simply create a user that has default throttling:

 # pure-pw useradd bob -u ftpusers -d /usr/home/ftpusers/bob -m Password: Enter it again: 

The user, bob, has been created with the UID of ftpusers and the home directory of /usr/home/ftpusers/bob and this information is mirrored to /usr/local/etc/pureftpd.pdb with the -m flag. Nike Roshe Run soldes If you want bob to have access to the entire system directory, use the -D flag instead of -d. If you ever get errors about a user not being found, you can always fix that by creating the database with

 # pure-pw mkdb 

Now, what if you have a system user that should be able to FTP? There are two ways of doing this. You can edit /usr/local/etc/pure-ftpd.conf to include UnixAuthentication, but the recommended way is to add your existing system accounts to pureftpd.passwd. This is recommended because their ftp access can then be throttled or managed.

 # pure-pwconvert >> /usr/local/etc/pureftpd.passwd 

Modifying user information uses the same flags as adding users, but you would use usermod instead. adidas pas cher chaussure tn pour homme So, let’s change bob’s parameters so he can only save 10 files and upload at 20kbps.

 # pure-pw usermod bob -n 10 -T 20 -m 

To view the set parameters for bob, we can issue:

 # pure-pw show bob Login : bob Password : $2a$07$2GsgzvrRTdAT9ld3bi.rPuIT1bfnfzJx1tqAn49uwHRPn3vfOEhUW UID : 1003 (ftpusers) GID : 1003 (ftpgroup) Directory : /home/ftpusers/bob/./ Full name : Download bandwidth : 0 Kb (unlimited) Upload bandwidth : 20 Kb (enabled) Max files : 10 (enabled) Max size : 0 Mb (unlimited) Ratio : 0:0 (unlimited:unlimited) Allowed local IPs : Denied local IPs : Allowed client IPs : Denied client IPs : Time restrictions : 0000-0000 (unlimited) Max sim sessions : 0 (unlimited) 

Deleting users is quite simple as well.

 # pure-pw userdel bob -m 

After modifying a user’s parameters, restarting pure-ftpd is not necessary. nike air max flyknit ultra 2.0 louboutin homme Just make the change and it goes into effect immediately. nike roshe run For more information, check out the manpages or find the usage by not specifying any parameters:

 # pure-pw 

Now you are all set up.

Speak Your Mind