FTP cheatsheet
Service and ports
| Check | Description |
|---|---|
| `systemctl status vsftpd` | vsftpd service status |
| `ss -tlnp \| grep :21` | Control port listening |
| `ss -tlnp \| grep vsftpd` | Passive data ports in use |
| `grep -v '^#' /etc/vsftpd/vsftpd.conf` | Active vsftpd settings |
Interactive ftp client
ftp ftp.example.com
# login: user / password
ls
cd incoming
get remotefile.dat
put localfile.csv
binary # for non-text files
passive # PASV mode (default on many clients)
bye
lftp (scriptable)
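# Omit ",pass" to be prompted instead; a password on the command line ends up in shell history and process listings
lftp -u user,pass ftp.example.com -e "ls; get file.dat; bye"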
lftp -u user sftp://host # SFTP — encrypted alternative
# Mirror remote dir to local
lftp -c "open -u user,pass ftp://host; mirror /remote /local"
curl one-liners
| Command | Description |
|---|---|
| `curl -u user:pass ftp://host/path/file.txt -O` | Download file |
| `curl -T local.csv ftp://host/incoming/ -u user:pass` | Upload file |
| `curl -v ftp://host/` | Verbose — debug PASV/ports |
vsftpd — common settings
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
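# vsftpd refuses to start a session in a writable chroot root by default; this setting overrides that check
allow_writeable_chroot=YES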
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
# Behind NAT — set public IP clients should use:
pasv_address=PUBLIC_IP
Firewall (passive range)
# Example: ufw allow 21, and passive range
ufw allow 21/tcp
ufw allow 40000:40100/tcp
# Test from client
curl -v ftp://user:pass@host/
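
An added example, not part of the original cheatsheet or of vsftpd: a small Python check that reads a vsftpd.conf like the one above, flags the settings this page warns about (plain FTP, writable chroot, missing or unreachable passive settings) and returns the passive range in the form `ufw allow` takes. The names `parse_conf` and `audit` are hypothetical, `ssl_enable` is the vsftpd option that turns on FTPS and does not appear in the settings above, and the defaults are assumed from vsftpd.conf(5).

```python
import ipaddress

# vsftpd built-in defaults (vsftpd.conf(5)) for the options checked below.
DEFAULTS = dict(anonymous_enable="YES", ssl_enable="NO", chroot_local_user="NO",
                allow_writeable_chroot="NO", pasv_enable="YES",
                pasv_min_port="0", pasv_max_port="0", pasv_address="")

def parse_conf(text):
    """key=value per line; lines starting with '#' are comments."""
    conf = dict(DEFAULTS)
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def audit(text):
    """Return (findings, ufw_range); ufw_range is None without a fixed PASV range."""
    c = parse_conf(text)
    on = lambda key: c[key].upper() == "YES"
    findings = []
    if on("anonymous_enable"):
        findings.append("anonymous_enable: anonymous logins allowed")
    if not on("ssl_enable"):
        findings.append("ssl_enable: plain FTP, passwords sent in cleartext")
    if on("chroot_local_user") and on("allow_writeable_chroot"):
        findings.append("allow_writeable_chroot: writable chroot root permitted")
    ufw_range = None
    if on("pasv_enable"):
        lo, hi = int(c["pasv_min_port"]), int(c["pasv_max_port"])
        if 0 < lo <= hi:
            ufw_range = f"{lo}:{hi}/tcp"  # argument for `ufw allow`
        else:
            findings.append("pasv_min_port/pasv_max_port: no fixed range to firewall")
        if c["pasv_address"]:
            try:
                if ipaddress.ip_address(c["pasv_address"]).is_private:
                    findings.append("pasv_address: private or reserved IP advertised")
            except ValueError:
                findings.append("pasv_address: not a numeric IP (placeholder?)")
    return findings, ufw_range

# Constructed sample: settings copied from the vsftpd block above.
PAGE_CONF = "\n".join([
    "anonymous_enable=NO", "chroot_local_user=YES", "allow_writeable_chroot=YES",
    "pasv_min_port=40000", "pasv_max_port=40100", "pasv_address=PUBLIC_IP",
])
if __name__ == "__main__":
    print(audit(PAGE_CONF))
```
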
Logs
| Location | Description |
|---|---|
| `/var/log/vsftpd.log` | Transfers (if xferlog enabled) |
| `journalctl -u vsftpd -e` | systemd journal |
| `grep vsftpd /var/log/messages` | RHEL-style syslog |
Secure alternatives (prefer these)
| Protocol | Port | Notes |
|---|---|---|
| SFTP | 22 | SSH subsystem — SSH lab |
| FTPS | 21 / 990 | FTP + TLS |
| HTTPS / S3 | 443 | Modern B2B APIs |
Pro tips
- Plain FTP leaks passwords — use VPN/private links or migrate to SFTP/FTPS
- Directory listing hangs? Almost always passive ports or `pasv_address`
- Chroot breaks if home dir is writable by the FTP user — check vsftpd docs
- Finance partners often need fixed IPs, PASV range docs, and ASCII vs binary mode
- `curl -v` shows the PASV IP:port the server advertises — verify it is reachable