Pure-FTPd is a fast and lightweight FTP server built with security in mind. In this tutorial, I am going to show you how to install and use Pure FTP in 4 easy steps. This guide explains how to install Pure FTPd on Debian 9.
Step one – Installation
Pure-FTPd is in Debian’s stable repository, so there is no need to add any additional repositories to your system.
Run the following command with root privileges:
apt install -y pure-ftpd-common pure-ftpd
Step two – Configuration
There are many options you can use to change the application’s behavior. These options could be applied to Pure-FTPd’s daemon at startup or you could make them persistent by creating the necessary files inside the conf
directory.
We want to:
- Create virtual users.
- Create home directories for users automatically.
- Limit (
chroot
) users to only have access to their own home directory.
Enable Pure-FTPd’s database and disable PAM and Unix authentication to enable virtual users:
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure
echo no > /etc/pure-ftpd/conf/PAMAuthentication
echo no > /etc/pure-ftpd/conf/UnixAuthentication
Set Pure-FTPd to create home directories for users at their first login:
echo "yes" > /etc/pure-ftpd/conf/CreateHomeDir
Chroot everyone.
echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone
If you are interested to learn about other options, visit the official documentation page.
Step three – Create users
Pure-FTPd can handle virtual-users, which means they are kept in Pure-FTPd’s database and are not related to Linux system users.
In order for Pure-FTPd to manage files with virtual-users we need to create a Linux user and group in which all virtual users will be associated. All virtual users can use the same system user and group as long as they have been chrooted.
Run the following commands to create the system user and group:
groupadd ftpusr
useradd -g ftpusr -d /dev/null -s /etc ftpusr
Note: We don’t want this user to have a home directory or login capability.
Create our FTP root directory:
mkdir /home/FTP
Create a virtual-user in Pure-FTPd:
pure-pw useradd alex -u ftpusr -g ftpusr -d /home/FTP/alex
We have added our first virtual-user (alex
) and associated it with system user/group (ftpusr
). All files that you write with alex
will be owned by ftpusr
on the system.
Update Pure-FTPd’s database:
pure-pw mkdb
Check the user’s information:
pure-pw show alex
Login : alex
Password : <encrypted password>
UID : 1000 (ftpusr)
GID : 1000 (ftpusr)
Directory : /home/FTP/alex/./
Full name :
Download bandwidth : 0 Kb (unlimited)
Upload bandwidth : 0 Kb (unlimited)
Max files : 0 (unlimited)
Max size : 0 Mb (unlimited)
Ratio : 0:0 (unlimited:unlimited)
Allowed local IPs :
Denied local IPs :
Allowed client IPs :
Denied client IPs :
Time restrictions : 0000-0000 (unlimited)
Max sim sessions : 0 (unlimited)
To make life easier, use the following script to add FTP accounts:
echo -e '#!/bin/bash/nread -p "Enter UserName: " usrname/npure-pw useradd $usrname -u ftpusr -g ftpusr -d /home/FTP/$usrname && pure-pw mkdb' > /usr/sbin/ftp-createacc
chmod u+x /usr/sbin/ftp-createacc
Now, creating FTP accounts is simple:
ftp-createacc
Enter UserName: mike
Password:
Enter it again:
Step four – TLS support
First, we need to install OpenSSL.
apt install -y openssl
Force Pure-FTPd to use TLS, or we can make it optional which means both insecure and TLS connections are accepted
# force TLS
echo 2 > /etc/pure-ftpd/conf/TLS
# insecure + TLS
echo 1 > /etc/pure-ftpd/conf/TLS
Create a directory to store our keys.
mkdir -p /etc/ssl/pure-ftpd
Generate a bundle key (private key and public key).
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Restart the pure-ftpd
daemon.
systemctl restart pure-ftpd
If you have a firewall installed on your system, or your server is behind NAT, you must define passive ports in Pure-FTPd and open the these ports in your firewall, otherwise you will receive errors such as these:
Server sent passive reply with unroutable address. Passive mode failed.
Failed to retrieve directory listing.
500 I won't open a connection to 192.168.1.4 (only to 10.10.10.10).
Set passive ports in Pure-FTPd:
echo "40110 42210" > /etc/pure-ftpd/conf/PassivePortRange
Restart pure-ftpd
to apply the change.
systemctl restart pure-ftpd
In your firewall, open the incoming port range from 40110 to 42210, protocol TCP.
FTP is insecure by nature, but it is also fast and easy to setup. For a more secure solution, use SFTP instead.
Want to contribute?
You could earn up to $300 by adding new articles
Suggest an update
Request an article