How to Set up a Secure FTP Server with Pure FTPd on Ubuntu 16.04
Pure FTPd is a free open-source FTP server designed with security in mind. In this tutorial, we are going to take a look at how to set up a secure FTP server on Ubuntu 16.04 server with Pure FTPd and how to enforce TLS encryption.
Pure FTPd features:
- It supports SSL/TLS encryption and thus passwords and commands can be protected.
- It can run on most Unix-like systems: Linux, BSDs, Solaris, Darwin, HPUX, AIX and even iPhone.
- Available in 21 languages.
- Allows you to monitor active sessions.
- Supports a virtual quota system.
- And much more
For a complete list of features, please go to the Pure FTPd official website.
Installing Pure FTPd on Ubuntu 16.04 Server
It’s in the software repository, so issue the following command to install the FTP server.
sudo apt install pure-ftpd
Once installed, Pure FTPd will be automatically started, as can be seen with this command:
systemctl status pure-ftpd
Output:
● pure-ftpd.service
   Loaded: loaded (/etc/init.d/pure-ftpd; bad; vendor preset: enabled)
   Active: active (running) since Mon 2016-12-12 21:51:46 EST; 23s ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/pure-ftpd.service
           └─3435 pure-ftpd (SERVER)
preset: enabled indicates that it will start automatically at system boot time.
And it’s listening on TCP port 21, the control port, as can be seen with
sudo netstat -lnpt | grep pure-ftpd
Anonymous access is disabled by default. From now on you can use your system account to login, but plain text FTP is insecure and strongly discouraged. To have a secure FTP server, we need to encrypt communication with TLS.
How to Enforce TLS Encryption
To accept both plain-text and TLS-encrypted connections, run the following command, which creates the /etc/pure-ftpd/conf/TLS file and puts the number 1 into it.
echo 1 | sudo tee /etc/pure-ftpd/conf/TLS
However, it’s recommended to disable plain text and use TLS encryption only, so put the number 2 into the file instead.
echo 2 | sudo tee /etc/pure-ftpd/conf/TLS
Obtaining a TLS Certificate
If you have a CA-signed certificate, skip this step and go to the next one.
If you don’t have a certificate, you can obtain a free one from Let’s Encrypt. A self-signed certificate is not recommended because users will get a certificate warning.
To obtain a TLS certificate from Let’s Encrypt, install the Let’s Encrypt (certbot) client.
sudo apt install letsencrypt
Then run the following command.
sudo letsencrypt certonly --agree-tos --email your-email-address -d ftp.your-domain.com
Your certificate will be saved in the /etc/letsencrypt/archive/ftp.your-domain.com/ directory.
Installing the Certificate
Pure FTPd requires that the certificate and private key are combined into one file named pure-ftpd.pem and stored under the /etc/ssl/private/ directory.
You can use the cat command to combine two files into one, like below.
cat cert.pem privatekey.pem > pure-ftpd.pem
The Let’s Encrypt signed certificate is named fullchain1.pem and the private key is named privkey1.pem.
Then move the pure-ftpd.pem file to the /etc/ssl/private/ directory.
sudo mv pure-ftpd.pem /etc/ssl/private/
And make sure only root user can read the file.
sudo chmod 600 /etc/ssl/private/pure-ftpd.pem
Restart Pure FTPd.
sudo systemctl restart pure-ftpd
Now you can connect to your FTP server over TLS.
If you use the Nautilus file manager to connect to the FTP server via the plain-text ftp:// protocol, the connection will be refused.
Instead of ftp://, you must use ftps://.
Please note that FileZilla doesn’t trust any certificate (self-signed or CA-signed) by default. Users must choose to trust the certificate themselves.