SUSE Conversations


Pure-FTPd Administration



By: DamianMyerscough

October 23, 2007 11:11 am


In this article I am going to cover setting up virtual users and administering user accounts. Some of the tasks we will look at are: chrooting users, setting upload/download limits, restricting IP access and many others. Pure-FTPd is an excellent service that provides a rich set of features and a high level of security, as it is regularly audited for security vulnerabilities. Pure-FTPd also provides server messages in multiple languages, which helps administrators who do not natively speak English.

Installing Pure-FTPd

The Pure-FTPd daemon can be installed from the SUSE installation disks. To check whether it is already installed, issue the “rpm” command with the qualifiers “-q pure-ftpd”; this queries the RPM database for the pure-ftpd package, as shown in Figure 1.

linux-1reo:~ # rpm -q pure-ftpd
pure-ftpd-1.0.20-24.2

Figure 1: Querying the RPM database for the pure-ftpd package.

If querying the database for Pure-FTPd returns nothing, you will need to install the daemon using the YaST utility: issue either the “yast” or the “yast2” command, depending on your preferred interface.

Once Pure-FTPd has been installed you can start the service using either the “service” command or the “rcpure-ftpd” script, as shown in Figure 1.1.

linux-1reo:~ # /sbin/service pure-ftpd start
Starting pure-ftpd                                              done

Figure 1.1: Starting the Pure-FTPd daemon with the service command.

On a side note, whenever you make changes to the Pure-FTPd configuration you are required to restart the daemon for the changes to take effect.

Firewall configuration

Once Pure-FTPd has been successfully installed you will need to configure the passive ports and the actual FTP port (21) both on the firewall and in the “pure-ftpd.conf” configuration file, which is located in the “/etc/pure-ftpd” directory.

The first step is to define the port range that will be used for passive connections. In the “pure-ftpd.conf” file the default is 30000 – 50000, which is fine; all you need to do is uncomment the “PassivePortRange 30000 50000” directive as shown in Figure 1.2.

...
...
PassivePortRange          30000 50000
...
...

Figure 1.2: Enabling a port range for passive connections.

Once this has been uncommented you will need to restart the Pure-FTPd daemon. After the restart you will need to open the port range in the firewall, as shown in Figure 1.3.

linux-1reo:~ # iptables -I INPUT 2 -p tcp --dport 30000:50000 -j ACCEPT
linux-1reo:~ # iptables -I INPUT 2 -p udp --dport 30000:50000 -j ACCEPT
linux-1reo:~ # iptables -I INPUT 2 -p tcp --dport 21 -j ACCEPT
linux-1reo:~ # iptables -I INPUT 2 -p udp --dport 21 -j ACCEPT

Figure 1.3: Open the ports necessary for FTP.

The first rule shown in Figure 1.3 opens the passive port range for TCP connections; the second command does the same, except that it opens the port range for UDP connections. The third rule opens port 21 for TCP connections and rule four opens port 21 for UDP connections.

Once the ports have been opened you can FTP from another machine to the server and log in as the anonymous user. Once logged in as the anonymous user you can issue the “ls” command and you should see the two directories “.” and “..”, as shown in Figure 1.4. If the “ls” command stalls on the “227 Entering Passive Mode (192,168,0,5,133,40)” message, you have not configured the firewall correctly.

[damian@server2 ~]$ ftp 192.168.0.5 21 
Connected to 192.168.0.5 (192.168.0.5). 
220-Welcome to Pure-FTPd. 
220-You are user number 2 of 10 allowed. 
220-Only anonymous FTP is allowed here 
220-IPv6 connections are also welcome on this server. 
220 You will be disconnected after 15 minutes of inactivity. 
Name (192.168.0.5:damian): anonymous 
230 Anonymous user logged in 
Remote system type is UNIX. 
Using binary mode to transfer files. 
ftp> ls 
227 Entering Passive Mode (192,168,0,5,131,100) 
150 Accepted data connection 
drwxr-xr-x    2 0        0              48 Jun 16  2006 . 
drwxr-xr-x    2 0        0              48 Jun 16  2006 .. 
226-Options: -a -l 
226 2 matches total 
ftp>

Figure 1.4: Connecting to the FTP server as anonymous.
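The stall described above is easier to diagnose once you know what the 227 reply carries: the last two numbers in the parentheses encode the data port the client is about to connect to (p1*256 + p2), and that port has to fall inside the PassivePortRange the firewall was opened for. The following script is an added example, not part of the original article; it reads the directive from a constructed stand-in for pure-ftpd.conf, decodes the reply captured in Figure 1.4 and reports whether the two agree.

```shell
#!/bin/sh
# Added example (not part of the original article): decode a "227 Entering
# Passive Mode" reply and check that the advertised data port falls inside
# the PassivePortRange enabled in pure-ftpd.conf, which is the check to
# make when "ls" hangs after the 227 line.

# Constructed stand-in for /etc/pure-ftpd/pure-ftpd.conf (only the lines
# this example looks at).
SAMPLE_CONF='# Port range for passive connections replies. - for firewalling.
PassivePortRange          30000 50000
# AnonymousOnly              no'

# passive_range CONF_TEXT -> prints "LOW HIGH" from the first uncommented
# PassivePortRange directive; fails when the directive is still commented out.
passive_range() {
    printf '%s\n' "$1" |
        awk '$1 == "PassivePortRange" && NF == 3 { print $2, $3; exit }' |
        grep .
}

# pasv_port REPLY -> prints the data port encoded in the reply's last two
# numbers as p1*256+p2, e.g. (...,131,100) is port 33636.
pasv_port() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# pasv_in_range CONF_TEXT REPLY -> 0 when the data port lies inside the
# configured range (so a firewall rule for that range admits it), 1 when it
# does not, 2 when either input cannot be parsed.
pasv_in_range() {
    range=$(passive_range "$1") || return 2
    low=${range% *}
    high=${range#* }
    port=$(pasv_port "$2") || return 2
    [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]
}

# Stand-alone run against the reply captured in Figure 1.4.
REPLY='227 Entering Passive Mode (192,168,0,5,131,100)'
if pasv_in_range "$SAMPLE_CONF" "$REPLY"; then
    echo "data port $(pasv_port "$REPLY") is inside range $(passive_range "$SAMPLE_CONF")"
else
    echo "data port $(pasv_port "$REPLY") is outside the configured passive range"
fi
```

On a live server, replace SAMPLE_CONF with the contents of /etc/pure-ftpd/pure-ftpd.conf and paste the 227 line from the failing client session. A port outside the range usually means the directive was never uncommented or the daemon was not restarted after the edit; a port inside the range points at the firewall rule itself. Note that both the FTP control channel and the data channel are TCP, so the UDP rules in Figure 1.3 are not what makes passive transfers work.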

Enabling virtual users

Once the firewall has been configured you will need to edit two important directives within the “pure-ftpd.conf” configuration file. The first directive is “PureDB”; by default it is commented out, so you will need to uncomment it. The second directive is “AnonymousOnly”; it needs to be set to “no”, otherwise Pure-FTPd will only allow anonymous logins.

The next step is to create a user and group that virtual users will be assigned to. This reduces the total number of user IDs (UIDs) and group IDs (GIDs) stored in the “/etc/passwd” file, as each virtual user needs a UID and a GID. The command used to create a group is “groupadd”, as shown in Figure 2.

linux-1reo:~ # groupadd virftp

Figure 2: Creating the “virftp” group.

Once the “virftp” group has been created the next step is to create a user which will house all virtual users. The user we will create is “virftp”, as shown in Figure 2.1.

linux-1reo:~ # useradd -g virftp -d /srv/home -s /bin/false virftp

Figure 2.1: Creating the “virftp” user.

The qualifiers used in Figure 2.1 are listed in Table 1 with a description of what they do.

Qualifier   Description
-g          Sets the default group of the “virftp” user to virftp.
-d          Sets the user's home directory to “/srv/home”.
-s          Sets the default shell, here “/bin/false”.

Table 1: useradd qualifiers.

Once the user and group have been successfully created you will need to create the home directory for the “virftp” user, as shown in Figure 2.2.

linux-1reo:~ # mkdir /srv/home

Figure 2.2: Creating the “virftp” user's home directory.

Create a virtual user

Once the “virftp” user and group have been created you can begin to create virtual users. When creating the first virtual user you will need to issue the “pure-pw mkdb” command, which creates the virtual user database. The user we will create in this article is “damian”. The command we will be using is “pure-pw useradd”, as shown in Figure 3.

linux-1reo:~ # pure-pw useradd damian -u virftp -g virftp -d /srv/home/damian
Password:
Enter it again: 
linux-1reo:~ # pure-pw mkdb

Figure 3: Creating the virtual user “damian”.

Once the user has been created, their home directory needs to be created manually and must be owned by the user and group “virftp”, as shown in Figure 3.1.

linux-1reo:~ # mkdir /srv/home/damian
linux-1reo:~ # chown virftp:virftp /srv/home -R

Figure 3.1: Creating the virtual user's home directory.

Once the user has been successfully created and their home directory exists with the appropriate permissions, you can log in as that user. The “pure-pw mkdb” command does not need to be issued again after the first user has been created, as the “-m” qualifier updates the database automatically.

Chrooting users

Virtual users added to your system are automatically chrooted by default. If this is not what you want, you can use the “-D” qualifier, which will not chroot the user into their home directory.

Upload/Download limiting

Setting upload and download limits is very simple, as only two qualifiers control upload and download speeds: “-t” for download and “-T” for upload.

Setting download limit

In this article we are going to limit the user “damian” to 10Kbps, even though the network speed is 100Mbps. The command to modify the user is “pure-pw” along with the “usermod” argument, as shown in Figure 4.

linux-1reo:~ # pure-pw usermod damian -t 10 -m

Figure 4: Limit the user “damian” to download 10Kbps.

Once you have set the download limit to 10Kbps you can view it by issuing the “pure-pw” command with the “show” argument, as shown in Figure 4.1.

linux-1reo:~ # pure-pw show damian

Login			: damian 
Password		: $2a$07$O039xkKSDHXXAAow./djsswkw7j2nxcv9b8 
UID			: 1001 (virftp) 
GID			: 1001 (virftp) 
Directory		: /srv/home/damian/./ 
Full name		: 
Download bandwidth	: 0 kb (unlimited) 
Upload   bandwidth	: 0 kb (unlimited) 
Max files		: 0 (unlimited) 
Max size		: 0 Mb (unlimited) 
Ratio			: 0:0 (unlimited:unlimited) 
Allowed local  IPs	: 
Denied  local  IPs	: 
Allowed client IPs	: 
Time restrictions	: 0000-0000 (unlimited) 
Max sim sessions	: 0 (unlimited)

Figure 4.1: The user “damian” profile.

Once the download limit has been set you should connect to your FTP server and download a test file; if all has gone well the user should not be able to download faster than 10Kbps.

Setting upload limit

We are now going to limit the user “damian” to uploading at 10Kbps, similar to what we have done with the download speed. The command we are going to use is “pure-pw” along with the “usermod” argument, as shown in Figure 4.2.

linux-1reo:~ # pure-pw usermod damian -T 10 -m

Figure 4.2: Limiting the user “damian” to upload 10Kbps.

Once the upload limit has been set you can view the effect by using the “pure-pw” command with the “show” argument, as in Figure 4.1.

IP Restrictions

Restricting access based on IP addresses is very simple. The qualifier used to block IP addresses is “-R”, followed by the IP address, as shown in Figure 5.

linux-1reo:~ # pure-pw usermod damian -R 192.168.0.2 -m

Figure 5: Denying access to 192.168.0.2.

The example shown in Figure 5 denies access to the host 192.168.0.2 when it tries to log in as the user “damian”; even if the correct password is entered, access will be denied.

Time restrictions

Setting time restrictions is very easy with Pure-FTPd. The time notation that Pure-FTPd uses is 24-hour, so to allow the user “damian” to access the FTP server between 1PM and 5PM you would enter the time as “1300-1700”, as shown in Figure 6.

linux-1reo:~ # pure-pw usermod damian -z 1300-1700 -m

Figure 6: Restricting the user “damian” to accessing the FTP service between 1PM and 5PM.
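Each of the controls covered in Figures 4 to 6 ends up as a field in the “pure-pw show” profile, so the profile is the natural place to check that a virtual user really is chrooted, rate-limited, IP-restricted and time-restricted. The script below is an added example and not from the original article or the Pure-FTPd project: it parses profile text laid out like Figure 4.1 and lists whichever of those controls is missing. The two profiles are constructed samples (the password hashes are placeholders), and the “Denied client IPs” line is assumed to be present in the output even though Figure 4.1 does not show it.

```shell
#!/bin/sh
# Added example (not part of the original article): audit "pure-pw show"-style
# profiles for the settings covered in this article. The profile text is a
# constructed sample in the layout of Figure 4.1; on a live system feed it
# the output of "pure-pw show <login>" instead.

# Constructed profile: chrooted, both limits set, one denied IP, time window.
PROFILE_DAMIAN='Login                 : damian
Password              : $2a$07$...constructed-placeholder...
UID                   : 1001 (virftp)
GID                   : 1001 (virftp)
Directory             : /srv/home/damian/./
Full name             :
Download bandwidth    : 10 kb
Upload   bandwidth    : 10 kb
Max files             : 0 (unlimited)
Max size              : 0 Mb (unlimited)
Ratio                 : 0:0 (unlimited:unlimited)
Allowed local  IPs    :
Denied  local  IPs    :
Allowed client IPs    :
Denied  client IPs    : 192.168.0.2
Time restrictions     : 1300-1700
Max sim sessions      : 0 (unlimited)'

# Constructed profile: created with -D (no chroot) and no limits at all.
PROFILE_GUEST='Login                 : guest
Password              : $2a$07$...constructed-placeholder...
UID                   : 1001 (virftp)
GID                   : 1001 (virftp)
Directory             : /srv/home/guest
Full name             :
Download bandwidth    : 0 kb (unlimited)
Upload   bandwidth    : 0 kb (unlimited)
Max files             : 0 (unlimited)
Max size              : 0 Mb (unlimited)
Ratio                 : 0:0 (unlimited:unlimited)
Allowed local  IPs    :
Denied  local  IPs    :
Allowed client IPs    :
Denied  client IPs    :
Time restrictions     : 0000-0000 (unlimited)
Max sim sessions      : 0 (unlimited)'

# profile_field PROFILE LABEL -> value of the line whose label (with runs of
# whitespace collapsed) equals LABEL. Splits at the first ':' only, so values
# such as "0:0 (unlimited:unlimited)" survive intact.
profile_field() {
    printf '%s\n' "$1" | awk -v label="$2" '
        {
            i = index($0, ":"); if (i == 0) next
            key = substr($0, 1, i - 1)
            gsub(/[ \t]+/, " ", key); sub(/ $/, "", key)
            if (key != label) next
            val = substr($0, i + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print val; exit
        }'
}

# is_chrooted PROFILE -> 0 when the home directory carries the "/./" marker
# that pure-pw uses to record a chroot jail (Figure 4.1 shows it for damian).
is_chrooted() {
    case "$(profile_field "$1" Directory)" in
        */./) return 0 ;;
        *)    return 1 ;;
    esac
}

# audit_profile PROFILE -> one line per control that is not in place; prints
# nothing when chroot, both bandwidth limits, a time window and a client IP
# list are all set.
audit_profile() {
    login=$(profile_field "$1" Login)
    is_chrooted "$1" || echo "$login: not chrooted"
    for f in 'Download bandwidth' 'Upload bandwidth' 'Time restrictions'; do
        case "$(profile_field "$1" "$f")" in
            *unlimited*) echo "$login: $f unlimited" ;;
        esac
    done
    if [ -z "$(profile_field "$1" 'Allowed client IPs')" ] &&
       [ -z "$(profile_field "$1" 'Denied client IPs')" ]; then
        echo "$login: no client IP restriction"
    fi
}

# Stand-alone run: audit both constructed profiles.
for p in "$PROFILE_DAMIAN" "$PROFILE_GUEST"; do
    audit_profile "$p"
done
```

Run against real accounts with something like audit_profile "$(pure-pw show damian)" for each login in the database; an account that prints nothing has every control from this article applied, while each printed line names the “pure-pw usermod” qualifier you still need to set (-d for chroot, -t/-T for bandwidth, -z for the time window, -r/-R for client IPs).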

Pure-FTP administration

The Pure-FTPd daemon provides a utility called “pure-ftpwho” which lets you see what is happening on your FTP server: who is logged in, what they are doing and where they are connecting from. Figure 7 shows the output of the “pure-ftpwho” command.

linux-1reo:~ # pure-ftpwho
+---------+-------------+---------------+------------+------------------+
|  PID    |    Login    |    For/Spd    |    What    |     File/IP      |
+---------+-------------+---------------+------------+------------------+

Figure 7: Checking the status of your FTP server.

When dealing with virtual users you may also want to reset certain fields, such as download/upload limits, time restrictions or any of the other fields. The way to reset a value is to supply an empty string ('') with the qualifier, as shown in Figure 7.1.

linux-1reo:~ # pure-pw usermod damian -R '' -m
linux-1reo:~ # pure-pw usermod damian -t '' -m

Figure 7.1: Resetting field values.

The two commands shown in Figure 7.1 reset the “Denied client IPs” and “Download bandwidth” fields.

Final Thoughts

Pure-FTPd has shown itself to be very powerful and feature rich, allowing administrators to easily manage their users and apply strict policy. I would also recommend visiting the Pure-FTPd website [1], as it provides guides on setting Pure-FTPd up with MySQL and PostgreSQL.

Reference

[1] http://www.pureftpd.org/project/pure-ftpd
