How to Set up a Secure FTP Server with Pure FTPd on Ubuntu 16.04

Pure FTPd is a free open-source FTP server designed with security in mind. In this tutorial, we are going to take a look at how to set up a secure FTP server on Ubuntu 16.04 server with Pure FTPd and how to enforce TLS encryption.

Pure FTPd features:

  • It supports SSL/TLS encryption and thus passwords and commands can be protected.
  • It can run on most Unix-like systems: Linux, BSDs, Solaris, Darwin, HPUX, AIX and even iPhone.
  • Available in 21 languages.
  • Allows you to monitor active sessions.
  • Supports a virtual quota system.
  • And much more

For a complete list of features, please go to Pure FTPd official website.

Installing Pure FTPd on Ubuntu 16.04 Server

It’s in the software repository, so issue the following command to install the FTP server.

sudo apt install pure-ftpd

Once installed, Pure FTPd will be automatically started, as can be seen with this command:

systemctl status pure-ftpd


   Loaded: loaded (/etc/init.d/pure-ftpd; bad; vendor preset: enabled)
   Active: active (running) since Mon 2016-12-12 21:51:46 EST; 23s ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/pure-ftpd.service
           └─3435 pure-ftpd (SERVER)

preset: enabled indicates it will auto start at system boot time.

And it’s listening on TCP port 21, the control port, as can be seen with

sudo netstat -lnpt | grep pure-ftpd

pure-ftpd secure ftp server

Anonymous access is disabled by default. From now on you can use your system account to login, but plain text FTP is insecure and strongly discouraged. To have a secure FTP server, we need to encrypt communication with TLS.

How to Enforce TLS Encryption

To enable both plain-text and TLS encryption, run the following command, which create the /etc/pure-ftpd/conf/TLS file and put number 1 into the file.

echo 1 | sudo tee /etc/pure-ftpd/conf/TLS

But it’s recommended to disable plain-text and use TLS encryption only, so put the number 2 to the file instead.

echo 2 | sudo tee /etc/pure-ftpd/conf/TLS

Obtaining a TLS Certificate

If you have a CA signed certificate, skip this step, go to the next step.

If you don’t have a certificate, then you can obtain a free one from Let’s Encrypt. Self-signed certificate is not recommended because the user will get a warning like the screenshot below.

nautilus ftps

To obtain a TLS certificate from Let’s Encrypt, install the Let’s Encrypt (certbot) client.

sudo apt install letsencrypt

Then run the following command.

sudo letsencrypt certonly --agree-tos --email your-email-address -d

Your certificate will be save at  /etc/letsencrypt/archive/ directory.

Installing the Certificate

Pure FTPd requires that the certificate and private key are combined into one file named pure-ftpd.pem and stored under /etc/ssl/private/ directory.

You can use cat command to combine two files into one like below.

cat cert.pem privatekey.pem > pure-ftpd.pem

Let’s Encrypt signed certificate is named fullchain1.pem and private key is named privkey1.pem.

Then move pure-ftpd.pem file to /etc/ssl/private/ directory.

sudo mv pure-ftpd.pem /etc/ssl/private/

And make sure only root user can read the file.

sudo chmod 600 /etc/ssl/private/pure-ftpd.pem

Restart Pure FTPd.

sudo systemctl restart pure-ftpd

Now you can connect to your FTP server over TLS.

If you use Nautilus file manager to connect to FTP server via plain text ftp:// protocol

nautilus connect to ftp server

The connection will be refused.

cleartext sessions are not accepted on this server

Instead of ftp://, you must use ftps://.

Please note that Filezilla doesn’t trust any certificate (self-signed or CA signed) by default. Users must choose to trust certificate for themselves.

filezilla unknown certificate

FileZilla Unknown Certificate Warning

That’s it!

I hope this tutorial helped you set up a secure FTP server with Pure FTPd on Ubuntu 16.04. As always, if you found this post useful, then subscribe to our free newsletter. You can also follow us on Google+ Twitter or like our Facebook page.

Rate this tutorial
[Total: 4 Average: 5]

4 Responses to “How to Set up a Secure FTP Server with Pure FTPd on Ubuntu 16.04

  • LinuxGuy
    1 year ago

    What port should I open in firewall?

  • Wesley Santos
    12 months ago

    Hi Xiao, do you have a tutorial for setting up FTP server on Ubuntu 18.04 or Debian 10?

    best regards,
    Wesley Santos

    • ports 20 and 21 are used for when FTP is in the active mode. some clients behind firewalls out of their own reach however will find they need passive mode, and then you need to open just port 21/tcp and a range of ports on the high end, to get ftp working. but you would need to tell pure-ftpd about it like so:

       # echo "55521 55522" > /etc/pure-ftpd/conf/PassivePortRange

      This writes a port range 55521-55522 into the file PassivePortRange, in our example pure-ftpd would have two ports to connect two times to (a) client(s) at max. If you want to have more connections, just add some more ports to the range. like write “55521 55530” if you want to have 10 ports, which pure-ftpd will then be able to choose randomly for sessions.

      Hope that helps someone.

      then restart the service

      # servicepure-ftpd-mysql restart

      make sure you open the ports you gave pure-ftpd for passive connections in your firewall, like Xiao Guo An explained above.

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community ( for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB.
You can upload: image.