FTP troubleshooting
Connection refused on port 21
Server not running or firewall blocks control port. Check
systemctl status vsftpd and ss -tlnp | grep :21.
Verify listen=YES in config. SELinux or cloud security groups must
allow TCP 21. Read logs: journalctl -u vsftpd -e.
Login authentication failed
Wrong password, user in /etc/ftpusers deny list, or PAM blocking
shell-less users. For vsftpd, local_enable=YES required for system
users. Check /etc/vsftpd/ftpusers and userlist_deny
settings. Test with curl -u user:pass ftp://host/. Remember
credentials travel in cleartext on plain FTP.
Directory listing hangs / times out (PASV)
Classic passive-mode firewall issue. Client connects to 21 fine; data channel
fails. Server must define pasv_min_port / pasv_max_port
and firewall must allow that range. Behind NAT, set
pasv_address to the public IP clients reach. Debug with
curl -v ftp://host/ — look for 227 Entering Passive Mode
and verify the advertised IP:port is reachable from the client.
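Added example (not part of the original page): a POSIX shell helper that decodes a 227 reply, computes the data port as p1*256+p2, and flags a private advertised address or a port outside the configured PASV range. The function names, the sample reply and the 50000-50100 range are constructed for illustration.

```sh
#!/bin/sh
# Added example: decode a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply
# and compare it with the pasv_min_port / pasv_max_port range on the server.

# parse_227 "<reply line>": prints "IP PORT"; returns 1 if no 227 tuple is found.
parse_227() {
    tuple=$(printf '%s\n' "$1" |
        sed -n 's/^.*227 [^(]*(\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\)).*$/\1/p')
    [ -n "$tuple" ] || return 1
    old_ifs=$IFS; IFS=,
    set -- $tuple            # split the six comma-separated numbers
    IFS=$old_ifs
    # The data port is sent as two bytes: p1 * 256 + p2.
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# is_private_ip IP: true for RFC 1918 and loopback addresses.
is_private_ip() {
    case $1 in
        10.*|192.168.*|127.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_pasv "<reply line>" MIN MAX: prints one verdict word.
check_pasv() {
    res=$(parse_227 "$1") || { echo "not-227"; return 1; }
    ip=${res% *}; port=${res#* }
    if is_private_ip "$ip"; then
        # Fine on a LAN; external clients cannot reach it (pasv_address unset?).
        echo "private-address"
    elif [ "$port" -lt "$2" ] || [ "$port" -gt "$3" ]; then
        # Firewall rules for the PASV range will not cover this port.
        echo "port-outside-range"
    else
        echo "ok"
    fi
}

# Constructed sample reply, as it would appear in curl -v output.
sample='< 227 Entering Passive Mode (203,0,113,10,195,80).'
echo "$(parse_227 "$sample") -> $(check_pasv "$sample" 50000 50100)"
```

curl tries EPSV before PASV, so add --disable-epsv to see a 227 reply instead of 229.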
500 Illegal PORT command
Active mode rejected — server disallows PORT (common with
port_enable=NO) or NAT breaks active mode. Switch client to
passive mode: passive in ftp, lftp set ftp:passive-mode on.
Ensure PASV range is configured if passive still fails.
553 Could not create file / permission denied
Upload directory not writable by FTP user, SELinux context wrong, or chroot
restrictions. Check ownership: ls -la /home/ftpuser/. With
chroot_local_user=YES, root of chroot cannot be writable by the
user — use subdirs for uploads. RHEL: setsebool -P ftpd_full_access on
only if policy requires it.
Transfer corrupt or line-ending mangled
Wrong transfer mode: ASCII converts newlines (breaks binaries);
use binary for CSV in some encodings, ZIP, images, fixed-width
finance files. In ftp client: binary. In lftp:
set xfer:clobber on if overwriting matters.
Partner cannot connect (finance / B2B)
Document allowlisted IPs, port 21, passive port range, and whether FTPS is required. Partners behind corporate firewalls often block active mode. Provide SFTP as upgrade path — see SSH lab. Until migration, monitor logs for brute-force on port 21 and rate-limit at the firewall.
425 Unable to build data connection
Data channel blocked — same family as PASV issues. Confirm passive ports open
end-to-end. For local test from the server itself, use
curl ftp://127.0.0.1/ vs external IP to separate local config from
firewall/NAT problems.
Debugging workflow
1. Control channel
systemctl status vsftpd
ss -tlnp | grep :21
curl -v -u user:pass ftp://HOST/
2. Passive ports and NAT
grep pasv /etc/vsftpd/vsftpd.conf
ss -tlnp | grep vsftpd
# From client: note 227 response IP and port range
3. Permissions and logs
ls -la /home/ftpuser
tail -f /var/log/vsftpd.log
journalctl -u vsftpd -f
Practice scenarios
Hands-on FTP scenarios on live Linux VMs: ftp