FTP guide

What FTP does in production

FTP exchanges files and directory listings between a client and server. The client issues commands (USER, PASS, RETR, STOR, LIST); the server reads and writes files on disk. Batch jobs, mainframes, and trading partners still push end-of-day reports via FTP because the protocol is simple and entrenched in contracts — not because it is secure.

Security: FTP is not encrypted

Standard FTP transmits usernames, passwords, and file data in cleartext. Anyone on the network path (Wi‑Fi, ISP, compromised router) can capture credentials and files. FTP should never cross the public internet without additional protection.

Better alternatives:

  • SFTP — file transfer over SSH (encrypted); see the SSH lab
  • FTPS — FTP with TLS (explicit or implicit SSL)
  • SCP / rsync over SSH — scripted secure copy
  • HTTPS APIs and object storage — S3, GCS with signed URLs

If you must run FTP, isolate it: private network, VPN, allowlisted partner IPs, dedicated service accounts, read-only chroots, and aggressive logging. In finance, SFTP/FTPS is common for new integrations, but plain FTP still appears for legacy settlement files, bank feeds, and vendor drops — your job is often to keep it working safely until migration.

How a session works

  1. Control connection — client connects to server port 21 (TCP)
  2. Authentication — USER / PASS (cleartext on plain FTP)
  3. Commands — CWD, LIST, TYPE, etc. on the control channel
  4. Data connection — separate TCP channel for directory listings and file transfers
  5. Close — QUIT or timeout ends the session

Active vs passive mode

FTP uses two connections — control (21) and data. The data channel setup differs:

Active (PORT) — server connects back to a client-chosen port for data. Often blocked by client firewalls/NAT.

Passive (PASV) — server advertises an IP address and a port taken from its passive port range; client connects to that address for data. Default for most clients today. Server must publish a passive port range in config and open those ports on the firewall. Misconfigured PASV is the top cause of “directory listing hangs” or 500 Illegal PORT command.
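An added example (not part of the original guide): a Python check for the misconfigured-PASV case described above. It parses the server's 227 reply and flags an advertised address that differs from the control-connection peer, or a port outside the range opened on the firewall; the function names, the sample replies and the 50000-50100 range are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply")
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    port = nums[4] * 256 + nums[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def diagnose_pasv(reply, control_peer, port_range):
    """List reasons the data connection for this reply is likely to fail."""
    ip, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)  # server IP used for the control connection
    low, high = port_range                      # passive ports opened on the firewall (assumed known)
    findings = []
    if ip != peer:
        private = any(ip in net for net in RFC1918) and not any(peer in net for net in RFC1918)
        kind = "private" if private else "different"
        findings.append(f"advertised {kind} address {ip}, control peer is {peer}")
    if not low <= port <= high:
        findings.append(f"port {port} outside firewall range {low}-{high}")
    return findings


# Constructed sample replies (documentation addresses, not from a real server).
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,195,80).",  # port 50000, healthy
    "227 Entering Passive Mode (10,0,0,5,195,80).",      # server behind NAT advertises its internal IP
    "227 Entering Passive Mode (203,0,113,10,78,52).",   # port 20020, not opened on the firewall
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", diagnose_pasv(line, "203.0.113.10", (50000, 50100)) or "ok")
```

The reply line itself can be read from a verbose client session on the control channel and passed to `diagnose_pasv` together with the address the client connected to.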

Common Linux FTP servers

  • vsftpd — Very Secure FTP Daemon; default on many RHEL/Debian images; config /etc/vsftpd/vsftpd.conf or /etc/vsftpd.conf
  • ProFTPD — flexible, Apache-like config; common on shared hosting
  • pure-ftpd — lightweight alternative

Users, chroot, and permissions

FTP users are usually system users or virtual users mapped by PAM/LDAP. Production setups often chroot users to a home directory so they cannot traverse the whole filesystem. The chroot root directory must be owned by root and not writable by the user (vsftpd requirement). Use dedicated accounts per partner with minimal rights.

Clients and automation

  • lftp — scriptable client (mirrors, queues, SFTP too)
  • ftp — classic interactive client
  • curl ftp://... — one-shot transfers in scripts
  • ncftp — user-friendly client

FTPS vs SFTP (naming confusion)

FTPS is FTP + TLS on port 21 (explicit) or 990 (implicit). SFTP is an SSH subsystem — different protocol entirely, usually port 22. Vendors say “secure FTP” loosely; clarify which protocol and port before opening firewalls.

Learning resources

  • vsftpd man page — vsftpd(8)
  • RFC 959 (FTP) — RFC 959
  • SFTP (SSH) — SadServers SSH lab

Practice scenarios

Hands-on FTP scenarios on live Linux VMs: ftp

Updated: 2026-06-13 16:06 UTC – 2d2950a