Setup FTP Server Using pure-ftpd on Debian Bullseye
Connect a Windows 11 Machine to the Debian FTP Server Using FileZilla
- Prerequisites
- Step-by-Step Process
Security Best Practices
Troubleshooting Common Issues

#Setup FTP Server Using `pure-ftpd` on Debian Bullseye

Update Your System
- Ensure your Debian system is up-to-date to avoid any compatibility issues. Open a terminal and execute the following commands:
  sudo apt-get update sudo apt-get upgrade
Install pure-ftpd
- Install the pure-ftpd package by running:
  sudo apt-get install pure-ftpd
Basic Configuration
- pure-ftpd comes with a sensible set of defaults, but you can customize its behavior by creating configuration files in /etc/pure-ftpd/conf/.
- Enable Passive Mode Ports:
  - Define a range of ports for passive mode to enhance firewall compatibility.
    echo "30000 35000" | sudo tee /etc/pure-ftpd/conf/PassivePortRange
- Restrict to Local Users:
  - Ensure only local system users can access the FTP server.
    echo "yes" | sudo tee /etc/pure-ftpd/conf/NoAnonymous
- Enable TLS (Optional for FTPS):
  - For encrypted connections, generate a TLS certificate.
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem sudo chmod 600 /etc/ssl/private/pure-ftpd.pem echo "2" | sudo tee /etc/pure-ftpd/conf/TLS
- Restart pure-ftpd to Apply Changes:
  sudo systemctl restart pure-ftpd
Creating an FTP User
- It’s a good practice to create a dedicated user for FTP access to limit system exposure and enhance security.
- Create a New User ftpuser with a Home Directory:
  sudo useradd -m ftpuser -d /home/ftpuser -s /usr/sbin/nologin sudo passwd ftpuser
- Set Appropriate Permissions:
  - Ensure the FTP user has necessary permissions on their home directory.
    sudo chown -R ftpuser:ftpuser /home/ftpuser
Adjust Firewall Settings
- If you have a firewall enabled, ensure it allows traffic on the FTP port (21 by default) and the passive mode port range defined earlier.
- Using UFW:
  sudo ufw allow 21/tcp sudo ufw allow 30000:35000/tcp sudo ufw reload
- Using iptables:
  sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 30000:35000 -j ACCEPT sudo netfilter-persistent save
- Ensure that your server’s firewall rules are configured correctly to allow FTP traffic.
Start and Enable pure-ftpd
- To ensure pure-ftpd starts automatically at boot, enable it using:
  sudo systemctl enable pure-ftpd
- Start the pure-ftpd service:
  sudo systemctl start pure-ftpd
  
  #get information of the ftp server
  
```bash #!/bin/bash

#Script to gather and display Pure-FTPd server information on Debian Bullseye

echo “Gathering Pure-FTPd server information…” echo “—————————————–”

#— General System & Service Info —

IP_ADDRESSES=$(hostname -I 2>/dev/null | sed ‘s/ *$//g’ || echo “IP addresses not found”) SERVICE_STATUS=$(systemctl is-active pure-ftpd 2>/dev/null || echo “Status not determinable or service inactive”) PKG_VERSION=$(dpkg -s pure-ftpd 2>/dev/null | grep ‘^Version:’ | awk ‘{print $2}’ || echo “Package version not found”)

#Attempt to get pure-ftpd process command line.

#Tries direct pure-ftpd process first, then pure-ftpd-wrapper.

PROC_CMD_LINE_RAW=$( (ps auxw | grep ‘[p]ure-ftpd ‘ | grep -v ‘pure-ftpd-wrapper’ | head -n 1) ||
(ps auxw | grep ‘[p]ure-ftpd-wrapper’ | head -n 1) ||
echo “pure-ftpd process not found” )

PROC_ARGS_FULL=”Arguments not retrieved or process not found” if ! echo “$PROC_CMD_LINE_RAW” | grep -q “pure-ftpd process not found”; then PROC_ARGS_FULL=$(echo “$PROC_CMD_LINE_RAW” | sed -e ‘s/^[^ ]* [^ ] [^ ] [^ ] [^ ] //’ -e ‘s/^[ \t]//’) fi

