Pure-FTPD Virtual FTP Users
Centmin Mod 1.2.3-eva2000.08+ and higher includes Pure-FTPD virtual FTP user support. When you create an Nginx vhost via centmin.sh menu option 2, a virtual FTP user is automatically created with access to the vhost directory.
This provides a basic virtual FTP user setup for access by yourself or trusted individuals. It is not a fully jailed/chrooted environment and should not be used for shared hosting with untrusted users.
Notes
- This is not the full jailed/chrooted user setup but a more basic workaround. It is not fully isolated between virtual FTP user accounts and is intended for access by yourself or trusted users only.
- If using WordPress, see the note about Direct FS Method setting in wp-config.php.
- You can enable automatic malware and virus scanning for FTP uploads by installing the Centmin Mod maldet.sh addon. Full details here.
- If your ISP IP address is being blocked when connecting to Pure-FTPD, check FAQ item 40.
Enable TLS/SSL
Centmin Mod configures Pure-FTPD with enforced TLS/SSL encrypted connections using a self-signed SSL certificate. No plain text connections are allowed by default.
- Set your FTP client to use FTP explicit SSL mode and enable passive connections (PASV). Connect via your server's IP address on FTP port 21.
- Disable SSL certificate validation in your FTP client, since a self-signed certificate is used.
- Passive port range:
  - 3000–3050 for Centmin Mod 123.08stable
  - 30001–50011 for Centmin Mod 123.09 beta and higher
- Upgrades to 123.09 beta and higher automatically reconfigure CSF Firewall to use the larger passive TCP port range. If your web host has its own internal firewall, you may need to whitelist these ports for TCP protocol.
Other Firewalls
- The passive TCP port range (3000–3050 or 30001–50011) must be open for Pure-FTPD to accept connections. CSF Firewall installed by Centmin Mod handles this on the server side.
- If you have firewalls between your connecting computer and the Centmin Mod server (e.g., Amazon AWS EC2, Google Cloud, Vultr, OVH), you may need to configure them to whitelist the required TCP ports. CSF Firewall config /etc/csf/csf.conf lists the default whitelisted ports in TCP_IN, TCP_OUT, TCP6_IN, TCP6_OUT, etc.
- For Vultr Firewall, see the guide for replicating CSF Firewall inbound rules via Vultr API.
SecureFX FTP Client Configuration
When configuring SecureFX, select FTP over Explicit TLS/SSL as the connection protocol. Enable passive mode (PASV) and connect using your server's IP address on port 21. Disable SSL certificate validation since Pure-FTPD uses a self-signed certificate.
SecureFX Settings Summary
- Protocol: FTP over Explicit TLS/SSL
- Hostname: Your server IP address
- Port: 21
- Passive mode: Enabled
- SSL validation: Disabled (self-signed cert)
Filezilla FTP/SFTP Client Configuration
In Filezilla, use the Site Manager to create a new connection with the following settings:
Filezilla Settings Summary
- Protocol: FTP – File Transfer Protocol
- Host: Your server IP address
- Port: 21
- Encryption: Require explicit FTP over TLS
- Logon Type: Normal
- Transfer Settings: Passive mode
When Filezilla prompts about the unknown self-signed certificate, select "Always trust this certificate" to avoid repeated prompts on future connections.
CSF Firewall Port Flood Protection
If you experience Pure-FTPD disconnections or connection issues when uploading many files at once, CSF Firewall's DDOS port flood protection may be the cause. Follow the guide at the community forums for troubleshooting steps.
How to Disable Pure-FTPD
Fresh Installs
Before initial install, set PUREFTPD_DISABLED=y in centmin.sh. Pure-FTPD will still be installed but disabled after the install. Nginx vhost menu option 2 will automatically skip Pure-FTPD virtual FTP user routines.
Existing Installs
Set the variable in persistent config and stop the service:
Add to /etc/centminmod/custom_config.inc:
PUREFTPD_DISABLED=y
Then disable the service:
service pure-ftpd stop
chkconfig pure-ftpd off
To re-enable:
service pure-ftpd start
chkconfig pure-ftpd on
Disable Forced TLS/SSL Encrypted Mode
Security Warning: Disabling forced TLS/SSL allows unencrypted FTP connections. This is strongly discouraged for security reasons. Only do this if you are having connection issues and need to troubleshoot.
Edit /etc/pure-ftpd/pure-ftpd.conf and change TLS 2 to TLS 1:
Before (TLS required):
TLS 2
After (TLS optional):
TLS 1
TLS values reference:
- 0 – Disable SSL/TLS encryption (default for upstream Pure-FTPD)
- 1 – Accept both traditional and encrypted sessions
- 2 – Refuse connections that don't use TLS/SSL (Centmin Mod default)
Then restart the service:
service pure-ftpd restart
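After troubleshooting with TLS 1, it is easy to leave the server accepting plain text logins. The following check is an added example, not part of Centmin Mod: it reads a pure-ftpd.conf and reports which of the TLS values above is in effect. The function names are hypothetical, and a file with conflicting TLS lines is reported as ambiguous rather than guessing which line Pure-FTPD would honour.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): report the TLS mode configured in a
# pure-ftpd.conf, using the 0/1/2 meanings listed on this page.

# Print the value of every uncommented "TLS <n>" line, one per line.
# Reads the named file, or stdin when no file is given.
# Commented lines ("# TLS 1") and other directives (TLSCipherSuite) are
# skipped because their first field is not exactly "TLS".
tls_values() {
    awk '$1 == "TLS" && $2 ~ /^[0-9]+$/ { print $2 }' "$@"
}

# Print one of: enforced | optional | disabled | ambiguous
tls_status() {
    vals=$(tls_values "$@" | sort -u)
    case "$vals" in
        2)    echo "enforced" ;;   # plain text sessions refused
        1)    echo "optional" ;;   # plain text sessions still accepted
        0|"") echo "disabled" ;;   # explicit 0, or directive absent (upstream default)
        *)    echo "ambiguous" ;;  # conflicting or unknown values: review by hand
    esac
}

# Usage: sh check_tls.sh /etc/pure-ftpd/pure-ftpd.conf
if [ "$#" -gt 0 ]; then
    tls_status "$1"
fi
```

Anything other than "enforced" means the Centmin Mod default of TLS 2 is not in place.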
Pure-FTPD Log File
The Pure-FTPD log file is located at /var/log/pureftpd.log. On some systems, logs are written to /var/log/messages and can be filtered with grep:
grep pure-ftpd /var/log/messages | tail -25
Change Pure-FTPD Username or Password
Centmin Mod auto-generated Nginx vhosts have an accompanying Pure-FTPD virtual FTP username and password. You can manage these using the pure-pw command. See the pure-pw manual and Virtual Users documentation.
List All Virtual FTP Users
pure-pw list
Delete a Virtual FTP User
pure-pw userdel FTPUSERNAME
pure-pw mkdb
Change FTP User Password
pure-pw passwd FTPUSERNAME
pure-pw mkdb
Show FTP User Details
pure-pw show FTPUSERNAME
Re-create Pure-FTPD User for Vhost
If you deleted the auto-generated Pure-FTPD virtual FTP user for an Nginx vhost, you can re-create it. Do not set the directory higher than /home/nginx/domains/domain.com.
For a Domain
pure-pw useradd YOURFTPUSERNAME -u nginx -g nginx -d /home/nginx/domains/domain.com
pure-pw mkdb
For a Subdomain
pure-pw useradd YOURFTPUSERNAME -u nginx -g nginx -d /home/nginx/domains/subdomain.domain.com
pure-pw mkdb
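Because every virtual FTP user maps to the same nginx system user, a home directory set above the vhost directory exposes other sites' files. The following audit is an added example, not part of Centmin Mod: it flags users whose home is not inside a directory under /home/nginx/domains. It assumes `pure-pw list` prints the login and home directory separated by whitespace, with a trailing "/./" marker on the home; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): flag virtual FTP users whose home
# directory is not inside a vhost directory under /home/nginx/domains.
# Assumed input: "login<whitespace>home" lines as printed by `pure-pw list`;
# homes containing spaces are not handled.
BASE=/home/nginx/domains

# Constructed sample listing; only ftpuser4/domain1.com appear on this page.
sample_listing() {
    cat <<'EOF'
ftpuser4    /home/nginx/domains/domain1.com/./
siteadmin   /home/nginx/./
backup      /home/nginx/domains/./
climb       /home/nginx/domains/domain1.com/../../
EOF
}

# Drop the trailing "/./" marker and any trailing slashes.
norm_home() {
    printf '%s\n' "$1" | sed -e 's#/\./*$##' -e 's#/*$##'
}

# Succeed only for paths at or below $BASE/<vhost> with no ".." component.
home_ok() {
    h=$(norm_home "$1")
    case "$h" in
        */../*|*/..) return 1 ;;   # parent traversal can climb out of the vhost
        "$BASE"/?*)  return 0 ;;   # a vhost directory or something below it
        *)           return 1 ;;   # $BASE itself, or anything outside it
    esac
}

# Read a listing on stdin and print the logins that fail home_ok.
audit_homes() {
    while read -r login home rest; do
        [ -n "$login" ] || continue
        home_ok "$home" || printf '%s\n' "$login"
    done
}

# Usage on a server: pure-pw list | audit_homes
sample_listing | audit_homes
```

Each login printed should be reviewed with pure-pw show and re-created with a home directory no higher than its own vhost directory.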
Example: Adding an Nginx Vhost with FTP User
Sample output from centmin.sh menu option 2 (Add Nginx vhost domain) showing the automatic Pure-FTPD virtual FTP user creation:
---------------------------------------------
Enter vhost domain name you want to add (without www. prefix): domain1.com
Create FTP username for vhost domain (enter username): ftpuser4
Create FTP password for ftpuser4 (enter password): pass
FTP username you entered: ftpuser4
FTP password you entered: pass
Password:
Enter it again:
---------------------------------------------
service nginx reload
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reloading nginx: [ OK ]
service pure-ftpd restart
Stopping pure-ftpd: [ OK ]
Starting pure-ftpd: [ OK ]
---------------------------------------------
FTP hostname : ipaddress
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for domain1.com : ftpuser4
FTP password created for domain1.com : pass
---------------------------------------------
vhost for domain1.com created successfully
vhost conf file for domain1.com created: /usr/local/nginx/conf/conf.d/domain1.com.conf
upload files to /home/nginx/domains/domain1.com/public
vhost log files directory is /home/nginx/domains/domain1.com/log
Current vhost listing at: /usr/local/nginx/conf/conf.d/
Jan 1 00:37 798 ssl.conf
Jan 1 00:37 1.1K demodomain.com.conf
Jan 1 00:37 1.4K virtual.conf
Jan 17 21:53 1.3K domain1.com.conf
---------------------------------------------
After vhost creation, use the FTP connection details shown in the output to connect with your FTP client. Remember to use FTP explicit SSL mode and passive (PASV) transfer mode.