Learn about Centmin Mod LEMP Stack today
Register Now

Install CSF Pure-Ftpd in TLS mode

Discussion in 'Centmin Mod User Tutorials & Guides' started by EckyBrazzz, Mar 23, 2019.

Tags:
  1. EckyBrazzz

    EckyBrazzz Member

    85
    9
    8
    Mar 28, 2018
    Brazil
    Ratings:
    +20
    Local Time:
    8:01 PM
    1.15.12 with ngx_pagespeed
    10.3.14
    With a clean install of the latest CentMin beta install Pure-Ftpd does not accept TLS connections as described in https://community.centminmod.com/th...beta-pure-ftpd-virtual-ftp-user-support.2163/ These options have been removed from Filezilla.

    Instead you have to edit your pure-ftpd.conf file to accept ftp with TLS connections
    This instalation has been done on a Digitalocean Droplet, but should work on any VPS/Cloud Server.

    Afterwards you can setup your FTP Connection with :
    Encryption : Require explicit FTP over TLS

    Code:
    ############################################################
    #                                                          #
    #             Configuration file for pure-ftpd #
    #                                                          #
    ############################################################
    
    # If you want to run Pure-FTPd with this configuration
    # instead of command-line options, please run the
    # following command :
    #
    # /usr/sbin/pure-ftpd /etc/pure-ftpd/pure-ftpd.conf
    #
    # Online documentation:
    # https://www.pureftpd.org/project/pure-ftpd/doc
    
    
    # Restrict users to their home directory
    
    ChrootEveryone               yes
    
    # If the previous option is set to "no", members of the following group
    # won't be restricted. Others will be. If you don't want chroot()ing anyone,
    # just comment out ChrootEveryone and TrustedGID.
    
    # TrustedGID                   100
    
    # Turn on compatibility hacks for broken clients
    
    BrokenClientsCompatibility   no
    
    # Maximum number of simultaneous users
    
    MaxClientsNumber            1000
    
    # Run as a background process
    
    Daemonize                    yes
    
    # Maximum number of simultaneous clients with the same IP address
    
    MaxClientsPerIP             500
    
    # If you want to log all client commands, set this to "yes".
    # This directive can be specified twice to also log server responses.
    
    VerboseLog                   no
    
    # List dot-files even when the client doesn't send "-a".
    
    DisplayDotFiles              yes
    
    # Disallow authenticated users - Act only as a public FTP server.
    
    AnonymousOnly                no
    
    # Disallow anonymous connections. Only accept authenticated users.
    
    NoAnonymous                  no
    
    
    # Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
    # The default facility is "ftp". "none" disables logging.
    
    SyslogFacility               ftp
    
    # Display fortune cookies
    
    # FortunesFile                 /usr/share/fortune/zippy
    
    # Don't resolve host names in log files. Recommended unless you trust
    # reverse host names, and don't care about DNS resolution being possibly slow.
    
    DontResolve                  yes
    
    # Maximum idle time in minutes (default = 15 minutes)
    
    MaxIdleTime                  15
    
    # LDAP configuration file (see README.LDAP)
    
    # LDAPConfigFile                /etc/pure-ftpd/pureftpd-ldap.conf
    
    # MySQL configuration file (see README.MySQL)
    
    # MySQLConfigFile               /etc/pure-ftpd/pureftpd-mysql.conf
    
    # PostgreSQL configuration file (see README.PGSQL)
    
    # PGSQLConfigFile               /etc/pure-ftpd/pureftpd-pgsql.conf
    
    # PureDB user database (see README.Virtual-Users)
    
    PureDB                        /etc/pure-ftpd/pureftpd.pdb
    
    # Path to pure-authd socket (see README.Authentication-Modules)
    
    # ExtAuth                       /var/run/ftpd.sock
    
    # If you want to enable PAM authentication, uncomment the following line
    
    PAMAuthentication             yes
    
    # If you want simple Unix (/etc/passwd) authentication, uncomment this
    
    UnixAuthentication           yes
    
    # Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
    # UnixAuthentication can be used specified once, but can be combined
    # together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
    # the SQL server will be used first. If the SQL authentication fails because the
    # user wasn't found, a new attempt will be done using system authentication.
    # If the SQL authentication fails because the password didn't match, the
    # authentication chain stops here. Authentication methods are chained in
    # the order they are given.
    
