Learn How To Set Up Pure-FTPd With TLS on Debian 9
Pure-FTPd is a fast and lightweight FTP server built with security in mind. In this tutorial, I am going to show you how to install and use Pure-FTPd on Debian 9 in 4 easy steps.
Step one – Installation
Pure-FTPd is in Debian’s stable repository, so there is no need to add any additional repositories to your system.
Run the following command with root privileges:
apt install -y pure-ftpd-common pure-ftpd
Step two – Configuration
There are many options you can use to change the application’s behavior. These options could be applied to Pure-FTPd’s daemon at startup or you could make them persistent by creating the necessary files inside the
We want to:
- Create virtual users.
- Create home directories for users automatically.
- Limit (chroot) users to only have access to their own home directory.
Enable Pure-FTPd’s database and disable PAM and Unix authentication to enable virtual users:
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure
echo no > /etc/pure-ftpd/conf/PAMAuthentication
echo no > /etc/pure-ftpd/conf/UnixAuthentication
Set Pure-FTPd to create home directories for users at their first login:
echo "yes" > /etc/pure-ftpd/conf/CreateHomeDir
echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone
If you are interested in learning about other options, visit the official documentation page.
Step three – Create users
Pure-FTPd can handle virtual-users, which means they are kept in Pure-FTPd’s database and are not related to Linux system users.
In order for Pure-FTPd to manage files for virtual users, we need to create a Linux user and group with which all virtual users will be associated. All virtual users can use the same system user and group as long as they have been chrooted.
Run the following commands to create the system user and group:
groupadd ftpusr
useradd -g ftpusr -d /dev/null -s /etc ftpusr
Note: We don’t want this user to have a home directory or login capability.
Create our FTP root directory:
Create a virtual-user in Pure-FTPd:
pure-pw useradd alex -u ftpusr -g ftpusr -d /home/FTP/alex
We have added our first virtual-user (alex) and associated it with system user/group (ftpusr). All files that you write with alex will be owned by ftpusr on the system.
Update Pure-FTPd’s database:
Check the user’s information:
pure-pw show alex
Login : alex
Password : <encrypted password>
UID : 1000 (ftpusr)
GID : 1000 (ftpusr)
Directory : /home/FTP/alex/./
Full name :
Download bandwidth : 0 Kb (unlimited)
Upload bandwidth : 0 Kb (unlimited)
Max files : 0 (unlimited)
Max size : 0 Mb (unlimited)
Ratio : 0:0 (unlimited:unlimited)
Allowed local IPs :
Denied local IPs :
Allowed client IPs :
Denied client IPs :
Time restrictions : 0000-0000 (unlimited)
Max sim sessions : 0 (unlimited)
To make life easier, use the following script to add FTP accounts:
echo -e '#!/bin/bash\nread -r -p "Enter UserName: " usrname\npure-pw useradd "$usrname" -u ftpusr -g ftpusr -d "/home/FTP/$usrname" && pure-pw mkdb' > /usr/sbin/ftp-createacc
chmod u+x /usr/sbin/ftp-createacc
Now, creating FTP accounts is simple:
ftp-createacc
Enter UserName: mike
Password:
Enter it again:
Step four – TLS support
First, we need to install OpenSSL.
apt install -y openssl
Force Pure-FTPd to use TLS, or make it optional, which means both insecure and TLS connections are accepted:
# force TLS
echo 2 > /etc/pure-ftpd/conf/TLS
# insecure + TLS
echo 1 > /etc/pure-ftpd/conf/TLS
Create a directory to store our keys.
mkdir -p /etc/ssl/pure-ftpd
Generate a self-signed certificate and its private key, stored together in one PEM file.
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
systemctl restart pure-ftpd
If you have a firewall installed on your system, or your server is behind NAT, you must define passive ports in Pure-FTPd and open these ports in your firewall, otherwise you will receive errors such as these:
Server sent passive reply with unroutable address. Passive mode failed.
Failed to retrieve directory listing.
500 I won't open a connection to 192.168.1.4 (only to 10.10.10.10).
Set passive ports in Pure-FTPd:
echo "40110 42210" > /etc/pure-ftpd/conf/PassivePortRange
Restart pure-ftpd to apply the change.
systemctl restart pure-ftpd
In your firewall, open the incoming port range from 40110 to 42210, protocol TCP.
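To confirm that the settings from the steps above are actually in place, the following script audits the one-file-per-option directory /etc/pure-ftpd/conf. It is an added example, not part of the original tutorial or of Pure-FTPd; the function names and the FAIL output format are assumptions made for this example, and the directory built in demo is constructed sample input.

```sh
#!/bin/sh
# Added example: audit a Pure-FTPd conf directory (one file per option).

# Print the first word of an option file, or "unset" when it is missing.
conf_value() {  # $1 = conf dir, $2 = option name
    if [ -r "$1/$2" ]; then awk 'NR==1 { print $1; exit }' "$1/$2"
    else echo unset; fi
}

# Compare one option with its expected value; print a finding on mismatch.
expect_opt() {  # $1 = conf dir, $2 = option, $3 = expected value
    actual=$(conf_value "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "FAIL $2: expected '$3', found '$actual'"
    return 1
}

# Audit the settings this tutorial chooses; exit status 0 means no findings.
audit_pureftpd() {  # $1 = conf dir
    findings=0
    expect_opt "$1" PAMAuthentication no  || findings=$((findings + 1))
    expect_opt "$1" UnixAuthentication no || findings=$((findings + 1))
    expect_opt "$1" ChrootEveryone yes    || findings=$((findings + 1))
    expect_opt "$1" TLS 2                 || findings=$((findings + 1))
    # PassivePortRange must hold "low high" with 0 < low < high <= 65535.
    if ! awk 'NR==1 && NF==2 && $1+0 > 0 && $1+0 < $2+0 && $2+0 <= 65535 { ok=1 }
              END { exit !ok }' "$1/PassivePortRange" 2>/dev/null; then
        echo "FAIL PassivePortRange: expected 'low high', e.g. '40110 42210'"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demo on a constructed directory: TLS left optional, ChrootEveryone missing.
demo() {
    d=$(mktemp -d) || return 1
    echo no > "$d/PAMAuthentication"; echo no > "$d/UnixAuthentication"
    echo 1 > "$d/TLS"; echo "40110 42210" > "$d/PassivePortRange"
    audit_pureftpd "$d"; status=$?
    rm -rf "$d"
    return "$status"
}

# With an argument audit that directory, otherwise run the demo.
if [ "$#" -gt 0 ]; then audit_pureftpd "$1"; else demo || true; fi
```

Run it as root with /etc/pure-ftpd/conf as the argument after each configuration change; a non-zero exit status means at least one setting differs from the ones chosen in this guide.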
FTP is insecure by nature, but it is also fast and easy to set up. For a more secure solution, use SFTP instead.