Lampros - Weird Bricks

PureFTPd with TLS support (encryption)

30 January, 2012 | PureFTPd

Hi everyone,

So I was looking to install an FTP server on FreeBSD that wouldn't be hard to administrate and would have encryption support too.

As such I stumbled upon PureFTPd.

These are the steps I took to setup PureFTPd with encryption.

Please note that these instructions are based on this excellent post here. Respect.

1. Start by installing PureFTPd as a port - unfortunately the package does not have encryption support.

cd /usr/ports/ftp/pure-ftpd; time make install clean



2. Make sure you select TLS, PERUSERLIMITS, THROTTLING and LARGEFILE.

Took less than 5 minutes.

3. Switch to PureFTPd config directory:

cd /usr/local/etc



4. Make PureFTPd start on boot:

echo 'pureftpd_enable="YES"' >> /etc/rc.conf



5. Copy the sample config file to what PureFTPd expects to find:

cp pure-ftpd.conf.sample pure-ftpd.conf



6. Change permissions:

chmod 644 pure-ftpd.conf



7. Edit the config file:

ee pure-ftpd.conf



8. Go to line 59:
edit it from:

VerboseLog no


to:

VerboseLog yes



9. We don't want anyone logging in without a username and password (aka no anonymous logins allowed!):
go to line 77:
edit it from:

NoAnonymous no


to:

NoAnonymous yes



10. Use the PureDB database for users (PureDB is the built-in PureFTPd user database):
go to line 126:
edit it from:

# PureDB /etc/pureftpd.pdb


to:

PureDB /usr/local/etc/pureftpd.pdb



11. Have PureFTPd create home user directories:
NOTE: dirs will be created under /home/vftp/USERNAME
go to line 336:
edit it from:

#CreateHomeDir yes


to:

CreateHomeDir yes



12. Exit and save the file

13. Create a system account for PureFTPd:

pw useradd vftp -s /sbin/nologin -w no -d /usr/home/vftp -c "Virtual FTP user" -m



14. Start PureFTPd

/usr/local/etc/rc.d/pure-ftpd start




15. Before we add any users make sure to rehash first:

rehash



16. Add a user from the command line: (in this example user weirdbricks with password weirdpass)

(echo weirdpass; echo weirdpass) | pure-pw useradd weirdbricks -u vftp -g vftp -d /usr/home/vftp/weirdbricks -m



17. Next refresh the PureDB database:

pure-pw mkdb



18. Set a size quota in MB (OPTIONAL - you can safely skip this if you don't want a quota).
This sets the user's quota to 100MB of uploaded files:

pure-pw usermod weirdbricks -N 100 -m



19. Before we add TLS let's test it with everyone's favorite FTP client: FileZilla!


FileZilla is very straightforward. Just use your FreeBSD IP address and the username/password you used above and that's it.

20. The above is all good - but unencrypted. In other words anything you upload can be sniffed, including your username/password. Don't believe me? See for yourselves.

Back to your FreeBSD shell, type:

tcpdump -A -i em0 port 21


Where em0 is your ethernet device and port 21 is the standard FTP port.

Close FileZilla and connect again - you'll get something like this:

@.@.fZ.............:.i...I....................
02:21:51.175504 IP 192.168.2.3.53641 > anubis.ftp: Flags [.], ack 1, win 16425, length 0
E..(wf@....     ...............I.:.jP.@).4........
02:21:51.178454 IP anubis.ftp > 192.168.2.3.53641: Flags [P.], ack 1, win 8212, length 314
E..bO.@.@.e..............:.j...IP. .....220---------- Welcome to Pure-FTPd [privse
02:21:51.181895 IP 192.168.2.3.53641 > anubis.ftp: Flags [P.], ack 315, win 16346, length 18
E..:wg@....................I.:..P.?.....USER weirdbricks

02:21:51.182733 IP anubis.ftp > 192.168.2.3.53641: Flags [P.], ack 19, win 8212, length 44
E..TO.@.@.f(.............:.....[P. .....331 User weirdbricks OK. Password required
02:21:51.202084 IP 192.168.2.3.53641 > anubis.ftp: Flags [P.], ack 359, win 16335, length 16
E..8wh@....................[.:..P.?.dF..PASS weirdpass



Looks like a bunch of ugly text? Well, it is a bunch of ugly text! Look closer....

USER weirdbricks


Looks familiar? Even worse:

PASS weirdpass



Yup, so now you know why you need encryption.

21. Create a directory for our self signed certificate:

mkdir -p /etc/ssl/private



22. Create a self-signed certificate:

openssl req -x509 -nodes -newkey rsa:1024 -keyout \
  /etc/ssl/private/pure-ftpd.pem \
  -out /etc/ssl/private/pure-ftpd.pem


Answer the few questions that come up with just Enter - the only one that's important is the Common Name (CN). You probably want this set to your server's hostname, for example anubis.weirdbricks.com. You can leave all the other ones blank.

23. Change the permissions on the certificate:

chmod 600 /etc/ssl/private/*.pem
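Steps 22 and 23 do the certificate work interactively. The following is an added example, not part of the original post or of Pure-FTPd: it builds the same combined key-plus-certificate PEM file non-interactively (the CN is passed on the command line) and then verifies the result before PureFTPd is pointed at it. The function names are mine; the key size (rsa:2048) and the 365-day lifetime are my choices, not the post's, which uses rsa:1024 and the openssl default.

```shell
#!/bin/sh
# Added example for steps 22 and 23 of this post; it is not part of the
# original post or of Pure-FTPd. Function names are my own; key size and
# lifetime are my choices (the post uses rsa:1024 interactively).

# make_ftp_pem PEM CN [DAYS]
#   Writes a private key followed by a self-signed certificate for CN into
#   PEM, which is what pure-ftpd expects in one file. The temporary files
#   are created under umask 077 so the key is never world-readable, even
#   briefly; the final file gets mode 600 as in step 23.
make_ftp_pem() {
    _pem=$1 _cn=$2 _days=${3:-365}
    (
        umask 077
        openssl req -x509 -nodes -newkey rsa:2048 -days "$_days" \
            -subj "/CN=$_cn" -keyout "$_pem.key.$$" -out "$_pem.crt.$$" 2>/dev/null &&
        cat "$_pem.key.$$" "$_pem.crt.$$" > "$_pem"
    ) || return 1
    rm -f "$_pem.key.$$" "$_pem.crt.$$"
    chmod 600 "$_pem"
}

# check_ftp_pem PEM CN
#   Returns 0 when PEM holds a private key whose modulus matches the
#   certificate in the same file, the certificate names CN and has not
#   expired, and the file mode is 600. Prints what failed otherwise.
check_ftp_pem() {
    _pem=$1 _cn=$2 _rc=0
    _kmod=$(openssl rsa -in "$_pem" -noout -modulus 2>/dev/null || true)
    _cmod=$(openssl x509 -in "$_pem" -noout -modulus 2>/dev/null || true)
    [ -n "$_kmod" ] && [ "$_kmod" = "$_cmod" ] ||
        { echo "$_pem: key and certificate do not match (or one is missing)"; _rc=1; }
    openssl x509 -in "$_pem" -noout -subject 2>/dev/null | grep -q "CN *= *$_cn" ||
        { echo "$_pem: certificate subject does not name $_cn"; _rc=1; }
    openssl x509 -in "$_pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "$_pem: certificate is expired"; _rc=1; }
    [ "$(ls -ld "$_pem" | cut -c5-10)" = "------" ] ||
        { echo "$_pem: mode should be 600 (step 23)"; _rc=1; }
    return $_rc
}

# Usage, with the post's path and an example hostname (placeholder):
#   make_ftp_pem /etc/ssl/private/pure-ftpd.pem anubis.weirdbricks.com
#   check_ftp_pem /etc/ssl/private/pure-ftpd.pem anubis.weirdbricks.com && echo OK
```

Run check_ftp_pem again after any later edit to the file; a key and certificate that do not belong together, or a world-readable key, are the two mistakes that are easiest to make when the PEM is assembled by hand.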



24. Make PureFTPd aware of the cert, edit the config file again:

ee /usr/local/etc/pure-ftpd.conf



25. Go to line 423:
edit it from:

#TLS 1


to:

TLS 3



If you want to find out more about those options look here. For now, all you need to know is that "TLS 3" means no cleartext communications are allowed at all.

26. Go to line 428:
edit it from:

# TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3


to:

TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3



When changing TLS settings you may have to completely stop PureFTPd (make sure to also kill any hanging processes) and start it again! :)
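Steps 8-11 and 25-26 edit pure-ftpd.conf by line number, and those numbers shift between versions of the sample file. The script below is an added example, not part of the original post or of Pure-FTPd: it applies the same settings by directive name and then sanity-checks the TLS-related ones before the restart in the next step. The function names (pfset, pfget, pfharden, pfcheck) and the config fragment it demonstrates on are mine.

```shell
#!/bin/sh
# Added example for steps 8-11 and 25-26 of this post; it is not part of the
# original post or of Pure-FTPd. Function names are my own.

# pfset CONF KEY VALUE
#   Rewrites the first line that defines KEY, active or commented out
#   ("#KEY ..." or "# KEY ..."), to "KEY VALUE". Appends the directive if
#   the file never mentions KEY.
pfset() {
    _conf=$1 _key=$2 _value=$3
    _tmp="$_conf.tmp.$$"
    awk -v k="$_key" -v v="$_value" '
        !done && $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$_conf" > "$_tmp" && mv "$_tmp" "$_conf"
}

# pfget CONF KEY
#   Prints the value of the active (uncommented) KEY line, or nothing.
pfget() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# pfharden CONF PDB
#   Applies the post's settings: verbose logging, no anonymous logins,
#   PureDB user database at PDB, automatic home directories, TLS-only
#   sessions (TLS 3) and the post's cipher suite string.
pfharden() {
    pfset "$1" VerboseLog yes
    pfset "$1" NoAnonymous yes
    pfset "$1" PureDB "$2"
    pfset "$1" CreateHomeDir yes
    pfset "$1" TLS 3
    pfset "$1" TLSCipherSuite 'HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3'
}

# pfcheck CONF
#   Returns 0 when CONF refuses cleartext sessions (TLS 3), refuses
#   anonymous logins, names a PureDB file and has a cipher suite set;
#   otherwise prints each failing item and returns 1.
pfcheck() {
    _rc=0
    [ "$(pfget "$1" TLS)" = 3 ] || { echo "TLS is not 3: cleartext sessions still allowed"; _rc=1; }
    [ "$(pfget "$1" NoAnonymous)" = yes ] || { echo "NoAnonymous is not yes"; _rc=1; }
    [ -n "$(pfget "$1" PureDB)" ] || { echo "PureDB is not set"; _rc=1; }
    [ -n "$(pfget "$1" TLSCipherSuite)" ] || { echo "TLSCipherSuite is not set"; _rc=1; }
    return $_rc
}

# Demo on a constructed fragment of the sample config (not a real
# pure-ftpd.conf.sample): shows the file before and after, then the check.
demo() {
    _dir=$(mktemp -d) || return 1
    cat > "$_dir/pure-ftpd.conf" <<'EOF'
VerboseLog                  no
NoAnonymous                 no
# PureDB                      /etc/pureftpd.pdb
#CreateHomeDir                yes
#TLS                      1
# TLSCipherSuite            HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
EOF
    echo "--- before"; cat "$_dir/pure-ftpd.conf"
    pfharden "$_dir/pure-ftpd.conf" /usr/local/etc/pureftpd.pdb
    echo "--- after"; cat "$_dir/pure-ftpd.conf"
    pfcheck "$_dir/pure-ftpd.conf" && echo "config OK"
    rm -rf "$_dir"
}
demo
```

On a real system the call is pfharden /usr/local/etc/pure-ftpd.conf /usr/local/etc/pureftpd.pdb followed by pfcheck /usr/local/etc/pure-ftpd.conf; pfset keeps the rest of the file untouched, so anything else you have customised survives.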

27. Restart PureFTPd:

/usr/local/etc/rc.d/pure-ftpd restart



If, when doing that, you see this kind of error message:

Running: /usr/local/sbin/pure-ftpd -g/var/run/pure-ftpd.pid -A -c50 -B -C8 -d -D -E -fftp -H -I15 -lpuredb:/usr/local/etc/pureftpd.pdb -L10000:8 -m4 -s -U133:022 -u100 -X -j -k99 -Z -Y3
pure-ftpd: invalid option -- Y
pure-ftpd: invalid option -- 3


That means you most likely haven't compiled PureFTPd with the TLS option.

28. Try connecting with FileZilla again:

You'll most likely see an error, which is actually GOOD news: cleartext sessions are no longer allowed!

29. Click on the 'Open Site Manager' icon:


30. Click on 'New Site' and enter your host IP address, your 'User:' and your 'Password:' - the important thing here is 'Encryption:' - make sure it's set to 'Require explicit FTP over TLS'.

Now click 'Connect'.

31. You will most likely get this warning message - all it means is that it's a self-signed certificate (but we know that...:))


32. If you take a look at the output of tcpdump again you'll see something like this:

03:05:11.623133 IP anubis.ftp > 192.168.2.3.53964: Flags [P.], ack 11, win 8212, length 18
E..:Z[@.@.Z..............j.,s...P. .....234 AUTH TLS OK.

03:05:11.638768 IP 192.168.2.3.53964 > anubis.ftp: Flags [P.], ack 339, win 16340, length 111
E...vd@.................s....j.>P.?.........j...f..O&yh..Y.     f.a..Dy)P%zM..Nq.{..
03:05:11.651885 IP anubis.ftp > 192.168.2.3.53964: Flags [P.], ack 122, win 8212, length 1306
E..BZ@.@.U..............j.>s..{P. .........Q...M..O&yg....R...s"...)md.....HKU...



Yup - exactly - it's COMPLETELY garbled up now! That's the point of encryption! You can still see AUTH TLS OK being issued and the IP address of the client and server though!
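The two captures above (step 20 and step 32) are exactly the evidence you want to keep checking for on your own server after enabling TLS. The script below is an added example, not part of the original post or of Pure-FTPd: it reads a text capture saved from tcpdump -A (for example tcpdump -A -i em0 port 21 > ftp.txt) and reports every login that crossed the wire in cleartext, printing the username but never the password. The function name is mine, and the sample captures embedded in the demo are constructed from the lines shown in steps 20 and 32.

```shell
#!/bin/sh
# Added example for steps 20 and 32 of this post; it is not part of the
# original post or of Pure-FTPd. The function name is my own.

# ftp_cleartext_logins CAPTURE
#   CAPTURE is the text output of "tcpdump -A ... port 21". Prints one line
#   per cleartext USER or PASS command found, as
#   "<client ip.port> USER <name>" or "<client ip.port> PASS <redacted>".
#   Nothing is printed for a session that negotiated AUTH TLS, because the
#   login then travels inside the encrypted stream.
ftp_cleartext_logins() {
    awk '
        # tcpdump packet header: "HH:MM:SS.usec IP src > dst: Flags ..."
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP / { src = $3; next }
        # payload line (the -A ASCII dump) carrying a login command
        match($0, /(USER|PASS) [^ \t]+/) {
            cmd = substr($0, RSTART, 4)
            arg = substr($0, RSTART + 5, RLENGTH - 5)
            if (cmd == "PASS") arg = "<redacted>"
            print src, cmd, arg
        }
    ' "$1"
}

# Demo on two constructed captures, built from the lines shown in steps 20
# (cleartext login) and 32 (session after AUTH TLS) of this post.
demo() {
    _dir=$(mktemp -d) || return 1
    cat > "$_dir/cleartext.txt" <<'EOF'
02:21:51.181895 IP 192.168.2.3.53641 > anubis.ftp: Flags [P.], ack 315, win 16346, length 18
E..:wg@....................I.:..P.?.....USER weirdbricks
02:21:51.182733 IP anubis.ftp > 192.168.2.3.53641: Flags [P.], ack 19, win 8212, length 44
E..TO.@.@.f(.............:.....[P. .....331 User weirdbricks OK. Password required
02:21:51.202084 IP 192.168.2.3.53641 > anubis.ftp: Flags [P.], ack 359, win 16335, length 16
E..8wh@....................[.:..P.?.dF..PASS weirdpass
EOF
    cat > "$_dir/tls.txt" <<'EOF'
03:05:11.623133 IP anubis.ftp > 192.168.2.3.53964: Flags [P.], ack 11, win 8212, length 18
E..:Z[@.@.Z..............j.,s...P. .....234 AUTH TLS OK.
03:05:11.638768 IP 192.168.2.3.53964 > anubis.ftp: Flags [P.], ack 339, win 16340, length 111
E...vd@.................s....j.>P.?.........j...f..O&yh..Y.     f.a..Dy)P%zM..Nq.{..
EOF
    echo "--- before TLS (step 20):"
    ftp_cleartext_logins "$_dir/cleartext.txt"
    echo "--- after TLS (step 32):"
    ftp_cleartext_logins "$_dir/tls.txt"
    rm -rf "$_dir"
}
demo
```

The first capture yields two lines (a USER and a redacted PASS from 192.168.2.3.53641); the second yields nothing, which is the result you want to see once TLS 3 is in place. Any line this prints from a fresh capture means a client is still logging in without TLS, which is exactly what "TLS 3" should be preventing.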

33. To list users:

pure-pw list



34. To delete a user:

pure-pw userdel username