    # 'ls' recursion limits. The first argument is the maximum number of
    # files to be displayed. The second one is the max subdirectories depth.
    
    LimitRecursion               10000 8
    
    # Are anonymous users allowed to create new directories?
    
    AnonymousCanCreateDirs       no
    
    # If the system load is greater than the given value, anonymous users
    # aren't allowed to download.
    
    MaxLoad                      4
    
    # Port range for passive connections - keep it as broad as possible.
    
    PassivePortRange             30001 50011
    
    # Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
    # Symbolic host names are also accepted for gateways with dynamic IP
    # addresses.
    
    ForcePassiveIP               XXX.XXX.XXX.XXX #Your server IP
    
    # Upload/download ratio for anonymous users.
    
    # AnonymousRatio               1 10
    
    # Upload/download ratio for all users.
    # This directive supersedes the previous one.
    
    # UserRatio                    1 10
    
    # Disallow downloads of files owned by the "ftp" system user;
    # files that were uploaded but not validated by a local admin.
    
    AntiWarez                    yes
    
    # IP address/port to listen to (default=all IP addresses, port 21).
    
    # Bind                         127.0.0.1,21
    
    # Maximum bandwidth for anonymous users in KB/s
    
    # AnonymousBandwidth           8
    
    # Maximum bandwidth for *all* users (including anonymous) in KB/s
    # Use AnonymousBandwidth *or* UserBandwidth, not both.
    
    # UserBandwidth                8
    
    # File creation mask. <umask for files>:<umask for dirs> .
    # 177:077 if you feel paranoid.
    
    Umask                        133:022
    
    # Minimum UID for an authenticated user to log in.
    # For example, a value of 100 prevents all users whose user id is below
    # 100 from logging in. If you want "root" to be able to log in, use 0.
    
    MinUID                      1000
    
    # Do not use the /etc/ftpusers file to disable accounts. We're already
    # using MinUID to block users with uid < 1000
    
    UseFtpUsers no
    
    # Allow FXP transfers for authenticated users.
    
    AllowUserFXP                 no
    
    # Allow anonymous FXP for anonymous and non-anonymous users.
    
    AllowAnonymousFXP            no
    
    # Users can't delete/write files starting with a dot ('.')
    # even if they own them. But if TrustedGID is enabled, that group
    # will exceptionally have access to dot-files.
    
    ProhibitDotFilesWrite        no
    
    # Prohibit *reading* of files starting with a dot (.history, .ssh...)
    
    ProhibitDotFilesRead         no
    
    # Don't overwrite files. When a file whose name already exist is uploaded,
    # it gets automatically renamed to file.1, file.2, file.3, ...
    
    AutoRename                   no
    
    # Prevent anonymous users from uploading new files (no = upload is allowed)
    
    AnonymousCantUpload         yes
    
    # Only connections to this specific IP address are allowed to be
    # non-anonymous. You can use this directive to open several public IPs for
    # anonymous FTP, and keep a private firewalled IP for remote administration.
    # You can also only allow a non-routable local IP (such as 10.x.x.x) for
    # authenticated users, and run a public anon-only FTP server on another IP.
    
    # TrustedIP                    10.1.1.1
    
    # To add the PID to log entries, uncomment the following line.
    
    # LogPID                       yes
    
    # Create an additional log file with transfers logged in a Apache-like format :
    # fw.c9x.org - jedi [13/Apr/2017:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
    # This log file can then be processed by common HTTP traffic analyzers.
    
    AltLog                     clf:/var/log/pureftpd.log
    
    # Create an additional log file with transfers logged in a format optimized
    # for statistic reports.
    
    # AltLog                     stats:/var/log/pureftpd.log
    
    # Create an additional log file with transfers logged in the standard W3C
    # format (compatible with many HTTP log analyzers)
    
    # AltLog                     w3c:/var/log/pureftpd.log
    
    # Disallow the CHMOD command. Users cannot change perms of their own files.
    
    # NoChmod                      yes
    
    # Allow users to resume/upload files, but *NOT* to delete them.
    
    # KeepAllFiles                 yes
    
    # Automatically create home directories if they are missing
    
    # CreateHomeDir                yes
    
    # Enable virtual quotas. The first value is the max number of files.
    # The second value is the maximum size, in megabytes.
    # So 1000:10 limits every user to 1000 files and 10 MB.
    
