Ansible PureFTPd

The geekoops-pureftpd role is a configurable Ansible role for setting up a PureFTPd FTP server. I chose PureFTPd because it appears to be more secure than ProFTPd. Unlike vsftpd, a single server program can serve both IPv4 and IPv6.

This role works on openSUSE Leap.

Role Variables

This is a highly configurable Ansible role. See the following list of possible variables; you probably won't need most of them.

| Variable | Description | Default |
|---|---|---|
| config_firewall | Apply firewall rules | false |
| firewall_zone | Firewall zone where FTP will be allowed | public |
| MaxClientsNumber | Maximum number of anonymous clients | 10 |
| MaxClientsPerIP | Maximum clients per IP address | 3 |
| AnonymousOnly | Forbid user login | yes |
| NoAnonymous | Disallow anonymous | no |
| PAMAuthentication | Allow PAM authentication | no |
| MaxIdleTime | Maximum idle time in minutes before disconnecting | 5 |
| MaxLoad | Disallow anonymous download if system load is above this value | 4 |
| PassivePortMin | Passive port range, lower bound | 30000 |
| PassivePortMax | Passive port range, upper bound | 30100 |
| ForcePassiveIP | Use this IP for passive mode, useful if PureFTPd is behind a NAT | "" (disabled) |
| Bind | Bind address and port (e.g. 127.0.0.1,21) | "" (disabled) |
| Bandwidth | Max bandwidth for all users in KB/s | "" (disabled) |
| TrustedIP | Allow login only from this IP | "" (disabled) |
| MaxUserSessions | Maximum number of open sessions per user | 3 |
| MaxAnonSessions | Maximum number of open anonymous sessions | 20 |
| IPV4Only | Bind to IPv4 only. By default we bind to IPv4 and IPv6 | no |
| IPV6Only | Bind to IPv6 only. By default we bind to IPv4 and IPv6 | no |

Example

This example playbook sets up a PureFTPd server that allows only anonymous access. Because we have limited resources, we allow up to 100 sessions in parallel.

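    - hosts: jellyfish
      user: root
      roles:
        - role: geekoops-pureftp
          vars:
            config_firewall: true     # let the role apply the firewall rules
            AnonymousOnly: yes        # forbid user logins, anonymous access only
            PassivePortMin: 30000     # passive port range, lower bound
            PassivePortMax: 31000     # passive port range, upper bound
            MaxAnonSessions: 100      # up to 100 parallel anonymous sessions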
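
A variant of the playbook above with a pre-flight check, added here as an example and not part of the role: an `ansible.builtin.assert` task rejects contradictory combinations of the variables from the table before the role touches the server. It assumes the variables are set at play level (so `pre_tasks` can see them) and that the role reads them from its defaults. The TrustedIP rule is a local policy choice of this example, not a requirement of the role.

```yaml
# Added example, not part of the role. Variable names and defaults come from
# the table above. Assumption: the role takes these from its defaults, so
# play-level vars override them and are also visible to pre_tasks.
- hosts: jellyfish
  user: root
  vars:
    config_firewall: true
    AnonymousOnly: yes
    PassivePortMin: 30000
    PassivePortMax: 31000
    MaxAnonSessions: 100
  pre_tasks:
    - name: Refuse contradictory PureFTPd settings before the role runs
      ansible.builtin.assert:
        quiet: true
        fail_msg: PureFTPd variables are contradictory, see the failed condition
        that:
          # AnonymousOnly forbids user logins and NoAnonymous forbids anonymous
          # ones; with both set nobody can log in.
          - not (AnonymousOnly | default(true) | bool and NoAnonymous | default(false) | bool)
          # Binding to "IPv4 only" and "IPv6 only" at once makes no sense.
          - not (IPV4Only | default(false) | bool and IPV6Only | default(false) | bool)
          # Passive ports: unprivileged, ordered, inside the TCP port space.
          - PassivePortMin | default(30000) | int >= 1024
          - PassivePortMin | default(30000) | int <= PassivePortMax | default(30100) | int
          - PassivePortMax | default(30100) | int <= 65535
          # Every passive transfer occupies one port of the range, so keep at
          # least one port per permitted session.
          - >-
            (PassivePortMax | default(30100) | int) - (PassivePortMin | default(30000) | int) + 1
            >= [MaxClientsNumber | default(10) | int, MaxAnonSessions | default(20) | int] | max
          # Local policy (an assumption of this example): the table lists no TLS
          # setting and plain FTP sends passwords in clear text, so user logins
          # are accepted only together with a TrustedIP restriction.
          - (AnonymousOnly | default(true) | bool) or (TrustedIP | default('') | length > 0)
  roles:
    - role: geekoops-pureftp
```

When a condition fails, the play stops before the role runs and Ansible reports which assertion evaluated to false.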