LISTENING_PORTS=$(ss -tlpn 2>/dev/null | grep ‘pure-ftpd’ | awk ‘{print $4}’ | sed ‘s/.*://’ | sort -u | tr ‘\n’ ‘ ‘ | sed ‘s/ *$//g’) if [ -z “$LISTENING_PORTS” ]; then LISTENING_PORTS=”Not found via ss or pure-ftpd not listening”; fi

#— Configuration from /etc/pure-ftpd/conf/ —

PASSIVE_PORTS_CONF_VAL=”File /etc/pure-ftpd/conf/PassivePortRange not found or not readable.” if [ -f /etc/pure-ftpd/conf/PassivePortRange ]; then PASSIVE_PORTS_CONF_VAL=$(cat /etc/pure-ftpd/conf/PassivePortRange 2>/dev/null) if [ -z “$PASSIVE_PORTS_CONF_VAL” ]; then PASSIVE_PORTS_CONF_VAL=”File /etc/pure-ftpd/conf/PassivePortRange is empty or unreadable.” fi fi

NO_ANON_CONF_RAW=”File not found” NO_ANON_CONF_MSG=”Config file /etc/pure-ftpd/conf/NoAnonymous not found or not set.” if [ -f /etc/pure-ftpd/conf/NoAnonymous ]; then NO_ANON_CONF_RAW=$(cat /etc/pure-ftpd/conf/NoAnonymous 2>/dev/null) if [ “$NO_ANON_CONF_RAW” = “yes” ]; then NO_ANON_CONF_MSG=”Yes (Anonymous login disabled as per /etc/pure-ftpd/conf/NoAnonymous)” else NO_ANON_CONF_MSG=”Value ‘$NO_ANON_CONF_RAW’ in /etc/pure-ftpd/conf/NoAnonymous (implies anonymous potentially enabled if not ‘yes’)” fi fi

TLS_CONF_RAW=”File not found” TLS_CONF_MSG=”Config file /etc/pure-ftpd/conf/TLS not found or not set. (0=off, 1=TLS optional, 2=FTPS required)” if [ -f /etc/pure-ftpd/conf/TLS ]; then TLS_CONF_RAW=$(cat /etc/pure-ftpd/conf/TLS 2>/dev/null) if [ “$TLS_CONF_RAW” = “0” ]; then TLS_CONF_MSG=”0 (TLS Disabled as per /etc/pure-ftpd/conf/TLS)”; elif [ “$TLS_CONF_RAW” = “1” ]; then TLS_CONF_MSG=”1 (TLS for control & data, optional client cert, as per /etc/pure-ftpd/conf/TLS)”; elif [ “$TLS_CONF_RAW” = “2” ]; then TLS_CONF_MSG=”2 (FTPS: TLS for control & data required, no client cert, as per /etc/pure-ftpd/conf/TLS)”; else TLS_CONF_MSG=”Value ‘$TLS_CONF_RAW’ in /etc/pure-ftpd/conf/TLS (Unknown value)”; fi fi

#— FTP User Information (based on tutorial’s ‘ftpuser’) —

FTPUSER_EXISTS_MSG=”User ‘ftpuser’ (from tutorial) not found in /etc/passwd.” FTPUSER_HOME_DIR=”N/A” # Renamed to avoid conflict with $HOME FTPUSER_SHELL=”N/A” if getent passwd ftpuser >/dev/null 2>&1; then FTPUSER_EXISTS_MSG=”User ‘ftpuser’ (from tutorial) exists.” FTPUSER_HOME_DIR=$(getent passwd ftpuser | cut -d: -f6) FTPUSER_SHELL=$(getent passwd ftpuser | cut -d: -f7) fi

#— Displaying Information —

echo -e “\nGeneral System & Service Info:” echo -e “ System IP Addresses: $IP_ADDRESSES” echo -e “ Pure-FTPd Service Status (systemctl): $SERVICE_STATUS” echo -e “ Pure-FTPd Package Version (dpkg): $PKG_VERSION” echo -e “ Running pure-ftpd Command Line (best effort from ps): $PROC_ARGS_FULL” echo -e “ Listening FTP Port(s) (from ss): $LISTENING_PORTS (Typically 21 for control)”

echo -e “\nConfiguration (Values from /etc/pure-ftpd/conf/ unless overridden by command line args above):” echo -e “ Passive Port Range (from /etc/pure-ftpd/conf/PassivePortRange): $PASSIVE_PORTS_CONF_VAL” echo -e “ Anonymous Login (from /etc/pure-ftpd/conf/NoAnonymous): $NO_ANON_CONF_MSG” echo -e “ TLS Mode (from /etc/pure-ftpd/conf/TLS): $TLS_CONF_MSG” echo -e “ TLS Certificate: Path is typically set via a command-line option (e.g., -T /path/to/cert.pem) or uses a default compiled-in path. Check the running process arguments above. The tutorial uses /etc/ssl/private/pure-ftpd.pem.” echo -e “ Chroot Behavior: Default is often to chroot users. Check for /etc/pure-ftpd/conf/NoChroot (if present, may disable chroot for some) or -A/-a flags in running command line args above.”

