Pure-FTPD Virtual FTP Users

Centmin Mod 1.2.3-eva2000.08 and higher adds Pure-FTPD virtual FTP user support. A full example is below, with configuration examples for both the SecureFX and Filezilla FTP/SFTP clients.



Notes

  1. This is not the full jailed/chrooted user preview setup I outlined, but a much more basic workaround for now. It is still not suited to fully running your own shared hosting, as it isn't fully isolated between virtual FTP user accounts. The purpose is still access by yourself or trusted folks. I wouldn't offer shared hosting to unknown users using this!
  2. If using Wordpress, see the note about the Direct FS Method setting in wp-config.php.
  3. You can enable support for automatic malware and virus scanning of FTP uploads if you install the Centmin Mod maldet.sh addon. Full details here
  4. If your ISP IP address is being blocked when connecting to Pure-FTPD as a Pure-FTPD virtual FTP user, check out FAQ item 40.

Enable TLS/SSL

  • I went one step further than just adding pure-ftpd virtual user support: I also enabled and forced TLS/SSL-only mode by creating a self-signed SSL certificate for pure-ftpd, so encryption is enforced for a more secure FTP connection.
  • As such, you need to set your FTP client to use FTP explicit SSL mode, enable and check Passive connections (PASV), connect using your server's IP address as the hostname and use FTP port 21 (not actually used in PASV mode with FTP TLS/SSL).
  • You also have to disable SSL validation in your FTP client, as a self-signed certificate was used.
  • Note: if passive ports need to be set in the FTP client (i.e. for Filezilla), they are in the range 3000 to 3050 for Centmin Mod 123.08stable or 30001 to 50011 for Centmin Mod 123.09 beta and higher. Upgrades to Centmin Mod 123.09 beta and higher automatically reconfigure CSF Firewall for the larger passive TCP port range. However, if you are using a web host with its own internal firewall in place, you may need to whitelist the respective passive port range for the TCP protocol (either 3000 to 3050 or 30001 to 50011). Otherwise, you will not be able to connect to your server with the Pure-FTPD details provided by Centmin Mod.


Other Firewalls

  • Passive TCP ports in the range 3000 to 3050 for Centmin Mod 123.08stable, or 30001 to 50011 for Centmin Mod 123.09 beta and higher, must be open for the Pure-FTPD server to accept connections. CSF Firewall, installed by Centmin Mod, takes care of this on the server side.
  • However, if you have other firewalls between your connecting computer and the Centmin Mod server, they may block connections as well. Some web hosts such as Amazon AWS EC2, Google Cloud Compute, Vultr and OVH (OVH Gaming servers) may have their own firewall in front of your server, which you can either turn off or configure to whitelist the required TCP ports. The CSF Firewall config file /etc/csf/csf.conf lists the default whitelisted ports as comma-separated values for the variables TCP_IN, TCP_OUT, TCP6_IN, TCP6_OUT, UDP_IN, UDP_OUT, UDP6_IN and UDP6_OUT, which you can use as a reference. If your local PC or router restricts ports, you may need to whitelist them at that level as well.
  • For Vultr Firewall, there is a guide for using Vultr API to replicate CSF Firewall minimum ruleset for inbound access here.
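
A way to confirm that the TCP_IN list in csf.conf actually covers FTP port 21 and the passive range for your Centmin Mod version. This is an added example, not part of Centmin Mod; the function names and the sample config are constructed for illustration, and the colon range syntax is the one CSF uses in its port lists.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): does CSF's TCP_IN allow the FTP ports?

# Print the quoted TCP_IN value from csf.conf-style text on stdin.
csf_tcp_in() {
    awk -F'"' '/^[ \t]*TCP_IN[ \t]*=/ { print $2; exit }'
}

# Return 0 if every port in $2..$3 is allowed by the comma list in $1.
# Entries are single ports ("21") or colon ranges ("30001:50011"); adjacent
# entries may cover the requested range between them.
range_covered() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
    {
        n = split($0, e, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", e[i])
            if (split(e[i], r, ":") == 2) { a[i] = r[1] + 0; b[i] = r[2] + 0 }
            else                          { a[i] = b[i] = e[i] + 0 }
        }
        cur = lo + 0
        do {                       # sweep: extend coverage from lo upwards
            moved = 0
            for (i = 1; i <= n; i++)
                if (a[i] <= cur && cur <= b[i]) { cur = b[i] + 1; moved = 1 }
        } while (moved && cur <= hi + 0)
    }
    END { exit (cur > hi + 0) ? 0 : 1 }'
}

# stdin: csf.conf text; $1 $2: passive range. Prints "ok" or what is missing.
check_ftp_ports() {
    list=$(csf_tcp_in)
    range_covered "$list" 21 21 || { echo "missing: 21"; return 1; }
    range_covered "$list" "$1" "$2" || { echo "missing: $1:$2"; return 1; }
    echo "ok"
}

# Constructed sample shaped like /etc/csf/csf.conf (not from a real server).
sample_conf() {
    cat <<'EOF'
TCP6_IN = "20,21,22,80,443"
TCP_IN = "20,21,22,80,443,3000:3040,3041:3050"
EOF
}

sample_conf | check_ftp_ports 3000 3050             # prints "ok"
sample_conf | check_ftp_ports 30001 50011 || true   # prints "missing: 30001:50011"
```

On a server, feed the real file instead of the sample: check_ftp_ports 30001 50011 < /etc/csf/csf.conf. This only checks the CSF side; a host-level firewall in front of the server still has to be checked separately.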


Screenshots for SecureFX SFTPD Client



Screenshots for Filezilla FTP/SFTP Client



Pure-FTPD CSF Firewall Port Flood Protection

If you are having pure-ftpd disconnection or connection issues when uploading many files at once, CSF Firewall's DDOS protection for Port Flooding could be the cause. To check, you can follow the guide written here


How to Disable Pure-FTPD?

On fresh Centmin Mod .08 installs, centmin.sh has a new option PUREFTPD_DISABLED=n. Before the initial install, change that to PUREFTPD_DISABLED=y to disable the pure-ftpd service after the initial install. Pure-FTPD is still installed but is disabled after install, and the Nginx add vhost menu option 2 in centmin.sh automatically detects PUREFTPD_DISABLED=y, does not prompt for or run any pure-ftpd virtual FTP user routines, and skips them in favour of the old method used prior to pure-ftpd.

To disable Pure-FTPD on existing installs, set the variable PUREFTPD_DISABLED=y in the persistent config file at /etc/centminmod/custom_config.inc and stop the pure-ftpd service:

service pure-ftpd stop
chkconfig pure-ftpd off

To re-enable:

service pure-ftpd start
chkconfig pure-ftpd on


How to Disable Pure-FTPD Forced TLS/SSL Encrypted Mode?

On fresh Centmin Mod .08 installs, Pure-FTPD is configured for encrypted TLS/SSL connections only, using a self-signed certificate, so no plain text connections are allowed. However, if you are having issues, you can disable the forced TLS/SSL requirement by editing the /etc/pure-ftpd/pure-ftpd.conf config file and changing TLS 2 to TLS 1, after which the server accepts both traditional and encrypted sessions. Keep the exact spacing format below in case centmin.sh automates changes to this line in future. However, for security reasons I highly recommend you DO NOT disable TLS/SSL encrypted connections!

From:

# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      2

To:

# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      1

Then restart the pure-ftpd service:

service pure-ftpd restart
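
A check that can be run after any edit to confirm the server is still in encrypted-only mode. This is an added example, not part of Centmin Mod; the function names and config fragments are constructed, and treating two differing active TLS lines as a failure is a defensive choice made here rather than documented pure-ftpd behaviour.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): fail unless pure-ftpd.conf forces TLS.

# stdin: pure-ftpd.conf text. Prints the finding; returns 0 only for "TLS 2".
tls_mode_check() {
    awk '
    /^[ \t]*#/  { next }                  # commented-out lines are inactive
    $1 == "TLS" { seen[$2] = 1; n++; mode = $2 }
    END {
        distinct = 0
        for (v in seen) distinct++
        if (n == 0)        { print "TLS unset (default 0: no encryption)"; exit 1 }
        if (distinct > 1)  { print "TLS set more than once, values differ"; exit 1 }
        if (mode == "2")   { print "TLS 2: encrypted sessions only"; exit 0 }
        if (mode == "1")   { print "TLS 1: traditional sessions also accepted"; exit 1 }
        if (mode == "0")   { print "TLS 0: encryption layer disabled"; exit 1 }
        print "TLS " mode ": unrecognised value"; exit 1
    }'
}

# Constructed config fragments (not copied from a real server).
conf_forced()    { printf '%s\n' '# 1 : accept both' 'TLSCipherSuite  HIGH' 'TLS                      2'; }
conf_relaxed()   { printf '%s\n' 'TLS                      1'; }
conf_commented() { printf '%s\n' '# TLS                      2'; }

conf_forced    | tls_mode_check           # TLS 2: encrypted sessions only
conf_relaxed   | tls_mode_check || true   # TLS 1: traditional sessions also accepted
conf_commented | tls_mode_check || true   # TLS unset (default 0: no encryption)
```

Against the live file: tls_mode_check < /etc/pure-ftpd/pure-ftpd.conf. A non-zero exit status makes it usable from a cron job or monitoring check.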


Pure-FTPD Log File

You can find the Pure-FTPD log file at /var/log/pureftpd.log. On some systems it is logged to the system log at /var/log/messages instead, so you can filter it using grep. For example, to show the last 25 pure-ftpd lines of that file:

grep pure-ftpd /var/log/messages | tail -25


Change Pure-FTPD username or password

Centmin Mod auto-generated Nginx vhosts have an accompanying Pure-FTPD virtual FTP username and password generated as well. You can use the pure-pw command to change the FTP username and password. The pure-pw manual is here and http://download.pureftpd.org/pub/pure-ftpd/doc/README.Virtual-Users

List all pure-ftpd created virtual FTP users:

pure-pw list

To delete a virtual FTP user:

pure-pw userdel FTPUSERNAME
pure-pw mkdb

Change a virtual FTP user's password:

pure-pw passwd FTPUSERNAME
pure-pw mkdb

Show full details for a specific pure-ftpd virtual FTP user:

pure-pw show FTPUSERNAME


How to re-create Pure-FTPD user for Vhost?

If you deliberately or accidentally deleted the auto-generated pure-ftpd virtual FTP user for your Nginx vhost site, you can re-create it using the commands below. For example, if you deleted FTP user YOURFTPUSERNAME for the Nginx vhost site domain.com, you would use the following commands to re-create it. DO NOT set the home directory (-d) higher than the directory level /home/nginx/domains/domain.com:

pure-pw useradd YOURFTPUSERNAME -u nginx -g nginx -d /home/nginx/domains/domain.com
pure-pw mkdb

If it was the subdomain.domain.com Nginx vhost:

pure-pw useradd YOURFTPUSERNAME -u nginx -g nginx -d /home/nginx/domains/subdomain.domain.com
pure-pw mkdb
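
Since every virtual user maps to the same nginx system user, the home directory is the only boundary between accounts, so it is worth auditing after re-creating users. This is an added example, not part of Centmin Mod; it assumes `pure-pw list` prints one "login home" pair per line with a "/./" suffix on chrooted homes, and the function name and sample users are constructed.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): flag virtual FTP users whose home
# directory is not inside a single vhost directory.
# Assumption: input is "login home" per line, as printed by `pure-pw list`,
# with chrooted homes ending in "/./". Paths containing spaces are not handled.

# stdin: user list; $1 = vhost base dir (default /home/nginx/domains).
# Prints "login: home" for each offending user; returns 1 if any were found.
audit_ftp_homes() {
    awk -v base="${1:-/home/nginx/domains}" '
    NF < 2 { next }
    {
        home = $2
        sub(/\/\.\/?$/, "", home)       # drop the "/./" chroot marker
        gsub(/\/+/, "/", home)          # collapse repeated slashes
        sub(/\/$/, "", home)            # drop a trailing slash
        prefix = base "/"
        # must be strictly below the base, i.e. at or under one vhost dir
        inside = (index(home, prefix) == 1 && length(home) > length(prefix))
        # ".." components can climb back out of the vhost dir
        dotdot = (home ~ /\/\.\.\// || home ~ /\/\.\.$/)
        if (!inside || dotdot) { print $1 ": " $2; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample of `pure-pw list` style output (users are made up).
sample_users() {
    cat <<'EOF'
ftpuser4            /home/nginx/domains/domain1.com/./
ftpsub              /home/nginx/domains/subdomain.domain.com/./
ftpwide             /home/nginx/domains/./
ftproot             /home/nginx/domains/domain1.com/../../
EOF
}

# Flags ftpwide (home is the shared base) and ftproot (".." escapes the vhost).
sample_users | audit_ftp_homes || true
```

On a server: pure-pw list | audit_ftp_homes. Any user it prints can read and write other vhosts' files and should be re-created with -d pointing at its own vhost directory.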


Example

Sample output from centmin.sh menu option 2 (add Nginx vhost) on Centmin Mod .08 beta:

--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.08 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu                   
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 2
--------------------------------------------------------

---------------------------------------------
Enter vhost domain name you want to add (without www. prefix): domain1.com
Create FTP username for vhost domain (enter username): ftpuser4
Create FTP password for ftpuser4 (enter password): pass

FTP username you entered: ftpuser4
FTP password you entered: pass

Password:
Enter it again:

---------------------------------------------
service nginx reload
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reloading nginx:                                           [  OK  ]
service pure-ftpd restart
Stopping pure-ftpd:                                        [  OK  ]
Starting pure-ftpd:                                        [  OK  ]

---------------------------------------------
FTP hostname : ipaddress
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for domain1.com : ftpuser4
FTP password created for domain1.com : pass
---------------------------------------------
vhost for domain1.com created successfully
vhost conf file for domain1.com created: /usr/local/nginx/conf/conf.d/domain1.com.conf
upload files to /home/nginx/domains/domain1.com/public
vhost log files directory is /home/nginx/domains/domain1.com/log

Current vhost listing at: /usr/local/nginx/conf/conf.d/

Jan 1   00:37   798    ssl.conf
Jan 1   00:37   1.1K   demodomain.com.conf
Jan 1   00:37   1.4K   virtual.conf
Jan 17  21:53   1.3K   domain1.com.conf
---------------------------------------------