Softpanorama

May the source be with you, but remember the KISS principle ;-)
Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

Pure-FTPd installation and configuration

News

 pure ftpd Recommended Links Xinetd TCP Wrappers FAQ
wu-ftpd ProFTPD vsftpd FTP server security Humor Etc

If you forget to include the package in the initial Suse installation you can add using YaST.  The standard Suse RPM installs it as one of Xinetd services, not as a standalone daemon.  This is inconvenient as pure ftpd is a unique in a way that it does not reread its configuration file on HUP signal. 

There are three configuration files for Pure-FTPd in Suse:

You probably should disable the ability to run pure-ftpd as a standalone daemon as it is compileed without TCP wrappers support. So the proper way to run it is via xinetd. The commands to delete standalone init script is :

rm  /etc/init.d/pure-ftpd

After the installation of the package pure-ftpd is disabled  and configuration allows only anonymous ftp access tot he server. You need to enable it.

NOTE: It's a bad idea to use pure-ftpd from xinetd. In this case the arguments to control it's behaviour should be added to /etc/xinetd.d/pure-ftpd in the "server_args" line manually since the configuration file /etc/pure-ftpd.conf is not used by pure-ftpd and need to be compiled into set of invocation options.

The command "/usr/sbin/pure-config-args /etc/pure-ftpd/pure-ftpd.conf" compiles and print  the list of arguments that corresponds to the configuration options set in /etc/pure-ftpd/pure-ftpd.conf

In a typical server configuration only authenticated users can use the ftp daemon. So typically you need to disable anonymous ftp access and enable authenticated user access. It involved three steps:

  1. Changing /etc/xinetd.d/pure-ftpd file
  2. Editing or copying /etc/pure-ftpd/pure-ftpd.conf file
  3. Restarting pure-ftpd using service command (pure-ftpd does not reread its configuration file on HUP signal)

There are three configuration files for Pure-FTPs in Suse:

Pure-ftp has very interesting built-in security mechanisms, probably the most elaborate and well though out in comparison with other ftpd daemons.

  1. The first and pretty brilliant idea is to created two groups of users with different levels of access: one caged and the other privileged, usually wheel group -- 10 in the example below, not. 
    Cage in every user in his home directory

ChrootEveryone no


# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.

TrustedGID 10
  2. The second very good idea is to set lower limit on UID of users who can use FTP. In the example below it is 100.  That excludes possibility of abusing system accounts such as httpd or apache2 for ftp access.

    MinUID 100

  3. The third good idea is to block access to dot file for users outside of trusted group.\

    # Users can't delete/write files beginning with a dot ('.')
    # even if they own them. If TrustedGID is enabled, this group
    # will have access to dot-files, though.

    ProhibitDotFilesWrite yes

  4.  Separation of IP spaces for anonymous FTP and authenticated users.

    # Only connections to this specific IP address are allowed to be
    # non-anonymous. You can use this directive to open several public IPs for
    # anonymous FTP, and keep a private firewalled IP for remote administration.
    # You can also only allow a non-routable local IP (like 10.x.x.x) to
    # authenticate, and keep a public anon-only FTP server on another IP.

    #TrustedIP 10.1.1.1

  5. Apache style file transfer log

    # Create an additional log file with transfers logged in a Apache-like format :
    # fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
    # This log file can then be processed by www traffic analyzers.

  6. You can create alternative log file

    AltLog clf:/var/log/pureftpd.log

Example of configuration

Assuming that all sysadmins are enrolled in the wheel group (group 10 on Suse) the possible  configuration with authenticated users access and PAM authentication might  looks like

# grep -v "^#" pure-ftpd.conf | grep -v "^$"
ChrootEveryone              no
TrustedGID                  10
BrokenClientsCompatibility  no
MaxClientsNumber            10
Daemonize                   yes
MaxClientsPerIP             3
VerboseLog                  no
AllowDotFiles               yes
DisplayDotFiles             yes
AnonymousOnly               no
NoAnonymous                 yes
SyslogFacility              ftp
DontResolve                 no
MaxIdleTime                 3600
PAMAuthentication           yes
LimitRecursion              2000 8
AnonymousCanCreateDirs      no
MaxLoad                     4
AntiWarez                   yes
MinUID                      100
AllowUserFXP                yes
AllowAnonymousFXP           no
ProhibitDotFilesWrite       yes # group wheel still will have ability to write to doc files
ProhibitDotFilesRead        no
AutoRename                  no
AnonymousCantUpload         yes
AltLog                      clf:/var/log/pureftpd.log
NoChmod                     no
CreateHomeDir               yes
MaxDiskUsage                99
NoRename                    no
CustomerProof               yes
IPV4Only                    yes
 

Recommended Links

Cool Solutions Installing Pure-FTPd on SUSE Linux Professional

Pure-FTPd - About

Main documentation

pure-ftpd configuration - Bing

Setting up an FTP server on SUSE Linux 9.1 Professional [Archive] - Antionline Forums - Maximum Security for a Connected World

HOWTO Setup a Pure-FTPd server with virtual users - The FreeBSD Forums

Gentoo Wiki Archives - PureFTPd

No pain no gain » Setting up PureFTPD on a virtual server

How I Got Pure-ftpd To Work - openSUSE Forums

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

 You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019