Difficulty with FTP servers and firewalls:
If you configure a firewall for a host that runs an FTP server, you normally need to leave the whole port range 1024-65365 open, because you never know which port the FTP server will pick for the data connection to the FTP client. This is quite critical if the host has sensitive services listening on ports above 1024 that must stay closed to the Internet. Of course you can pick out each such port and close it in the firewall, but I definitely prefer the firewall approach that closes everything and opens only the ports that need to be reachable from the Internet. This is where pure-ftpd comes to the rescue: it lets you choose the range of ports used for data transfers to the FTP client (its passive port range), which makes configuring the firewall much easier.
In the following example, pure-ftpd has the following configuration:
– provides FTP and FTPS with jailed users (users are confined to their home directory)
– no anonymous clients
– IP Version 4 only
– ports for data transfer are limited to the range 20000-20099
STEPS:
apt-get install pure-ftpd
echo '20000 20099' > /etc/pure-ftpd/conf/PassivePortRange
echo "yes" > /etc/pure-ftpd/conf/NoAnonymous
echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone
echo "yes" > /etc/pure-ftpd/conf/IPV4Only
echo "1" > /etc/pure-ftpd/conf/TLS
If you want to force clients to use TLS for FTP connections, use this command instead:
echo "3" > /etc/pure-ftpd/conf/TLS
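Once the range is configured, a quick way to confirm that the server really hands out data ports inside it (and therefore inside the hole you open in the firewall) is to look at the 227 replies it sends to PASV. The following shell script is an added example, not part of this post or of pure-ftpd: it computes the port encoded in a "227 Entering Passive Mode" reply, reads a PassivePortRange-style file, and reports whether the advertised port lies within that range. The sample reply is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a PASV reply
# advertises a data port inside the range written to
# /etc/pure-ftpd/conf/PassivePortRange ("20000 20099" above).

# Print the data port encoded in a reply of the form
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": port = p1 * 256 + p2.
# Returns 1 if the line does not look like a 227 reply.
pasv_port() {
  fields=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p')
  p1=$(printf '%s\n' "$fields" | cut -d, -f5)
  p2=$(printf '%s\n' "$fields" | cut -d, -f6)
  [ -n "$p1" ] && [ -n "$p2" ] || return 1
  echo $((p1 * 256 + p2))
}

# Read "min max" from a PassivePortRange-style file ($1) and print it.
read_range() {
  read -r lo hi < "$1" || return 1
  [ -n "$lo" ] && [ -n "$hi" ] || return 1
  echo "$lo $hi"
}

# Succeed only if port $1 lies within min $2 .. max $3 (inclusive).
in_range() {
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_pasv REPLY RANGEFILE: succeed if the advertised port is inside
# the range configured in RANGEFILE, fail otherwise.
check_pasv() {
  port=$(pasv_port "$1") || return 1
  range=$(read_range "$2") || return 1
  in_range "$port" "${range%% *}" "${range##* }"
}

# Demonstration with a constructed reply: 78*256+33 = 20001, inside the range.
SAMPLE_REPLY='227 Entering Passive Mode (192,168,1,10,78,33)'
if in_range "$(pasv_port "$SAMPLE_REPLY")" 20000 20099; then
  echo "data port $(pasv_port "$SAMPLE_REPLY") is inside 20000-20099"
fi
```

Against a live server, feed the script the 227 line you see in the client's verbose output and point it at /etc/pure-ftpd/conf/PassivePortRange.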
Exceptions to chroot
If you want to confine all users to their home directories EXCEPT some trusted users, you need to:
– create a new system group and add the trusted users to it
– instead of running the command 'echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone' shown above,
write the GID of the trusted group into the file /etc/pure-ftpd/conf/TrustedGID.
Example: we want chroot for all users except 'martin' and 'jannine', meaning that martin and jannine will be able to navigate to parts of the system outside their home directories, while all other users remain confined to their home directories:
groupadd ftptrusted
usermod -aG ftptrusted martin   # -a appends; without it the user's other supplementary groups would be replaced
usermod -aG ftptrusted jannine
GID=$(getent group ftptrusted | cut -d: -f3)   # exact group lookup, unlike grepping /etc/group for a substring
echo "$GID" > /etc/pure-ftpd/conf/TrustedGID
rm -f /etc/pure-ftpd/conf/ChrootEveryone
NOTE: To use a certificate signed by a certificate authority with pure-ftpd, make sure the file /etc/ssl/private/pure-ftpd.pem contains both of the following components:
– Private key (in PEM format)
– Certificate (in PEM format)
If instead you want to run it with a self-signed certificate, run the following commands:
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 97300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem
Restart pure-ftpd to register the new configuration and certificate.
service pure-ftpd restart