
How to Use FTP on Linux Server 2026? – (Step by Step Expert Guide)

To use FTP on a Linux server: install an FTP service (vsftpd), open ports 21 and a passive range, create users and set permissions, enable TLS (FTPS) or prefer SFTP, then connect via a client (FileZilla) or CLI (ftp/lftp). Test, automate, and harden for production.

If you’re wondering how to use FTP on Linux server environments, this guide walks you through setup, secure configuration, and daily operations.

We’ll cover installing a production ready FTP service, opening firewalls, enabling FTPS, creating users, connecting from clients, and troubleshooting using practical, step by step commands you can copy & run.


What is FTP and When Should You Use it?

FTP (File Transfer Protocol) is a legacy protocol for transferring files between a client and server. It’s simple and widely supported, but it’s unencrypted by default.

For internet-facing workloads, use encrypted options like FTPS (FTP over TLS) or SFTP (over SSH). For private networks or legacy systems, FTP may still be appropriate.

FTP vs FTPS vs SFTP

  • FTP: Plain text credentials and data. Use only on trusted networks.
  • FTPS: FTP with TLS encryption. Works with traditional FTP clients; requires certificates.
  • SFTP: Runs over SSH (port 22), simpler through firewalls, strong security by default.

Modern best practice: prefer SFTP or FTPS. Only use plain FTP if you must—and never expose it to the public internet without compensating controls.


Prerequisites

What You Need

  • A Linux server (Ubuntu/Debian, AlmaLinux/Rocky/CentOS, or similar).
  • Root or sudo access via SSH.
  • Firewall access to open required ports.
  • Domain or public IP (especially when behind NAT).

Choosing Your FTP Server

  • vsftpd: Very secure and fast. Great defaults for production.
  • ProFTPD: Highly configurable, Apache-like syntax.
  • Pure-FTPd: Lightweight, easy virtual users, good performance.

This tutorial uses vsftpd because it’s widely available, efficient, and secure by design.


Install an FTP Server on Linux

Ubuntu/Debian

sudo apt update
sudo apt install -y vsftpd
sudo systemctl enable --now vsftpd
sudo systemctl status vsftpd

AlmaLinux/Rocky/CentOS/RHEL

sudo dnf install -y vsftpd
sudo systemctl enable --now vsftpd
sudo systemctl status vsftpd

Open Firewall Ports

FTP uses port 21 for control and a range of ports for passive data connections. Open both to allow transfers.

UFW (Ubuntu)

# Allow control channel
sudo ufw allow 21/tcp
# Allow a passive port range you will configure (e.g., 30000-31000)
sudo ufw allow 30000:31000/tcp
sudo ufw reload
sudo ufw status

firewalld (RHEL family)

sudo firewall-cmd --permanent --add-service=ftp
sudo firewall-cmd --permanent --add-port=30000-31000/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

If SELinux Is Enforcing

# Broad: lets vsftpd read and write any file the Unix permissions allow (use sparingly)
sudo setsebool -P ftpd_full_access on
# Narrower alternative: only allow passive-mode data connections
sudo setsebool -P ftpd_use_passive_mode on

# Label your FTP directory properly (example: /srv/ftp).
# public_content_t is a read-only label; upload directories need public_content_rw_t
sudo semanage fcontext -a -t public_content_t "/srv/ftp(/.*)?"
sudo restorecon -Rv /srv/ftp

Prefer least privilege: enable only the booleans you need and label directories correctly instead of granting broad access.


Secure vsftpd Configuration (FTPS)

Backup and Edit the Config

# Debian/Ubuntu path shown; on the RHEL family the file is /etc/vsftpd/vsftpd.conf
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
sudo nano /etc/vsftpd.conf

Use the following sensible baseline. Adjust passive ports to match your firewall rules and set your public IP or hostname if you’re behind NAT.

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES

# Restrict users to their home
chroot_local_user=YES
allow_writeable_chroot=YES

# Passive mode
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
# If behind NAT, set your public IP (a DNS name also needs pasv_addr_resolve=YES)
# pasv_address=203.0.113.10

# Logging
xferlog_enable=YES
xferlog_std_format=YES

# TLS/FTPS
ssl_enable=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
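# NO relaxes the TLS session-reuse check on data connections for clients that
# cannot reuse sessions; YES (the default) is stricter
require_ssl_reuse=NO
ssl_ciphers=HIGH

# Protocol versions: keep SSLv2/SSLv3 off. TLS 1.0 and 1.1 are deprecated (RFC 8996);
# enable them only for legacy clients that cannot use TLS 1.2
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO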

Create a TLS Certificate

sudo mkdir -p /etc/ssl/private
sudo openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout /etc/ssl/private/vsftpd.pem \
  -out /etc/ssl/private/vsftpd.pem
sudo chmod 600 /etc/ssl/private/vsftpd.pem

Restart vsftpd

sudo systemctl restart vsftpd
sudo systemctl status vsftpd

At this point, your server supports FTPS (explicit TLS). Most clients will connect to port 21 and negotiate TLS automatically.


Create FTP Users and Set Permissions

Create a User and Directory

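# Example: user 'webuser' with home directory /srv/ftp/web
# The nologin shell blocks SSH logins. On Debian/Ubuntu, pam_shells rejects shells
# missing from /etc/shells, so add /usr/sbin/nologin there if FTP login returns 530
sudo useradd -m -d /srv/ftp/web -s /usr/sbin/nologin webuser
sudo passwd webuser

# Ensure ownership and secure permissions
sudo chown -R webuser:webuser /srv/ftp/web
sudo chmod -R 755 /srv/ftp/web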

For uploads, give write access to specific subfolders (e.g., /srv/ftp/web/uploads) instead of the root of the chroot to maintain security.

Optional: Virtual Users

vsftpd supports virtual users mapped to a system account for large multi-user environments. It offers isolation without creating many shell users. For most small teams, standard local users with chroot are sufficient.


Connect to the Server (CLI and GUI)

Command Line (ftp and lftp)

# Plain FTP (not encrypted) - only use on trusted networks
ftp -inv your-server.tld 21
# inside ftp:
# user <username> <password>
# ls
# put localfile
# get remotefile
# bye

# Recommended: lftp (supports FTPS and robust mirroring)
sudo apt install -y lftp  # or: sudo dnf install -y lftp
lftp -u webuser your-server.tld
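# For explicit FTPS. "ssl:verify-certificate no" skips certificate validation, so use it
# only to test the self-signed certificate; otherwise trust the certificate (e.g., set ssl:ca-file)
lftp -u webuser -e "set ftp:ssl-force true; set ssl:verify-certificate no" your-server.tld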

SFTP (Safer, Over SSH)

SFTP doesn’t require vsftpd—if you already have SSH, you have SFTP. It’s simpler through firewalls and fully encrypted.

# Connect via SFTP
sftp webuser@your-server.tld
# Upload/download
put localfile
get remotefile
# Recursive
put -r localdir
get -r remotedir

Graphical Clients (FileZilla, WinSCP, Cyberduck)

  • Protocol: choose FTPS (Explicit TLS) or SFTP.
  • Host: your domain or IP.
  • Username/Password: the account you created.
  • Passive mode: enabled.
  • Port: 21 for FTPS, 22 for SFTP.

Passive Mode and NAT Considerations

FTP opens separate data connections. Passive mode is mandatory behind firewalls/NAT. Set a narrow passive range in vsftpd, open it in your firewall, and, if behind NAT, set pasv_address to your public IP or DNS. This prevents data channel timeouts.

# /etc/vsftpd.conf (excerpt)
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
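# Your public IP (a hostname also needs pasv_addr_resolve=YES).
# vsftpd does not support inline comments: keep comments on their own line.
pasv_address=203.0.113.10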

Automate Transfers and Backups

lftp Mirror Examples

# Upload a local directory to the server via FTPS
lftp -u webuser -e "set ftp:ssl-force true; mirror -R ./site /public_html; bye" your-server.tld

# Download a remote directory
lftp -u webuser -e "set ftp:ssl-force true; mirror /public_html ./backup; bye" your-server.tld

Schedule with Cron

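crontab -e
# Nightly sync at 2:30 AM
# cron cannot answer a password prompt and starts in the user's home directory:
# supply credentials non-interactively (lftp reads ~/.netrc; keep it mode 600) and prefer absolute local paths
30 2 * * * lftp -u webuser -e "set ftp:ssl-force true; mirror -R ./site /public_html; bye" your-server.tld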

Troubleshooting FTP on Linux

Check Services, Ports, and TLS

# Service health
sudo systemctl status vsftpd

# Confirm listening ports
sudo ss -tulpn | grep :21

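# Test connectivity from client
nc -vz your-server.tld 21
# Passive ports only listen while a transfer is pending: "connection refused" here usually
# means the packet reached the server, while a timeout points to a firewall drop
nc -vz your-server.tld 30005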

# Test FTPS negotiation
openssl s_client -connect your-server.tld:21 -starttls ftp

Review Logs

sudo tail -f /var/log/vsftpd.log
sudo journalctl -u vsftpd -f
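# SELinux denials: explain them first
sudo ausearch -m avc -ts recent | audit2why
# The next command builds and installs a module that allows every recent denial;
# review the generated ftpfix.te and narrow it before relying on the result
sudo ausearch -m avc -ts recent | audit2allow -M ftpfix && sudo semodule -i ftpfix.pp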

Common Errors and Fixes

  • 530 Login incorrect: wrong credentials or user shell set to nologin without PAM mapping; reset password and verify user exists.
  • Timeouts listing or transferring: passive ports/firewall not open; set pasv_min/max and open the range.
  • 426/425 errors: NAT not configured; set pasv_address to public IP.
  • TLS handshake fails: certificate path/permissions wrong; ensure 600 on PEM and correct path in config.
  • Chroot write errors: add allow_writeable_chroot=YES and create dedicated writable subfolders.

Best Practices and Hardening

  • Prefer SFTP or FTPS; disable plain FTP on the public internet.
  • Disable anonymous access; enforce strong passwords or SSH keys.
  • Use chroot to isolate users to their home directories.
  • Limit passive port ranges and restrict firewall rules.
  • Enable fail2ban to block brute-force attempts.
  • Keep vsftpd and OS packages updated.
  • Audit logs regularly and rotate TLS certificates on schedule.
  • If compliance-bound, restrict ciphers to modern suites and disable outdated TLS versions.
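
The items in this list that live in vsftpd.conf can be checked by script. The following is an added example, not part of the original guide or of vsftpd: the function names and finding codes are this example's own, the default firewall range is the 30000-31000 range used above, and absent keys are assumed to take vsftpd's upstream defaults.

```shell
#!/bin/sh
# Added example, not from the guide: audit a vsftpd.conf against its baseline.
# Absent keys fall back to vsftpd's upstream defaults (an assumption here).

# conf_get FILE KEY DEFAULT -> last value assigned to KEY, else DEFAULT
conf_get() {
    awk -F= -v k="$2" -v d="$3" '$1 == k { d = substr($0, length(k) + 2) }
        END { print d }' "$1"
}

# audit_vsftpd FILE [FW_MIN FW_MAX] -> one finding code per line on stdout
audit_vsftpd() {
    f=$1; fw_min=${2:-30000}; fw_max=${3:-31000}
    [ "$(conf_get "$f" anonymous_enable YES)" = NO ]  || echo ANONYMOUS_LOGIN
    [ "$(conf_get "$f" ssl_enable NO)" = YES ]        || echo TLS_DISABLED
    [ "$(conf_get "$f" chroot_local_user NO)" = YES ] || echo NO_CHROOT
    for k in force_local_logins_ssl force_local_data_ssl; do
        [ "$(conf_get "$f" "$k" YES)" = YES ] || echo "PLAINTEXT_ALLOWED:$k"
    done
    for k in ssl_sslv2 ssl_sslv3 ssl_tlsv1 ssl_tlsv1_1; do
        if [ "$(conf_get "$f" "$k" NO)" = YES ]; then echo "LEGACY_PROTOCOL:$k"; fi
    done
    min=$(conf_get "$f" pasv_min_port 0); max=$(conf_get "$f" pasv_max_port 0)
    case "$min:$max" in
        *[!0-9:]*|:*|*:) echo PASV_RANGE_INVALID ;;
        *) if [ "$min" -eq 0 ] || [ "$max" -eq 0 ] || [ "$min" -gt "$max" ]; then
               echo PASV_RANGE_NOT_PINNED
           elif [ "$min" -lt "$fw_min" ] || [ "$max" -gt "$fw_max" ]; then
               echo "PASV_RANGE_OUTSIDE_FIREWALL:$min-$max"
           fi ;;
    esac
    # vsftpd has no inline comments: everything after '=' is the value
    grep -nE '^[a-z0-9_]+=.*([[:space:]]|#.*)$' "$f" | sed 's/^/BAD_VALUE_LINE:/' || true
}

# Constructed sample: weak TLS setting, wide passive range, inline comment
demo_conf() {
    printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'ssl_enable=YES' \
        'ssl_tlsv1=YES' 'chroot_local_user=YES' 'pasv_min_port=30000' \
        'pasv_max_port=32000' 'pasv_address=203.0.113.10  # public IP'
}

if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp); demo_conf > "$t"; audit_vsftpd "$t"; rm -f "$t"
elif [ $# -ge 1 ]; then
    audit_vsftpd "$@"
fi
```

Run it with `--demo` to audit the constructed sample, or pass a config path and, optionally, the firewall's passive range as two further arguments.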

When Managed Hosting Makes Life Easier

If you’d rather avoid deep server tuning, a managed VPS or cloud server can help. At YouStable, our engineers configure secure SFTP/FTPS, firewall rules, and monitoring for you, so you can focus on development and content instead of protocols and ports. Ask our team for a hardened setup tailored to your stack.


FAQs

Is FTP or SFTP better for a Linux server?

SFTP is generally better. It runs over SSH, is encrypted by default, and requires only port 22. FTPS is also secure but needs certificates and multiple ports. Avoid plain FTP on the public internet because credentials and data are unencrypted.

Which ports do I open for FTP?

Open TCP 21 for the control channel and a passive range for data (for example, 30000–31000). Configure the same range in vsftpd.conf and your firewall. For SFTP, only TCP 22 is needed.

How do I enable passive mode in vsftpd?

Set pasv_enable=YES and define pasv_min_port/pasv_max_port. If the server is behind NAT, set pasv_address to the public IP or DNS. Open the same port range in the firewall to avoid timeouts.

How can I restrict a user to a specific directory?

Enable chroot_local_user=YES and allow_writeable_chroot=YES in vsftpd.conf. Create the user with a dedicated home (e.g., /srv/ftp/user) and set ownership to that user. Provide write access only to necessary subfolders.

What’s the easiest way to transfer entire folders?

Use lftp’s mirror command for FTPS or the sftp -r flag for SFTP. Example: lftp -u user -e "set ftp:ssl-force true; mirror -R ./site /public_html; bye" host.tld or sftp user@host.tld then put -r ./folder.

With the steps above, you now know how to use FTP on Linux server instances securely and efficiently—from installation to automation. For production deployments where uptime and security matter, consider managed hosting from YouStable to get expert-built FTP/SFTP that just works.

Sanjeet Chauhan

Sanjeet Chauhan is a blogger & SEO expert, dedicated to helping websites grow organically. He shares practical strategies, actionable tips, and insights to boost traffic, improve rankings, & maximize online presence.
