Softpanorama
(slightly skeptical) Open Source Software Educational Society
Pure-FTPd configuration in SUSE

Pure-FTPd has very interesting built-in security mechanisms, probably the most elaborate and well thought out that I have ever seen in any FTP daemon.

  1. The first, and pretty brilliant, idea is to create two groups of users with different levels of access: one caged (chrooted into its home directory) and the other trusted, usually the wheel group (GID 10 in the example below).

    # Cage in every user in his home directory

    ChrootEveryone no

    # If the previous option is set to "no", members of the following group
    # won't be caged. Others will be. If you don't want chroot()ing anyone,
    # just comment out ChrootEveryone and TrustedGID.

    TrustedGID 10
  2. The second very good idea is to set a lower limit on the UID of users who may use FTP; in the example below it is 100. This excludes system accounts such as httpd or apache2 from FTP access.

    MinUID 100


  3. The third good idea is to block writing to (and deleting) dot-files for users outside of the trusted group.

    # Users can't delete/write files beginning with a dot ('.')
    # even if they own them. If TrustedGID is enabled, this group
    # will have access to dot-files, though.

    ProhibitDotFilesWrite yes

  4. Separation of the IP address space used for anonymous FTP from the one used by authenticated users.

    # Only connections to this specific IP address are allowed to be
    # non-anonymous. You can use this directive to open several public IPs for
    # anonymous FTP, and keep a private firewalled IP for remote administration.
    # You can also only allow a non-routable local IP (like 10.x.x.x) to
    # authenticate, and keep a public anon-only FTP server on another IP.

    #TrustedIP 10.1.1.1

  5. An Apache-style file transfer log.

    # Create an additional log file with transfers logged in an Apache-like format:
    # fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
    # This log file can then be processed by www traffic analyzers.

    AltLog clf:/var/log/pureftpd.log

  6. The ability to listen on either IPv4 or IPv6 (the example configuration below restricts the daemon to IPv4).

    IPV4Only yes
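Once AltLog writes the Apache-like transfer log, it is worth reading it for more than traffic statistics: uploads of dot-files and unusually large uploads are exactly the events a defender wants to see. The POSIX shell script below is an added example, not part of the original page or of the Pure-FTPd project; the log lines it embeds are constructed in the format of the sample line shown above, and the names bytes_by_user, dotfile_writes and large_uploads are the example's own.

```shell
#!/bin/sh
# Added example: reports over a Pure-FTPd AltLog "clf" transfer log.
# The log lines below are constructed in the Apache-like format the page shows.
SAMPLE_LOG='fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
10.1.1.5 - jedi [13/Dec/1975:19:40:02] "PUT /home/jedi/.bashrc" 200 512
10.1.1.7 - luke [13/Dec/1975:19:41:10] "GET /pub/read me.txt" 200 1024
10.1.1.7 - luke [13/Dec/1975:19:42:00] "PUT /home/luke/upload.iso" 200 734003200'

# awk prelude shared by the reports below. parse() pulls user, method, path and
# byte count out of one line; it locates the quoted request with a regex, so it
# tolerates an optional timezone in the date field and spaces in the path.
CLF_PARSE='
function parse(   req) {
  if (!match($0, /"[A-Z]+ [^"]*"/)) return 0
  req = substr($0, RSTART + 1, RLENGTH - 2)      # e.g. GET /ftp/linux.tar.bz2
  method = req; sub(/ .*/, "", method)
  path = substr(req, length(method) + 2)
  user = $3; bytes = $NF
  return 1
}'

# bytes_by_user: total bytes per user and direction (GET = download, PUT = upload)
bytes_by_user() {
  awk "$CLF_PARSE"'{ if (parse()) tot[user SUBSEP method] += bytes }
    END { for (k in tot) { split(k, p, SUBSEP); printf "%s %s %.0f\n", p[1], p[2], tot[k] } }' | sort
}

# dotfile_writes: uploads whose file name starts with a dot. With
# ProhibitDotFilesWrite yes only TrustedGID members can do this, so any hit
# deserves a look.
dotfile_writes() {
  awk "$CLF_PARSE"'{
    if (!parse() || method != "PUT") next
    n = split(path, parts, "/")
    if (parts[n] ~ /^\./) printf "%s %s %s\n", user, method, path
  }'
}

# large_uploads LIMIT: uploads bigger than LIMIT bytes (a server that normally
# receives small files suddenly taking a multi-hundred-MB image, for instance)
large_uploads() {
  awk -v limit="$1" "$CLF_PARSE"'{
    if (parse() && method == "PUT" && bytes + 0 > limit + 0)
      printf "%s %s %.0f\n", user, path, bytes
  }'
}

# Stand-alone usage over the constructed sample; on a real host feed the
# functions with: cat /var/log/pureftpd.log
printf '%s\n' "$SAMPLE_LOG" | bytes_by_user
printf '%s\n' "$SAMPLE_LOG" | dotfile_writes
printf '%s\n' "$SAMPLE_LOG" | large_uploads 100000000
```

The parser deliberately keys on the quoted request rather than on fixed field positions, so it keeps working whether or not the date field carries a timezone and when a path contains spaces; byte totals are printed with %.0f so that sums beyond 2^31 do not overflow in awk implementations that truncate %d to a C int.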

Example of configuration

# grep -v "^#" pure-ftpd.conf | grep -v "^$"
ChrootEveryone              no
TrustedGID                  10
BrokenClientsCompatibility  no
MaxClientsNumber            10
Daemonize                   yes
MaxClientsPerIP             3
VerboseLog                  no
AllowDotFiles               yes
DisplayDotFiles             yes
AnonymousOnly               no
NoAnonymous                 yes
SyslogFacility              ftp
DontResolve                 no
MaxIdleTime                 45
PAMAuthentication           yes
LimitRecursion              2000 8
AnonymousCanCreateDirs      no
MaxLoad                     4
AntiWarez                   yes
MinUID                      100
AllowUserFXP                yes
AllowAnonymousFXP           no
ProhibitDotFilesWrite       yes
ProhibitDotFilesRead        no
AutoRename                  no
AnonymousCantUpload         yes
AltLog                      clf:/var/log/pureftpd.log
NoChmod                     no
CreateHomeDir               yes
MaxDiskUsage                99
NoRename                    no
CustomerProof               yes
IPV4Only                    yes
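To verify that an installed pure-ftpd.conf actually carries the settings discussed above (package upgrades have a habit of replacing the file), a small audit script helps. The script below is an added example, not part of the original page or of Pure-FTPd: conf_get and audit_pureftpd are the example's own names, the two embedded configurations are constructed (the hardened one mirrors the example configuration above), and the checks follow items 1, 2, 3 and 5 of the list; TrustedIP from item 4 is only reported, since the page leaves it commented out.

```shell
#!/bin/sh
# Added example: audit a pure-ftpd.conf against the hardening points above.
# Both configurations below are constructed; the hardened one mirrors the
# example configuration on this page.
WEAK_CONF='ChrootEveryone no
MinUID 0
ProhibitDotFilesWrite no
NoAnonymous no
AnonymousCantUpload no'

HARDENED_CONF='# Cage in every user in his home directory
ChrootEveryone no
TrustedGID 10
MinUID 100
ProhibitDotFilesWrite yes
NoAnonymous yes
AltLog clf:/var/log/pureftpd.log
#TrustedIP 10.1.1.1'

# conf_get FILE KEY: effective value of KEY (whitespace-separated key/value,
# '#' comment lines ignored, last occurrence wins, key matched case-insensitively).
conf_get() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF < 2 { next }
    tolower($1) == key { val = $2 }
    END { if (val != "") print val }' "$1"
}

# audit_pureftpd FILE: print one line per weak setting; the exit status is the
# number of weak settings found (0 = nothing to report).
audit_pureftpd() {
  f=$1; n=0
  if [ "$(conf_get "$f" ChrootEveryone)" != "yes" ] && [ -z "$(conf_get "$f" TrustedGID)" ]; then
    echo "WEAK: ChrootEveryone is not 'yes' and no TrustedGID is set, so nobody is caged"
    n=$((n + 1))
  fi
  minuid=$(conf_get "$f" MinUID)
  case $minuid in
    ''|*[!0-9]*) low=1 ;;                       # unset or not a number
    *) if [ "$minuid" -lt 100 ]; then low=1; else low=0; fi ;;
  esac
  if [ "$low" -eq 1 ]; then
    echo "WEAK: MinUID is '${minuid:-unset}'; system accounts can log in over FTP"
    n=$((n + 1))
  fi
  if [ "$(conf_get "$f" ProhibitDotFilesWrite)" != "yes" ]; then
    echo "WEAK: ProhibitDotFilesWrite is not 'yes'; caged users can rewrite their own dot-files"
    n=$((n + 1))
  fi
  if [ "$(conf_get "$f" NoAnonymous)" != "yes" ] && [ "$(conf_get "$f" AnonymousCantUpload)" != "yes" ]; then
    echo "WEAK: anonymous logins are allowed and anonymous uploads are not blocked"
    n=$((n + 1))
  fi
  if [ -z "$(conf_get "$f" AltLog)" ]; then
    echo "WEAK: no AltLog; transfers are not written to a parseable log"
    n=$((n + 1))
  fi
  if [ -z "$(conf_get "$f" TrustedIP)" ]; then
    echo "NOTE: TrustedIP is unset; authenticated logins are accepted on every address"
  fi
  return "$n"
}

# Stand-alone usage over the constructed files; on a real host point
# audit_pureftpd at the installed pure-ftpd.conf instead.
weak=$(mktemp); printf '%s\n' "$WEAK_CONF" > "$weak"
hard=$(mktemp); printf '%s\n' "$HARDENED_CONF" > "$hard"
audit_pureftpd "$weak" || echo "weak config: $? findings"
audit_pureftpd "$hard" && echo "hardened config: no findings"
```

Because the exit status carries the number of findings, the function drops straight into a cron job or a configuration-management check; any non-zero result means the file has drifted from the baseline shown above.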


Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). The site uses AdSense, so you need to be aware of the Google privacy policy. Copyright in the original materials belongs to the respective owners. Quotes are made for educational purposes only, in compliance with the fair use doctrine.

Last modified: February 08, 2010