FTP: File Transfer Protocol Complete Guide
FTP (File Transfer Protocol) is one of the oldest internet protocols, designed for transferring files between computers over TCP/IP networks. While newer alternatives exist, FTP remains widely used for website management, file sharing, and data transfer. This comprehensive guide explains FTP, its variants, security considerations, and modern alternatives.
What is FTP?
FTP is a standard network protocol used to transfer files from one host to another over a TCP-based network, such as the internet. Developed in 1971, it predates the modern internet but remains in use today.
FTP Basics
Protocol characteristics:
Layer: Application layer (Layer 7)
Transport: TCP
Ports: 20 (data), 21 (control)
Authentication: Username/password
Encryption: None (plain FTP)
Status: Legacy, being replaced
Purpose:
Upload files to servers
Download files from servers
Manage remote files
Website deployment
Backup and archiving
How FTP works:
1. Client connects to server (port 21)
2. Client authenticates (username/password)
3. Client sends commands
4. Server responds
5. Data transferred (port 20 or dynamic)
6. Connection closed
FTP Connection Modes
Active Mode
How it works:
1. Client connects to server port 21 (control)
2. Client sends PORT command with IP and port
3. Server connects back to client (port 20 → client port)
4. Data transferred
Connection flow:
Client (random port) → Server (port 21) [Control]
Client (random port) ← Server (port 20) [Data]
Issues:
Firewall problems: Server initiates data connection
NAT issues: Client behind NAT
Port forwarding: Required for client
Modern networks: Often blocked
Passive Mode (PASV)
How it works:
1. Client connects to server port 21 (control)
2. Client sends PASV command
3. Server responds with IP and port
4. Client connects to server (data connection)
5. Data transferred
Connection flow:
Client (random port) → Server (port 21) [Control]
Client (random port) → Server (random port) [Data]
Advantages:
Firewall friendly: Client initiates both connections
NAT compatible: Works behind NAT
Modern standard: Preferred mode
Configuration:
Server must allow passive port range
Firewall must allow passive ports
Typical range: 49152-65534
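The "server responds with IP and port" step, as an added example that is not part of the original guide: a client-side parser for the RFC 959 `227` reply that computes the data port and flags a data endpoint that does not match the control connection. The function names, finding labels and sample replies are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 reply format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(line):
    """Return (ip, port) from a 227 reply; raise ValueError if malformed."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    match = PASV_TUPLE.search(line)
    if match is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    nums = [int(n) for n in match.groups()]
    if max(nums) > 255:
        raise ValueError("field larger than one byte")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def check_data_endpoint(line, control_peer_ip, pasv_range=(49152, 65534)):
    """Compare the offered data endpoint with the control connection.

    control_peer_ip is the address the client actually connected to on
    port 21; pasv_range is the passive range the server is meant to use.
    """
    ip, port = parse_pasv_reply(line)
    findings = []
    if ip != control_peer_ip:
        findings.append("address-mismatch")
        if ipaddress.ip_address(ip).is_private:
            # Typical of a NATed server advertising its internal address.
            findings.append("private-address")
    if not pasv_range[0] <= port <= pasv_range[1]:
        findings.append("port-outside-range")
    return findings


# Constructed sample replies (documentation address ranges).
GOOD = "227 Entering Passive Mode (203,0,113,10,195,80)"
NATTED = "227 Entering Passive Mode (192,168,1,5,195,80)"
LOW_PORT = "227 Entering Passive Mode (203,0,113,10,0,22)"
```

A client that sees `address-mismatch` should connect the data channel to the control peer's address instead of the advertised one, or abort the transfer.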
FTP Commands
Common Commands
Connection:
USER username: Specify username
PASS password: Specify password
QUIT: Disconnect
Navigation:
PWD: Print working directory
CWD /path: Change directory
CDUP: Change to parent directory
LIST: List files
Transfer:
RETR filename: Download file
STOR filename: Upload file
APPE filename: Append to file
DELE filename: Delete file
Mode:
TYPE A: ASCII mode (text)
TYPE I: Binary mode (images, executables)
PASV: Enter passive mode
PORT: Specify client port (active mode)
FTP Response Codes
1xx - Preliminary:
150: File status okay, opening data connection
2xx - Success:
200: Command okay
220: Service ready
226: Closing data connection, transfer complete
230: User logged in
3xx - Intermediate:
331: Username okay, need password
350: Requested file action pending
4xx - Temporary failure:
421: Service not available
425: Can't open data connection
426: Connection closed, transfer aborted
450: File unavailable
5xx - Permanent failure:
500: Syntax error, command unrecognized
501: Syntax error in parameters
502: Command not implemented
530: Not logged in
550: File unavailable (not found, no access)
FTP Clients
Command Line
Linux/macOS (ftp):
# Connect
ftp ftp.example.com
# Login
Name: username
Password: ********
# Commands
ftp> pwd
ftp> ls
ftp> cd directory
ftp> get file.txt
ftp> put file.txt
ftp> mget *.txt
ftp> mput *.txt
ftp> binary
ftp> ascii
ftp> bye
lftp (advanced):
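# Connect and login (a password given on the command line ends up in shell
# history and the process list; give only -u username to be prompted instead)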
lftp -u username,password ftp.example.com
# Or interactive
lftp ftp.example.com
lftp> login username
# Commands
lftp> ls
lftp> get file.txt
lftp> put file.txt
lftp> mirror /remote/dir /local/dir
lftp> mirror -R /local/dir /remote/dir
lftp> pget -n 4 largefile.zip # parallel download
lftp> exit
curl:
# Download
curl -u username:password ftp://ftp.example.com/file.txt -o file.txt
# Upload
curl -u username:password -T file.txt ftp://ftp.example.com/
# List directory
curl -u username:password ftp://ftp.example.com/directory/
wget:
# Download
wget ftp://username:password@ftp.example.com/file.txt
# Download directory
wget -r ftp://username:password@ftp.example.com/directory/
GUI Clients
FileZilla (Cross-platform):
Features:
- Drag and drop
- Site manager
- Transfer queue
- Directory comparison
- SFTP/FTPS support
- Free and open source
WinSCP (Windows):
Features:
- Windows integration
- Scripting support
- Synchronization
- SFTP/SCP support
- Portable version
Cyberduck (macOS/Windows):
Features:
- Cloud storage integration
- Bookmark management
- External editor
- SFTP/S3 support
- Clean interface
Transmit (macOS):
Features:
- Fast transfers
- Sync folders
- Multiple connections
- Cloud services
- Commercial
FTP Security Issues
Plain FTP Problems
Unencrypted credentials:
Username: Transmitted in clear text
Password: Transmitted in clear text
Risk: Easy to intercept
Impact: Account compromise
Unencrypted data:
Files: Transferred in clear text
Content: Readable by anyone
Risk: Data theft
Impact: Privacy breach
Man-in-the-middle:
Attacker: Intercepts connection
Can: Read all data
Can: Modify files
Can: Steal credentials
Port scanning:
FTP: Well-known ports (20, 21)
Detection: Easy to find
Target: Common attack vector
Packet Capture Example
What an attacker sees:
USER alice
331 Password required for alice
PASS secretpassword123
230 User alice logged in
RETR confidential.doc
150 Opening BINARY mode data connection
[entire file contents visible]
226 Transfer complete
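The same capture from the monitoring side, as an added example that is not part of the original guide: a small auditor that takes reassembled port-21 control-channel lines and reports what was exposed, without ever storing the password value. The function names, report fields and the second sample session are constructed for illustration.

```python
import re

COMMAND = re.compile(r"^(USER|PASS|AUTH|RETR|STOR)\s+(\S.*)$", re.IGNORECASE)
REPLY = re.compile(r"^(\d{3})[ -]")

# Constructed input: the control-channel lines from the capture above.
CAPTURE = [
    "USER alice", "331 Password required for alice",
    "PASS secretpassword123", "230 User alice logged in",
    "RETR confidential.doc", "150 Opening BINARY mode data connection",
    "226 Transfer complete",
]
# Constructed input: an explicit FTPS session. After AUTH TLS succeeds
# (reply 234) a sensor sees only ciphertext, so no further lines appear.
FTPS_CAPTURE = ["AUTH TLS", "234 Proceed with negotiation"]


def audit_control_channel(lines):
    """Summarise what a passive observer learns from one session."""
    report = {"user": None, "password_seen": False, "login_ok": False,
              "tls_requested": False, "files_in_clear": []}
    last_verb = None
    for raw in lines:
        line = raw.strip()
        cmd = COMMAND.match(line)
        if cmd:
            last_verb, arg = cmd.group(1).upper(), cmd.group(2)
            if last_verb == "USER":
                report["user"] = arg
            elif last_verb == "PASS":
                report["password_seen"] = True  # value deliberately dropped
            elif last_verb == "AUTH":
                report["tls_requested"] = True
            else:  # RETR or STOR named a file in clear text
                report["files_in_clear"].append((last_verb, arg))
            continue
        reply = REPLY.match(line)
        if reply and reply.group(1) == "230" and last_verb == "PASS":
            report["login_ok"] = True
    return report


def severity(report):
    if report["password_seen"] and report["login_ok"]:
        return "high"    # working credentials were readable on the wire
    if report["password_seen"] or report["files_in_clear"]:
        return "medium"
    return "none"
```

Any `high` result means the account's password should be rotated and the client moved to SFTP or FTPS.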
Secure FTP Alternatives
FTPS (FTP over SSL/TLS)
Explicit FTPS (FTPES):
Port: 21 (starts unencrypted)
Command: AUTH TLS
Upgrade: Switches to encrypted
Compatibility: Better
Implicit FTPS:
Port: 990
Encryption: From start
Legacy: Older method
Compatibility: Limited
Configuration:
Encryption: SSL/TLS
Certificate: Required
Ports: 21 (explicit), 990 (implicit)
Firewall: Passive mode recommended
Advantages:
Encrypted credentials
Encrypted data
FTP compatibility
Certificate authentication
Disadvantages:
Complex firewall configuration
Passive mode port range
Certificate management
Less common than SFTP
SFTP (SSH File Transfer Protocol)
Characteristics:
Protocol: SSH-based (not FTP)
Port: 22
Encryption: Always encrypted
Authentication: SSH keys or password
How it works:
1. SSH connection established
2. SFTP subsystem started
3. Encrypted file transfer
4. All data encrypted
Advantages:
Single port (22)
Always encrypted
SSH key authentication
Firewall friendly
Widely supported
Disadvantages:
Not FTP (different protocol)
Requires SSH server
Different commands
SFTP client:
# Connect
sftp username@example.com
# Commands (similar to FTP)
sftp> ls
sftp> cd directory
sftp> get file.txt
sftp> put file.txt
sftp> exit
SFTP with key:
# Generate key
ssh-keygen -t ed25519
# Copy to server
ssh-copy-id username@example.com
# Connect (no password)
sftp username@example.com
SCP (Secure Copy)
Characteristics:
Protocol: SSH-based
Port: 22
Purpose: Simple file copy
Encryption: Always encrypted
Usage:
# Upload
scp file.txt username@example.com:/path/
# Download
scp username@example.com:/path/file.txt .
# Directory (recursive)
scp -r directory/ username@example.com:/path/
# Multiple files
scp file1.txt file2.txt username@example.com:/path/
Advantages:
Simple syntax
Always encrypted
SSH integration
Fast for single files
Disadvantages:
No resume capability
No directory browsing
Fewer features than SFTP
FTP Server Configuration
vsftpd (Very Secure FTP Daemon)
Installation:
# Debian/Ubuntu
sudo apt install vsftpd
# RHEL/CentOS
sudo yum install vsftpd
Configuration (/etc/vsftpd.conf):
# Basic settings
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
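# Security
chroot_local_user=YES
# allow_writeable_chroot=YES turns off vsftpd's refusal to chroot into a
# directory the user can write to; a non-writable home with a writable
# subdirectory for uploads keeps that check in place
allow_writeable_chroot=YES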
# Passive mode
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
# Logging
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
# Performance
max_clients=50
max_per_ip=5
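An added example, not part of the original guide or of vsftpd itself: a short audit that reads a vsftpd.conf and lists the options that fall short of this guide's own advice (encrypt, no anonymous access, chroot, logging, fixed passive range). The defaults table is taken from the vsftpd.conf man page as an assumption to confirm for your version; the function names are hypothetical.

```python
# Constructed input: the sample /etc/vsftpd.conf from this guide (trimmed).
GUIDE_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
xferlog_enable=YES
"""

# Values assumed when an option is absent, per the vsftpd.conf man page;
# confirm them against the version you run.
DEFAULTS = {"anonymous_enable": "YES", "ssl_enable": "NO",
            "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
            "local_enable": "NO", "chroot_local_user": "NO",
            "allow_writeable_chroot": "NO", "xferlog_enable": "NO"}


def parse_conf(text):
    """vsftpd.conf lines are option=value; '#' starts a comment line."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return the option names that leave the server weaker than advised."""
    conf = parse_conf(text)
    on = lambda key: conf.get(key, "").upper() == "YES"
    checks = [
        ("anonymous_enable", on("anonymous_enable")),
        ("ssl_enable", not on("ssl_enable")),  # plain FTP: no TLS at all
        ("force_local_logins_ssl", on("ssl_enable") and not on("force_local_logins_ssl")),
        ("force_local_data_ssl", on("ssl_enable") and not on("force_local_data_ssl")),
        ("chroot_local_user", on("local_enable") and not on("chroot_local_user")),
        ("allow_writeable_chroot", on("allow_writeable_chroot")),
        ("xferlog_enable", not on("xferlog_enable")),
        ("pasv_min_port", "pasv_min_port" not in conf or "pasv_max_port" not in conf),
    ]
    return [name for name, weak in checks if weak]
```

Run against the sample configuration above, it reports `ssl_enable` and `allow_writeable_chroot`: the server as configured still speaks plain FTP.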
Start service:
sudo systemctl start vsftpd
sudo systemctl enable vsftpd
Firewall:
# Allow FTP
sudo ufw allow 21/tcp
sudo ufw allow 40000:50000/tcp
# Or iptables
sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 40000:50000 -j ACCEPT
ProFTPD
Installation:
sudo apt install proftpd
Configuration (/etc/proftpd/proftpd.conf):
ServerName "FTP Server"
ServerType standalone
DefaultServer on
Port 21
# Passive mode
PassivePorts 49152 65534
# Security
DefaultRoot ~
RequireValidShell off
# Logging
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
TLS configuration:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2 TLSv1.3
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
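# NoSessionReuseRequired relaxes mod_tls's check that each data connection
# reuses the control connection's TLS session; set it only for clients
# that cannot reuse sessions
TLSOptions NoSessionReuseRequired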
</IfModule>
FTP Use Cases
Website Deployment
Traditional workflow:
1. Develop website locally
2. Connect to web host via FTP
3. Upload files to public_html/
4. Test website
5. Update as needed
Modern alternatives:
Git deployment
CI/CD pipelines
SFTP instead of FTP
Rsync over SSH
File Sharing
Internal file sharing:
Setup: FTP server on local network
Access: Employees upload/download
Security: Local network only
Alternative: Network shares, cloud storage
Public file distribution:
Setup: Anonymous FTP
Access: Public downloads
Security: Read-only
Alternative: HTTP/HTTPS, CDN
Backup and Archiving
Automated backups:
#!/bin/bash
# Backup script
lftp -u username,password ftp.backup.com <<EOF
cd backups
mput /path/to/backup/*.tar.gz
bye
EOF
Alternatives:
rsync over SSH
Cloud backup (S3, Backblaze)
Dedicated backup software
FTP Best Practices
Security
1. Use SFTP or FTPS:
Never use plain FTP
Always encrypt credentials
Always encrypt data
Use SSH keys when possible
2. Strong authentication:
Complex passwords
SSH key authentication
Two-factor authentication (if supported)
Disable anonymous access
3. Restrict access:
Chroot users to home directory
Limit file permissions
IP whitelisting
Disable unnecessary features
4. Monitor and log:
Enable transfer logging
Monitor failed logins
Alert on suspicious activity
Regular log review
Performance
1. Use passive mode:
Better firewall compatibility
NAT friendly
Modern standard
2. Binary mode for non-text:
TYPE I for images, executables
TYPE A only for text files
Prevents corruption
3. Parallel transfers:
Multiple connections (lftp)
Segmented downloads
Faster for large files
4. Compression:
Compress before transfer
Reduces transfer time
Trade CPU for bandwidth
Maintenance
1. Regular updates:
Update FTP server software
Security patches
Bug fixes
2. Certificate management:
Renew before expiration
Use trusted CAs
Monitor expiration
3. User management:
Remove inactive accounts
Review permissions
Audit access
4. Backup configuration:
Document settings
Version control
Test restoration
Troubleshooting FTP
Connection Issues
Can't connect:
Check: Server running
Check: Firewall rules
Check: Port 21 open
Check: Network connectivity
Test: telnet ftp.example.com 21
Timeout:
Check: Passive mode enabled
Check: Passive port range open
Check: NAT configuration
Check: Firewall timeout settings
Authentication failed:
Check: Username/password correct
Check: User account exists
Check: User has FTP access
Check: Account not locked
Transfer Issues
Transfer fails:
Check: File permissions
Check: Disk space
Check: Transfer mode (binary/ASCII)
Check: Firewall blocking data connection
Slow transfers:
Check: Network bandwidth
Check: Server load
Check: Passive mode
Try: Parallel transfers
Corrupted files:
Cause: Wrong transfer mode
Solution: Use binary mode
Verify: File checksums
Passive Mode Issues
425 Can't open data connection:
Cause: Passive ports blocked
Solution: Open passive port range
Configure: Firewall rules
PASV command fails:
Check: Server passive mode enabled
Check: Passive port range configured
Check: NAT/firewall configuration
Modern Alternatives to FTP
SFTP
Why choose SFTP:
Always encrypted
Single port (22)
SSH key authentication
Widely supported
Modern standard
HTTPS/WebDAV
Advantages:
Browser-based
Firewall friendly (port 443)
No special client needed
Encrypted
Cloud Storage
Options:
Dropbox, Google Drive, OneDrive
S3, Backblaze B2
Nextcloud, ownCloud
Advantages:
Easy sharing
Automatic sync
Version history
No server management
rsync
For backups and sync:
# Sync directories
rsync -avz /local/dir/ user@server:/remote/dir/
# Over SSH
rsync -avz -e ssh /local/dir/ user@server:/remote/dir/
Advantages:
Only transfers changes
Compression
Preserves permissions
Resume capability
Conclusion
FTP is a legacy protocol that served the internet well for decades but has significant security flaws. Plain FTP transmits credentials and data unencrypted, making it unsuitable for modern use. SFTP and FTPS provide encrypted alternatives, with SFTP being the preferred choice for most use cases due to its simplicity and security.
Key takeaways:
- FTP: Legacy, unencrypted, insecure
- FTPS: FTP with SSL/TLS encryption
- SFTP: SSH-based, always encrypted, preferred
- Plain FTP: Never use for sensitive data
- Passive mode: Modern standard, firewall-friendly
- Authentication: Use SSH keys when possible
- Alternatives: SFTP, HTTPS, cloud storage, rsync
- Security: Encryption essential
- Modern standard: SFTP over plain FTP
- Migration: Move to SFTP or HTTPS
Bottom line: If you're still using plain FTP, migrate to SFTP immediately. The security risks of unencrypted credentials and data transmission are unacceptable in today's threat landscape. SFTP provides all the functionality of FTP with strong encryption and better firewall compatibility, making it the clear choice for secure file transfer.