Pure-FTPd Administration
Source: Novell Cool Solutions
This article was tested on SUSE Linux Enterprise Server and SUSE Linux Enterprise Desktop.
In this article I am going to cover setting up virtual users and administrating user accounts. Some of the tasks we will look at are; chrooting users, setting upload/download limits, restricting IP access and many other tasks. Pure-FTPd is an excellent service that provides a rich set of features and a high level of security as it is regularly audited for security vulnerabilities, Pure-FTPd also provides server messages in multiple languages which helps administrators that don’t natively speak English.
Installing Pure-FTPd
The Pure-FTPd daemon can be installed from the SUSE installation disks. To check that it is not currently installed you can issue the “rpm” command with the following qualifiers “-q pure-ftpd” this will query the RPM database for the pure-ftpd package, as shown in Figure 1.
linux-1reo:~ # rpm -q pure-ftpd pure-ftpd-1.0.20-24.2
When you query the database for Pure-FTPd and nothing is returned you will need to install the daemon using the YaST utility either issue the command “yast” or “yast2” depending on your preference of interface.
Once Pure-FTPd has been installed you can start the service by using either the “service” command or the “rcpure-ftpd” as shown in Figure 1.1.
linux-1reo:~ # /sbin/service pure-ftpd start
Starting pure-ftpd doneFirewall configuration
Once Pure-FTPd has been successfully installed you will need to configure the passive ports and the actual FTP port (21) on the firewall and in the “pure-ftpd.conf” configuration file which is located in the “/etc/pure-ftpd” directory.
The first step to do is define what port range we are going to use for passive connections, in the “pure-ftpd.conf” file the default is 30000 – 50000 which is fine all you need to do is uncomment the “PassivePortRange 30000 50000” directive as shown in Figure 1.2.
... ... PassivePortRange 30000 50000 ... ...
linux-1reo:~ # iptables -I INPUT 2 -p tcp --dport 30000:50000 -j ACCEPT linux-1reo:~ # iptables -I INPUT 2 -p udp --dport 30000:50000 -j ACCEPT linux-1reo:~ # iptables -I INPUT 2 -p tcp --dport 21 -j ACCEPT linux-1reo:~ # iptables -I INPUT 2 -p udp --dport 21 -j ACCEPT
Once the ports have been opened you can FTP from another machine to the server and login as the anonymous user. Once you have logged in as the anonymous user you can issue the “ls” command and you should be able see two directory “.” and “..” as shown in Figure 1.4. If you issued the “ls” command and it stalled on “227 Entering Passive Mode (192,168,0,5,133,40)” message you have not configured the firewall correctly.
[damian@server2 ~]$ ftp 192.168.0.5 21 Connected to 192.168.0.5 (192.168.0.5). 220-Welcome to Pure-FTPd. 220-You are user number 2 of 10 allowed. 220-Only anonymous FTP is allowed here 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity. Name (192.168.0.5:damian): anonymous 230 Anonymous user logged in Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (192,168,0,5,131,100) 150 Accepted data connection drwxr-xr-x 2 0 0 48 Jun 16 2006 . drwxr-xr-x 2 0 0 48 Jun 16 2006 .. 226-Options: -a -l 226 2 matches total ftp>
Enabling virtual users
Once the firewall has been configured you will need to edited two important directives within the “pure-ftpd.conf” configuration file. The first directive is “PureDB”, by default this directive has been commented out, you will need to uncomment this directive. The second directive is “AnonymousOnly” this directive needs to be set to “no” otherwise Pure-FTPd will only allow anonymous logins.
The next step is to create a user and group that virtual users will be assigned to. This will reduce the total number of user IDs (UID) and group IDs (GID) that will be stored in the “/etc/passwd” file, as each virtual user needs a UID and a GID. The command used to create a group is “groupadd” as shown in Figure 2.
linux-1reo:~ # groupadd virftp
linux-1reo:~ # useradd -g virftp -d /srv/home -s /bin/false virftp
| Qualifier | Description |
| -g | This qualifier sets the default group to virftp for the “virusr”. |
| -d | This qualifier sets the users home directory to “/srv/home”. |
| -s | This qualifier sets the default shell. |
Table 1: useradd qualifiers.
