############################################################ # # # Configuration file for pure-ftpd # # # ############################################################ # If you want to run Pure-FTPd with this configuration # instead of command-line options, please run the # following command : # # ${exec_prefix}/sbin/sbin/pure-ftpd /etc/pure-ftpd/pure-ftpd.conf # # Online documentation: # https://www.pureftpd.org/project/pure-ftpd/doc # Restrict users to their home directory ChrootEveryone yes # If the previous option is set to "no", members of the following group # won't be restricted. Others will be. If you don't want chroot()ing anyone, # just comment out ChrootEveryone and TrustedGID. # TrustedGID 100 # Turn on compatibility hacks for broken clients BrokenClientsCompatibility no # Maximum number of simultaneous users MaxClientsNumber 50 # Run as a background process Daemonize yes # Maximum number of simultaneous clients with the same IP address MaxClientsPerIP 8 # If you want to log all client commands, set this to "yes". # This directive can be specified twice to also log server responses. VerboseLog no # List dot-files even when the client doesn't send "-a". DisplayDotFiles yes # Disallow authenticated users - Act only as a public FTP server. AnonymousOnly no # Disallow anonymous connections. Only accept authenticated users. NoAnonymous yes # Syslog facility (auth, authpriv, daemon, ftp, security, user, local*) # The default facility is "ftp". "none" disables logging. SyslogFacility ftp # Display fortune cookies # FortunesFile /usr/share/fortune/zippy # Don't resolve host names in log files. Recommended unless you trust # reverse host names, and don't care about DNS resolution being possibly slow. DontResolve yes # Maximum idle time in minutes (default = 15 minutes) MaxIdleTime 15 # LDAP configuration file (see README.LDAP) # LDAPConfigFile /etc/pureftpd-ldap.conf # MySQL configuration file (see README.MySQL) # MySQLConfigFile /etc/pureftpd-mysql.conf # PostgreSQL configuration file (see README.PGSQL) # PGSQLConfigFile /etc/pureftpd-pgsql.conf # PureDB user database (see README.Virtual-Users) # PureDB /etc/pureftpd.pdb # Path to pure-authd socket (see README.Authentication-Modules) # ExtAuth /var/run/ftpd.sock # If you want to enable PAM authentication, uncomment the following line # PAMAuthentication yes # If you want simple Unix (/etc/passwd) authentication, uncomment this # UnixAuthentication yes # Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and # UnixAuthentication can be used specified once, but can be combined # together. For instance, if you use MySQLConfigFile, then UnixAuthentication, # the SQL server will be used first. If the SQL authentication fails because the # user wasn't found, a new attempt will be done using system authentication. # If the SQL authentication fails because the password didn't match, the # authentication chain stops here. Authentication methods are chained in # the order they are given. # 'ls' recursion limits. The first argument is the maximum number of # files to be displayed. The second one is the max subdirectories depth. LimitRecursion 10000 8 # Are anonymous users allowed to create new directories? AnonymousCanCreateDirs no # If the system load is greater than the given value, anonymous users # aren't allowed to download. MaxLoad 4 # Port range for passive connections - keep it as broad as possible. PassivePortRange 61001 65535 # Force an IP address in PASV/EPSV/SPSV replies. - for NAT. # Symbolic host names are also accepted for gateways with dynamic IP # addresses. # ForcePassiveIP 192.168.0.1 # Upload/download ratio for anonymous users. # AnonymousRatio 1 10 # Upload/download ratio for all users. # This directive supersedes the previous one. # UserRatio 1 10 # Disallow downloads of files owned by the "ftp" system user; # files that were uploaded but not validated by a local admin. AntiWarez yes # IP address/port to listen to (default=all IP addresses, port 21). # Bind 127.0.0.1,21 # Maximum bandwidth for anonymous users in KB/s # AnonymousBandwidth 8 # Maximum bandwidth for *all* users (including anonymous) in KB/s # Use AnonymousBandwidth *or* UserBandwidth, not both. # UserBandwidth 8 # File creation mask. : . # 177:077 if you feel paranoid. Umask 133:022 # Minimum UID for an authenticated user to log in. # For example, a value of 100 prevents all users whose user id is below # 100 from logging in. If you want "root" to be able to log in, use 0. MinUID 33 # Allow FXP transfers for authenticated users. AllowUserFXP no # Allow anonymous FXP for anonymous and non-anonymous users. AllowAnonymousFXP no # Users can't delete/write files starting with a dot ('.') # even if they own them. But if TrustedGID is enabled, that group # will exceptionally have access to dot-files. ProhibitDotFilesWrite no # Prohibit *reading* of files starting with a dot (.history, .ssh...) ProhibitDotFilesRead no # Don't overwrite files. When a file whose name already