You may need to allow a third party access to a site without giving that party full SSH access to the server. One solution is to set up a secure FTP server that uses TLS/SSL encryption.
Installation
This article assumes that you are installing PureFTPd on a Debian-flavored system, but the configuration part should be valid on other systems as well. To install, simply run this command:
~$ apt-get install pure-ftpd-common pure-ftpd
I use virtual users to log in to PureFTPd, so I need a real system user and group that the virtual users are mapped to on the system. The commands below add that group and user.
~$ groupadd ftpgroup
~$ useradd -g ftpgroup -d /dev/null -s /etc ftpuser
Configuration
The default configuration that comes with PureFTPd on Debian can be used on most systems with only a few modifications. PureFTPd stores its configuration as a collection of files in the folder "/etc/pure-ftpd/conf/": each filename is a configuration parameter and the file content is the option value(s). See the TLS configuration on this page for an example.
Before virtual user authentication can be used, a symlink to the PureDB configuration file has to be created in the auth folder.
~$ cd /etc/pure-ftpd/auth
~$ ln -s ../conf/PureDB 50pure
If you only want virtual users to be able to log in, you will have to disable PAM and Unix authentication as shown below.
~$ echo no > /etc/pure-ftpd/conf/PAMAuthentication
~$ echo no > /etc/pure-ftpd/conf/UnixAuthentication
SSL/TLS
Enable SSL/TLS by generating a self-signed certificate with the command below. You can also use a "real" certificate, which is the better solution for production systems. The certificate must be stored at the path used below, because PureFTPd looks for it at that location.
~$ openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
~$ echo 2 > /etc/pure-ftpd/conf/TLS
~$ /etc/init.d/pure-ftpd restart
The number written to the TLS configuration file has the following effect:
- 0 disables TLS.
- 1 makes TLS optional for users.
- 2 forces all users to use TLS.
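The Configuration and SSL/TLS steps above leave a small set of files that decide whether only virtual users can log in and whether TLS is enforced. The script below is an added example, not part of the original article or of PureFTPd: it audits a configuration tree for that state (TLS forced, PAM and Unix authentication off, the PureDB auth symlink present, and the key+certificate PEM not readable by others). It runs here against a constructed sample tree; the paths are parameters so the same function can be pointed at /etc/pure-ftpd on a real host.

```sh
#!/bin/sh
# Added example, not from the original article: audit a PureFTPd config tree
# for the state described above (TLS forced, PAM/Unix auth off, PureDB auth
# symlink present, key+cert PEM not readable by others). Paths are parameters.

# read_opt FILE: first word of a single-option conf file, or "missing".
read_opt() {
    if [ -r "$1" ]; then awk 'NF { print $1; exit }' "$1"; else echo missing; fi
}

# audit_pureftpd ROOT CERT: prints one line per check, returns failure count.
audit_pureftpd() {
    root=$1 cert=$2 fails=0
    tls=$(read_opt "$root/conf/TLS")
    if [ "$tls" = 2 ]; then echo "OK   conf/TLS=2 (TLS required)"
    else echo "FAIL conf/TLS=$tls (set 2 to force TLS)"; fails=$((fails + 1)); fi
    for opt in PAMAuthentication UnixAuthentication; do
        val=$(read_opt "$root/conf/$opt")
        if [ "$val" = no ]; then echo "OK   conf/$opt=no"
        else echo "FAIL conf/$opt=$val (set no for virtual users only)"; fails=$((fails + 1)); fi
    done
    if [ -L "$root/auth/50pure" ] && [ -e "$root/auth/50pure" ]; then
        echo "OK   auth/50pure -> $(readlink "$root/auth/50pure")"
    else echo "FAIL auth/50pure -> ../conf/PureDB symlink missing or dangling"; fails=$((fails + 1)); fi
    # The PEM holds the private key too; ls -l columns 8-10 are the "other" bits.
    if [ -f "$cert" ] && [ "$(ls -l "$cert" | cut -c8-10)" = "---" ]; then
        echo "OK   $cert not readable by others"
    else echo "FAIL $cert missing or readable by others"; fails=$((fails + 1)); fi
    return "$fails"
}

# make_sample_tree DIR MODE: writes a constructed sample tree (MODE good|weak).
make_sample_tree() {
    mkdir -p "$1/conf" "$1/auth" "$1/ssl"
    : > "$1/ssl/pure-ftpd.pem"
    if [ "$2" = good ]; then
        echo 2 > "$1/conf/TLS"; echo no > "$1/conf/PAMAuthentication"
        echo no > "$1/conf/UnixAuthentication"; : > "$1/conf/PureDB"
        ln -sf ../conf/PureDB "$1/auth/50pure"; chmod 600 "$1/ssl/pure-ftpd.pem"
    else
        echo 1 > "$1/conf/TLS"; echo yes > "$1/conf/PAMAuthentication"
        chmod 644 "$1/ssl/pure-ftpd.pem"
    fi
}

# Demo on a constructed weak tree; on a real host run:
# audit_pureftpd /etc/pure-ftpd /etc/ssl/private/pure-ftpd.pem
demo=$(mktemp -d)
make_sample_tree "$demo" weak
audit_pureftpd "$demo" "$demo/ssl/pure-ftpd.pem" || echo "$? check(s) failed"
rm -rf "$demo"
```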
User Management
PureFTPd gives you the option to control each user individually and set different limitations. The basic commands are list and show, which respectively list all users and show detailed information about a single user. For a full list of options, execute the command "pure-pw" without any parameters.
~$ pure-pw list
~$ pure-pw show <username>
Create user
You create a virtual FTP user by executing the useradd command. You will be asked for a password and a confirmation when executing the first command. As you can see, the "real" user and group created earlier are used here. The second command creates or updates the binary database that PureFTPd uses for fast access.
~$ pure-pw useradd <username> -u ftpuser -g ftpgroup -d <dir>
~$ pure-pw mkdb
Reset password
If you need to reset a user's password, the passwd command can be used. The -m parameter ensures that the binary database is updated as well, not only the password file.
~$ pure-pw passwd <name> -m
Delete user
Simply run the userdel command.
~$ pure-pw userdel <username> -m
Limit bandwidth
You can limit both download (-t) and upload (-T) bandwidth; below both are limited to 10 Kbps.
~$ pure-pw usermod <username> -t 10 -T 10 -m
Block IP
You can block access from a network range or a single IP as shown below. You can also allow access from an IP or range by using "-r" with the same parameters.
~$ pure-pw usermod <username> -R 192.168.2.0/24 -m
~$ pure-pw usermod <username> -R 192.168.0.8 -m
Upload max
You can set the maximum allowed amount of data to be uploaded using the "-N" parameter. The command below sets the maximum upload to 10 Mb.
~$ pure-pw usermod <username> -N 10 -m
Time interval
To limit access to a time interval the "-z" option can be used.
~$ pure-pw usermod <username> -z 0900-1600 -m
Default options (unlimited)
You can reset an option to its default by passing the empty string as the parameter value.
~$ pure-pw usermod <username> -N '' -m
FTP Clients
- Cyberduck is a Mac client that supports SSL/TLS and many other options. A trial version can be downloaded from its homepage and the full version can be installed from the App Store.
- coreFTP is a free Windows client that supports SSL/TLS.
- FileZilla runs on almost any platform, but has some issues with firewalls and active connections.
Comments
FTP
Your information is great