taken from: https://hostio.solutions/kb/how-to-install/pure-ftpd/

How to Install Pure-FTPd with Let’s Encrypt

If you manage multiple servers, it is super important to make backups yourself. Hosting providers often offer backup services, but it’s also important to have a backup server elsewhere so that you always have access to your own data. This is especially useful when, for example, your hosting provider is completely offline.

In this “how to install” we’ll explain step by step how you can set up an FTP server with Pure-FTPd and how you can secure it with a certificate.

For this setup, we recommend that you use a dedicated server with Debian 10.

Step 1: Update server

Make sure that your Debian 10 server is up-to-date.

Step 2: Pure-FTPd installation

When your server is up-to-date, we can install the FTP server with Pure-FTPd. For this, we use the following command:

apt-get install pure-ftpd

Step 3: Configuration and setup of Pure-FTPd

To ensure that everything runs properly, the following commands must be executed:

echo "yes" > /etc/pure-ftpd/conf/Daemonize
echo "yes" > /etc/pure-ftpd/conf/NoAnonymous
echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone
echo "2" > /etc/pure-ftpd/conf/TLS

We recommend setting your FTP to IPv4 only, as the performance of IPv6 is not the same for every provider. You can do this by using the following command:

echo "yes" > /etc/pure-ftpd/conf/IPV4Only

Now we are going to set the config. From experience we know that the following works best:

We start with deleting the existing config. To do this, you can use the following command:

rm -rf /etc/pure-ftpd/pure-ftpd.conf

Now that we’ve deleted the existing config, we can complete the config file with our settings. Open the pure-ftpd.conf.

nano /etc/pure-ftpd/pure-ftpd.conf

Now that we have the text editor open, you can copy & paste the following:

ChrootEveryone yes
BrokenClientsCompatibility no
MaxClientsNumber 50
Daemonize yes
MaxClientsPerIP 8
VerboseLog no
DisplayDotFiles yes
AnonymousOnly no
NoAnonymous yes
SyslogFacility ftp
DontResolve yes
MaxIdleTime 15
LimitRecursion 10000
AnonymousCanCreateDirs no
MaxLoad 4
AntiWarez yes
Umask 133:022
MinUID 100
AllowUserFXP no
AllowAnonymousFXP no
ProhibitDotFilesWrite no
ProhibitDotFilesRead no
AutoRename no
AnonymousCantUpload no
MaxDiskUsage 99
CustomerProof yes
CertFile /etc/ssl/private/pure-ftpd.pem

Everything is now set up and configured.

Step 4: Secure the FTP server with Let’s Encrypt.

It’s important to make sure that you’re using a secure connection for your FTP traffic.

If you want to use SSL/TLS, we first need to create the folder for it. The certificate will be placed in this folder. To do this, you can use the following command:

mkdir -p /etc/ssl/pure-ftpd

Secure your FTP server with the SSL of Let’s Encrypt

In order to use Let’s Encrypt we first have to install Certbot.

apt-get install certbot

Now that we have done the installation, it is time to request an SSL certificate. Make sure you have a hostname and an A record for your server and go through all the steps of certbot.

certbot certonly --standalone

Now we are going to merge the created Let’s Encrypt certificate files. We do this with the following command:

cat /etc/letsencrypt/live/*/privkey.pem /etc/letsencrypt/live/*/fullchain.pem > /etc/ssl/private/pure-ftpd.pem

After we’ve merged the certificates, we have to make sure that the renewed SSL certificate is automatically merged via a cron job:

nano /etc/cron.d/certbot

If all goes well, the last line should say:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Now we have to add the following to the last line:

&& cat /etc/letsencrypt/live/*/privkey.pem /etc/letsencrypt/live/*/fullchain.pem > /etc/ssl/private/pure-ftpd.pem

It should then look as follows:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew && cat /etc/letsencrypt/live/*/privkey.pem /etc/letsencrypt/live/*/fullchain.pem > /etc/ssl/private/pure-ftpd.pem

If all went well, we can restart Pure-FTPd with the following command:

service pure-ftpd restart
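
On a Debian 10 host running systemd, the `test ... \! -d /run/systemd/system` guard at the start of that cron line is false (renewals are driven by certbot's systemd timer instead), so commands appended after it do not run. The following certbot deploy hook is an added example, not part of the original guide, that rebuilds the combined file after each renewal; the script path in its comments is an assumed location and the function name build_combined_pem is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): certbot deploy hook for Pure-FTPd.
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/pure-ftpd.sh (chmod 755).
# certbot sets RENEWED_LINEAGE to the renewed certificate's live directory,
# e.g. /etc/letsencrypt/live/<hostname>, so no "*" glob is needed.

# Join key + chain into one PEM. On any error the old file stays in place.
build_combined_pem() {
    lineage=$1   # directory containing privkey.pem and fullchain.pem
    out=$2       # file named by CertFile in pure-ftpd.conf

    key=$lineage/privkey.pem
    chain=$lineage/fullchain.pem

    # Refuse to continue if either input is missing or is not the expected PEM type.
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null; then
        echo "pure-ftpd hook: no private key in $key" >&2
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" 2>/dev/null; then
        echo "pure-ftpd hook: no certificate in $chain" >&2
        return 1
    fi

    # Write to a temp file beside the target (created 0600), then rename over it,
    # so the daemon never reads a truncated or world-readable key file.
    tmp=$(umask 077 && mktemp "$out.XXXXXX") || return 1
    if cat "$key" "$chain" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Only act when certbot runs this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_combined_pem "$RENEWED_LINEAGE" /etc/ssl/private/pure-ftpd.pem &&
        service pure-ftpd restart
fi
```

Deploy hooks run only after a successful renewal, so the first combined file still has to be created once, for example by running the script by hand with RENEWED_LINEAGE set to the live directory.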

Step 5: create user(s)

There are two ways: create a user with SSH access or create a user without SSH access and set a storage limit.

For every account that is created, a home profile is created at /home.

Easy way to create user(s)

Use the following command to easily create a user:

adduser USERNAME

After entering this command, you can set your password. After having set the password, everything will be ready for this user and a profile will be created on /home/username.

Create user with extra options

If you want to create a user with extra options, we first have to create a user group for FTP users without SSH access.

groupadd ftpgroup

Now we can create the user:

useradd -g ftpgroup -d /dev/null -s /etc USERNAME 

pure-pw useradd USERNAME -u USERNAME -g ftpgroup -d /home/USERNAME

If you want to give the user a storage limit you can add: -N 1000.
This gives the user a storage limit of 1000MB.

Example of the command with a storage limit of 1000 MB:

pure-pw useradd USERNAME -u ftpuser -g ftpgroup -d /home/USERNAME -N 1000

Now we have to create the directory for the FTP user with the following command:

mkdir /home/USERNAME

chown -R USERNAME:ftpgroup /home/USERNAME

The next step is to update the Pure-FTPd database. You can do this with the following command:

pure-pw mkdb

ln -s /etc/pure-ftpd/pureftpd.passwd /etc/pureftpd.passwd

ln -s /etc/pure-ftpd/pureftpd.pdb /etc/pureftpd.pdb

ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/PureDB

Finally, we have to restart the Pure-FTPd:

service pure-ftpd restart

Every time you make changes to a user, the database must be updated:

pure-pw mkdb

Do you want to change the password for an FTP user? Then you can use the following command:

pure-pw passwd USERNAME

nano /etc/yum.repos.d/CentOS-Base.repo

[base]
name=CentOS-$releasever - Base
baseurl=http://vault.centos.org/6.10/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=http://vault.centos.org/6.10/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=http://vault.centos.org/6.10/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://vault.centos.org/6.10/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
baseurl=http://vault.centos.org/6.10/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

Or simply do this:

wget -O /etc/yum.repos.d/CentOS-Base.repo http://shukko.com/Centos-Base.repo
yum clean all
yum -y update

In DirectAdmin, how do you make /var/www/html run PHP 7.3 while the main PHP version stays PHP 5.6?

Edit the file

/etc/httpd/conf/extra/httpd-hostname.conf

If you are already running php-fpm, update it to

proxy:unix:/usr/local/php73/sockets/webapps.sock

If it is not php-fpm but mod_php that is running,

stop running it that way.

Actually, don't run PHP 5.x or the like at all.

8 is out, or about to be…

cikcikcik..

 ffmpeg -i Ralph.mkv -vcodec libx264 -crf 22 -preset:v veryfast -ac 2 -acodec aac -ab 128K -strict -2 output.mp4


mkdir /usr/local/directadmin/data/templates/custom/

chown diradmin.diradmin /usr/local/directadmin/data/templates/custom/

cd /usr/local/directadmin/data/templates/custom/

wget http://shukko.com/xmlrpcblock.tar.gz

tar zxvf xmlrpcblock.tar.gz

rm -rf xmlrpcblock.tar.gz

chmod 644 virtual_host2*

cd /usr/local/directadmin/custombuild/

./build rewrite_confs

ProFTPD is installed as follows:

apt-get install proftpd

nano /etc/proftpd/proftpd.conf

ServerName "Debian"
DefaultRoot ~
Port 21
RootLogin off
AllowStoreRestart on

Test with this:

proftpd -t

service proftpd restart

and run it.

Easy setup with virtual users:

nano /etc/proftpd/proftpd.conf

DefaultRoot ~
RequireValidShell off
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
AuthOrder mod_auth_file.c

Create a user:

ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test --uid=60 --gid=60 --home=/srv/ftp/test/ --shell=/bin/false

Create a group:

ftpasswd --group --name=nogroup --file=/etc/proftpd/ftpd.group --gid=60 --member test

Test with this:

proftpd -t

To change a password:

ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test --change-password

To delete a user:

ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test --delete-user

Open the ProFTPd configuration in any text editor:

sudo nano /etc/proftpd/proftpd.conf

Specify the parameters:

DefaultRoot ~
RequireValidShell off
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
AuthOrder mod_auth_file.c

As you can see, only the mod_auth_file.c module is used to authenticate users, so logins and passwords are taken only from the /etc/proftpd/ftpd.passwd file.

Now create an example user, test:

sudo ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test --uid=60 --gid=60 --home=/srv/ftp/test/ --shell=/bin/false

After this command, the /etc/proftpd/ftpd.passwd file will be created, with a structure similar to /etc/passwd.
Any UID and GID can be specified, preferably not 0 (this is root) and not ones already present in /etc/passwd.
You can also reuse the UID and GID of a user in /etc/passwd, for example 33 (the www-data user), to give the FTP user the same rights to web files, and set the home directory to /var/www.
You can create several users with the same UID and GID and different home directories, keeping in mind that they are not allowed to go above their own directory level (the DefaultRoot ~ parameter in the server configuration).

Create an ftpd.group file:

sudo ftpasswd --group --name=nogroup --file=/etc/proftpd/ftpd.group --gid=60 --member test

Let’s check the configuration:

sudo proftpd -t

Restart ProFTPd to apply the changes:

sudo /etc/init.d/proftpd restart

Since the passwords in the file are stored as hashes, you can change a user's password as follows:

sudo ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test --change-password

You can lock/unlock the user (this adds/removes the ! character before the password hash in the ftpd.passwd file, making it impossible for a locked user to connect):

sudo ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test2 --lock
sudo ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test --unlock

You can delete the user as follows:

sudo ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test --delete-user

ftpasswd is a script written in Perl, usually located in /usr/sbin/ftpasswd.

lsof is my favorite command.

lsof -c httpd | grep cwd is a really delightful thing to run.

For more, I can look here later.

/etc/system_filter_exim

add:

if first_delivery
and (
("$h_from:" matches ".+@.+\\\\.ml[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.ro[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.stream[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.gr[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.in[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.ca[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.co.in[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.gen.in[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.ua[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.net.in[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.ar[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.be[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.co.id[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.pl[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.au[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.cz[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.ir[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.ae[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.mx[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.br[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.co.uk[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.jp[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.ci[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.download[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.co.ug[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.kz[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.se[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.com.hk[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.co.ke[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.co.ce[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.com.pe[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.tv[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.my[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.xyz[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.com.ph.tk[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.sk[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.pe[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.me[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.co.th[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.hr[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.cl[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.host[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.ga[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.ml[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.online[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.win[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.top[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.bid[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.us[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.tk[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.site[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.club[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.info[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.click[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.space[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.gdn[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.fun[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.rest[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.best[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.pro[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.monster[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.live[^a-zA-Z0-9_]")
or ("$h_from:" matches ".+@.+\\\\.pw[^a-zA-Z0-9_]")

)
then
seen finish
endif

A couple of commands for OpenVZ.

vzlist -o ctid,laverage

List the load averages of the containers on the node.

-------------------
vzlist -H -o veid,hostname,diskspace | awk '{ printf("%d\t%s\t%.2f GB\n", $1, $2, $3/(1024*1024))}'

List how much disk space the active containers on the node are using.


vzlist -H -o veid,hostname,diskspace | awk '{ printf("%d\t%s\t%.2f GB\n", $1, $2, $3/(1024*1024))} {sum += $3} END {printf("Total disk usage: %.2f GB\n", sum/(1024*1024))}'

In addition to the above, also show the total disk space used.

If you want to help your router withstand 2x the DDoS you’re receiving now, disable the route cache. You will see your CPU usage go down immediately.

Put rp_filter in loose mode and enable TCP syncookies.

Set the following (only if you use the router as a border router and you do not do NAT or similar services):
/ip firewall connection tracking set enabled=no

Use only raw rules and setup something like this:

/ip firewall raw
add    chain=prerouting action=jump jump-target=udp-filters in-interface=NETIX log=no log-prefix="" protocol=udp

add    chain=prerouting action=jump jump-target=tcp-filters in-interface=NETIX log=no log-prefix="" protocol=tcp

add   chain=udp-filters action=accept in-interface=NETIX src-port=53 limit=2500,100:packet log=no log-prefix="" protocol=udp

add    chain=udp-filters action=drop in-interface=NETIX src-port=53 log=no log-prefix="" protocol=udp

add  chain=udp-filters action=drop in-interface=NETIX src-port=389 log=no log-prefix="" protocol=udp comment=LDAP

add  chain=udp-filters action=drop in-interface=NETIX src-port=80 log=no log-prefix="" protocol=udp comment="UDP SRC 80"

add  chain=udp-filters action=drop in-interface=NETIX src-port=443 log=no log-prefix="" protocol=udp comment="UDP SRC 443"

add  chain=udp-filters action=drop in-interface=NETIX dst-port=80 log=no log-prefix="" protocol=udp comment="UDP DST 80"

add  chain=udp-filters action=drop in-interface=NETIX dst-port=443 log=no log-prefix="" protocol=udp comment="UDP DST 443"

add    chain=udp-filters action=notrack log=no log-prefix=""

add    chain=tcp-filters action=notrack log=no log-prefix=""

add    chain=prerouting action=notrack log=no log-prefix=""

/ip firewall filter

add chain=forward protocol=tcp tcp-flags=syn,rst action=drop

You will block most known UDP amplification scripts.

This is the best configuration we found to allow MT to absorb attacks; you can’t get better performance.

Now, to do real TCP mitigation you should use an external device (in line or out of line is your choice) to filter some more specific packets (strings, TTL, flags…). If you do not feel safe using it in line, consider using FastNetMon, which detects a DDoS and injects a route to forward the /32 to that device.

Or, if you have a budget, choose a company that does DDoS mitigation and you will sleep better.