Ftp is easy to configure on a cPanel server using WHM or the pureFTP configuration file.  The FTP service configuration in WHM is a no-brainer, but for those looking to set up FTP from command line (such as for automation purposes), you can use cPanel’s built-in template system to apply configuration options that will not be overwritten during cPanel updates.

The pureFTP template is located in /var/cpanel/conf/pureftpd/main, and is set up YAML style similar to most of cPanel’s internal configuration files. The settings in the template correlate directly to the same options in /etc/pure-ftpd.conf, but it’s better to edit the template since cPanel tends to prefer template-based configuration to regenerate (overwrite) config files.

So let’s change an option in the FTP configuration. I’m going to change the LimitRecursion value from 2000 to 10000, which will allow the FTP server to display more than 2000 files in a single folder. To do this, I’ll edit the value in the template file mentioned previously, and then apply the changes using one of the WHM binaries invoked from command line:

/usr/local/cpanel/whostmgr/bin/whostmgr2 doftpconfiguration

What if I wanted to specify an option that isn’t in the template? Well, you can do this one of two ways:

1. Add the option to the template

If you do this, note the syntax in the other FTP options – yes and no are enclosed in single quotes, everything else is not. You also need to envoke doftpconfiguration via the whostmgr2 command as shown above.

2. Change the option to pure-ftp.conf

You can change an option in the FTP configuration file and run /scripts/ftpup –force, and the template will add the changed values to the template as long as they don’t already exist. If they do, the template will change the specified option in pure-ftpd.conf to match its own value.

Generally this would com in use if you’re automating server setups.  You can create a standard template for pureFTP, and download it to your server upon setup and update the configuration. This prevents you from having to modify anything manually, which can be a pain when deploying a large number of servers:

wget -O /var/cpanel/conf/pureftp/main http://yourrepo/pureftp/main

/usr/local/cpanel/whostmgr/bin/whostmgr2 doftpconfiguration

Additional Resources:

cPanel Documenation: FTP Configuration

This article will not go into detailed technicalities on identifying, troubleshooting, tracing, and fixing hacks. These topics are far too broad to cover in a single article, and is outside the scope of this article’s intent. This guide is to help you, the system admin, come up with a plan to handle situations involving breached security.

By default, your main FTP (cPanel) user will have and FTP path to the user’s home folder, and each FTP user you create after that will have a path that you specify with you create the account in cPanel > FTP accounts.

Unfortunately, cPanel’s interface does not currently let you change the FTP paths for your main account or sub-accounts, but you can easily change these in the FTP user configuration files. Each cPanel user has a file in /etc/proftpd (yes, even if you use pure-ftp), which contains the information about the FTP users for that account. A sample FTP user file for the cPanel ‘user1′ may look like this:

newuser:$1$K4v6EN_V$gmV/YZVYP1w/oJRy/72cg.:2110:2098:user1:/home/user1/public_html/newuser:/bin/ftpsh
user1:$1$21PI_llg$mkBe12xsL2K3YZPSkM.3..:2110:2098::/home/user1:/bin/ftpsh
user_logs:$1$21PI_llg$mkBe12xsL2K3YZPSkM.3..:2110:2098:user1:/usr/local/apache/domlogs/user1:/bin/ftpsh

If you want to change the FTP root for any of the users, simply make the change in this file and restart your FTP service.

Passive FTP is not enabled with pure-ftp by default. To enable this, edit /etc/pure-ftpd.conf and uncomment out this line:

PassivePortRange          30000 50000

This means that FTP will answer passively on the range of ports between 30000 and 50000, so you may want to narrow the scope to something like 30000 to 35000.  Once you do this, you need to restart FTP and open the range of ports you selected in your server’s firewall.

If you’re running ProFTP, you can edit /etc/proftpd.conf and add this line, if it doesn’t already exist elsewhere:

PassivePorts 30000 50000

FTP hacks seem to be on the rise nowadays, with viruses like Gumblar stealing FTP passwords and farming them out to hackers so they can upload malicious code into user files. What you end up with is a flood of complaints from users about errors on their site and being flagged by Google for malicious content.  And as you know, when  things like this happen the first person the customer tends to blame is the hosting provider.

While it’s really not something you as the hosting provider can control, there are measures you can take to secure your server against FTP hacks.

Lately FTP has been a problem for a lot of hosting providers. Especially since the recent influx of Gumblar-related attacks and FTP exploits, some hosting providers are now considering changing their FTP ports as an added measure of security. If you’re on a cPanel server you have a couple extra steps to go through, but it’s a rather easy change.

Pure-FTP

1) Edit /etc/pure-ftpd.conf and look for the following line:

Bind <addr> <port>

Where <addr> is a publically routable IP.  The default example, 127.0.0.1, will cause the socket to bind locally but then this connection won’t serve externally. <port> is the new port you wish to put the service on.

2) If necessary, add the new FTP port to your server’s firewall

3) Edit /etc/chkserv.d/ftpd and change the port, which is the first comma-separated entry to the right of ‘=’ on the line in the file, to match the port you put the service on.

Finally:

/etc/init.d/pure-ftpd restart
/etc/init.d/cpanel restart (restarts tailwatchd/chkservd)

ProFTP

Edit /etc/proftpd.conf and change:

Port 21

Then make sure to test to make sure FTP is working before notifying your users!