Ansible PureFTPd
The geekoops-pureftpd role is a configurable ansible role for setting up a PureFTPd ftp server. I choose PureFTPd because it appears to be more secure than ProFTPd. In comparison to vsftp, one server program can run both IPv4 and IPv6.
This role works on openSUSE Leap.
PureFTPd is a highly configurable ansible role. See the following list of possible variables, but you probably don’t need much of them.
| Value | Description | Default |
|---|---|---|
config_firewall | Apply firewall rules | false |
firewall_zone | Firewall zone where ftp will be allowed | public |
MaxClientsNumber | Maximum number of anonymous clients | 10 |
MaxClientsPerIP | Maximum clients per IP address | 3 |
AnonymousOnly | Forbid user login | yes |
NoAnonymous | Disallow anonymous | no |
PAMAuthentication | Allow PAM authentication | no |
MaxIdleTime | Maximum idle time in minutes before disconnecting | 5 |
MaxLoad | Disallow anonymous download if system load is above this value | 4 |
PassivePortMin | Passive port range - lower bound | 30000 |
PassivePortMax | Passive port range - upper bound | 30100 |
ForcePassiveIP | Use this IP for passive mode, useful if PureFTPd is behind a NAT | "" (disabled) |
Bind | Bind address and port (e.g. 127.0.0.1,21) | "" (disabled) |
Bandwidth | Max bandwidth for all users in KB/s | "" (disabled) |
TrustedIP | Allow login only from this IP | "" (disabled) |
MaxUserSessions | Maximum number of open session per user | 3 |
MaxAnonSessions | Maximum number of open anonymous sessions | 20 |
IPV4Only | Bind to IPv4 only. By default we bind to IPv4 and IPv6 | no |
IPV6Only | Bind to IPv6 only. By default we bind to IPv4 and IPv6 | no |
With this example playbook we setup a PureFTPd server that allows only anonymous access. Because we have only some resources, we allow up to 100 session in parallel.
- hosts: jellyfish
user: root
roles:
- role: geekoops-pureftpd
vars:
config_firewall: true
AnonymousOnly: yes
PassivePortMin: 30000
PassivePortMax: 31000
MaxAnonSessions: 100