Softpanorama
May the source be with you, but remember the KISS principle ;-)

Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Pure-FTPd installation and configuration

News

pure ftpd Recommended Links Xinetd TCP Wrappers FAQ
wu-ftpd ProFTPD vsftpd FTP server security Humor Etc

If you forget to include the package in the initial Suse installation you can add using YaST.  The standard Suse RPM installs it as one of Xinetd services, not as a standalone daemon.  This is inconvenient as pure ftpd is a unique in a way that it does not reread its configuration file on HUP signal. 

There are three configuration files for Pure-FTPd in Suse:

You probably should disable the ability to run pure-ftpd as a standalone daemon as it is compileed without TCP wrappers support. So the proper way to run it is via xinetd. The commands to delete standalone init script is :

rm  /etc/init.d/pure-ftpd

After the installation of the package pure-ftpd is disabled  and configuration allows only anonymous ftp access tot he server. You need to enable it.

NOTE: It's a bad idea to use pure-ftpd from xinetd. In this case the arguments to control it's behaviour should be added to /etc/xinetd.d/pure-ftpd in the "server_args" line manually since the configuration file /etc/pure-ftpd.conf is not used by pure-ftpd and need to be compiled into set of invocation options.

The command "/usr/sbin/pure-config-args /etc/pure-ftpd/pure-ftpd.conf" compiles and print  the list of arguments that corresponds to the configuration options set in /etc/pure-ftpd/pure-ftpd.conf

In a typical server configuration only authenticated users can use the ftp daemon. So typically you need to disable anonymous ftp access and enable authenticated user access. It involved three steps:

  1. Changing /etc/xinetd.d/pure-ftpd file
  2. Editing or copying /etc/pure-ftpd/pure-ftpd.conf file
  3. Restarting pure-ftpd using service command (pure-ftpd does not reread its configuration file on HUP signal)

There are three configuration files for Pure-FTPs in Suse:

Pure-ftp has very interesting built-in security mechanisms, probably the most elaborate and well though out in comparison with other ftpd daemons.

  1. The first and pretty brilliant idea is to created two groups of users with different levels of access: one caged and the other privileged, usually wheel group -- 10 in the example below, not.
    Cage in every user in his home directory
    
    ChrootEveryone no
    
    
    # If the previous option is set to "no", members of the following group
    # won't be caged. Others will be. If you don't want chroot()ing anyone,
    # just comment out ChrootEveryone and TrustedGID.
    
    TrustedGID 10
  2. The second very good idea is to set lower limit on UID of users who can use FTP. In the example below it is 100.  That excludes possibility of abusing system accounts such as httpd or apache2 for ftp access.

    MinUID 100

  3. The third good idea is to block access to dot file for users outside of trusted group.\

    # Users can't delete/write files beginning with a dot ('.')
    # even if they own them. If TrustedGID is enabled, this group
    # will have access to dot-files, though.

    ProhibitDotFilesWrite yes

  4.  Separation of IP spaces for anonymous FTP and authenticated users.

    # Only connections to this specific IP address are allowed to be
    # non-anonymous. You can use this directive to open several public IPs for
    # anonymous FTP, and keep a private firewalled IP for remote administration.
    # You can also only allow a non-routable local IP (like 10.x.x.x) to
    # authenticate, and keep a public anon-only FTP server on another IP.

    #TrustedIP 10.1.1.1

  5. Apache style file transfer log

    # Create an additional log file with transfers logged in a Apache-like format :
    # fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
    # This log file can then be processed by www traffic analyzers.

  6. You can create alternative log file

    AltLog clf:/var/log/pureftpd.log

Example of configuration

Assuming that all sysadmins are enrolled in the wheel group (group 10 on Suse) the possible  configuration with authenticated users access and PAM authentication might  looks like

# grep -v "^#" pure-ftpd.conf | grep -v "^$"
ChrootEveryone              no
TrustedGID                  10
BrokenClientsCompatibility  no
MaxClientsNumber            10
Daemonize                   yes
MaxClientsPerIP             3
VerboseLog                  no
AllowDotFiles               yes
DisplayDotFiles             yes
AnonymousOnly               no
NoAnonymous                 yes
SyslogFacility              ftp
DontResolve                 no
MaxIdleTime                 3600
PAMAuthentication           yes
LimitRecursion              2000 8
AnonymousCanCreateDirs      no
MaxLoad                     4
AntiWarez                   yes
MinUID                      100
AllowUserFXP                yes
AllowAnonymousFXP           no
ProhibitDotFilesWrite       yes # group wheel still will have ability to write to doc files
ProhibitDotFilesRead        no
AutoRename                  no
AnonymousCantUpload         yes
AltLog                      clf:/var/log/pureftpd.log
NoChmod                     no
CreateHomeDir               yes
MaxDiskUsage                99
NoRename                    no
CustomerProof               yes
IPV4Only                    yes
 

Recommended Links

Cool Solutions Installing Pure-FTPd on SUSE Linux Professional

Pure-FTPd - About

Main documentation

pure-ftpd configuration - Bing

Setting up an FTP server on SUSE Linux 9.1 Professional [Archive] - Antionline Forums - Maximum Security for a Connected World

HOWTO Setup a Pure-FTPd server with virtual users - The FreeBSD Forums

Gentoo Wiki Archives - PureFTPd

No pain no gain Ľ Setting up PureFTPD on a virtual server

How I Got Pure-ftpd To Work - openSUSE Forums




Etc

Society

Groupthink : Understanding Micromanagers and Control Freaks : Toxic Managers : BureaucraciesHarvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Two Party System as Polyarchy : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

Skeptical Finance : John Kenneth Galbraith : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Oscar Wilde : Talleyrand : Somerset Maugham : War and Peace : Marcus Aurelius : Eric Hoffer : Kurt Vonnegut : Otto Von Bismarck : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Oscar Wilde : Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 26, No.1 (January, 2013) Object-Oriented Cult : Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks: The efficient markets hypothesis : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

 

The Last but not Least


Copyright © 1996-2014 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine. This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting hosting of this site with different providers to distribute and speed up access. Currently there are two functional mirrors: softpanorama.info (the fastest) and softpanorama.net.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: February 19, 2014