taken from: https://hostio.solutions/kb/how-to-install/pure-ftpd/
How to Install Pure-FTPd with Let’s Encrypt
If you manage multiple servers, it is super important to make backups yourself. Hosting providers often do offer backup services, however, it’s also important to have a back-up server elsewhere so that you always have access to your own data. This is especially useful when, for example, your hosting provider is completely offline.
In this “how to install” we’ll explain step by step how you can setup an FTP server with Pure-FTPd and how you can secure it with a certificate.
For this setup, we recommend that you use a dedicated server with Debian 10.
Step 1: Update server
Make sure that your Debian 10 server is up-to-date.
Step 2: Pure-FTPd installation
When your server is up-to-date, we can install the FTP server with Pure FTPd. For this, we use the following command:
apt-get install pure-ftpd
Step 3: Configuration and setup of Pure-FTPd
To ensure that everything runs properly, the following commands must be executed:
echo "yes" > /etc/pure-ftpd/conf/Daemonize
echo "yes" > /etc/pure-ftpd/conf/NoAnonymous
echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone
echo "2" > /etc/pure-ftpd/conf/TLS
We recommend setting your FTP to IPv4 only, as the performance of IPv6 is not the same for every provider. You can do this by using the following command:
echo "yes" > /etc/pure-ftpd/conf/IPV4Only
Now we are going to set the config. Out of experience we know that the following works best:
We start with deleting the existing config. To do this, you can use the following command:
rm -rf /etc/pure-ftpd/pure-ftpd.conf
Now that we’ve deleted the existing config, we can complete the config file with our settings. Open the pure-ftpd.conf.
nano /etc/pure-ftpd/pure-ftpd.conf
Now that we have the text editor open, you can copy & paste the following:
ChrootEveryone yes
BrokenClientsCompatibility no
MaxClientsNumber 50
Daemonize yes
MaxClientsPerIP 8
VerboseLog no
DisplayDotFiles yes
AnonymousOnly no
NoAnonymous no
SyslogFacility ftp
DontResolve yes
MaxIdleTime 15
LimitRecursion 10000
AnonymousCanCreateDirs no
MaxLoad 4
AntiWarez yes
Umask 133:022
MinUID 100
AllowUserFXP no
AllowAnonymousFXP no
ProhibitDotFilesWrite no
ProhibitDotFilesRead no
AutoRename no
AnonymousCantUpload no
MaxDiskUsage 99
CustomerProof yes
CertFile /etc/ssl/private/pure-ftpd.pem
Everything is now set up and configured.
Step 4: Secure the FTP server with Let’s Encrypt.
It’s important to make sure that you’re using a secure connection for your FTP traffic.
If you want to use an SSL/TLS, we first need to create the folder for it. The certificate will be placed in this folder. To do this, you can use the following command:
mkdir -p /etc/ssl/pure-ftpd
Secure your FTP server with the SSL of Let’s Encrypt
In order to use Let’s Encrypt we first have to install Certbot.
apt-get install certbot
Now that we have done the installation, it is time to request an SSL. Make sure you have a hostname and A record for your server and go through all the steps of certbot.
certbot certonly --standalone
Now we are going to merge the created Let’s Encrypt certificate files. We do this with the following command:
cat /etc/letsencrypt/live/*/privkey.pem /etc/letsencrypt/live/*/fullchain.pem > /etc/ssl/private/pure-ftpd.pem
After we’ve merged the certificates, we have to make sure that the renewed SSL is automatically merged via cronob:
nano /etc/cron.d/certbot
If all goes well, the last line should say:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Now we have to add the following to the last line:
&& cat /etc/letsencrypt/live/*/privkey.pem /etc/letsencrypt/live/*/fullchain.pem > /etc/ssl/private/pure-ftpd.pem
It should then look as follows:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew && cat /etc/letsencrypt/live/*/privkey.pem /etc/letsencrypt/live/*/fullchain.pem > /etc/ssl/private/pure-ftpd.pem
If all went well, we can restart Pure-FTPd with the following command:
service pure-ftpd restart
Step 5: create user(s)
There are two ways: create a user with SSH access or create a user without SSH access and set a storage limit.
For every account that is created, a home profile is created at /home.
Easy way to create user(s)
Use the following command to easily create an user:
adduser USERNAME
After entering this command, you can set your password. After having set the password, everything will be ready for this user and a profile will be created on /home/username.
Create user with extra options
If you want to create a user with extra options, we first have to create a user group for FTP users without SSH access.
groupadd ftpgroup
Now we can create the user:
useradd -g ftpgroup -d /dev/null -s /etc USERNAME
pure-pw useradd USERNAME -u USERNAME -g ftpgroup -d /home/USERNAME
If you want to give the user a storage limit you can add: -N 1000.
This gives the user a storage limit of 1000MB.
Example of the command with a storage limit of 1000 MB:
pure-pw useradd USERNAME -u ftpuser -g ftpgroup -d /home/USERNAME -N 1000
Now we have to create the directory for the FTP user with the following command:
mkdir /home/USERNAME
chown -R USERNAME:ftpgroup /home/USERNAME
The next step is to update the Pure-FTPd database. You can do this with the following command:
pure-pw mkdb
ln -s /etc/pure-ftpd/pureftpd.passwd /etc/pureftpd.passwd
ln -s /etc/pure-ftpd/pureftpd.pdb /etc/pureftpd.pdb
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/PureDB
Finally, we have to restart the Pure-FTPd:
service pure-ftpd restart
Every time you make changes to a user, the database must be updated:
pure-pw mkdb
Do you want to change the password for an FTP user? Then you can use the following command:
pure-pw passwd USERNAME
I