    # Quota                        1000:10
    
    # If your pure-ftpd has been compiled with standalone support, you can change
    # the location of the pid file. The default is /var/run/pure-ftpd.pid
    
    #PIDFile                     /var/run/pure-ftpd.pid
    
    # If your pure-ftpd has been compiled with pure-uploadscript support,
    # this will make pure-ftpd write info about new uploads to
    # /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
    # spawn a script to handle the upload.
    # Don't enable this option if you don't actually use pure-uploadscript.
    
    # CallUploadScript             yes
    
    # This option is useful on servers where anonymous upload is
    # allowed. When the partition is more that percententage full,
    # new uploads are disallowed.
    
    MaxDiskUsage                   99
    
    # Set to 'yes' to prevent users from renaming files.
    
    # NoRename                     yes
    
    # Be 'customer proof': forbids common customer mistakes such as
    # 'chmod 0 public_html', that are valid, but can cause customers to
    # unintentionally shoot themselves in the foot.
    
    CustomerProof                yes
    
    # Per-user concurrency limits. Will only work if the FTP server has
    # been compiled with --with-peruserlimits.
    # Format is: <max sessions per user>:<max anonymous sessions>
    # For example, 3:20 means that an authenticated user can have up to 3 active
    # sessions, and that up to 20 anonymous sessions are allowed.
    
    # PerUserLimits                3:20
    
    # When a file is uploaded and there was already a previous version of the file
    # with the same name, the old file will neither get removed nor truncated.
    # The file will be stored under a temporary name and once the upload is
    # complete, it will be atomically renamed. For example, when a large PHP
    # script is being uploaded, the web server will keep serving the old version and
    # later switch to the new one as soon as the full file will have been
    # transferred. This option is incompatible with virtual quotas.
    
    # NoTruncate                   yes
    
    # This option accepts three values:
    # 0: disable SSL/TLS encryption layer (default).
    # 1: accept both cleartext and encrypted sessions.
    # 2: refuse connections that don't use the TLS security mechanism,
    #    including anonymous sessions.
    # Do _not_ uncomment this blindly. Double check that:
    # 1) The server has been compiled with TLS support (--with-tls),
    # 2) A valid certificate is in place,
    # 3) Only compatible clients will log in.
    
    TLS                          1
    
    
    # Cipher suite for TLS sessions.
    # The default suite is secure and setting this property is usually
    # only required to *lower* the security to cope with legacy clients.
    # Prefix with -C: in order to require valid client certificates.
    # If -C: is used, make sure that clients' public keys are present on
    # the server.
    
    TLSCipherSuite               HIGH
    
    # Certificate file, for TLS
    
    #CertFile                     /etc/ssl/private/pure-ftpd.pem
    
    # Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
    # By default, both IPv4 and IPv6 are enabled.
    
    # IPV4Only                     yes
    
    # Listen only to IPv6 addresses in standalone mode (i.e. disable IPv4)
    # By default, both IPv4 and IPv6 are enabled.
    
    # IPV6Only                     yes
    
    # UTF-8 support for file names (RFC 2640)
    # Set the charset of the server filesystem and optionally the default charset
    # for remote clients that don't use UTF-8.
    # Works only if pure-ftpd has been compiled with --with-rfc2640
    
    # FileSystemCharset                big5
    # ClientCharset                    big5
    
    After the change donĀ“t forget to restart the Pur-Ftpd server
    Code:
    service pure-ftpd restart
    
    Note about the certificate:
    Code:
    #CertFile                     /etc/ssl/private/pure-ftpd.pem
    
    This has to be disabled because CentMin uses the Certificate that was created during the installation.

    Make sure to open the PassivePortRange 30001 50011 into the CFS firewall. (also in the DigitalOcean / Your cloud Firewall)
     
  2. eva2000

    eva2000 Administrator Staff Member

    39,199
    8,654
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,307
    Local Time:
    9:01 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    I won't disable pure-ftpd TLS for security reasons.

