
How to Fix FTP on Linux Server? Passive Mode, TLS, and SELinux

To fix FTP on a Linux server, verify the daemon is running, confirm port 21 and passive ports are open, check logs for authentication or TLS errors, and correctly configure passive mode (especially behind NAT/firewalls). Resolve SELinux/AppArmor denials, validate user permissions and chroot settings, then retest with a client like FileZilla or curl.

FTP problems on Linux usually come from three places: service configuration, firewall/NAT, or authentication and permissions. In this guide, you’ll learn how to fix FTP on a Linux server step-by-step, whether you use vsftpd, ProFTPD, or Pure-FTPd. We’ll cover passive mode, FTPS, SELinux, and real error messages with working commands.


Quick checklist to diagnose FTP not working on Linux

  • Identify your FTP server (vsftpd, ProFTPD, Pure-FTPd) and check service status.
  • Confirm the server is listening on port 21 and a passive port range (PASV).
  • Open ports in firewalld/ufw/iptables and cloud security groups.
  • Configure passive mode with the correct public IP if behind NAT.
  • Check logs for 530/425/550 errors and fix auth/permissions.
  • Resolve SELinux/AppArmor denials and map passive ports to the right context.
  • Validate FTPS/TLS settings and client compatibility.
  • Retest with FileZilla, lftp, or curl.

Step 1: Identify your FTP server and service status

Most Linux servers use vsftpd by default. Some use ProFTPD or Pure-FTPd. Confirm which daemon is installed and whether it’s running.

Check installed package and version

# Debian/Ubuntu
dpkg -l | egrep 'vsftpd|proftpd|pure-ftpd'
# RHEL/CentOS/Rocky/Alma
rpm -qa | egrep 'vsftpd|proftpd|pure-ftpd'

Verify and enable service

# vsftpd example
sudo systemctl status vsftpd
sudo systemctl enable --now vsftpd

# ProFTPD
sudo systemctl status proftpd
sudo systemctl enable --now proftpd

# Pure-FTPd (service name may vary)
sudo systemctl status pure-ftpd
sudo systemctl enable --now pure-ftpd

If the service fails to start, check syntax and logs:

sudo journalctl -u vsftpd -xe
sudo tail -n 200 /var/log/vsftpd.log 2>/dev/null || true
sudo tail -n 200 /var/log/syslog 2>/dev/null || sudo tail -n 200 /var/log/messages

Step 2: Verify ports, listening sockets, and reachability

FTP control uses TCP 21. Data ports depend on active or passive mode. For passive mode, you must define and open a range (e.g., 21000–21010).

Check listening sockets

# Control channel: match ':21' followed by whitespace so that 21000-21010 do not also match
sudo ss -ltnp | grep -E ':21\s'
sudo lsof -iTCP:21 -sTCP:LISTEN -nP
# Passive ports are bound only while a session has issued PASV, so they do not show
# up here on an idle server; check the range from a client during a transfer instead

Test from client and server

# From a remote client
nc -vz your-server.example.com 21
# Passive ports only listen while a transfer is in progress: "refused" here means the
# host was reached (firewall open), "timed out" means something drops the packet
nc -vz your-server.example.com 21000

# Simple FTP banner check
curl -v telnet://your-server.example.com:21

# Discover open ports externally (21000-21010 show "closed" when idle, "filtered" when blocked)
nmap -Pn -p 21,21000-21010 your-server.example.com

If you see “Connection refused” on port 21, the daemon is down or a firewall actively rejects the packet. “Timed out” usually indicates a firewall/NAT issue dropping traffic between the client and server. Read the passive range differently: nothing listens on those ports until a client sends PASV during a session, so “refused” there means the packet reached the host, and only “timed out” points at a block.

Step 3: Fix firewall and NAT for active/passive FTP

Open port 21 and the passive range in your host firewall and any upstream devices (cloud security groups, load balancers, home routers).

firewalld (RHEL/Rocky/Alma/CentOS)

sudo firewall-cmd --permanent --add-service=ftp     # opens 21/tcp
sudo firewall-cmd --permanent --add-port=21000-21010/tcp
sudo firewall-cmd --reload

UFW (Ubuntu/Debian)

sudo ufw allow 21/tcp
sudo ufw allow 21000:21010/tcp
sudo ufw reload
sudo ufw status

iptables (legacy)

sudo iptables -I INPUT -p tcp --dport 21 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 21000:21010 -j ACCEPT
sudo service iptables save 2>/dev/null || sudo iptables-save | sudo tee /etc/iptables.rules

If your server is behind NAT, forward 21/tcp and the passive range from the edge to the server’s private IP. In AWS, Azure, or GCP, also allow these ports in security groups/firewall rules.

Step 4: Configure passive mode correctly (behind NAT/cloud)

Most modern clients use passive mode. The server must advertise a reachable public IP and open a defined port range.

# /etc/vsftpd/vsftpd.conf (key passive settings)
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010
# Advertise the address clients can actually reach: your public IP, or a hostname
pasv_address=203.0.113.10
# Only needed when pasv_address is a hostname rather than an IP
pasv_addr_resolve=YES

Restart the service after changes:

sudo systemctl restart vsftpd

For ProFTPD, use MasqueradeAddress and PassivePorts. For Pure-FTPd, use -P for public IP and -p for the passive range.
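As an added example (not code from the original post), the following script lints the passive-mode settings that Steps 3 and 4 depend on, reading them from a vsftpd.conf, and prints the firewalld and ufw rules that match the configured range. The two config files and the addresses 203.0.113.10 and 10.0.0.5 are constructed samples, and conf_get, is_private_ipv4, lint_pasv and firewall_cmds are names chosen here. It goes one step beyond the text by catching the most common NAT mistake: a pasv_address that is an RFC 1918 private address no remote client can reach.

```shell
#!/bin/sh
# Added example, not from the original post: lint passive-mode settings in a
# vsftpd.conf and emit the firewall rules that match them.
# The two configs below are constructed samples written to temp files.

good_conf=$(mktemp); bad_conf=$(mktemp)
trap 'rm -f "$good_conf" "$bad_conf"' EXIT

cat > "$good_conf" <<'EOF'
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010
# pasv_address=192.168.1.5   (an old commented-out value must be ignored)
pasv_address=203.0.113.10
EOF

cat > "$bad_conf" <<'EOF'
pasv_enable=YES
pasv_min_port=21010
pasv_max_port=21000
pasv_address=10.0.0.5
EOF

# conf_get FILE KEY -> value of KEY; comment lines are skipped, last occurrence wins
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# is_private_ipv4 ADDR -> true when ADDR is in an RFC 1918 range, i.e. unreachable
# from the internet and therefore useless as the advertised passive address
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# lint_pasv FILE -> prints one line per finding; exit status is the number of findings
lint_pasv() {
    _conf="$1"; _n=0
    _enable=$(conf_get "$_conf" pasv_enable)
    _min=$(conf_get "$_conf" pasv_min_port)
    _max=$(conf_get "$_conf" pasv_max_port)
    _addr=$(conf_get "$_conf" pasv_address)

    if [ "$_enable" != "YES" ]; then
        echo "WARN pasv_enable='${_enable:-unset}': modern clients expect passive mode"
        _n=$((_n + 1))
    fi
    if [ -z "$_min" ] || [ -z "$_max" ]; then
        echo "WARN pasv_min_port/pasv_max_port unset: vsftpd picks random high ports no firewall rule covers"
        _n=$((_n + 1))
    elif [ "$_min" -gt "$_max" ]; then
        echo "ERR pasv_min_port=$_min is greater than pasv_max_port=$_max"
        _n=$((_n + 1))
    fi
    if [ -z "$_addr" ]; then
        echo "WARN pasv_address unset: behind NAT the server advertises its private IP"
        _n=$((_n + 1))
    elif is_private_ipv4 "$_addr"; then
        echo "ERR pasv_address=$_addr is private: remote clients cannot connect to it"
        _n=$((_n + 1))
    fi
    return "$_n"
}

# firewall_cmds FILE -> firewalld and ufw commands for the configured range
firewall_cmds() {
    _min=$(conf_get "$1" pasv_min_port); _max=$(conf_get "$1" pasv_max_port)
    echo "firewall-cmd --permanent --add-service=ftp"
    echo "firewall-cmd --permanent --add-port=${_min}-${_max}/tcp"
    echo "ufw allow 21/tcp"
    echo "ufw allow ${_min}:${_max}/tcp"
}

echo "== good config =="
lint_pasv "$good_conf" && echo "passive settings OK" && firewall_cmds "$good_conf"
echo "== bad config =="
lint_pasv "$bad_conf" || echo "$? problem(s) found; fix before opening ports"
```

Run it against your real file with `lint_pasv /etc/vsftpd/vsftpd.conf`; the exit status makes it usable as a pre-deploy gate, and the printed rules can be pasted into the firewall commands from Step 3.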

Step 5: Review authentication, users, and chroot

“530 Login incorrect” indicates credentials, PAM, or restrictions like /etc/ftpusers. “550 Permission denied” often points to directory ownership and file perms.

Common vsftpd auth and chroot options

# /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
user_sub_token=$USER
local_root=/home/$USER/ftp

Create a user and set a proper home directory and permissions:

sudo useradd -m -s /usr/sbin/nologin ftpuser
echo "ftpuser:StrongPassword" | sudo chpasswd
sudo mkdir -p /home/ftpuser/ftp/upload
sudo chown -R ftpuser:ftpuser /home/ftpuser/ftp/upload
sudo chmod 755 /home/ftpuser/ftp
sudo chmod 750 /home/ftpuser/ftp/upload

Make sure the user isn’t blocked in /etc/ftpusers or /etc/vsftpd/user_list if those lists deny logins. Two more causes of “530 Login incorrect” are worth checking: if the user’s shell is /usr/sbin/nologin, that shell must be listed in /etc/shells or PAM’s pam_shells check rejects the login; and vsftpd refuses to enter a chroot whose root directory is writable by the user. The layout above keeps /home/ftpuser/ftp root-owned and non-writable with a writable upload/ subdirectory, so allow_writeable_chroot=YES is only required if the chroot root itself must accept writes. For ProFTPD/Pure-FTPd, check the corresponding auth modules and user lists.
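To make the chroot rules above checkable, here is an added audit script (not code from the original post) that tests a chroot layout the way vsftpd does: the chroot root must not be writable by the FTP user, while the upload directory must belong to that user. The directory tree is constructed in a temporary directory, "ftpuser" is a made-up user name, and mode_bits, chroot_root_writable and audit_chroot are names chosen here; the writability test is a conservative approximation of vsftpd's own check (it does not resolve group membership).

```shell
#!/bin/sh
# Added example, not from the original post: audit the chroot layout from Step 5.
# vsftpd refuses a login whose chroot root is writable by the user
# ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") unless
# allow_writeable_chroot=YES is set; the upload subdirectory, by contrast, must be
# writable. The tree is constructed in a temp dir; "ftpuser" is a made-up name.

# mode_bits DIR -> last three octal digits of DIR's mode (e.g. 755)
mode_bits() {
    _m=$(stat -c '%a' "$1"); _p=${_m%???}
    printf '%s\n' "${_m#"$_p"}"
}

# chroot_root_writable DIR USER -> true when USER could write into DIR.
# Conservative approximation of vsftpd's check: owner write bit when USER owns DIR,
# or any group/other write bit (group membership is not resolved here).
chroot_root_writable() {
    _owner=$(stat -c '%U' "$1"); _mode=$(mode_bits "$1")
    _u=${_mode%??}; _o=${_mode#??}; _g=${_mode#?}; _g=${_g%?}
    if [ "$_owner" = "$2" ] && [ $((_u & 2)) -ne 0 ]; then return 0; fi
    [ $((_g & 2)) -ne 0 ] || [ $((_o & 2)) -ne 0 ]
}

# audit_chroot ROOT UPLOAD USER -> prints findings; status 0 only when the layout is sound
audit_chroot() {
    _ok=0
    if chroot_root_writable "$1" "$3"; then
        echo "FAIL: chroot root $1 is writable by $3 (login refused without allow_writeable_chroot=YES)"
        _ok=1
    else
        echo "ok: chroot root $1 is not writable by $3"
    fi
    if [ "$(stat -c '%U' "$2")" != "$3" ]; then
        echo "FAIL: upload dir $2 is not owned by $3 (uploads will return 550)"
        _ok=1
    else
        echo "ok: upload dir $2 is owned by $3"
    fi
    return "$_ok"
}

# Demo on a constructed tree owned by whoever runs this script.
me=$(id -un); demo=$(mktemp -d)
mkdir -p "$demo/ftp/upload"; chmod 555 "$demo/ftp"; chmod 750 "$demo/ftp/upload"
echo "== chroot root without a write bit for its owner, upload dir owned by the user =="
audit_chroot "$demo/ftp" "$demo/ftp/upload" "$me" && echo "layout OK"
echo "== same tree after a blanket chmod 755 on the chroot root (the classic mistake) =="
chmod 755 "$demo/ftp"
audit_chroot "$demo/ftp" "$demo/ftp/upload" "$me" || echo "layout needs fixing"
rm -rf "$demo"
```

On a real server run `audit_chroot /home/ftpuser/ftp /home/ftpuser/ftp/upload ftpuser` as root; a FAIL on the first line explains the "500 OOPS" refusal, a FAIL on the second explains 550 on upload.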

Step 6: TLS/FTPS and client compatibility

Explicit FTPS (FTP over TLS on port 21) is common. Provide a certificate and tune options for modern clients like FileZilla.

# vsftpd FTPS
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# vsftpd does not accept a trailing comment on a setting line; keep notes on their own line.
# require_ssl_reuse=NO helps with some clients (e.g., FileZilla) that open data connections without resuming the TLS session.
require_ssl_reuse=NO
ssl_ciphers=HIGH

Test TLS from the server or a remote host:

openssl s_client -starttls ftp -crlf -connect your-server.example.com:21

If clients fail to list directories but login succeeds, suspect passive ports, TLS session reuse settings, or a deep packet inspection firewall.

Step 7: SELinux/AppArmor and security tools

On RHEL-family systems, SELinux can block FTP writes and passive ports. Enable required booleans and label ports.

# Enable common SELinux booleans
# ftpd_full_access lets the daemon read and write anywhere file permissions allow;
# if users only need their home directories, the narrower ftp_home_dir boolean is enough
sudo setsebool -P ftpd_full_access=1
sudo setsebool -P ftpd_use_passive_mode=1

# Map your passive port range to ftp_port_t
sudo semanage port -a -t ftp_port_t -p tcp 21000-21010 2>/dev/null || \
sudo semanage port -m -t ftp_port_t -p tcp 21000-21010

# Check for denials
sudo ausearch -m avc -ts recent | tail

On Ubuntu/Debian with AppArmor, check /etc/apparmor.d/usr.sbin.vsftpd and allow the directories you need, then reload profiles. If you use Fail2ban, ensure it isn’t banning your IP after failed logins.

Step 8: Read logs and decode common FTP errors

Logs tell you exactly where FTP is failing. Look at daemon logs and system logs:

# (RHEL-family systems log PAM authentication to /var/log/secure instead of auth.log)
sudo tail -f /var/log/vsftpd.log /var/log/auth.log 2>/dev/null
sudo journalctl -u vsftpd -f

  • 421 Service not available: The daemon crashed or rate limits hit. Check system resources.
  • 425 Can’t open data connection: Passive ports or NAT not configured, or TLS reuse issue.
  • 530 Login incorrect: Wrong credentials, PAM issues, blocked user, or shell restrictions.
  • 550 Permission denied: File/dir ownership or permissions, or chroot write restrictions.
  • Connection refused: Service down or port blocked locally.
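Reading the log by hand works for one session; the added script below (not code from the original post) triages a vsftpd.log written with xferlog_std_format=NO, counts the event classes listed above, lists the clients with the most failed logins, and flags those over a threshold, which is the same "FAIL LOGIN" pattern Fail2ban's vsftpd filter keys on. The log lines are a constructed sample using the documentation addresses 198.51.100.7, 203.0.113.22 and 192.0.2.9, and summarize_log, failed_logins_by_client, flag_brute_force and failed_uploads are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: triage a vsftpd.log (xferlog_std_format=NO)
# and flag clients hammering the login with failures. The log lines below are a
# constructed sample; the IP addresses are documentation ranges.

ftp_log=$(mktemp)
trap 'rm -f "$ftp_log"' EXIT
cat > "$ftp_log" <<'EOF'
Mon Mar  4 10:01:12 2024 [pid 2201] [ftpuser] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  4 10:01:15 2024 [pid 2201] [ftpuser] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  4 10:01:19 2024 [pid 2201] [admin] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  4 10:02:03 2024 [pid 2210] [ftpuser] OK LOGIN: Client "203.0.113.22"
Mon Mar  4 10:02:40 2024 [pid 2211] [ftpuser] FAIL UPLOAD: Client "203.0.113.22", "/upload/report.pdf", 0.00Kbyte/sec
Mon Mar  4 10:03:05 2024 [pid 2212] [bob] FAIL LOGIN: Client "192.0.2.9"
EOF

# summarize_log FILE -> one line with counts per event class (530-, 550-type events)
summarize_log() {
    awk '/FAIL LOGIN/ {f++} /OK LOGIN/ {o++} /FAIL UPLOAD/ {u++}
         END {printf "failed_logins=%d ok_logins=%d failed_uploads=%d\n", f, o, u}' "$1"
}

# failed_logins_by_client FILE -> "COUNT IP" per client, busiest first
failed_logins_by_client() {
    awk -F'"' '/FAIL LOGIN/ {c[$2]++} END {for (ip in c) print c[ip], ip}' "$1" | sort -rn
}

# flag_brute_force FILE THRESHOLD -> clients with at least THRESHOLD failed logins,
# the pattern Fail2ban's vsftpd filter matches before banning a source
flag_brute_force() {
    failed_logins_by_client "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# failed_uploads FILE -> "IP PATH" per FAIL UPLOAD: the 550-class events to check
# against directory ownership, permissions and SELinux booleans
failed_uploads() {
    awk -F'"' '/FAIL UPLOAD/ {print $2, $4}' "$1"
}

echo "== summary ==";                     summarize_log "$ftp_log"
echo "== failed logins by client ==";     failed_logins_by_client "$ftp_log"
echo "== clients at or over 3 failures =="; flag_brute_force "$ftp_log" 3
echo "== failed uploads ==";              failed_uploads "$ftp_log"
```

Point the functions at /var/log/vsftpd.log on a live server; if flag_brute_force lists your own address after a run of typos, that is the Fail2ban ban the AppArmor paragraph warns about, not an FTP misconfiguration.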

Step 9: Consider SFTP as a secure alternative

SFTP runs over SSH on port 22 and avoids passive/active port complexity. It’s simpler to secure and troubleshoot.

# Quick SFTP test
sftp user@your-server.example.com

# Ensure sshd has SFTP enabled in /etc/ssh/sshd_config
# (Debian/Ubuntu path shown; the RHEL family uses /usr/libexec/openssh/sftp-server.
#  "Subsystem sftp internal-sftp" works on both and needs no binaries inside a chroot.)
Subsystem sftp /usr/lib/openssh/sftp-server

For SFTP-only users with chroot, configure a Match block and correct directory ownership to root for the chroot directory. This is often easier than hardening FTP/FTPS for internet use.

Sample minimal vsftpd.conf (production-ready baseline)

# /etc/vsftpd/vsftpd.conf
listen=YES
listen_ipv6=NO

# Security
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES

# Passive mode
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010
pasv_address=203.0.113.10
pasv_addr_resolve=YES

# FTPS
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
force_local_logins_ssl=YES
force_local_data_ssl=YES
require_ssl_reuse=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

# Logging
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES

# Performance
idle_session_timeout=600
data_connection_timeout=120

# PAM and userlist
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
# Create /etc/vsftpd/user_list and add allowed users

Troubleshooting scenarios and fixes

  • FileZilla connects but directory listing fails: Open passive ports, set require_ssl_reuse=NO, and ensure NAT forwards the passive range.
  • Uploads fail with 550: Fix ownership (chown user:user) and permissions (e.g., 750) on target directories; verify SELinux booleans.
  • “Connection timed out” after login: Client cannot reach passive ports; update firewall/security groups.
  • Cannot login as local user: Ensure local_enable=YES, the user is not in /etc/ftpusers, and PAM points to the right modules.
  • Behind corporate firewall: Use explicit FTPS or SFTP; some networks block active mode and high-numbered ports.

When to escalate and how YouStable can help

If you’ve followed the steps and FTP still fails, the issue may be upstream (provider firewall, IDS/IPS, or misrouted NAT) or due to complex policies like AppArmor profiles. At YouStable, our managed VPS and dedicated servers come with SFTP/FTPS pre-hardened, correct firewall rules, and 24×7 expert support to diagnose edge-case networking and security problems.

We also migrate your sites securely, tune performance, and implement least-privilege access so you can stop firefighting FTP and focus on your projects.

FAQs

Why does FTP say “Connection refused” on Linux?

Either the FTP daemon isn’t running or a firewall blocks port 21. Start and enable your service, confirm it listens on 21, and open TCP/21 in firewalld or UFW. Also check cloud security groups and provider firewalls.

How do I fix “425 Can’t open data connection”?

Define a passive port range on the server, open that range in all firewalls and NAT, and set the correct public IP (e.g., pasv_address for vsftpd). Some clients also need require_ssl_reuse=NO when using FTPS.

What ports should I open for FTP passive mode?

Always open TCP/21 for the control channel plus a defined passive range, such as TCP/21000–21010. Forward these on your router/NAT and allow them in cloud security groups. The exact range is your choice; keep it as small as practical.

Is FTPS better than FTP? What about SFTP?

FTPS encrypts FTP with TLS and is far safer than plain FTP. SFTP, which runs over SSH, is simpler to deploy because it uses a single port (22) and avoids passive/active complexities. For internet-facing servers, SFTP is usually the easiest and most secure option.

How do I check if SELinux is blocking FTP?

Run getenforce to see if SELinux is Enforcing, then use ausearch -m avc -ts recent or journalctl to find denials. Enable ftpd_use_passive_mode and ftpd_full_access booleans and map passive ports with semanage port as shown above.

Sanjeet Chauhan

Sanjeet Chauhan is a blogger & SEO expert, dedicated to helping websites grow organically. He shares practical strategies, actionable tips, and insights to boost traffic, improve rankings, & maximize online presence.