Once the user and group have been successfully created you will need to create a home directory for the “virftp” user as shown in Figure 2.2.
linux-1reo:~ # mkdir /srv/home
Create a virtual user
Once the “virftp” user and group has been created you can begin to create virtual users. When creating the first virtual users you will need to issue the “pure-pw mkdb” command which creates the virtual user(s) database. The user we will create in this article is “damian”. The command we will be using is “pure-pw useradd” as shown in Figure 3.
linux-1reo:~ # pure-pw useradd damian -u virftp -g virftp -d /srv/home/damian Password: Enter it again: linux-1reo:~# pure-pw mkdb
linux-1reo:~ # mkdir /srv/home/damian linux-1reo:~ # chown virftp:virftp /srv/home -R
-m” qualifier will update the database automatically.Chrooting users
When adding virtual users to your system by default they are automatically chrooted however, if this is not what you want you can use the “-D” qualifier which will not chroot user into their home directory.
Upload/Download limiting
Setting upload and download limits is very simple as there are only two simple qualifiers that control upload and download speeds. The two qualifiers that control the upload and download speeds are; “-t” for download and “-T” for upload.
Setting download limit
In this article we are going to limit the user “damian” to 10Kbps even though the network speed is 100Mbps. The command to modify the user is “pure-pw” along with the “usermod” argument, as shown in Figure 4.
linux-1reo:~ # pure-pw usermod damian -t 10 -m
linux-1reo:~# pure-pw show damian Login : damian Password : $2a$07$O039xkKSDHXXAAow./djsswkw7j2nxcv9b8 UID : 1001 (virftp) GID : 1001 (virftp) Directory : /srv/home/damian/./ Full name : Download bandwidth : 0 kb (unlimited) Upload bandwidth : 0 kb (unlimited) Max files : 0 (unlimited) Max size : 0 Mb (unlimited) Ratio : 0:0 (unlimited:unlimited) Allowed local IPs : Denied local IPs : Allowed client IPs : Time restrictions : 0000-0000 (unlimited) Max sim sessions : 0 (unlimited)
Setting upload limit
We are now going to limit the user “damian” to 10Kbps, similar to what we have done with the download speed. The command we are going to use is “pure-pw” along with the “usermod” argument as shown in Figure 4.2.
linux-1reo:~ # pure-pw usermod damian -T 10 -m
IP Restrictions
Restricting access based on IP addresses is very simple. The qualifier that is used to block IP addresses is “-R” followed by the IP address as shown in Figure 5.
linux-1reo:~# pure-pw usermod damian -R 192.168.0.2 -m
Time restrictions
Setting time restrictions is very easy with Pure-FTP. The time notation that Pure-FTP uses is 24 hour, so to allow the user “damian” to access the FTP server between 1PM and 5PM you would enter the time as follows “1300-1700” as shown in Figure 6.
linux-1reo:~ # pure-pw usermod damian -z 1300-1700 -m
The Pure-FTP daemon provides a utility called: “pure-ftpwho” which allows you to see what activities are happening on your FTP server such as; who is logged in, what they are doing, were they are connecting from. Figure 7 shows the output of the “pure-ftpwho” command.
linux-1reo:~ # pure-ftpwho +---------+-------------+---------------+------------+------------------+ | PID | Login | For/Spd | What | File/IP | +---------+-------------+---------------+------------+------------------+
linux-1reo:~ # pure-pw usermod damian -R '' -m linux-1reo:~ # pure-pw usermod damian -t '' -m
Final Thoughts
The Pure-FTP daemon has shown that it is very powerful and very feature rich allowing administrators to easily manage their users and apply strict policy. I would also recommend visiting the Pure-FTP website [1] as they provide guides on setting Pure-FTP up with MySQL and PostgreSQL.