
PureFTPD SECURE Install using PureDB (Linux/BSD)

Posted on 11th October 2011 in Papers

Just a quick, handy tutorial I found and decided to use myself, with my own touches added for BSD.
By xd

OK, for Debian/Ubuntu/CentOS this is pretty straightforward: for starters get openssl, then it is a good idea to remove the default /bin/ftp package (yum remove or apt-get remove) and clean up after it, then start pure-ftpd. Note that on BSD it is installed from the ftp/pure-ftpd port under /usr/ports (or pure-ftpd-ipv6 to force IPv6; this is not needed, though, and a simpler way is outlined later).
Let's begin. On Debian the configuration is a directory, /etc/pure-ftpd/conf, with one file per option. In some places (CentOS, I believe, and the BSD ports) the same options with the SAME values live instead in a single pure-ftpd.conf under /etc, so you only have to move the values across. I will work with the Debian install, which can then be ported easily enough.

OK, let's begin. As I said, make sure you have the prerequisites in order, openssl in particular, although this howto prompts you for it at the right point anyway ;)

root@box:~# cd /etc/pure-ftpd/conf/
root@box:/etc/pure-ftpd/conf# ls -la
total 24K
-rw-r--r-- 1 root 36 2007-06-22 02:01 AltLog
-rw-r--r-- 1 root 5 2007-06-22 02:01 MinUID
-rw-r--r-- 1 root 4 2007-06-22 02:01 NoAnonymous
-rw-r--r-- 1 root 4 2007-06-22 02:01 PAMAuthentication
-rw-r--r-- 1 root 28 2007-06-22 02:01 PureDB
-rw-r--r-- 1 root 3 2007-06-22 02:01 UnixAuthentication

Each of those files holds the value of one command-line option of the pure-ftpd server; the Debian wrapper script reads them and builds the command line from them.
For example, the file AltLog contains the format of, and path to, the transfer log file:
root@box:/etc/pure-ftpd/conf# cat AltLog
clf:/var/log/pure-ftpd/transfer.log

Let's now set some of the basic options by editing those one-liners. Our server will listen on port 21 on all available interfaces and will use IP 12.34.56.78 and ports 4500-4600 for passive mode. If you are behind a NAT router, forward that port range to the server and make sure ForcePassiveIP is your public address, because it is the address the server tells clients to connect back to:

root@box:/etc/pure-ftpd/conf# echo ,21 > Bind
root@box:/etc/pure-ftpd/conf# echo 12.34.56.78 > ForcePassiveIP
root@box:/etc/pure-ftpd/conf# echo 4500 4600 > PassivePortRange

Now for some recommended security options. ChrootEveryone confines every user to their own home directory, the two ProhibitDotFiles options stop users reading or writing hidden files, and NoChmod stops clients changing permissions. BrokenClientsCompatibility is not a hardening option; it relaxes RFC strictness to cope with broken clients, so only keep it if you need it:
root@box:/etc/pure-ftpd/conf# echo yes > ChrootEveryone
root@box:/etc/pure-ftpd/conf# echo yes > ProhibitDotFilesRead
root@box:/etc/pure-ftpd/conf# echo yes > ProhibitDotFilesWrite
root@box:/etc/pure-ftpd/conf# echo yes > NoChmod
root@box:/etc/pure-ftpd/conf# echo yes > BrokenClientsCompatibility

Let's also set some limits to avoid abuse. MaxClientsPerIP caps concurrent connections from one address and MaxClientsNumber the total; note that neither throttles failed logins:
root@box:/etc/pure-ftpd/conf# echo 4 > MaxClientsPerIP
root@box:/etc/pure-ftpd/conf# echo 20 > MaxClientsNumber

Now the important decision is which user authentication method(s) our server will support. Unix authentication gives ftp access to anyone with a login account on the server, which is exactly what we want to avoid, so I chose PureDB authentication: a dedicated base of pure-ftpd "virtual users" that do not exist in /etc/passwd.
So let's disable Unix and PAM auth, set the path to the PureDB user file, and register PureDB as an auth method by linking to it from the /etc/pure-ftpd/auth directory (the numeric prefix sets the order in which auth methods are tried):

root@box:/etc/pure-ftpd/conf# echo no > PAMAuthentication
root@box:/etc/pure-ftpd/conf# echo no > UnixAuthentication
root@box:/etc/pure-ftpd/conf# echo /etc/pure-ftpd/pureftpd.pdb > PureDB
root@box:/etc/pure-ftpd/conf# ln -s /etc/pure-ftpd/conf/PureDB ../auth/50pure

Let's now create a (system) user and group that all ftp virtual users will be mapped to. For security reasons that account should have no usable home directory (-d /dev/null) and no shell access (-s /bin/false). Its UID must also be at or above MinUID (1000 by default on Debian), or logins mapped to it will be refused:

root@box:/etc/pure-ftpd/conf# groupadd -g 2001 ftpgroup
root@box:/etc/pure-ftpd/conf# useradd -u 2001 -s /bin/false -d /dev/null -c "pureftpd user" -g ftpgroup ftpuser

Now we use the pure-pw command to add our first virtual user. Every virtual user is mapped to the ftpuser system account (-u ftpuser) and chrooted into the directory given with -d, which must exist and be owned by ftpuser:ftpgroup if uploads are wanted. No system account is created, so a stolen ftp password gives nothing beyond that directory.

NOTE:
Don't forget the "pure-pw mkdb" command:
pure-pw useradd only edits the text password file (pureftpd.passwd); mkdb compiles it into the pureftpd.pdb the server actually reads, so changes are not live until you run it.

root@box:/etc/pure-ftpd/conf# pure-pw useradd myfirstuser -u ftpuser -d /var/ftp/public/
Password:
Enter it again:
root@box:/etc/pure-ftpd/conf# pure-pw mkdb
root@box:/etc/pure-ftpd/conf# apt-get install openssl
root@box:/etc/pure-ftpd/conf# echo 1 > TLS

TLS=1 accepts both TLS and cleartext sessions; if every client you care about supports AUTH TLS, set it to 2 so cleartext logins are refused outright. The Debian package expects the combined private key and certificate in /etc/ssl/private/pure-ftpd.pem. Generate a self-signed one with a 2048-bit key (1024-bit RSA is too weak to rely on) and an explicit validity period, since openssl req defaults to 30 days:

root@box:/etc/pure-ftpd/conf# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Generating a 2048 bit RSA private key

…it will ask you a few questions (the Common Name should be the hostname clients connect to); just answer and proceed…

The file now contains the private key, so it must not be readable by anyone but root:

root@box:/etc/pure-ftpd/conf# chmod 600 /etc/ssl/private/pure-ftpd.pem

OK, we are done!
With this configuration every ftp login is a virtual user that maps to the unprivileged ftpuser UID and is chrooted into its own directory, so the box's real accounts and /home are never reachable over ftp. Just make sure users are always managed with pure-pw (and committed with pure-pw mkdb) rather than added as system accounts.
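Before restarting, it is worth checking that nothing in the conf directory quietly undoes the hardening above (a stray UnixAuthentication=yes, TLS left at 0, a world-readable PEM). The following POSIX shell script is an added check written for this page; it is not part of Pure-FTPd or the original tutorial. It assumes the Debian one-file-per-option layout and the option names used above, takes the conf directory and PEM path as arguments so it can be pointed at a test tree, and builds constructed sample trees to exercise itself. The rule that TLS must be 2 and MinUID at least 1000 is my hardening choice, stricter than the TLS=1 the tutorial settles for.

```shell
#!/bin/sh
# Added example for this page (not part of Pure-FTPd or the original post):
# audit a Debian-style /etc/pure-ftpd/conf tree (one option per file) for
# settings that undo the hardening described above, and check the TLS PEM.

# opt DIR NAME: print the whitespace-trimmed content of option file NAME,
# or nothing if the file does not exist (the daemon then uses its default).
opt() {
    if [ -f "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    fi
}

# audit_pureftpd_conf DIR: print one "WEAK: ..." line per finding and
# return 0 only if the profile passes every check.
audit_pureftpd_conf() {
    conf=$1
    status=0
    # These must be "yes"; a missing file means the daemon default, "no".
    for name in ChrootEveryone NoAnonymous ProhibitDotFilesWrite NoChmod; do
        if [ "$(opt "$conf" "$name")" != "yes" ]; then
            echo "WEAK: $name is not set to yes"; status=1
        fi
    done
    # With PureDB virtual users, system-account logins must stay off.
    for name in UnixAuthentication PAMAuthentication; do
        if [ "$(opt "$conf" "$name")" = "yes" ]; then
            echo "WEAK: $name is enabled"; status=1
        fi
    done
    # TLS (-Y): 0 = cleartext only, 1 = TLS optional, 2 = TLS required.
    case "$(opt "$conf" TLS)" in
        2) ;;
        1) echo "WEAK: TLS=1 still accepts cleartext logins (use 2)"; status=1 ;;
        *) echo "WEAK: TLS is not enabled"; status=1 ;;
    esac
    # MinUID (-u): logins mapped to a UID below this are refused.
    minuid=$(opt "$conf" MinUID)
    case "$minuid" in
        ''|*[!0-9]*) echo "WEAK: MinUID is unset or not numeric"; status=1 ;;
        *) if [ "$minuid" -lt 1000 ]; then
               echo "WEAK: MinUID $minuid admits system UIDs"; status=1
           fi ;;
    esac
    return $status
}

# check_pem_perms FILE: the PEM holds the private key, so every group and
# other permission bit must be clear (what chmod 600 above achieves).
check_pem_perms() {
    pem=$1
    [ -f "$pem" ] || { echo "MISSING: $pem"; return 1; }
    # Characters 5-10 of "ls -l" output are the group and other rwx bits.
    if [ "$(ls -l "$pem" | cut -c5-10)" != "------" ]; then
        echo "WEAK: $pem is readable by group or others"; return 1
    fi
    return 0
}

# make_sample_conf DIR Name=value...: build a constructed conf tree,
# mirroring the "echo value > Name" steps on this page (test data only).
make_sample_conf() {
    sample=$1; shift
    mkdir -p "$sample"
    for kv in "$@"; do
        printf '%s\n' "${kv#*=}" > "$sample/${kv%%=*}"
    done
}

# Demo on constructed trees; run the script with --demo to see it.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_conf "$work/weak" ChrootEveryone=no TLS=1 UnixAuthentication=yes MinUID=100
    echo "== weak profile =="; audit_pureftpd_conf "$work/weak" || echo "rejected"
    make_sample_conf "$work/hard" ChrootEveryone=yes NoAnonymous=yes \
        ProhibitDotFilesWrite=yes NoChmod=yes UnixAuthentication=no \
        PAMAuthentication=no TLS=2 MinUID=1000
    echo "== hardened profile =="; audit_pureftpd_conf "$work/hard" && echo "accepted"
    rm -rf "$work"
fi
```

Run it as `sh audit.sh --demo` for the built-in demo, or call `audit_pureftpd_conf /etc/pure-ftpd/conf` and `check_pem_perms /etc/ssl/private/pure-ftpd.pem` from your own scripts; the non-zero exit status makes it easy to wire into a post-deploy check.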

Let’s finally restart the server with our all-new config :

root@box:/etc/pure-ftpd/conf# /etc/init.d/pure-ftpd restart
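Once the server is up, keep an eye on its log. The connection limits set earlier cap concurrent sessions but do nothing about repeated failed logins against the virtual-user base, which is what a brute-force or password-spray attempt looks like. The shell function below is an added example written for this page, not part of Pure-FTPd or the original tutorial: it pulls authentication failures out of syslog-format lines and reports source addresses that exceed a threshold, together with how many distinct usernames each one tried (many users from one address is the spray signature). The sample lines are constructed; they follow the `(user@ip) [WARNING] Authentication failed for user [name]` message format I assume Pure-FTPd writes to syslog, and the host name, addresses and timestamps are made up.

```shell
#!/bin/sh
# Added example for this page (not part of Pure-FTPd): flag source IPs with
# repeated authentication failures in pure-ftpd's syslog output.

# Constructed sample of syslog lines (made-up host, IPs and times); the
# message text follows the format pure-ftpd is assumed to log. The sshd
# line is there to show that other daemons' failures are not counted.
SAMPLE_LOG='Oct 11 02:01:10 box pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]
Oct 11 02:01:12 box pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [root]
Oct 11 02:01:13 box pure-ftpd: (?@203.0.113.9) [INFO] myfirstuser is now logged in
Oct 11 02:01:15 box pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [ftp]
Oct 11 02:01:18 box pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]
Oct 11 02:01:20 box pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [myfirstuser]
Oct 11 02:01:22 box pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [test]
Oct 11 02:01:30 box sshd[1234]: Failed password for root from 198.51.100.7 port 4444 ssh2'

# flag_bruteforce THRESHOLD < syslog
# Prints "IP failures distinct_users" for every address with at least
# THRESHOLD failed pure-ftpd logins, sorted by address.
flag_bruteforce() {
    awk -v threshold="$1" '
        $5 ~ /^pure-ftpd/ && $7 == "[WARNING]" && /Authentication failed for user/ {
            # $6 looks like (?@198.51.100.7): drop everything up to the
            # last "@" and the closing parenthesis.
            ip = $6; sub(/^.*@/, "", ip); ip = substr(ip, 1, length(ip) - 1)
            # $12 looks like [admin]: strip the surrounding brackets.
            user = substr($12, 2, length($12) - 2)
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold)
                    printf "%s %d %d\n", ip, fails[ip], users[ip]
        }' | sort
}

# Demo: run with --demo to see which sample address gets flagged.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 3
fi
```

Against a live box, feed it the real log (`flag_bruteforce 10 < /var/log/syslog`, or whatever file your syslog sends the ftp facility to) and act on the output with a firewall rule or a fail2ban jail; the threshold is deliberately a parameter because the right value depends on how many legitimate typos your users produce.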

Also note that -6 will FORCE IPv6 only. If you want that, I recommend looking up an IPv6 install guide, although on BSD it is just a matter of using the pure-ftpd-ipv6 port :-) .
xd

OK, so here is a small modification: a simple script to start the server with the same settings passed as command-line flags instead of conf files, handy on systems that use a single pure-ftpd.conf or none at all.

This is good for starting it up:

#!/bin/bash
# Same settings as the conf files above, as flags (e.g. -A ChrootEveryone,
# -Y TLS, -p PassivePortRange, -l the PureDB backend, -B daemonize).
set -e
echo "starting PureFTPd in SSL-TLS/Passive mode on all devices on port 21 .."
/usr/sbin/pure-ftpd -l puredb:/etc/pure-ftpd/pureftpd.pdb -X -b -u 1000 -C 4 -E -S ,21 -x -c 20 -R -A -p 4500:4600 -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -P 12.34.56.78 -B
echo "Started PureFTPd Ok .."

…thats it!

Enjoy the PureFTPd server. As I said, just adapt it to your OS using the Debian setup as the reference; it is very simple, and BSD is also very simple, except that it may want a single pure-ftpd.conf, which holds the same settings in one file. On IPv6: you can force it on the command line in ftp.sh by adding -6, and it will work, but make sure your IPv6 setup can do reverse lookups for both IPv6 and IPv4!
xd loves j00