    Didn't know filezilla removed the options, are you sure ?? Change log for Filezilla still has references to FTP servers
    Code (Text):
    3.41.2 (2019-03-18)
    
    ! Backport a security fix from PuTTY 0.71 affecting SFTP connections: Fix an integer overflow in the RSA key exchange preceeding host key verification
    
    3.41.1 (2019-03-06)
    
    - Fix a regression introduced in 3.41.1 with slow FTP servers needlessly waiting for a bidirectional shutdown of the data connection during downloads
    

    and latest 3.41.2 still shows the settings available for FTP with explicity FTP over TLS
    upload_2019-3-23_3-1-3.png
     
  3. eva2000

    eva2000 Administrator Staff Member

    39,199
    8,654
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,307
    Local Time:
    9:01 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    which version of Centmin Mod you using 123.08stable or 123.09beta01 ? both versions should have pure-ftpd already supporting FTP TLS connections out of the box just 123.08stable has different passive port ranges than 123.09beta01 for it outlined at https://centminmod.com/ftp.html
     
  4. EckyBrazzz

    EckyBrazzz Member

    85
    9
    8
    Mar 28, 2018
    Brazil
    Ratings:
    +20
    Local Time:
    8:01 PM
    1.15.12 with ngx_pagespeed
    10.3.14
    In the link https://community.centminmod.com/th...beta-pure-ftpd-virtual-ftp-user-support.2163/ you wrote
    In the SSL/TLS settings menu check "allow Explicit SSL/TLS on normal connections" and check "Disallow plain unencrypted FTP" and "Force PROT P to encrypt file transfers in SSL/TLS mode"

    The part check "Disallow plain unencrypted FTP" and "Force PROT P to encrypt file transfers in SSL/TLS mode" is missing in FileZilla.

    I used the 123.09beta01, as you could see in the configuration files on the ports that I used.
     
  5. eva2000

    eva2000 Administrator Staff Member

    39,199
    8,654
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,307
    Local Time:
    9:01 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  6. EckyBrazzz

    EckyBrazzz Member

    85
    9
    8
    Mar 28, 2018
    Brazil
    Ratings:
    +20
    Local Time:
    8:01 PM
    1.15.12 with ngx_pagespeed
    10.3.14
    As told before I would do a new fresh install of the 123.09beta01 and Pure-ftpd would not connect into TLS mode because TLS is disable in the configuration file.

    Filezilla gives this message after a fresh install:
    Code:
    Status:    Connecting to xxx.xxx.xxx.xxx:21...
    Status:    Connection established, waiting for welcome message...
    Status:    Insecure server, it does not support FTP over TLS.
    Status:    Logged in
    Status:    Retrieving directory listing...
    Status:    Directory listing of "/" successful
    Find below the default pure-ftpd configuration file with some errors. The above file in post #1 is the correct one that should be created when installing the 123.09beta01

    After the edits as show below

    Code:
    PassivePortRange             30001 50011
    ForcePassiveIP               XXX.XXX.XXX.XXX #Your server IP
    TLS                          1
    TLSCipherSuite               HIGH
    
    Some items only need to be uncommented, PassivePortRange needs to be adjusted for the 123.09beta01 version

    and after a restart with
    Code:
    service pure-ftpd restart
    Filezilla connects fine with TLS and shows the TLS Certificate to trust
    Code:
    Connecting to xxx.xxx.xxx.xxx:21...
    Status:    Connection established, waiting for welcome message...
    Status:    Initializing TLS...
    Status:    Verifying certificate...
    Status:    TLS connection established.
    Status:    Logged in
    Status:    Retrieving directory listing...
    Status:    Directory listing of "/" successful
    
     
    • Informative Informative x 1
  7. eva2000

    eva2000 Administrator Staff Member

    39,199
    8,654
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,307
    Local Time:
    9:01 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    strange I will have to test this maybe it's a bug in centmin mod routine i.e. I use sed replacements to enable this so if formatting of pure-ftpd config file changes it could render the sed replacements useless.
     
    • Informative Informative x 1
  8. eva2000

    eva2000 Administrator Staff Member

    39,199
    8,654
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,307
    Local Time:
    9:01 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
..