FTP Server

File Transfer Protocol server. Basic protocol for file transmission over internet. Various implementations exist (vsftpd, ProFTPD, Pure-FTPd, etc.).


Overview

An FTP (File Transfer Protocol) server is software that implements the basic protocol for sending and receiving files over the Internet. First published in 1971, FTP has served as a standard file transfer method since the early days of the Internet. Implementations include vsftpd (Very Secure FTP Daemon), ProFTPD, and Pure-FTPd, each with different characteristics and use cases. Because plain FTP has security limitations, SFTP and HTTPS-based file transfer are often recommended instead, but FTP remains in use for compatibility with legacy systems and for specific purposes.

Details

As of 2025, the main developments in FTP servers are security enhancements and adaptation to modern operational requirements. To address the long-standing problem of plain-text communication, secure operation by combining FTP with FTPS (FTP over SSL/TLS) or SFTP (SSH File Transfer Protocol) has become standard. vsftpd is lightweight and offers strong security features, ProFTPD allows flexible customization through Apache-like configuration files, and Pure-FTPd is simple enough to set up in 5 minutes. FTP is still used in modern DevOps environments, including containerized deployments, automation, and CI/CD pipelines, where it plays a role in specific workflows and in integration with existing systems.

Key Features

  • Simple Protocol: Basic design that is easy to understand and implement
  • Diverse Implementations: Different options like vsftpd, ProFTPD, Pure-FTPd with unique characteristics
  • Wide Compatibility: Support from legacy clients to modern systems
  • Flexible Authentication: Anonymous access, user authentication, virtual user support
  • Resume Transfer: Support for interrupting and resuming large file transfers
  • Bandwidth Limiting: Network usage control features

Pros and Cons

Pros

  • High compatibility and stability, backed by a track record dating to the early days of the Internet
  • Easy to understand and deploy due to simple protocol design
  • Standard support across many platforms and client software
  • Lightweight with low resource usage, works on low-spec servers
  • Rich implementation examples in legacy systems and embedded devices
  • Simple and reliable operation specialized for file transfer

Cons

  • Security risks from plain text communication (password eavesdropping, etc.)
  • Complex passive mode configuration in NAT firewall environments
  • Inadequate support for modern security requirements (multi-factor authentication, etc.)
  • Functional limitations compared to SFTP and HTTPS
  • Risk of security holes due to configuration errors
  • Requires additional security measures for use in modern cloud environments

Code Examples

vsftpd Installation and Basic Configuration

# Installation on Ubuntu/Debian
sudo apt update
sudo apt install vsftpd

# Installation on CentOS/RHEL/Fedora
sudo dnf install vsftpd

# Check service status
sudo systemctl status vsftpd

# Enable and start service
sudo systemctl enable vsftpd
sudo systemctl start vsftpd

# Backup configuration file
# (Debian/Ubuntu path; RHEL-family systems use /etc/vsftpd/vsftpd.conf)
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak

# Basic configuration (/etc/vsftpd.conf)
sudo tee /etc/vsftpd.conf << 'EOF'
# Basic settings
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES

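# Security settings
chroot_local_user=YES
# allow_writeable_chroot=YES lets users write to their chroot root; the
# stricter layout is a non-writable home with a writable subdirectory
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
# With userlist_deny=NO, only users listed in userlist_file may log in
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

# Passive mode settings
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
# Replace your_server_ip with the server's public IP address
pasv_address=your_server_ip

# Log settings
# Native vsftpd log format: records FAIL LOGIN, OK UPLOAD and OK DOWNLOAD lines,
# which the fail2ban jail and the monitoring commands on this page read.
# xferlog_std_format=YES would write wu-ftpd style transfer records only.
xferlog_std_format=NO
vsftpd_log_file=/var/log/vsftpd.log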

# Performance settings
max_clients=50
max_per_ip=5
local_max_rate=1000000
EOF

ProFTPD Installation and Configuration

# Installation on Ubuntu/Debian
sudo apt install proftpd-basic

# Installation on CentOS/RHEL/Fedora
sudo dnf install proftpd

# Basic configuration (/etc/proftpd/proftpd.conf)
sudo tee /etc/proftpd/proftpd.conf << 'EOF'
# Basic settings
Include /etc/proftpd/modules.conf
UseIPv6 off
IdentLookups off
ServerName "ProFTPD Server"
ServerType standalone
DeferWelcome off

# Port settings
Port 21

# User/Group settings
User proftpd
Group nogroup
MaxInstances 30

# Security settings
RootLogin off
RequireValidShell off
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
DefaultRoot ~

# Passive mode settings
PassivePorts 30000 31000

# Log settings
SystemLog /var/log/proftpd/proftpd.log
TransferLog /var/log/proftpd/xferlog

# Restriction settings
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# Directory settings
<Directory />
  AllowOverwrite on
</Directory>

# Virtual host example
<VirtualHost ftp.example.com>
  ServerName "Example FTP Server"
  DefaultRoot /srv/ftp
  MaxClients 20
</VirtualHost>
EOF

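# Create virtual user in the AuthUserFile configured above
# (without --file, ftpasswd writes ftpd.passwd in the current directory)
sudo ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=testuser \
  --uid=1001 --gid=1001 --home=/srv/ftp/testuser --shell=/bin/false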

Pure-FTPd Installation and Configuration

# Installation on Ubuntu/Debian
sudo apt install pure-ftpd

# Installation on CentOS/RHEL/Fedora
sudo dnf install pure-ftpd

# Basic configuration (configuration file approach)
sudo mkdir -p /etc/pure-ftpd/conf

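# Various configuration items
# Bind takes "address,port"; a leading comma means all addresses
echo ",21" | sudo tee /etc/pure-ftpd/conf/Bind
echo "50" | sudo tee /etc/pure-ftpd/conf/MaxClientsNumber
echo "8" | sudo tee /etc/pure-ftpd/conf/MaxClientsPerIP
echo "no" | sudo tee /etc/pure-ftpd/conf/AnonymousOnly
# NoAnonymous=no leaves anonymous logins permitted; set it to "yes" to refuse them
echo "no" | sudo tee /etc/pure-ftpd/conf/NoAnonymous
echo "yes" | sudo tee /etc/pure-ftpd/conf/ChrootEveryone
echo "yes" | sudo tee /etc/pure-ftpd/conf/CreateHomeDir
echo "30000 31000" | sudo tee /etc/pure-ftpd/conf/PassivePortRange

# Virtual user configuration
# PureDB holds the path of the database file that "pure-pw mkdb" generates
echo "/etc/pure-ftpd/pureftpd.pdb" | sudo tee /etc/pure-ftpd/conf/PureDB
sudo pure-pw useradd testuser -u 1001 -g 1001 -d /srv/ftp/testuser
sudo pure-pw mkdb /etc/pure-ftpd/pureftpd.pdb

# TLS configuration
# 1 = accept both plain and TLS sessions; 2 = refuse sessions that do not use TLS
echo "1" | sudo tee /etc/pure-ftpd/conf/TLS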

# Create certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/pure-ftpd.pem \
  -out /etc/ssl/private/pure-ftpd.pem \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=ftp.example.com"

sudo chmod 600 /etc/ssl/private/pure-ftpd.pem

Security Hardening Configuration

# vsftpd SSL/TLS configuration
sudo tee -a /etc/vsftpd.conf << 'EOF'

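# SSL/TLS settings
ssl_enable=YES
allow_anon_ssl=NO
# Require TLS for both the login exchange and data connections of local users
force_local_data_ssl=YES
force_local_logins_ssl=YES
# ssl_tlsv1 permits TLS v1 connections; SSLv2 and SSLv3 stay disabled
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key

# Additional security
hide_ids=YES
use_sendfile=YES
# seccomp_sandbox=NO turns off vsftpd's seccomp syscall filter; keep it only
# as a workaround if sessions fail with the sandbox enabled
seccomp_sandbox=NO
isolate_network=YES
EOF

# Create certificate (for vsftpd)
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/vsftpd.key \
  -out /etc/ssl/certs/vsftpd.pem \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=ftp.example.com"

# The private key must be readable by root only
sudo chmod 600 /etc/ssl/private/vsftpd.key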

# Firewall configuration
sudo ufw allow 21/tcp
sudo ufw allow 30000:31000/tcp

# fail2ban configuration (/etc/fail2ban/jail.local)
sudo tee -a /etc/fail2ban/jail.local << 'EOF'

[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 3
bantime = 3600

[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 3
bantime = 3600
EOF

sudo systemctl restart fail2ban

User Management and Virtual User Configuration

# vsftpd virtual user configuration
# Create virtual user database
sudo mkdir -p /etc/vsftpd/users

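# Create user list file (alternating lines: username, then password)
# The file holds plaintext passwords, so create it with mode 600 before writing
sudo install -m 600 /dev/null /etc/vsftpd/virtual_users.txt
sudo tee /etc/vsftpd/virtual_users.txt > /dev/null << 'EOF'
user1
password1
user2
password2
EOF

# Convert to DB format
sudo db_load -T -t hash -f /etc/vsftpd/virtual_users.txt /etc/vsftpd/virtual_users.db
sudo chmod 600 /etc/vsftpd/virtual_users.db
# Remove the plaintext source once the database is built
sudo rm -f /etc/vsftpd/virtual_users.txt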

# PAM configuration (/etc/pam.d/vsftpd_virtual)
sudo tee /etc/pam.d/vsftpd_virtual << 'EOF'
auth required pam_userdb.so db=/etc/vsftpd/virtual_users
account required pam_userdb.so db=/etc/vsftpd/virtual_users
session required pam_loginuid.so
EOF

# Add to vsftpd configuration
sudo tee -a /etc/vsftpd.conf << 'EOF'

# Virtual user settings
guest_enable=YES
guest_username=ftp
pam_service_name=vsftpd_virtual
user_config_dir=/etc/vsftpd/users
virtual_use_local_privs=YES
EOF

# Individual user configuration example
sudo mkdir -p /etc/vsftpd/users
sudo tee /etc/vsftpd/users/user1 << 'EOF'
local_root=/srv/ftp/user1
write_enable=YES
download_enable=YES
max_rate=500000
EOF

# Create directories for FTP users
sudo mkdir -p /srv/ftp/{user1,user2}
sudo chown ftp:ftp /srv/ftp/user*

Advanced Configuration and Performance Tuning

# High performance settings (vsftpd)
sudo tee -a /etc/vsftpd.conf << 'EOF'

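# Performance settings
# tcp_wrappers needs a vsftpd build with TCP Wrappers support
# (access rules in /etc/hosts.allow and /etc/hosts.deny)
tcp_wrappers=YES
use_sendfile=YES
connect_timeout=60
data_connection_timeout=300
idle_session_timeout=600
accept_timeout=60

# Concurrent connection limits
max_clients=100
max_per_ip=10

# Bandwidth limiting (bytes/second)
# vsftpd does not accept a comment after a value on the same line, and the
# last assignment of a key wins, so each rate is set once with its note above it
# 0 = unlimited
local_max_rate=0
# 100 KB/s limit
anon_max_rate=100000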
EOF

# System limits configuration
sudo tee -a /etc/security/limits.conf << 'EOF'
ftp soft nofile 65536
ftp hard nofile 65536
ftp soft nproc 32768
ftp hard nproc 32768
EOF

# Kernel parameter tuning
sudo tee -a /etc/sysctl.conf << 'EOF'
# FTP performance improvement
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.core.netdev_max_backlog = 5000
# bbr must be listed in net.ipv4.tcp_available_congestion_control (tcp_bbr module)
net.ipv4.tcp_congestion_control = bbr
EOF

sudo sysctl -p

Monitoring and Log Management

# Log monitoring script (written as root, since /usr/local/bin is root-owned)
sudo tee /usr/local/bin/ftp-monitor > /dev/null << 'EOF'
#!/bin/bash
# FTP monitoring script

echo "=== FTP Server Status $(date) ==="
systemctl is-active vsftpd
echo

echo "=== Active Connections ==="
# Established sessions on the FTP control port only
ss -Htn state established '( sport = :21 )'
echo

echo "=== Recent Transfers ==="
tail -20 /var/log/vsftpd.log | grep -E "(UPLOAD|DOWNLOAD)"
echo

echo "=== Failed Login Attempts ==="
# PAM failures are logged to auth.log (/var/log/secure on RHEL-family systems)
tail -50 /var/log/auth.log | grep vsftpd | grep -i fail
echo

echo "=== Disk Usage ==="
df -h /srv/ftp
echo
EOF

sudo chmod +x /usr/local/bin/ftp-monitor

# Log rotation configuration (/etc/logrotate.d/vsftpd)
sudo tee /etc/logrotate.d/vsftpd << 'EOF'
/var/log/vsftpd.log {
    daily
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    copytruncate
}
EOF

# Real-time monitoring
sudo tail -f /var/log/vsftpd.log

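# Connection statistics (established control connections)
sudo ss -Htn state established '( sport = :21 )' | wc -l

# Transfer statistics for today
# (vsftpd log lines start with a date such as "Mon Jan  6", in the C locale)
grep "^$(LC_ALL=C date '+%a %b %e')" /var/log/vsftpd.log | grep -c "OK UPLOAD"
grep "^$(LC_ALL=C date '+%a %b %e')" /var/log/vsftpd.log | grep -c "OK DOWNLOAD"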
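
The fail2ban jail and the grep commands above react to individual log lines. As an added example (not part of the original page), the report below groups vsftpd login records by client address and flags a successful login that follows a burst of failures. It assumes vsftpd's native log format (xferlog_std_format=NO); the function names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). ftp_auth_report and sample_log
# are hypothetical names; the log lines below are constructed.
ftp_auth_report() {   # usage: ftp_auth_report THRESHOLD [LOGFILE...]
  threshold=$1; shift
  awk -v max="$threshold" '
    / (FAIL|OK) LOGIN: Client "/ {
      ip = $0; sub(/^.*Client "/, "", ip); sub(/".*$/, "", ip)
      sub(/^::ffff:/, "", ip)          # IPv4-mapped form logged by IPv6 listeners
      user = $0; sub(/^.*\] \[/, "", user); sub(/\].*$/, "", user)
      if ($0 ~ / FAIL LOGIN: /) {
        fails[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
      } else if (fails[ip] >= max) {
        hit[ip] = user                 # success that follows a failure burst
      }
    }
    END {
      for (ip in fails) if (fails[ip] >= max) {
        flag = (ip in hit) ? "LOGIN-AFTER-FAILURES:" hit[ip] : "no-login"
        print ip, "fails=" fails[ip], "users=" users[ip], flag
      }
    }
  ' "$@" | sort
}

sample_log() {   # constructed log lines in the native vsftpd format
  cat << 'EOF'
Mon Jan  6 10:15:01 2025 [pid 1200] CONNECT: Client "203.0.113.7"
Mon Jan  6 10:15:03 2025 [pid 1199] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jan  6 10:15:06 2025 [pid 1199] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Jan  6 10:15:09 2025 [pid 1199] [user1] FAIL LOGIN: Client "::ffff:203.0.113.7"
Mon Jan  6 10:15:12 2025 [pid 1199] [user1] OK LOGIN: Client "203.0.113.7"
Mon Jan  6 10:20:00 2025 [pid 1300] [user2] FAIL LOGIN: Client "198.51.100.4"
Mon Jan  6 10:20:09 2025 [pid 1300] [user2] OK LOGIN: Client "198.51.100.4"
Mon Jan  6 10:21:00 2025 [pid 1302] [user2] OK UPLOAD: Client "198.51.100.4", "/srv/ftp/user2/a.txt", 120 bytes, 1.20Kbyte/sec
Mon Jan  6 11:00:01 2025 [pid 1400] [backup] FAIL LOGIN: Client "192.0.2.9"
Mon Jan  6 11:00:04 2025 [pid 1400] [backup] FAIL LOGIN: Client "192.0.2.9"
Mon Jan  6 11:00:07 2025 [pid 1400] [backup] FAIL LOGIN: Client "192.0.2.9"
Mon Jan  6 11:00:10 2025 [pid 1400] [backup] FAIL LOGIN: Client "192.0.2.9"
EOF
}

# Threshold 3 mirrors maxretry in the fail2ban jail on this page
sample_log | ftp_auth_report 3
```

A LOGIN-AFTER-FAILURES line is the case a ban alone does not surface: the account named there should have its password rotated and its recent transfers reviewed.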

Automation and Backup

# Automatic backup script (written as root, since /etc/cron.daily is root-owned)
sudo tee /etc/cron.daily/ftp-backup > /dev/null << 'EOF'
#!/bin/bash
# FTP configuration and data backup

# Backups contain credentials and user data: keep them readable by root only
umask 077
BACKUP_DIR="/backup/ftp/$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"

# Backup configuration files
cp /etc/vsftpd.conf "$BACKUP_DIR/"
cp -r /etc/vsftpd/ "$BACKUP_DIR/vsftpd-config/"
# -r is required to copy a directory; without it cp fails and the error is hidden
cp -r /etc/pure-ftpd/ "$BACKUP_DIR/pure-ftpd-config/" 2>/dev/null || true

# Backup user data
tar -czf "$BACKUP_DIR/ftp-data.tar.gz" /srv/ftp/

# Backup logs
cp /var/log/vsftpd.log "$BACKUP_DIR/"
cp -r /var/log/proftpd/ "$BACKUP_DIR/proftpd-logs/" 2>/dev/null || true

# Remove old backups (30 days retention); only the dated top-level directories
find /backup/ftp/ -mindepth 1 -maxdepth 1 -type d -mtime +30 -exec rm -rf {} +

echo "FTP backup completed: $BACKUP_DIR"
EOF

sudo chmod +x /etc/cron.daily/ftp-backup

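# Configuration validation script
sudo tee /usr/local/bin/ftp-validate > /dev/null << 'EOF'
#!/bin/bash
# FTP configuration validation

echo "=== FTP Configuration Validation ==="

# vsftpd configuration check
# vsftpd has no dedicated test mode. Options apply in command-line order, so
# listen=NO goes after the file to keep this run from starting a listener;
# a bad setting is reported in a "500 OOPS:" message.
if [ -f /etc/vsftpd.conf ]; then
    echo "Checking vsftpd configuration..."
    vsftpd /etc/vsftpd.conf -olisten=NO -olisten_ipv6=NO < /dev/null
    echo "vsftpd config check finished (review the output above)"
fi

# Port check
echo "Checking FTP ports..."
if ss -Htln '( sport = :21 )' | grep -q .; then
    echo "FTP port 21: OK"
else
    echo "FTP port 21: NOT LISTENING"
fi

# SSL certificate check
if [ -f /etc/ssl/certs/vsftpd.pem ]; then
    echo "Checking SSL certificate..."
    openssl x509 -in /etc/ssl/certs/vsftpd.pem -noout -enddate
    # -checkend returns non-zero when the certificate expires within 30 days
    openssl x509 -in /etc/ssl/certs/vsftpd.pem -noout -checkend 2592000 \
        || echo "WARNING: certificate expires within 30 days"
fi

# Disk space check
echo "Checking disk space..."
df -h /srv/ftp

echo "Validation completed."
EOF

sudo chmod +x /usr/local/bin/ftp-validate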
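
The validation script above checks that the service and certificate are in place, not what the settings say. Because this page builds /etc/vsftpd.conf from several `tee -a` appends and vsftpd uses the last assignment of each key, the following added example (not part of the original page) audits the effective values. The function names and the table of defaults are assumptions, and the sample configuration is constructed from settings shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): report risky *effective* vsftpd
# settings. audit_vsftpd and sample_conf are hypothetical names.
audit_vsftpd() {   # usage: audit_vsftpd FILE   (or pipe the config on stdin)
  awk '
    function cur(k) { return (k in eff) ? eff[k] : dflt[k] }
    function need(k, v, why) { if (cur(k) != v) bad[++n] = k "=" cur(k) ": " why }
    BEGIN {  # assumed upstream defaults; confirm in your vsftpd.conf(5)
      dflt["anonymous_enable"] = "YES"; dflt["ssl_enable"] = "NO"
      dflt["force_local_logins_ssl"] = "YES"; dflt["force_local_data_ssl"] = "YES"
      dflt["seccomp_sandbox"] = "YES"; dflt["allow_writeable_chroot"] = "NO"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comment-only or blank line
    {
      eq = index($0, "=")
      if (eq == 0) { bad[++n] = "line " NR ": not key=value"; next }
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      if (val ~ /^(YES|NO|[0-9]+)[ \t]/)      # inline comment or stray space after the value
        bad[++n] = "line " NR ": " key " has trailing text in its value"
      if ((key in eff) && eff[key] != val)    # the last assignment wins
        bad[++n] = "line " NR ": " key "=" val " overrides earlier " eff[key]
      eff[key] = val
    }
    END {
      need("anonymous_enable", "NO", "anonymous logins allowed")
      need("ssl_enable", "YES", "logins and data are sent in clear text")
      need("force_local_logins_ssl", "YES", "password may be sent without TLS")
      need("force_local_data_ssl", "YES", "file data may be sent without TLS")
      need("seccomp_sandbox", "YES", "seccomp sandbox disabled")
      need("allow_writeable_chroot", "NO", "user can write to the chroot root")
      for (i = 1; i <= n; i++) print bad[i]
      exit (n > 0)
    }
  ' "$@"
}

sample_conf() {   # constructed: settings as they accumulate from the appends above
  cat << 'EOF'
anonymous_enable=NO
allow_writeable_chroot=YES
local_max_rate=1000000
ssl_enable=YES
seccomp_sandbox=NO
local_max_rate=2000000
anon_max_rate=100000  # 100KB/s limit
EOF
}

sample_conf | audit_vsftpd || true
```

Run it as `audit_vsftpd /etc/vsftpd.conf`; a non-zero exit status means at least one finding was printed.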