Polarwave's OpenBSD
Tips and Tricks for Newbies
Pure-FTPd
Configuring & Running Pure-FTPd
I already have some stuff up on this site pertaining to SSH which, in my opinion, is by far
the safest way to go for users logging in from remote locations. There's also information
on Samba, which I use for Windows boxes on the local area network. But a lot of people
still like good old FTP, so I started looking into the best way to do it. After doing some
reading and research, it looked like pure-ftpd(8) was the way for me to go. It fairly well
limits what a user logging in can do, but they can still upload and download files, and for
me, that's enough. Anything else and I'd rather use SSH. There is plenty of documentation
provided by the Pure-FTPd project and I won't try to cover it all here. I didn't want any
anonymous users, so I went the regular user route. Even then I set it up chrooted. I recall
when the Internet was a friendly place, but that was a long while back.
I didn't opt to build it from ports with any special --with options. Instead, I installed
the precompiled OpenBSD binary package. I'm not running a mail or web server and have
no other special needs, and not too many users, so I felt that would be sufficient, and it
was. On to the install.
$ sudo pkg_add pure-ftpd-1.0.21
The port has 6 "FLAVORS" you can choose from, but the binary packages on the ftp servers
only offer the regular build along with 3 "FLAVORS": ldap, mysql, and postgresql. Like I
said before, I just used the plain one. Remember, when you're installing a package, you
can have PKG_PATH in your environment, or, if you really like to type, you can type the entire
path to the package on the server. So if you're running OpenBSD 4.2, your environment
would need a value like this:
PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.2/packages/i386/
Okay, now that pure-ftpd is installed, it's time to configure it. Boy, are there scads of
settings you can choose from, too! Here's an example from the first part of the man page:
- -0 --notruncate
- -1 --logpid
- -4 --ipv4only
- -6 --ipv6only
- -a --trustedgid
- -A --chrooteveryone
- -b --brokenclientscompatibility
- -B --daemonize
- -c --maxclientsnumber
- -C --maxclientsperip
- -d --verboselog
- -D --displaydotfiles
- -e --anonymousonly
- -E --noanonymous
- -f --syslogfacility
- -F --fortunesfile
- -g --pidfile
- -G --norename
- -h --help
- -H --dontresolve
- -i --anonymouscantupload
- -I --maxidletime
- -j --createhomedir
- -k --maxdiskusagepct
- -K --keepallfiles
- -l --login
- -L --limitrecursion
- -m --maxload
- -M --anonymouscancreatedirs
- -n --quota
- -N --natmode
- -o --uploadscript
- -O --altlog
- -p --passiveportrange
- -P --forcepassiveip
- -q --anonymousratio
- -Q --userratio
- -r --autorename
- -R --nochmod
- -s --antiwarez
- -S --bind
- -t --anonymousbandwidth
- -T --userbandwidth
- -u --minuid
- -U --umask
- -v --bonjour
- -V --trustedip
- -w --allowuserfxp
- -W --allowanonymousfxp
- -x --prohibitdotfileswrite
- -X --prohibitdotfilesread
- -y --peruserlimits
- -Y --tls
- -z --allowdotfiles
- -Z --customerproof
Maybe I indulged in a little overkill there, but my point was to show just how versatile
pure-ftpd is. Here's a list of the switches I used when I was testing it out:
- -1 Add the PID to the syslog output
- -4 Listen only to IPv4 connections
- -A Chroot() everyone but root
- -B Start the standalone server in the background (daemonize)
- -C Limit the number of simultaneous connections coming from the same IP (for test, 2)
- -c Allow a maximum number of clients to be connected (for test, 5)
- -E Only allow authenticated logins; anonymous users are prohibited
- -H Don't resolve host names
- -L max files:max depth (for test, 100:5)
- -u Do not allow uids below the given uid to log in (up to you and your system)
- -U umask files:umask dirs (for test, 177:077; new files should only be readable by
the user)
- -S Bind to the given address and/or port (for test, 42 like in the documentation example)
- -p first:last Use only ports in the range first to last inclusive for passive-mode downloads
(for test, 49500:49700)
- -Z Add safeguards against common customer mistakes (like chmod 0 on their own
files)
- -F fortunes file (for test, /usr/share/games/fortune/wilde; my bud likes Oscar Wilde)
- -O format:log file (for test, clf:/var/log/pureftpd.log)
Now that all of that has been explained and, hopefully, found to one's liking: if you're going
to start it automatically at boot time, you need to put it into /etc/rc.local:
if [ -x /usr/local/sbin/pure-ftpd ]; then
    echo 'Starting Pure-FTPd'
    /usr/local/sbin/pure-ftpd -1 -4 -A -B -C 2 -c 5 -E -H -L 100:5 -u 999 \
        -U 177:077 -S 42 -p 49500:49700 -Z -F /usr/share/games/fortune/wilde \
        -O clf:/var/log/pureftpd.log
fi
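The -O clf:/var/log/pureftpd.log switch in the startup line writes one Common Log Format line per transfer, and that log is what you would go through when reviewing what chrooted users have actually uploaded. What follows is an added example, not code from this page or from the Pure-FTPd project: a POSIX sh script with two awk filters run over a few constructed log lines (assumed to follow pure-ftpd's CLF layout of client address, user, timestamp, quoted operation and path, status, and byte count). It produces a per-user tally of uploads, downloads and bytes uploaded, plus a list of uploads whose file name begins with a dot, which are worth a second look on a server that does not use -x.

```shell
#!/bin/sh
# Added example: review a pure-ftpd CLF log written with -O clf:/path.
# The sample below is constructed; the field layout is assumed to be
#   client-ip - user [date] "GET|PUT /path" status bytes
SAMPLE_LOG=$(cat <<'EOF'
192.0.2.10 - alice [12/Mar/2008:10:01:02 +0000] "GET /pub/notes.txt" 200 1024
192.0.2.10 - alice [12/Mar/2008:10:02:15 +0000] "PUT /incoming/report.pdf" 200 20480
198.51.100.7 - bob [12/Mar/2008:10:05:40 +0000] "PUT /incoming/.profile" 200 64
198.51.100.7 - bob [12/Mar/2008:10:06:01 +0000] "GET /pub/notes.txt" 200 1024
203.0.113.9 - carol [12/Mar/2008:10:07:30 +0000] "PUT /incoming/backup.tar" 200 4194304
EOF
)

# Read CLF lines on stdin; print "user uploads downloads bytes_uploaded"
# for every user seen, sorted by user name.
clf_per_user() {
    awk '
    {
        user = $3
        op = $6; sub(/^"/, "", op)        # $6 is "GET or "PUT with the opening quote
        bytes = $NF
        if (op == "PUT") { up[user]++; upbytes[user] += bytes }
        else if (op == "GET") { down[user]++ }
        seen[user] = 1
    }
    END {
        for (u in seen)
            printf "%s %d %d %d\n", u, up[u]+0, down[u]+0, upbytes[u]+0
    }' | sort
}

# Read CLF lines on stdin; print "client user path" for every upload whose
# final path component starts with a dot.
clf_dotfile_uploads() {
    awk '
    {
        op = $6; sub(/^"/, "", op)
        path = $7; sub(/"$/, "", path)    # strip the closing quote after the path
        n = split(path, parts, "/")
        if (op == "PUT" && parts[n] ~ /^\./)
            printf "%s %s %s\n", $1, $3, path
    }'
}

# Wrappers that feed the constructed sample to each filter.
sample_per_user() { printf '%s\n' "$SAMPLE_LOG" | clf_per_user; }
sample_dotfile_uploads() { printf '%s\n' "$SAMPLE_LOG" | clf_dotfile_uploads; }

if [ "${1:-}" = "run" ]; then
    sample_per_user
    sample_dotfile_uploads
fi
```

Against the real log, feed it on stdin instead of the sample: `clf_per_user < /var/log/pureftpd.log`. Byte totals are taken from the last field of each line, so a truncated or partial log line simply counts as zero.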
With this setup, no root or anonymous logins are allowed, only authenticated ones, that
is, logins by those having a user account on the system. That, along with all ftp logins
being chrooted, makes things a little more secure. One more thing we can do is put -Y 2
in the startup command so that the server only accepts TLS sessions and cleartext
passwords will no longer be a security problem. If you do that, you also have to have a
site certificate in /etc/ssl/private. To create that certificate, do the following:
sudo openssl req -x509 -nodes -newkey rsa:1024 -keyout \
/etc/ssl/private/pure-ftpd.pem \
-out /etc/ssl/private/pure-ftpd.pem
Now, restart the server, remembering to add the -Y 2 switch also.
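That openssl command writes the private key and the certificate into the same file, so pure-ftpd's TLS is only as private as that file's permissions. Here is an added example, not from this page or from the Pure-FTPd project, of a POSIX sh check that verifies the file exists, is readable only by its owner, and contains both a private-key block and a certificate block. The default path is the one used above; the only assumption is that pure-ftpd is pointed at that file. One caveat on the command itself: it asks for rsa:1024, and a 2048-bit key (rsa:2048) is the accepted minimum today.

```shell
#!/bin/sh
# Added example: sanity-check the combined key+certificate file that -Y 2
# makes pure-ftpd read. Returns 0 when everything looks right, otherwise
# prints the first problem found and returns 1.
check_tls_pem() {
    pem=${1:-/etc/ssl/private/pure-ftpd.pem}    # assumed default path

    if [ ! -f "$pem" ]; then
        echo "missing: $pem"
        return 1
    fi

    # The permission string from ls is the same on OpenBSD and GNU userland;
    # columns 5-10 are the group and other bits, which must all be off
    # because the file holds the private key.
    mode=$(ls -ld "$pem" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "private key readable by group/other ($mode): $pem"
        return 1
    fi

    # Both PEM blocks must be present; the key header may read
    # "BEGIN PRIVATE KEY" or "BEGIN RSA PRIVATE KEY" depending on openssl.
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "no private key block in $pem"
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "no certificate block in $pem"
        return 1
    fi

    echo "ok: $pem"
    return 0
}
```

Run it as root after creating the certificate and again after any restore from backup, since archive tools do not always preserve the 0600 mode. To see when the certificate expires, `openssl x509 -in /etc/ssl/private/pure-ftpd.pem -noout -enddate` prints the notAfter date.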
The downside of this approach is finding an ftp client that has SSL & TLS capabilities.
ftp-tls is the one I tried it with. You can get it at:
http://www.ford-hutchinson.com/~fh-1-pfh/ftp-tls-20051021.tar.gz
It's Pete Runestig's client, based on the OpenBSD 2.7 ftp client and now updated with CCC support.
It does SSL connect and has AUTH SSL, AUTH TLS, and X.509 client authentication capabilities.
I untarred mine in /usr/ports/mystuff and had no problems configuring and building it.
If you use it, read README.TLS, especially the part about --with-openssl-dir=DIR.
If you're more the GUI kind of user, you could try IglooFTP or some other program like it,
whatever your personal preferences are, but be sure it has the aforementioned needed
capabilities.
One last item concerns making the server accessible if you're running pf, the packet filter
firewall that comes with OpenBSD and is what I use. I read about getting it through
the firewall at:
http://www.openbsd.org/faq/pf/ftp.html
Here's the ruleset they give as an example:
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 49151 \
keep state
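Two things are worth checking against the startup line before pasting those FAQ rules in: the second rule passes every port above 49151, far more than the 49500:49700 range handed to -p, and the first assumes the control connection is on port 21 while the test command above binds with -S 42. The following is an added example, not from this page or the OpenBSD FAQ: a POSIX sh function that takes the interface macro, the control port and the same first:last range given to -p, refuses a malformed or reversed range, and prints rules limited to exactly those ports.

```shell
#!/bin/sh
# Added example: derive pf rules from the ports pure-ftpd is actually told
# to use, rather than opening the whole high-port range.
# Usage: pf_ftp_rules EXT_IF CONTROL_PORT FIRST:LAST
pf_ftp_rules() {
    ext_if=$1
    ctl=$2
    range=$3
    first=${range%%:*}    # text before the first colon
    last=${range##*:}     # text after the last colon

    # Reject anything that is not two plain numbers.
    case "$ctl$first$last" in
        *[!0-9]*|'') echo "bad port spec: $ctl $range" >&2; return 1 ;;
    esac
    # Passive ranges must be ordered and stay inside the unprivileged range.
    if [ "$first" -gt "$last" ] || [ "$first" -lt 1024 ] || [ "$last" -gt 65535 ]; then
        echo "bad passive range: $range" >&2
        return 1
    fi

    # Control connection, then exactly the passive data range (pf's
    # first:last port syntax is inclusive, like pure-ftpd's -p).
    printf 'pass in on %s proto tcp from any to any port %s keep state\n' \
        "$ext_if" "$ctl"
    printf 'pass in on %s proto tcp from any to any port %s:%s keep state\n' \
        "$ext_if" "$first" "$last"
}

if [ "${1:-}" = "run" ]; then
    # Values from the startup line above: -S 42 and -p 49500:49700.
    pf_ftp_rules '$ext_if' 42 49500:49700
fi
```

Paste the output into /etc/pf.conf where the FAQ puts its rules and run `pfctl -nf /etc/pf.conf` to syntax-check before loading it; if you later change -p or -S, regenerate the rules from the same values so the firewall and the server never disagree.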
I hope this write-up helps anyone wanting to run an ftp server on their site.
No affiliation between this site and the OpenBSD project exists or is implied.