
Virtual FTP Users + SSL
Updated: 11/18/2005


General Information

Running an FTP server is a popular way to share files over the Internet, but the FTP protocol is not as secure as some may think.  By default, each FTP user has a system shell account, and when connecting to the FTP server, all usernames and passwords are transmitted in plaintext.  That means anybody sniffing your packets can gain access to your FTP accounts.  This guide is intended to provide a solution to both problems: pure-ftpd with puredb allows you to have throttled FTP-only accounts and the ability to use SSL.

Requirements

  1. Local root access on the box or be able to su to root.
  2. An SSH client that supports ANSI colors such as PuTTY or SecureCRT (if you aren't on the box).
  3. Your favorite text editor (I like nano).
  4. OpenSSL

Installation

In order to have virtual user accounts, we need a database of some sort.  You can compile pure-ftpd to work with MySQL, but we are going to use puredb because it was written specifically for use with pure-ftpd.
# cd /usr/ports/databases/puredb
# make install distclean
# cd /usr/ports/ftp/pure-ftpd
# make install distclean

Configuration

First, we need to rename the configuration file and add an entry to rc.conf so the daemon starts at boot.
# cd /usr/local/etc
# mv pure-ftpd.conf.sample pure-ftpd.conf
# echo 'pureftpd_enable="YES"' >> /etc/rc.conf
Because we are authenticating virtual users, we need to change only a few lines in the config file.  Of course, the configuration file offers a lot of options for you to tweak for your own system.  Below are just a couple of requirements and recommendations for use with this guide, so make sure you have the following lines:
# nano -w pure-ftpd.conf

ChrootEveryone              yes
PureDB                      /usr/local/etc/pureftpd.pdb
Umask                       177:077
AllowUserFXP                no
CreateHomeDir               yes
TLS                         1
Now it is time to generate a self-signed SSL certificate for use with pure-ftpd.  You can use a signed one if you want, but make sure the file is named pure-ftpd.pem.
# mkdir -p /etc/ssl/private
# openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem \
    -out /etc/ssl/private/pure-ftpd.pem
# chmod 600 /etc/ssl/private/*.pem
Pure-ftpd will start upon system startup, but you can always issue:
# /usr/local/etc/rc.d/pure-ftpd.sh start
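Before handing the server to users it is worth confirming that pure-ftpd.conf really carries the settings above and that the PEM file is locked down. The following script is an added example, not part of this guide or of pure-ftpd; it takes the config and PEM paths as arguments (the guide's are /usr/local/etc/pure-ftpd.conf and /etc/ssl/private/pure-ftpd.pem) and also catches the missing ftp system account that bites when anonymous access is left enabled.

```shell
#!/bin/sh
# Added example (not from the guide or the pure-ftpd project): audit
# pure-ftpd.conf and the TLS PEM file against the settings this guide requires.

# Effective value of a directive: comment lines are skipped and the last
# occurrence wins, matching the "Directive   value" layout of pure-ftpd.conf.
conf_value() {  # conf_value <conf-file> <Directive>
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# Print one FINDING line per weak or missing setting; return their count.
audit_conf() {  # audit_conf <conf-file>
    conf="$1"; n=0
    for want in ChrootEveryone=yes AllowUserFXP=no CreateHomeDir=yes; do
        key="${want%%=*}"; exp="${want#*=}"
        got=$(conf_value "$conf" "$key")
        if [ "$got" != "$exp" ]; then
            echo "FINDING: $key is '${got:-unset}', guide requires '$exp'"
            n=$((n + 1))
        fi
    done
    if [ -z "$(conf_value "$conf" PureDB)" ]; then
        echo "FINDING: PureDB is unset, so virtual users cannot authenticate"
        n=$((n + 1))
    fi
    case "$(conf_value "$conf" TLS)" in
        1|2) ;;          # 1 = TLS offered, 2 = TLS required (cleartext refused)
        *)   echo "FINDING: TLS is not enabled; passwords cross the wire in plaintext"
             n=$((n + 1)) ;;
    esac
    # Pitfall from the comments: anonymous login enabled, but no system 'ftp' user
    if [ "$(conf_value "$conf" NoAnonymous)" != "yes" ] && ! id ftp >/dev/null 2>&1; then
        echo "FINDING: anonymous FTP is enabled but the 'ftp' system account is missing"
        n=$((n + 1))
    fi
    return "$n"
}

# The PEM must be mode 600 and carry both the private key and the certificate.
check_pem() {  # check_pem <pem-file>
    pem="$1"
    [ -f "$pem" ] || { echo "FINDING: $pem does not exist"; return 1; }
    if [ -n "$(find "$pem" -prune ! -perm 600)" ]; then
        echo "FINDING: $pem is not mode 600 (the private key may be readable by others)"
        return 1
    fi
    if ! grep -q "BEGIN CERTIFICATE" "$pem" || ! grep -q "PRIVATE KEY" "$pem"; then
        echo "FINDING: $pem lacks the certificate or the private key"
        return 1
    fi
    return 0
}

# Demo on a constructed config (a temporary file, not the real one).
demo=$(mktemp)
printf 'ChrootEveryone no\nAllowUserFXP yes\nTLS 0\nNoAnonymous yes\n' > "$demo"
audit_conf "$demo" || echo "$? finding(s) in the constructed demo config"
rm -f "$demo"
```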

Managing Users

Now that pure-ftpd is up and running, it is time to create and manage our users.  Virtual user information is created and modified with pure-pw and the info is authenticated against /usr/local/etc/pureftpd.passwd and the puredb in /usr/local/etc/pureftpd.pdb.  Since the virtual users do not really exist system-wide, we need to create an actual user and group for filesystem read/write access.  You could even use an existing user/group, but to completely isolate the ftp users, we will create new ones.
# pw groupadd ftpgroup
# pw useradd ftpusers -c "Virtual FTP Users" -g ftpgroup -d /dev/null -s /sbin/nologin
# mkdir /usr/home/ftpusers
If you plan on running anonymous FTP, then you have to create the system ftp account and its home directory as shown below, and any subdirectories must be owned by ftp, not ftpusers.  This means anonymous FTP cannot be regulated as a virtual account.
# pw useradd ftp -c "Anonymous FTP" -d /usr/home/ftpusers/ftp -s /sbin/nologin
# mkdir /usr/home/ftpusers/ftp
# mkdir /usr/home/ftpusers/ftp/incoming
# mkdir /usr/home/ftpusers/ftp/pub
# chown ftpusers:ftpgroup /usr/home/ftpusers/ftp
# chown ftp:ftpgroup /usr/home/ftpusers/ftp/*
# chmod 0755 /usr/home/ftpusers/ftp/incoming
# chmod 0555 /usr/home/ftpusers/ftp/pub
Now that we have a system user/group, we can add our virtual users to be in the same user group.  This only becomes a security issue if you do not chroot everyone to stay in their home directory.  To simply create a user that has default throttling:
# pure-pw useradd bob -u ftpusers -d /usr/home/ftpusers/bob -m
Password:
Enter it again:
The user bob has been created with the UID of ftpusers and the home directory /usr/home/ftpusers/bob; the -m flag mirrors this information into /usr/local/etc/pureftpd.pdb.  If you want bob to have access to the entire system directory, use the -D flag instead of -d.  If you ever get errors about a user not being found, you can always fix that by rebuilding the database with
# pure-pw mkdb
Now, what if you have a system user that should be able to FTP?  There are two ways of doing this.  You can edit /usr/local/etc/pure-ftpd.conf to include UnixAuthentication, but the recommended way is to add your existing system accounts to pureftpd.passwd.  This is recommended because their ftp access can then be throttled or managed.
# pure-pwconvert >> /usr/local/etc/pureftpd.passwd
Modifying user information uses the same flags as adding users, but you would use usermod instead.  So, let's change bob's parameters so he can only save 10 files and upload at 20kbps.
# pure-pw usermod bob -n 10 -T 20 -m
To view the set parameters for bob, we can issue:
# pure-pw show bob

Login              : bob
Password           : $2a$07$2GsgzvrRTdAT9ld3bi.rPuIT1bfnfzJx1tqAn49uwHRPn3vfOEhUW
UID                : 1003 (ftpusers)
GID                : 1003 (ftpgroup)
Directory          : /home/ftpusers/bob/./
Full name          :
Download bandwidth : 0 Kb (unlimited)
Upload   bandwidth : 20 Kb (enabled)
Max files          : 10 (enabled)
Max size           : 0 Mb (unlimited)
Ratio              : 0:0 (unlimited:unlimited)
Allowed local  IPs :
Denied  local  IPs :
Allowed client IPs :
Denied  client IPs :
Time restrictions  : 0000-0000 (unlimited)
Max sim sessions   : 0 (unlimited)
Deleting users is quite simple as well.
# pure-pw userdel bob -m
After modifying a user's parameters, restarting pure-ftpd is not necessary.  Just make the change and it goes into effect immediately.  For more information, check out the manpages or find the usage by not specifying any parameters:
# pure-pw
Now you are all set up.  Try it out using regular FTP and then FTP over SSL.
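The two failures that most often follow the user-management steps above are uploads refused with "553 Permission denied" (wrong ownership or mode on the virtual user's home) and logins refused with "530 Authentication failed" (pureftpd.pdb not rebuilt after pureftpd.passwd changed, because -m or pure-pw mkdb was skipped). The preflight script below is an added example, not from this guide or from pure-ftpd; it assumes the guide's layout of /usr/home/ftpusers owned by ftpusers:ftpgroup, but takes every path and name as an argument so the demo runs on a temporary directory.

```shell
#!/bin/sh
# Added example (not from the guide or the pure-ftpd project): preflight
# checks for a virtual FTP user's home directory and for a stale puredb.

# Resolve a directory to its physical path (symlinks and .. removed).
realdir() { (cd "$1" 2>/dev/null && pwd -P); }

# A virtual user's home must sit inside the base directory and be mode 755,
# owned by <owner>:<group>; otherwise uploads and mkdir fail with 553.
home_ok() {  # home_ok <base> <home> <owner> <group>
    base=$(realdir "$1") || return 1
    home=$(realdir "$2") || { echo "FINDING: $2 does not exist"; return 1; }
    case "$home" in
        "$base"/*) ;;
        *) echo "FINDING: $home is outside $base (the chroot would not contain it)"
           return 1 ;;
    esac
    if [ -z "$(find "$home" -prune -perm 755 -user "$3" -group "$4")" ]; then
        echo "FINDING: $home must be mode 755 and owned by $3:$4"
        return 1
    fi
    return 0
}

# True when pureftpd.pdb is missing or older than pureftpd.passwd: pure-ftpd
# authenticates against the .pdb only, so logins fail until pure-pw mkdb runs.
pdb_stale() {  # pdb_stale <pureftpd.passwd> <pureftpd.pdb>
    [ -f "$2" ] || return 0
    [ -n "$(find "$1" -prune -newer "$2")" ]
}

# Combined preflight; returns the number of problems found.
preflight() {  # preflight <base> <home> <owner> <group> <passwd> <pdb>
    n=0
    home_ok "$1" "$2" "$3" "$4" || n=$((n + 1))
    if pdb_stale "$5" "$6"; then
        echo "FINDING: $6 is missing or older than $5; run: pure-pw mkdb"
        n=$((n + 1))
    fi
    return "$n"
}

# Demo on a constructed layout owned by the current user (the guide's real
# layout is /usr/home/ftpusers owned by ftpusers:ftpgroup).
demo=$(mktemp -d)
mkdir -m 755 "$demo/bob"
: > "$demo/pureftpd.passwd"            # passwd exists, .pdb was never built
preflight "$demo" "$demo/bob" "$(id -un)" "$(id -gn)" \
          "$demo/pureftpd.passwd" "$demo/pureftpd.pdb" \
    || echo "$? problem(s) found in the constructed demo layout"
rm -rf "$demo"
```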

Author: Jon LaBass
jon at bsdguides dot org


37 Comments

Posted by on November 07, 2005 at 11:44:31 pm EET

Hello all.
Did everything as said in this manual and got this:

USER bob
331 User bob OK. Password required
PASS (hidden)
530 Authentication failed, sorry


Posted by Jon on November 07, 2005 at 11:44:31 pm EET

Jara,

Authentication has failed because of one or two things: 1.) pure-ftpd.conf is not configured for use with PureDB, or 2.) when creating users, you forgot to add the -m flag for the account information to be added to /usr/local/etc/pureftpd.pdb.  To fix the latter issue, just run

# pure-pw mkdb

and that should take care of it.  Also, verify that bob is a valid user with

# pure-pw show bob

If you are still having problems, authenticating, please let me know what version of FreeBSD you are running and the exact steps you performed.


Posted by on November 07, 2005 at 11:44:31 pm EET

I have the same problem. I checked that pure-ftpd.conf is configured to use PureDB, and I did not forget -m. I also ran #pure-pw mkdb, and #pure-pw show bob displays the information I expected.

I have FreeBSD 5.1.

exact step:
Followed your guide except...
#  pure-pwconvert >> /usr/local/etc/pureftpd.passwd
and
#  pure-pw usermod bob -n 10 -T 20 -m


Posted by on November 07, 2005 at 11:44:31 pm EET

I was able to get the FTP server running and it allows me to log in but for some reason, it will not allow me to upload anything or make directories. It tells me "553 Can't open that file: Permission denied".
Anyone know how to fix that? I glanced around the pure-ftpd.conf but didn't see what might be causing the issue.


Posted by Jon on November 07, 2005 at 11:44:31 pm EET

Mike,
That problem sounds like a permission issue with the user's home directory.  If you followed this guide, be sure all virtual ftp user home dirs are 755 and owner is ftpuser:ftpgroup and that should allow you to write.


Posted by proxycentral on November 07, 2005 at 11:44:31 pm EET

Greetings,
This is something that everyone needs to look at and make note of as I found a fix for it (FreeBSD 5.3 - PureFTPd):

server% ftp proxycentral.org
Connected to proxycentral.org.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 12:48. Server port: 21.
220-Only anonymous FTP is allowed here
220 You will be disconnected after 15 minutes of inactivity.
Name (proxycentral.org:mborja):
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Extended Passive mode OK (|||55573|)
500 I won't open a connection to 192.168.100.2 (only to 192.168.1.1)
200 PORT command successful
150 Connecting to port 54846
226-Sorry, we were unable to read [.]
226-Options: -a -l
226 0 matches total

You will notice that the port numbers will keep changing as you do a new ls. Relevant? I don't know. But here's everything I did next...

server# cd /usr/home
server# ls
ciapichino      ftpusers        mborja          root
server# ls -l
total 8
drwxr-xr-x   2 ciapichino  users   512 Dec 17 12:28 ciapichino
drwxr-x---   3 root        wheel   512 Dec 23 12:37 ftpusers
drwxr-xr-x  10 mborja      wheel  1024 Dec 23 05:40 mborja
drwxr-xr-x   9 root        wheel  1024 Dec 23 12:17 root
server# chown ftpusers ftpusers
server# ls -l
total 8
drwxr-xr-x   2 ciapichino  users   512 Dec 17 12:28 ciapichino
drwxr-x---   3 ftpusers    wheel   512 Dec 23 12:37 ftpusers
drwxr-xr-x  10 mborja      wheel  1024 Dec 23 05:40 mborja
drwxr-xr-x   9 root        wheel  1024 Dec 23 12:17 root
server# chgrp ftpgroup ftpusers
server# cd ftpusers/ftp
server# ls -l
total 4
drwxr-xr-x  2 ftp  ftpgroup  512 Dec 23 12:04 incoming
dr-xr-xr-x  2 ftp  ftpgroup  512 Dec 23 12:04 pub
server# pure-pw list
server# pure-pw useradd ldm -u ftpusers -d /usr/home/ftpusers/ldm-mirror -m
Password:
Enter it again:
---------
Now here is my /usr/local/etc/pure-ftpd.conf file:
ChrootEveryone              yes
BrokenClientsCompatibility  no
MaxClientsNumber            50
Daemonize                   yes
MaxClientsPerIP             8
VerboseLog                  no
DisplayDotFiles             yes
NoAnonymous                 yes
SyslogFacility              ftp
DontResolve                 yes
MaxIdleTime                 15
PureDB                      /usr/local/etc/pureftpd.pdb
LimitRecursion              2000 8
AnonymousCanCreateDirs      no
MaxLoad                     4
PassivePortRange            21
ForcePassiveIP              192.168.100.2
AntiWarez                   yes
Bind                        192.168.100.2,21
MinUID                      100
AllowUserFXP                no
AllowAnonymousFXP           no
ProhibitDotFilesWrite       no
ProhibitDotFilesRead        no
AutoRename                  no
AnonymousCantUpload         no
CreateHomeDir               yes
MaxDiskUsage                99
CustomerProof               yes
TLS                         1
---------
FYI: umask is actually commented out at this time. I will be resetting it. Something to think about.

With this configuration, I ran /usr/local/etc/rc.d/pure-ftpd.sh restart and was able to log in after testing it with a few

server# touch adsf
server# touch test
server# touch root
server# touch everything
server# touch touch
server# touch lol

in my /usr/local/ftpusers/ldm-mirror, and not only login, but get a directory listing. Here are the results:

server% ftp proxycentral.org
Connected to proxycentral.org.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 13:01. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (proxycentral.org:mborja): ldm
331 User ldm OK. Password required
Password:
230-User ldm has group access to:  1010
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Extended Passive mode OK (|||38048|)
500 I won't open a connection to 192.168.100.2 (only to 192.168.1.1)
200 PORT command successful
150 Connecting to port 51608
drwxr-xr-x    2 1010     1010          512 Dec 23 13:01 .
drwxr-xr-x    2 1010     1010          512 Dec 23 13:01 ..
-rw-r-----    1 0        1010            0 Dec 23 13:00 adsf
-rw-r-----    1 0        1010            0 Dec 23 13:01 everything
-rw-r-----    1 0        1010            0 Dec 23 13:01 lol
-rw-r-----    1 0        1010            0 Dec 23 13:00 root
-rw-r-----    1 0        1010            0 Dec 23 13:00 test
-rw-r-----    1 0        1010            0 Dec 23 13:01 touch
226-Options: -a -l
226 8 matches total
ftp>

Now if I didn't know any better...I'd say our problems are fixed [for now].

Best Regards,

Matt Borja (CEO)
Proxy Central, Inc. Network Services


Posted by berx on November 07, 2005 at 11:44:31 pm EET

I was installing PureFTPD under FreeBSD 5.3

The installation is okay. I have a problem: how can I remove the anonymous user? I created a user. Example:

Opening ftp://www.host.com goes to the ftp server as the anonymous user after a few seconds. Why doesn't it ask me for a username and password?

Please help me

tnx


Posted by berx on November 07, 2005 at 11:44:31 pm EET

oh

#ee /usr/local/etc/pure-ftpd.conf

change this
NoAnonymous yes
it's not working


Posted by csarlee on November 07, 2005 at 11:44:31 pm EET

Hello all!

I followed this guide step by step and when entering the pure-pw command it says command not found. What is wrong? I tried to reinstall puredb and pure-ftpd. It is FBSD5.3
Thanks in advance.

Csarlee


Posted by Jon on November 07, 2005 at 11:44:31 pm EET

berx:  Anonymous access is disabled by changing
No Anonymous no
to
No Anonymous yes
and then you have to restart pure-ftpd by
# /usr/local/etc/rc.d/pure-ftpd.sh restart
and then anonymous access is denied.

csarlee:  After you installed pure-ftpd, did you log out and then back into your shell or issue
# rehash
to be able to use pure-pw?


Posted by csarlee on November 07, 2005 at 11:44:31 pm EET

@Jon
I forgot to rehash!!!!
THANKS
Csarlee


Posted by wizard on November 07, 2005 at 11:44:31 pm EET

Hi,
I prefer another simple way to use ftp in a secure manner, via "ssh". In fact, under sshd_config there is:

#Subsystem       sftp    /usr/local/libexec/sftp-server

It is very useful; in fact it permits FTP over SSH, so NOT in plain text.

Under windows, for example, you can use "winscp" to copy files or get them; under unix there is the "scp" command.

Have a nice day


Posted by Jon on November 07, 2005 at 11:44:31 pm EET

Yes, sftp is another method of having secure ftp, but since it uses ssh, users must have a valid ssh shell in order to use sftp.  This guide allows you (as an admin) to restrict the access users have so you don't have to give them shell access -- only ftp access.  The SSL portion is to encrypt it so usernames/passwords are not sent in plaintext.


Posted by monx on November 07, 2005 at 11:44:31 pm EET

Excellent guide. I have a question about getting the SSL to work. I changed the setting in pure-ftp.conf from TLS 1 to TLS 2 just to see if the SSL was working, and it said I couldn't log in with plain text, of course. So, do I have to do something with the certificate and my users?
I don't get certificates perfectly yet. It seems like I'm missing something simple.

                              thanks Monx


Posted by Jon on November 07, 2005 at 11:44:31 pm EET

Once pure-ftpd is configured to use TLS/SSL and you have a certificate in place per this guide, then the only thing left is to use a ftp client that supports SSL.  Some such clients include SmartFTP, cuteFTP, WS-FTP, etc.  In these you just need to choose to connect using SSL.  This should solve your issue.  If not, let me know.


Posted by monx on November 07, 2005 at 11:44:31 pm EET

Yes, that helped. I figured it has to do with active and passive connections. I'm behind a firewall/NAT thing. I'll have to read up on the act/pasv thing. Thanks again for an excellent guide


Posted by Jon on November 07, 2005 at 11:44:31 pm EET

Ah, yes.  For passive connections, you need to allow ports 30000 - 50000 to go through to your ftp server.  If you are using ipf, you can find a rule in this IPF guide: http://www.bsdguides.org/guides/freebsd/networking/ipfilter.php


Posted by sacrif on November 07, 2005 at 11:44:31 pm EET

Everything is ok, but one simple problem: when the anonymous user connects to ftp and uploads a file, he, the same user, can't download it. Where can the problem be? Thx in advance..


Posted by Jon on November 07, 2005 at 11:44:31 pm EET

pure-ftpd has a built-in security feature that disallows anonymous users from downloading the files they upload.  This prevents people from using your server for warez.  Just think if anonymous users could upload files and download them, your server would be filled with warez and your bandwidth usage would increase dramatically.  So, this is not a problem, it's a good security feature.


Posted by maverick on January 28, 2007 at 9:31:12 pm EET

I've got some problems:
1. -out: Command not found.
2. When I typed ps -as|grep pureftpd, I didn't see the pureftpd process.
I have restarted my computer.


Posted by maverick on January 28, 2007 at 10:31:44 pm EET

I've found the answer to question number two. What software can I open my FTP server with now?


Posted by maverick on January 28, 2007 at 10:36:58 pm EET

Why can't I connect to the ftp server?

ps -wauxx |grep pure-ftpd
root   1016  0.0  0.2  2908  1828  p0  I     2:59AM   0:00.05 pure-ftpd (SERVER) (pure-ftpd)

ftp> o localhost
Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
ftp: connect: Connection refused


Posted by Jon on January 29, 2007 at 7:42:05 am EET

Hi maverick,

1. You are receiving the 'Command not found' error because that is actually a part of the previous line.  The command was broken up with a \ because it was a long line, so it was wrapped.  Rerun the entries with the \ and it will work.

2.  Do you have a firewall that is blocking TCP port 21?


Posted by maverick on January 29, 2007 at 3:24:22 pm EET

Thank you very much Jon,

but now i get a new problem:
[yahya@fiktm-67]/home/yahya > ftp localhost
Trying ::1...
Connected to localhost.fiktm.itb.ac.id.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 20:21. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:yahya): yahya
331 User yahya OK. Password required
Password:
530 Login authentication failed
ftp: Login failed.

I am sure that I type correct password


Posted by Jon on January 29, 2007 at 4:34:03 pm EET

If you are using the correct password, then please verify that you used the -m flag in your pure-pw command.  If not, run:

# pure-pw mkdb

The reason for the -m flag is to make the changes to the /usr/local/etc/pureftpd.pdb file.


Posted by maverick on January 30, 2007 at 4:32:25 am EET

I am sure that I typed the -m flag in my pure-pw command and I have run pure-pw mkdb


Posted by Jon on January 31, 2007 at 4:26:15 am EET

I've tried reproducing this issue and a fresh install seems to work fine.  Would you be able to send me an email with your xferlog log file and your pure-ftpd.conf file?


Posted by severndigital on February 06, 2007 at 6:13:30 pm EET

I've got everything installed and the FTP server seems to be running.
However I cannot log in at all. I made sure pure-ftpd.conf is pointing to the pure db.
I've tried pure-pw mkdb

i have verified that my user exists.


when I type

# ftp localhost


from the terminal window, it connects to the ftp with the current shell username.

if I try to connect from another computer with ftp client I always get the same error

[R] USER webaccess
[R] 331 User webaccess OK. Password required
[R] PASS (hidden)
[R] Connection failed (Connection lost)



one thing i did notice that when the ftp machine is rebooting pure-ftpd send out a message stating that it cannot find 'ftp' account.

if anyone has any ideas, thanks in advance.

I am running this on a Free-BSD 6.1 R2


Posted by Jon on February 07, 2007 at 4:32:10 am EET

What version of pure-ftpd are you running?  I recently installed 1.0.21 to test with and I don't see the issues you and maverick see.  Also, you are seeing the message about not being able to find the 'ftp' account because you have anonymous access enabled in pure-ftpd.conf, but did not set up the system to use anonymous ftp.  The ftp user account is used for anonymous ftp.


Posted by severndigital on February 07, 2007 at 3:26:30 pm EET

I am using the same version you stated. 1.0.21

I turned off anonymous connects and the error about the 'ftp' account did go away.

I am going to configure today with anonymous access and see if i can get into it that way first.

then try to troubleshoot why regular users cannot log-in.

one other thing i noticed.

when i create new users, pure-ftpd doesn't auto create the root folder for that user.

this is a really great tutorial, I know i'm really close to making this work.

thanks,
chris


Posted by Jon on February 07, 2007 at 4:11:12 pm EET

Let me know if you have the same issue with the anonymous user access.  If so, you can contact me via email with your pure-ftpd.conf attached so we can go more in-depth with the situation because I'm having a hard time reproducing it.

If you want the user's home directory to be created, make sure you use the -d flag in your pure-pw command and then also make sure the following is set in your pure-ftpd.conf:

CreateHomeDir     yes


Posted by haroldp on April 19, 2007 at 9:23:16 pm EEST

Can you confirm that SSL/TLS connections actually work in pureftpd 1.0.21?  I have TLS=1 in my config file, and my cert is set up correctly.  Yet, Pure' does not open port 990 as I would expect and ftps client connections just time out.

    - H


Posted by fantasio on April 25, 2007 at 10:15:19 pm EEST

Hello, I am setting up pure-ftp. When I log in with local users (ftp 10.0.0.13) it works, but when I try logging in via my DYNAMIC IP (88.59.123.**) it denies me with a 530 login failed message. How can I solve this problem? Can you help me please?


Posted by severndigital on May 04, 2007 at 7:04:17 pm EEST

everything is working great.

now i have a question.

I want to move my ftp site to a new computer. Is there any way to save some config files to move over to the new machine for usernames and logins??

thanks,
C


Posted by Jon on May 05, 2007 at 7:17:38 am EEST

@haroldp :  Pure-ftpd listens on port 21 regardless if you have SSL/TLS enabled.  Just connect to port 21 using ftps and you will connect with SSL/TLS.  You can verify this as you should see something similar to the following in you /var/log/xferlog:

[INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-SHA, 256 secret bits cipher


@fantasio :  It sounds like pure-ftpd is running properly if you are able to connect fine using the server IP.  Therefore it sounds like there might be a problem with your router/firewall not forwarding properly.  Send me an email and I can help you offline.


@severndigital :  All you have to do is copy the following files over to the new site and start up the daemon:
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.passwd
/usr/local/etc/pureftpd.pdb


Posted by fantasio on May 16, 2007 at 1:53:40 am EEST

Okay, I solved my problem. I disabled the ftp server on my ADSL router, which was what was answering me. But I still can't connect to my dynamic IP address from whatismyipaddress.com; I still don't understand what the reason is. But my friend succeeded in connecting to my ftp server from his home. Thanks JON for your interest and your help.


Posted by rex on December 23, 2007 at 9:17:08 am EET

I'm having a very strange problem.
Everything is working very well; it is just that I can log into my server using my web browser (firefox, IE). Even when I try "ftp://localhost" on the BSD box nothing happens.

Any suggestions


Copyright 2003 - 2008 BSD Guides.  All rights reserved.