exist is uploaded, # it gets automatically renamed to file.1, file.2, file.3, ... AutoRename no # Prevent anonymous users from uploading new files (no = upload is allowed) AnonymousCantUpload no # Only connections to this specific IP address are allowed to be # non-anonymous. You can use this directive to open several public IPs for # anonymous FTP, and keep a private firewalled IP for remote administration. # You can also only allow a non-routable local IP (such as 10.x.x.x) for # authenticated users, and run a public anon-only FTP server on another IP. # TrustedIP 10.1.1.1 # To add the PID to log entries, uncomment the following line. # LogPID yes # Create an additional log file with transfers logged in a Apache-like format : # fw.c9x.org - jedi [13/Apr/2017:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338 # This log file can then be processed by common HTTP traffic analyzers. # AltLog clf:/var/log/pureftpd.log # Create an additional log file with transfers logged in a format optimized # for statistic reports. # AltLog stats:/var/log/pureftpd.log # Create an additional log file with transfers logged in the standard W3C # format (compatible with many HTTP log analyzers) # AltLog w3c:/var/log/pureftpd.log # Disallow the CHMOD command. Users cannot change perms of their own files. # NoChmod yes # Allow users to resume/upload files, but *NOT* to delete them. # KeepAllFiles yes # Automatically create home directories if they are missing # CreateHomeDir yes # Enable virtual quotas. The first value is the max number of files. # The second value is the maximum size, in megabytes. # So 1000:10 limits every user to 1000 files and 10 MB. # Quota 1000:10 # If your pure-ftpd has been compiled with standalone support, you can change # the location of the pid file. The default is /var/run/pure-ftpd.pid # PIDFile /var/run/pure-ftpd.pid # If your pure-ftpd has been compiled with pure-uploadscript support, # this will make pure-ftpd write info about new uploads to # /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and # spawn a script to handle the upload. # Don't enable this option if you don't actually use pure-uploadscript. # CallUploadScript yes # This option is useful on servers where anonymous upload is # allowed. When the partition is more that percententage full, # new uploads are disallowed. MaxDiskUsage 99 # Set to 'yes' to prevent users from renaming files. # NoRename yes # Be 'customer proof': forbids common customer mistakes such as # 'chmod 0 public_html', that are valid, but can cause customers to # unintentionally shoot themselves in the foot. CustomerProof yes # Per-user concurrency limits. Will only work if the FTP server has # been compiled with --with-peruserlimits. # Format is: : # For example, 3:20 means that an authenticated user can have up to 3 active # sessions, and that up to 20 anonymous sessions are allowed. # PerUserLimits 3:20 # When a file is uploaded and there was already a previous version of the file # with the same name, the old file will neither get removed nor truncated. # The file will be stored under a temporary name and once the upload is # complete, it will be atomically renamed. For example, when a large PHP # script is being uploaded, the web server will keep serving the old version and # later switch to the new one as soon as the full file will have been # transferred. This option is incompatible with virtual quotas. # NoTruncate yes # This option accepts three values: # 0: disable SSL/TLS encryption layer (default). # 1: accept both cleartext and encrypted sessions. # 2: refuse connections that don't use the TLS security mechanism, # including anonymous sessions. # Do _not_ uncomment this blindly. Double check that: # 1) The server has been compiled with TLS support (--with-tls), # 2) A valid certificate is in place, # 3) Only compatible clients will log in. TLS 1 # Cipher suite for TLS sessions. # The default suite is secure and setting this property is usually # only required to *lower* the security to cope with legacy clients. # Prefix with -C: in order to require valid client certificates. # If -C: is used, make sure that clients' public keys are present on # the server. #TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3 TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP # Certificate file, for TLS # The certificate itself and the keys can be bundled into the same # file or split into two files. # CertFile is for a cert+key bundle, CertFileAndKey for separate files. # Use only one of these. # CertFile /etc/ssl/private/pure-ftpd.pem # CertFileAndKey "/etc/pure-ftpd.pem" "/etc/pure-ftpd.key" # Unix socket of the external certificate handler, for TLS # ExtCert /var/run/ftpd-certs.sock # Listen only to IPv4 addresses in standalone mode (ie. disable IPv6) # By default, both IPv4 and IPv6 are enabled. # IPV4Only yes # Listen only to IPv6 addresses in standalone mode (i.e. disable IPv4) # By default, both IPv4 and IPv6 are enabled. # IPV6Only yes