Secure existing PureFTPd installation

Pure-FTPd is a free, secure, production-quality and standard-conformant FTP daemon that was designed with security in mind. This cheatsheet explains how to harden this FTP daemon.

Usually, the configuration parameters for Pure-FTPd are stored in the file /etc/pure-ftpd.conf:

ChrootEveryone yes
NoAnonymous yes

MaxClientsNumber 50
MaxClientsPerIP 3
MaxIdleTime 10

LimitRecursion 500 8
Umask 133:022

Below is a description of each directive that affects security:

ChrootEveryone: Restricts PureFTPd users to seeing only their home directory and their own files. The feature is called "chroot".

NoAnonymous: Disallows anonymous connections. This means that in order to log in to the server, users must have an account.

MaxClientsNumber: Specifies the number of users that can be connected to PureFTPd simultaneously. The above value is acceptable for most servers.

MaxClientsPerIP: Sets the number of simultaneous connections allowed from the same IP address. Reducing the number will increase security.

MaxIdleTime: Sets the idle time in minutes. When the time expires, PureFTPd disconnects the inactive user.

LimitRecursion: Limits the number of files and directories the FTP daemon displays in response to the 'ls' command. This option helps avoid denial-of-service (DoS) attacks which can consume CPU resources.

Umask: Sets the creation mask for files and directories. For security reasons, a umask of 133 for files and 022 for directories is recommended.
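
One way to check an existing /etc/pure-ftpd.conf against the values above, as an added example that is not part of the original cheatsheet or of the Pure-FTPd project. The function name audit_pureftpd_conf, and the rule that any number larger than the one shown above counts as a finding, are assumptions:

```sh
#!/bin/sh
# Added example: audit a pure-ftpd.conf against the values listed on this page.
# Assumption: the page's numbers are ceilings, so any larger value is a finding.
# Prints one "FAIL ..." line per finding; returns 0 if clean, 1 otherwise.
audit_pureftpd_conf() {
    awk '
    function fail(msg) { print "FAIL " msg; bad = 1 }
    # Directive must be present and set to "yes".
    function need_yes(k) {
        if (!(k in conf)) fail(k " missing (want yes)")
        else if (tolower(conf[k]) != "yes") fail(k " is " conf[k] " (want yes)")
    }
    # Numeric argument at position "field" must be present and <= limit.
    function need_max(k, field, limit,    n, parts) {
        if (!(k in conf)) { fail(k " missing (want <= " limit ")"); return }
        split(conf[k], parts)
        n = parts[field]
        if (n !~ /^[0-9]+$/ || n + 0 > limit)
            fail(k " argument " field " is \"" n "\" (want <= " limit ")")
    }
    /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
    { key = $1; $1 = ""; sub(/^[ \t]+/, ""); conf[key] = $0 }   # last value wins
    END {
        need_yes("ChrootEveryone")
        need_yes("NoAnonymous")
        need_max("MaxClientsNumber", 1, 50)
        need_max("MaxClientsPerIP", 1, 3)
        need_max("MaxIdleTime", 1, 10)
        need_max("LimitRecursion", 1, 500)   # first argument: files listed
        need_max("LimitRecursion", 2, 8)     # second argument: directory depth
        if (!("Umask" in conf)) fail("Umask missing (want 133:022)")
        else if (conf["Umask"] != "133:022")
            fail("Umask is " conf["Umask"] " (want 133:022)")
        exit bad + 0
    }' "$1"
}

# Demo on a constructed config fragment (not taken from a real server).
demo=$(mktemp)
printf '%s\n' 'ChrootEveryone yes' 'NoAnonymous no' 'MaxClientsPerIP 8' > "$demo"
audit_pureftpd_conf "$demo" || echo "config needs attention"
rm -f "$demo"
```

Run it as audit_pureftpd_conf /etc/pure-ftpd.conf; the non-zero return status makes it usable as a gate in a provisioning or compliance job.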