Novell Cool Solutions: Feature
By Damian Myerscough
Posted: 23 Oct 2007
This article was tested on SUSE Linux Enterprise Server and SUSE Linux Enterprise Desktop.
In this article I am going to cover setting up virtual users and administering user accounts. Among the tasks we will look at are chrooting users, setting upload and download limits, and restricting access by IP address. Pure-FTPd is an excellent service that provides a rich feature set and a high level of security, as it is regularly audited for security vulnerabilities; it also provides server messages in multiple languages, which helps administrators who do not natively speak English.
The Pure-FTPd daemon can be installed from the SUSE installation disks. To check whether it is already installed, issue the "rpm" command with the qualifiers "-q pure-ftpd"; this queries the RPM database for the pure-ftpd package, as shown in Figure 1.
linux-1reo:~ # rpm -q pure-ftpd
pure-ftpd-1.0.20-24.2
If "rpm" reports that the package is not installed, install the daemon with the YaST utility; issue either "yast" or "yast2" depending on whether you prefer the text or the graphical interface.
Once Pure-FTPd has been installed you can start the service with either the "service" command or the "rcpure-ftpd" script, as shown in Figure 1.1.
linux-1reo:~ # /sbin/service pure-ftpd start
Starting pure-ftpd                                                  done
On a side note, whenever you change the Pure-FTPd configuration you are required to restart the daemon for the changes to take effect.
Once Pure-FTPd has been successfully installed you will need to open the passive port range and the FTP control port (21) on the firewall, and configure the same range in the "pure-ftpd.conf" configuration file, which is located in the "/etc/pure-ftpd" directory.
The first step is to define the port range that will be used for passive data connections. In "pure-ftpd.conf" the default is 30000-50000, which is fine; all you need to do is uncomment the "PassivePortRange 30000 50000" directive, as shown in Figure 1.2. Whatever range you pick here must match the range you open on the firewall in the next step.
...
PassivePortRange 30000 50000
...
Once this has been uncommented you will need to restart the Pure-FTPd daemon. When you have restarted the Pure-FTPd daemon you will need to open the port range in the firewall as shown in Figure 1.3.
linux-1reo:~ # iptables -I INPUT 2 -p tcp --dport 30000:50000 -j ACCEPT
linux-1reo:~ # iptables -I INPUT 2 -p udp --dport 30000:50000 -j ACCEPT
linux-1reo:~ # iptables -I INPUT 2 -p tcp --dport 21 -j ACCEPT
linux-1reo:~ # iptables -I INPUT 2 -p udp --dport 21 -j ACCEPT
The first rule shown in Figure 1.3 opens the passive port range for TCP connections and the second does the same for UDP. The third rule opens port 21 for TCP connections and the fourth opens port 21 for UDP. FTP uses TCP only, for both the control and the data connection, so the two UDP rules open ports Pure-FTPd never listens on; they are harmless but can be left out. Note also that "-I INPUT 2" inserts each rule at position 2 of the INPUT chain, so each new rule lands above the previous one (the final order is the reverse of the one shown, which does not matter here); check the result with "iptables -L INPUT -n --line-numbers". Rules added by hand with "iptables" are lost on reboot, so add them to the system firewall configuration as well.
Once the ports have been opened you can FTP from another machine to the server and log in as the anonymous user. Once logged in, issue the "ls" command and you should see the two directories "." and "..", as shown in Figure 1.4. If the "ls" command stalls after the "227 Entering Passive Mode (192,168,0,5,133,40)" message, the passive range is not open on the firewall: the last two numbers of that reply encode the data port the client is about to connect to (133*256+40 = 34088), which must fall inside the range you opened.
[damian@server2 ~]$ ftp 192.168.0.5 21
Connected to 192.168.0.5 (192.168.0.5).
220-Welcome to Pure-FTPd.
220-You are user number 2 of 10 allowed.
220-Only anonymous FTP is allowed here
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.0.5:damian): anonymous
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,0,5,131,100)
150 Accepted data connection
drwxr-xr-x    2 0        0              48 Jun 16  2006 .
drwxr-xr-x    2 0        0              48 Jun 16  2006 ..
226-Options: -a -l
226 2 matches total
ftp>
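The stall described above is easy to diagnose once you decode the "227" reply by hand. The following POSIX shell check is an added example and is not code from the original article or from the Pure-FTPd project: it decodes the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply as defined in RFC 959 (port = p1*256 + p2) and tells you whether the announced data port falls inside the range you opened on the firewall, and optionally whether the announced address is the one clients expect. The 30000-50000 range comes from the article; the function names and the variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article or the Pure-FTPd project.
# Decodes an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply
# (RFC 959) and checks the announced data port against the firewall range.

PASV_LOW=${PASV_LOW:-30000}    # same range as PassivePortRange in the article
PASV_HIGH=${PASV_HIGH:-50000}

# pasv_decode REPLY -> prints "h1.h2.h3.h4 PORT" where PORT = p1*256 + p2,
# or nothing if the line is not a well-formed 227 reply.
pasv_decode() {
    printf '%s\n' "$1" | awk -F'[(),]' '
        /^227 / && NF >= 8 && $6 <= 255 && $7 <= 255 {
            printf "%s.%s.%s.%s %d\n", $2, $3, $4, $5, $6 * 256 + $7
        }'
}

# pasv_check REPLY [EXPECTED_HOST]
# Exit 0 when the port is inside PASV_LOW-PASV_HIGH (and, if given, the
# announced address equals EXPECTED_HOST); 1 when the firewall or the
# client would fail the data connection; 2 when the reply cannot be parsed.
pasv_check() {
    decoded=$(pasv_decode "$1")
    if [ -z "$decoded" ]; then
        echo "unparseable reply: $1" >&2
        return 2
    fi
    host=${decoded% *}
    port=${decoded#* }
    if [ -n "${2:-}" ] && [ "$host" != "$2" ]; then
        # Typical when the server sits behind NAT and announces its private
        # address: the client connects to the wrong host and hangs.
        echo "server announced $host, expected $2" >&2
        return 1
    fi
    if [ "$port" -lt "$PASV_LOW" ] || [ "$port" -gt "$PASV_HIGH" ]; then
        echo "data port $port is outside $PASV_LOW-$PASV_HIGH: open it or fix PassivePortRange" >&2
        return 1
    fi
    echo "data connection to $host:$port is inside $PASV_LOW-$PASV_HIGH"
    return 0
}
```

Paste the "227" line from a stalled session into "pasv_check"; passing the server's public address as the second argument also catches the NAT case, where the address in the reply is not the one the client can reach.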
Enabling virtual users
Once the firewall has been configured you will need to edit two important directives in the "pure-ftpd.conf" configuration file. The first is "PureDB", which points at the virtual user database; by default this directive is commented out and you will need to uncomment it. The second is "AnonymousOnly", which must be set to "no"; otherwise Pure-FTPd will only allow anonymous logins. If you do not want anonymous access at all once virtual users are in place, also set "NoAnonymous" to "yes", then restart the daemon.
The next step is to create a system user and group that all virtual users will be mapped to. Pure-FTPd runs every virtual user's session under this one UID and GID, so virtual users do not need individual entries in "/etc/passwd". The command used to create a group is "groupadd", as shown in Figure 2.
linux-1reo:~ # groupadd virftp
Once the "virftp" group has been created, the next step is to create the user that will own all virtual users' files. The user we will create is "virftp", as shown in Figure 2.1.
linux-1reo:~ # useradd -g virftp -d /srv/home -s /bin/false virftp
The qualifiers that have been used in Figure 2.1 are listed in Table 1 with a description of what they do.
-g    Sets the primary group of the new "virftp" user to "virftp".
-d    Sets the user's home directory to "/srv/home".
-s    Sets the login shell; "/bin/false" means the account cannot log in interactively, which is what you want for an account that only owns files.
Table 1: useradd qualifiers.
Once the user and group have been successfully created you will need to create a home directory for the "virftp" user as shown in Figure 2.2.
linux-1reo:~ # mkdir /srv/home
Create a virtual user
Once the "virftp" user and group have been created you can begin to create virtual users. After creating the first virtual user you also need to issue "pure-pw mkdb", which compiles the virtual user database that the daemon reads; "pure-pw useradd" prompts for the password twice. The user we will create in this article is "damian", using "pure-pw useradd" as shown in Figure 3.
linux-1reo:~ # pure-pw useradd damian -u virftp -g virftp -d /srv/home/damian
Password:
Enter it again:
linux-1reo:~ # pure-pw mkdb
Once the user has been created, their home directory must be created manually and owned by user and group "virftp", as shown in Figure 3.1.
linux-1reo:~ # mkdir /srv/home/damian
linux-1reo:~ # chown virftp:virftp /srv/home -R
Once the user and their home directory have been created with the appropriate ownership you can log in as that user. "pure-pw mkdb" does not need to be run by hand after later changes as long as you pass the "-m" qualifier to "pure-pw", which rebuilds the database automatically.
By default virtual users are chrooted into their home directory, which "pure-pw show" indicates with a trailing "/./" on the directory. If this is not what you want, use the "-D" qualifier instead of "-d"; it sets the home directory without chrooting the user. Bear in mind that all virtual users run under the same "virftp" UID, so the chroot is the only thing that keeps one virtual user out of another's files; a user created with "-D" can browse every other virtual user's directory.
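The steps above (shared account, "pure-pw useradd", home directory, "pure-pw mkdb") are easy to get subtly wrong by hand, for example by letting a login name climb out of "/srv/home". The script below is an added example, not code from the article or from the Pure-FTPd project, that wraps the same procedure with the checks a practitioner would want. It assumes the layout used in the article (system account "virftp", virtual homes under "/srv/home") and that "pure-pw" writes its default database; the function names and the "RUN=echo" dry-run convention are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article or the Pure-FTPd project: the
# virtual-user procedure above as one checked script.  Assumed layout: all
# virtual users share the system account virftp and live under /srv/home
# (both from the article); pure-pw writes its default database.  Set
# RUN=echo to print the commands instead of executing them.
set -u

VUSER=${VUSER:-virftp}
VHOME_BASE=${VHOME_BASE:-/srv/home}
RUN=${RUN:-}

# Login names are passed to pure-pw and spliced into a path, so allow only
# lower-case letters, digits, "_", "-" and ".", and reject names that start
# with "-" (would be parsed as an option) or with "." (hidden, or "..").
valid_login() {
    case "$1" in
        ''|-*|.*|*[!a-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# The home directory is always $VHOME_BASE/<login>; the login has already
# been checked, so it cannot climb out of the base directory.
vhome() {
    printf '%s/%s\n' "$VHOME_BASE" "$1"
}

# One-time setup: shared group, shared no-login account, base directory.
vftp_init() {
    $RUN groupadd "$VUSER"
    $RUN useradd -g "$VUSER" -d "$VHOME_BASE" -s /bin/false "$VUSER"
    $RUN mkdir -p "$VHOME_BASE"
    $RUN chown "$VUSER:$VUSER" "$VHOME_BASE"
}

# vftp_add LOGIN [DOWN_KBPS] [UP_KBPS]
# Creates a chrooted virtual user with optional bandwidth limits, creates
# its home directory and rebuilds the database.  pure-pw prompts for the
# password on the terminal.
vftp_add() {
    login=$1
    down=${2:-}
    up=${3:-}
    if ! valid_login "$login"; then
        echo "refusing login name '$login'" >&2
        return 1
    fi
    home=$(vhome "$login")
    # -d (not -D) chroots the user; all virtual users share one uid, so the
    # chroot is the only thing that keeps them out of each other's files.
    set -- "$login" -u "$VUSER" -g "$VUSER" -d "$home"
    if [ -n "$down" ]; then set -- "$@" -t "$down"; fi
    if [ -n "$up" ]; then set -- "$@" -T "$up"; fi
    $RUN pure-pw useradd "$@"
    # pure-pw does not create the directory: make it, owned by virftp and
    # not world-readable, so other local accounts cannot read uploads.
    $RUN mkdir -p "$home"
    $RUN chown "$VUSER:$VUSER" "$home"
    $RUN chmod 0750 "$home"
    # Compile the text database into the binary file the daemon reads.
    $RUN pure-pw mkdb
}

# Usage: ./vftp.sh init      (once)
#        ./vftp.sh add damian 10 10
case "${1:-}" in
    init) vftp_init ;;
    add)  shift; vftp_add "$@" ;;
esac
```

Run it once with "init", then "add" per user; "RUN=echo ./vftp.sh add damian 10 10" shows exactly what would be executed, which is also how the checks below exercise it without root.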
Setting upload and download limits is very simple, as only two qualifiers control the speeds: "-t" for download and "-T" for upload, both taking a value in kilobytes per second. The limit applies per session, so a user allowed several simultaneous sessions can multiply it; cap the session count with "-y" if that matters.
Setting download limit
In this article we are going to limit the user "damian" to 10 KB/s even though the network speed is 100 Mbps. The command to modify the user is "pure-pw" with the "usermod" argument, as shown in Figure 4.
linux-1reo:~ # pure-pw usermod damian -t 10 -m
Once you have set the download limit you can view it by issuing the "pure-pw" command with the "show" argument, as shown in Figure 4.1. Note that the output in Figure 4.1 was captured before the limit was applied, which is why it still reads "0 kb (unlimited)"; after the command in Figure 4 it reports the new limit.
linux-1reo:~ # pure-pw show damian
Login              : damian
Password           : $2a$07$O039xkKSDHXXAAow./djsswkw7j2nxcv9b8
UID                : 1001 (virftp)
GID                : 1001 (virftp)
Directory          : /srv/home/damian/./
Full name          :
Download bandwidth : 0 kb (unlimited)
Upload bandwidth   : 0 kb (unlimited)
Max files          : 0 (unlimited)
Max size           : 0 Mb (unlimited)
Ratio              : 0:0 (unlimited:unlimited)
Allowed local IPs  :
Denied local IPs   :
Allowed client IPs :
Time restrictions  : 0000-0000 (unlimited)
Max sim sessions   : 0 (unlimited)
Once the download limit has been set you should connect to your FTP server and download a test file; if all has gone well the user should not be able to download faster than 10 KB/s.
Setting upload limit
We are now going to limit uploads by the user "damian" to 10 KB/s, just as we did for the download speed. Again the command is "pure-pw" with the "usermod" argument, as shown in Figure 4.2.
linux-1reo:~ # pure-pw usermod damian -T 10 -m
Once the upload limit has been set you can view the effect by using the "pure-pw" command with the "show" argument as shown in Figure 4.1.
Restricting access based on the client's IP address is also very simple. The qualifier used to deny an address is "-R" followed by the IP address, as shown in Figure 5; the matching "-r" qualifier does the opposite and permits logins only from the addresses listed.
linux-1reo:~ # pure-pw usermod damian -R 192.168.0.2 -m
The example shown in Figure 5 refuses logins as the user "damian" from the host 192.168.0.2, even when the correct password is supplied. The "Allowed local IPs" and "Denied local IPs" fields shown by "pure-pw show" work the same way ("-i" and "-I") for the server-side address the client connected to, which is useful on a multi-homed host.
Setting time restrictions is very easy with Pure-FTPd. Times are given in 24-hour HHMM notation, so to allow the user "damian" to access the FTP server only between 1PM and 5PM you would enter "1300-1700", as shown in Figure 6; logins outside that window are refused.
linux-1reo:~ # pure-pw usermod damian -z 1300-1700 -m
The Pure-FTPd daemon provides a utility called "pure-ftpwho", which shows what is happening on your FTP server: who is logged in, what they are doing and where they are connecting from. Figure 7 shows the output of the "pure-ftpwho" command on a server with no active sessions.
linux-1reo:~ # pure-ftpwho
+---------+-------------+---------------+------------+------------------+
|   PID   |    Login    |    For/Spd    |    What    |     File/IP      |
+---------+-------------+---------------+------------+------------------+
When dealing with virtual users you may also want to reset certain fields, such as the download/upload limits, the time restrictions or any of the other fields, back to their unrestricted defaults. You do this by supplying an empty value (two single quotes, '') with the qualifier, as shown in Figure 7.1.
linux-1reo:~ # pure-pw usermod damian -R '' -m
linux-1reo:~ # pure-pw usermod damian -t '' -m
The two commands shown in Figure 7.1 reset the "Denied client IPs" and "Download bandwidth" fields; remember that an empty field means "unrestricted", so resetting is the same as removing the policy.
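Because every one of the restrictions above (bandwidth, client IP lists, time window, chroot) silently falls back to "unrestricted" when its field is empty, it is worth checking the accounts rather than trusting that the right "usermod" was run. The script below is an added example, not code from the article or the Pure-FTPd project, covering the bandwidth, IP, time-restriction and reset sections together: it parses the "pure-pw show" output, lists which restrictions are missing, and evaluates the HHMM-HHMM time window. The field labels are those of the "pure-pw show" output in Figure 4.1; "SAMPLE" is a constructed copy of that output so the script runs stand-alone; the function names, the treatment of a window whose start is later than its end as one that crosses midnight, and the findings it reports are this example's own choices, not something the daemon documents.

```shell
#!/bin/sh
# Added example, not code from the article or the Pure-FTPd project:
# audit the restrictions on a virtual user from "pure-pw show" output.

# Constructed sample, modelled on the "pure-pw show damian" output above
# (a freshly created user with no restrictions applied yet).
SAMPLE='Login              : damian
Password           : $2a$07$O039xkKSDHXXAAow./djsswkw7j2nxcv9b8
UID                : 1001 (virftp)
GID                : 1001 (virftp)
Directory          : /srv/home/damian/./
Full name          :
Download bandwidth : 0 kb (unlimited)
Upload bandwidth   : 0 kb (unlimited)
Max files          : 0 (unlimited)
Max size           : 0 Mb (unlimited)
Ratio              : 0:0 (unlimited:unlimited)
Allowed local IPs  :
Denied local IPs   :
Allowed client IPs :
Denied client IPs  :
Time restrictions  : 0000-0000 (unlimited)
Max sim sessions   : 0 (unlimited)'

# pw_field LABEL OUTPUT -> value of the "LABEL : value" line ("" if empty).
# Only the first ":" on a line separates label from value, so values such
# as the bcrypt hash or "0:0" ratio are kept intact.
pw_field() {
    printf '%s\n' "$2" | awk -v want="$1" '
        {
            n = index($0, ":"); if (n == 0) next
            key = substr($0, 1, n - 1); gsub(/ +/, " ", key); sub(/ $/, "", key)
            if (key != want) next
            val = substr($0, n + 1); sub(/^ +/, "", val); print val; exit
        }'
}

# pw_audit OUTPUT -> one line per missing restriction; exit 0 only when
# every restriction this example cares about is in place.
pw_audit() {
    n=0
    case "$(pw_field Directory "$1")" in
        */./) ;;
        *) echo "not chrooted (-D used): can read every other virtual user's files"; n=$((n + 1)) ;;
    esac
    case "$(pw_field "Download bandwidth" "$1")" in
        *unlimited*) echo "no download limit (set with -t KB/s)"; n=$((n + 1)) ;;
    esac
    case "$(pw_field "Upload bandwidth" "$1")" in
        *unlimited*) echo "no upload limit (set with -T KB/s)"; n=$((n + 1)) ;;
    esac
    case "$(pw_field "Time restrictions" "$1")" in
        0000-0000*) echo "no time window (set with -z HHMM-HHMM)"; n=$((n + 1)) ;;
    esac
    if [ -z "$(pw_field "Allowed client IPs" "$1")" ] && [ -z "$(pw_field "Denied client IPs" "$1")" ]; then
        echo "no client IP restriction (set with -r or -R)"; n=$((n + 1))
    fi
    if [ "$n" -eq 0 ]; then return 0; fi
    return 1
}

# in_window HHMM "HHMM-HHMM[ (unlimited)]" -> 0 if the clock value is
# inside the window.  0000-0000 means unrestricted; a start later than the
# end is read here as a window that crosses midnight (example's choice).
in_window() {
    now=$1
    win=${2%% *}
    b=${win%-*}
    e=${win#*-}
    if [ "$win" = "0000-0000" ]; then return 0; fi
    if [ "$b" -le "$e" ]; then
        if [ "$now" -ge "$b" ] && [ "$now" -le "$e" ]; then return 0; fi
    else
        if [ "$now" -ge "$b" ] || [ "$now" -le "$e" ]; then return 0; fi
    fi
    return 1
}

# Usage: ./pw-audit.sh sample        (audit the built-in sample)
#        ./pw-audit.sh damian        (audit a real account via pure-pw show)
case "${1:-}" in
    '')     ;;
    sample) pw_audit "$SAMPLE" ;;
    *)      pw_audit "$(pure-pw show "$1")" ;;
esac
```

Run over the sample it reports four findings (both bandwidth limits, the time window and the client IP lists are all unrestricted); after the "usermod" commands from Figures 4, 4.2, 5 and 6 the same audit of the real account should come back empty. Running "pw_audit" over every login in the database is a cheap periodic check that a '' reset has not quietly removed a policy.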
The Pure-FTPd daemon has shown that it is very powerful and feature rich, allowing administrators to easily manage their users and apply strict policy. I would also recommend visiting the Pure-FTPd website, as it provides guides on setting Pure-FTPd up with MySQL and PostgreSQL.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com