2008-02-10

Sysadmin Sunday: Pure-ftpd configuration on Ubuntu Server Edition

0. Introduction

There are tons of FTP servers out there. Some are leftovers from the stone age; others are fairly up to date, with SSL capability and virtual user support. In this case I have chosen Ubuntu Server and Pure-ftpd.

Why: Ubuntu comes out of the box unencumbered by the unnecessary bloat that many server editions are forced to install through a spider web of software dependencies. At the same time it has a very mature package management system which allows for easy software updates.

I'll stop there because I don't intend this to be a flame war about which Linux is best. An important difference between the Ubuntu package and Pure-ftpd's native configuration is that Ubuntu uses a configuration wrapper instead of modifying a start-up script, which is why I am writing this article.

This article assumes that you have an intermediate or advanced knowledge of command line based UNIX operating systems.

-=-=-=-=-=-=-=-
Table of contents:
-=-=-=-=-=-=-=-
0..........Introduction
1..........System setup and overview on what needs to be done
2..........Package installation
3..........Wrapper configuration with virtual users and SSL
4..........Access control via virtual users and iptables and or pure-ftp
5..........Informative resources
-=-=-=-=-=-=-=-

-=-=-=-=-=-=-=-
1. System setup and overview on what needs to be done
-=-=-=-=-=-=-=-
We will be needing an Ubuntu Server Edition installation, preferably with a firewall in place.
In this case I have a pile of users who need to use Dreamweaver to edit their web sites. Preferably they have their own logins, and those logins need to be chrooted to their own directories. Secondly, the users have no earthly reason to have a system user account.
For security's sake I want the option for them to use encryption (once we can get licenses for the newer version of Dreamweaver, which supports it). Lastly, these virtual users should have disk space quotas so some idiot doesn't upload a ton of family pictures taken with a 10 Megapixel camera that are like 20 MB a piece, causing the storage array to !#*& itself.

Pure-ftpd can use arbitrary file paths for virtual user home directories. You can assign a local system user account and group to each virtual user or group of virtual users.

You can make a system user and group called webadmin who owns the "sites" folder under "/data/sites". From the system's standpoint, all of the virtual users are doing business as "webadmin". Pure-ftpd does the job of access control and permissions on its end and keeps people in their home folders.

-=-=-=-=-=-=-=-
2. Package installation
-=-=-=-=-=-=-=-
Run the command:

apt-get install pure-ftpd

There is a GUI configuration tool, but by default Ubuntu does not have a GUI, so I leave that to you.

-=-=-=-=-=-=-=-
3. Wrapper configuration with virtual users and SSL
-=-=-=-=-=-=-=-
Once installed, the wrapper configuration folder is at "/etc/pure-ftpd". The folder contains a structure like so:

root@stage:/etc/pure-ftpd# ls -al
total 32
drwxr-xr-x   5 root root  4096 2008-02-20 01:32 .
drwxr-xr-x 133 root root 12288 2008-02-20 01:32 ..
drwxr-xr-x   2 root root  4096 2008-02-20 01:32 auth
drwxr-xr-x   2 root root  4096 2008-02-20 01:32 conf
drwxr-xr-x   2 root root  4096 2007-06-21 19:01 db
-rw-r--r--   1 root root   230 2007-06-21 19:01 pureftpd-dir-aliases

Under auth you will find the following symlinks:
root@stage:/etc/pure-ftpd/auth# ls -alF
total 8
drwxr-xr-x 2 root root 4096 2008-02-20 01:32 ./
drwxr-xr-x 5 root root 4096 2008-02-20 01:32 ../
lrwxrwxrwx 1 root root 26 2008-02-20 01:32 65unix -> ../conf/UnixAuthentication
lrwxrwxrwx 1 root root 25 2008-02-20 01:32 70pam -> ../conf/PAMAuthentication
Delete all of these and make a symlink to "../conf/PureDB":
root@stage:/etc/pure-ftpd/auth# ln -s ../conf/PureDB
Go to the conf directory and edit the "PAMAuthentication" file to say NO instead of YES.
Add a new file called "ChrootEveryone" containing the single word "YES".

Now let's make a user!
pure-pw useradd test -u webadmin -g webadmin -d /data/sites/localhost/ -N 25
pure-pw mkdb
Here -N sets a 25 MB quota, -u and -g are the user ID and group ID (given by name here) of the corresponding system user, and -d is the folder the user is chrooted into. The command "mkdb" builds the binary password database that pure-ftpd actually reads from the text file pure-pw maintains.

Now that our chrooted ftpd environment is finished, we just need to configure the SSL option.
It is possible to FORCE users to use FTP over SSL/TLS, but that is outside the scope of this article.
Generate a self-signed certificate (from the pure-ftpd documentation):
mkdir -p /etc/ssl/private
openssl req -x509 -nodes -newkey rsa:1024 -keyout \
    /etc/ssl/private/pure-ftpd.pem \
    -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/*.pem
Then go into "/etc/pure-ftpd/conf" and edit the file named "TLS" and add the number "1"
(0 disables encryption, 1 makes it optional and 2 makes it mandatory).

Now restart the service:
/etc/init.d/pure-ftpd restart

And login to your new ftp server!

-=-=-=-=-=-
4. Access control via virtual users and iptables and or pure-ftp
-=-=-=-=-=-
It pisses me off to read the logs and see all of the automated Interweb exploit scripted attacks. So here are some suggestions to keep the automated attacks down.

1. Hosts.deny doesn't work. Use iptables filtering.
2. Grab a blackhole IP list (BBL) from http://www.unixhub.com/block.html.
3. Determine your scope of service: if your users work only within the continental United States, then blocking APNIC and any other non-local IP ranges in their entirety would be a good idea.

If you want to tie it down on a per-user basis try this:
pure-pw usermod testuser \
    -r IP-ADDRESS-RANGE \
    -R IP-ADDRESS-RANGE
pure-pw mkdb
where -r is the allowed IP range and -R is the denied range (example: -R 200.0.0.0/8 -r 192.168.0.0/16). As with useradd, the change only takes effect once the binary database is rebuilt with "pure-pw mkdb".
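As an added example (not from the original post or the Pure-ftpd project), here is a small POSIX shell script that turns a block list in the one-entry-per-line style of the BBL into iptables DROP rules for the FTP control port, validating each entry first so a malformed line never reaches iptables. The block list contents are constructed sample data, and the rules are printed rather than applied so they can be reviewed before use.

```shell
#!/bin/sh
# Constructed sample block list (not the real BBL): one address or CIDR per
# line, with comments and malformed lines to exercise the validation.
BLOCKLIST='# constructed sample, not a real block list
203.0.113.0/24
198.51.100.0/24   # trailing comment is ignored

not-an-address
10.0.0.0/33
192.0.2.5'

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_cidr() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        pfx=${1#*/}
        case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
        [ "$pfx" -le 32 ] || return 1
    fi
    oldifs=$IFS; IFS=.
    set -f                      # no globbing while we split on dots
    set -- $addr
    set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit one iptables rule per valid entry, dropping connections to the FTP
# control port (tcp/21); bad entries are reported on stderr and skipped.
gen_ftp_block_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        entry=${line%%#*}                      # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if valid_cidr "$entry"; then
            printf 'iptables -A INPUT -p tcp --dport 21 -s %s -j DROP\n' "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
}

# Print the rules for review; pipe them into sh once you are happy with them.
gen_ftp_block_rules "$BLOCKLIST"
```

Only the control channel is covered here; data connections use other ports and need their own rules.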


-=-=-=-=-=-
5. Informative resources
-=-=-=-=-=-
Barnes, Robert. "Bad IP addresses / Bob's Block List (BBL)". Accessed Feb 2008.
http://www.unixhub.com/block.html

Denis, Frank. "Pure-ftpd". Accessed Feb 2008.
http://www.pureftpd.org
http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

Hornburg, Stefan (Racke). "Debian pure-ftpd-wrapper man page". Accessed Feb 2008.
http://www.penguin-soft.com/penguin/man/8/pure-ftpd-wrapper.html