echo -e “\nFTP User Information (based on tutorial’s ‘ftpuser’):” echo -e “ FTP User for Connection: System user (the tutorial guides creating ‘ftpuser’).” echo -e “ Password for FTP User: [This cannot be retrieved. Use the password you set for the system user, e.g., ‘ftpuser’.]” echo -e “ Status of ‘ftpuser’: $FTPUSER_EXISTS_MSG” echo -e “ Home Directory for ‘ftpuser’ (if exists): $FTPUSER_HOME_DIR” echo -e “ Shell for ‘ftpuser’ (if exists): $FTPUSER_SHELL”

echo -e “\nFirewall (UFW Example - run the check command with sudo for current status):” echo -e “ Expected Ports (as per tutorial): 21/tcp (FTP Control), 30000-35000/tcp (Passive FTP)” echo -e “ To check UFW status for these ports, run: sudo ufw status verbose | grep -E ‘21/tcp|30000:35000/tcp’”

echo “—————————————–” echo “Script finished.” ```

#Connect a Windows 11 Machine to the Debian FTP Server Using FileZilla

#Prerequisites

FTP Server Details: Ensure you have the Debian server’s IP address, FTP username (ftpuser), and password.
FileZilla Client Installed: Download and install the FileZilla Client on your Windows machine.

#Step-by-Step Process

Download and Install FileZilla
- Visit the FileZilla download page to download the FileZilla FTP client for Windows.
- Run the installer and follow the on-screen instructions to complete the installation.
Launch FileZilla
- Open the FileZilla application. Upon first launch, a welcome pop-up may appear; click OK to proceed.
Configure FTP Connection
- At the top of the FileZilla window, locate the Quickconnect bar with fields for Host, Username, Password, and Port.
- Enter the Following Details:
  - Host: <IP-of-the-FTP-Server> (e.g., 192.168.1.100)
  - Username: ftpuser
  - Password: Your FTP user’s password
  - Port: 21 for FTP or 22 for SFTP (if configured)
- Example:
  Host: 192.168.1.100 Username: ftpuser Password: yourpassword Port: 21
  
  Note: Do not include ftp:// in the Host field.
Connect to the FTP Server
- Click the Quickconnect button.
- Security Prompt: If connecting via FTPS, a certificate warning may appear. Verify the certificate details and click Yes to trust the connection.
- Successful Connection Indicators:
  - The Remote Site pane (right side) will populate with directories from the Debian FTP server.
  - The Local Site pane (left side) displays your Windows machine’s directories.
Browse and Transfer Files
- Uploading Files:
  - Navigate to the desired local directory in the Local Site pane.
  - Drag and drop files or folders to the desired location in the Remote Site pane.
- Downloading Files:
  - Navigate to the desired directory in the Remote Site pane.
  - Drag and drop files or folders to the desired location in the Local Site pane.
- File transfers will display progress and status in the bottom pane.
Using Site Manager for Future Connections (Optional)
- Save Connection Details for Easy Access:
  - Go to File > Site Manager.
  - Click New Site and enter a name (e.g., Debian FTP Server).
  - Enter Connection Details:
    - Host: <IP-of-the-FTP-Server>
    - Port: 21 for FTP or 22 for SFTP
    - Protocol: Choose FTP - File Transfer Protocol or SFTP - SSH File Transfer Protocol based on your server configuration.
    - Encryption: Select Use explicit FTP over TLS if available for FTPS or Only use plain FTP (not recommended).
    - Logon Type: Select Normal.
    - User: ftpuser
    - Password: Your FTP user’s password
  - Click Connect to save and establish the connection.
- Access Saved Sites Quickly:
  - Launch FileZilla and open Site Manager.
  - Select your saved site and click Connect to establish a connection without re-entering credentials.

#Security Best Practices

Use SFTP or FTPS: To secure your FTP connections, consider using SFTP (which uses SSH) or FTPS (FTP over TLS). This encrypts data transfers, protecting sensitive information.
Strong Passwords: Ensure that FTP user accounts use strong, unique passwords to prevent unauthorized access.
Limit User Permissions: Restrict FTP users to only the directories they need access to, minimizing potential security risks.
Regular Updates: Keep both the FTP server (pure-ftpd) and FileZilla client updated to the latest versions to benefit from security patches and new features.

#Troubleshooting Common Issues

Cannot Connect to FTP Server:
- Check Server Status: Ensure that the pure-ftpd service is running on the Debian server.
  sudo systemctl status pure-ftpd
- Verify Firewall Settings: Confirm that the firewall allows traffic on the FTP and passive ports.
- Confirm Credentials: Double-check the FTP username and password for accuracy.
Connection Times Out:
- Network Issues: Verify that both machines are on the same network or that the server is accessible over the internet.
- Port Blocking: Ensure that no intermediate firewalls or network policies are blocking FTP ports.
Permission Denied Errors:
- User Permissions: Ensure the FTP user has the necessary permissions for the target directories.
- Directory Ownership: Verify that directories are owned by the FTP user.
  sudo chown -R ftpuser:ftpuser /home/ftpuser
Encryption Errors with FTPS/SFTP:
- Certificate Validity: Ensure that the TLS certificate is correctly configured and not expired.
- Protocol Compatibility: Confirm that both FileZilla and pure-ftpd are configured to use compatible encryption settings.

URL: https://ib.bsb.br/ftpd