How to Configure FTP on Linux Server – (Step-by-Step Guide 2026)

To configure FTP on a Linux server in 2026, install an FTP daemon (vsftpd), create a dedicated user and directory, enable chroot and passive mode, secure it with TLS (FTPS), open firewall ports (21 and a passive range), and test with an FTP client. This guide walks you through each step on Ubuntu/Debian and RHEL/AlmaLinux.

Configuring FTP on a Linux server is straightforward once you understand the pieces: the FTP service, users and permissions, passive mode networking, and encryption (FTPS). In this step-by-step guide, you’ll learn exactly how to configure FTP on Linux server environments using vsftpd, harden it for production, and troubleshoot common issues—all aligned with 2026 best practices.

What You’ll Learn (Overview)

  • Install and configure vsftpd on Ubuntu/Debian and RHEL/AlmaLinux
  • Create FTP-only users and chroot them to home directories
  • Enable passive mode and open the correct firewall ports
  • Secure FTP with TLS (FTPS) and modern ciphers
  • Harden vsftpd for production and enable logs
  • Fix common errors (permissions, passive mode behind NAT, SELinux)

FTP vs SFTP vs FTPS: Which Should You Use?

Before we configure anything, align on protocols:

  • FTP: Classic protocol over TCP/21. Unencrypted by default. Use only with TLS.
  • FTPS (FTP over TLS): FTP + encryption. Recommended when your workflow or legacy apps require FTP, but you need security.
  • SFTP: Runs over SSH (TCP/22). Different protocol and often simpler to secure and firewall. Preferred when you control both ends.

This guide focuses on FTPS with vsftpd, a lightweight, secure, and widely used FTP server for Linux.

Prerequisites

  • A Linux server (Ubuntu 20.04/22.04/24.04, Debian 11/12, or RHEL/CentOS/AlmaLinux/Rocky 8/9)
  • Root or sudo access
  • Firewall access (UFW or firewalld) and ability to open ports
  • Public IP or behind NAT with port forwarding configured
  • Optional: a domain and Let’s Encrypt certificate for FTPS

Tip: If you prefer a managed VPS with pre-hardened FTP/FTPS and 24/7 support, YouStable can provision and secure it for you while you focus on your application.

Step-by-Step: Install and Configure vsftpd

1) Install vsftpd

# Ubuntu/Debian
sudo apt update
sudo apt install -y vsftpd

# RHEL/AlmaLinux/Rocky/CentOS
sudo dnf install -y vsftpd

2) Create an FTP-Only User and Directory

Create a dedicated user, set a password, and limit shell access so it’s only used for FTP.

# Create a group and user
# (where /etc/pam.d/vsftpd uses pam_shells, the shell below must also be listed in /etc/shells)
sudo groupadd ftpusers
sudo useradd -m -d /home/ftpuser -s /usr/sbin/nologin -G ftpusers ftpuser
sudo passwd ftpuser

# Create an upload directory inside the user home
sudo mkdir -p /home/ftpuser/uploads
sudo chown ftpuser:ftpusers /home/ftpuser/uploads
sudo chmod 755 /home/ftpuser
sudo chmod 750 /home/ftpuser/uploads

3) Configure vsftpd (Basic Secure Settings)

Edit the main configuration file and enable local logins, write access, and chroot isolation.

# On RHEL/AlmaLinux/Rocky the file is /etc/vsftpd/vsftpd.conf
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
sudo nano /etc/vsftpd.conf

Use these recommended baseline settings:

# Core behavior
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES

# Chroot users to their home
chroot_local_user=YES
allow_writeable_chroot=YES

# Passive mode (adjust the range to your needs)
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000

# User management
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
# Only allow users in this file (vsftpd does not accept comments on the same line as a setting)
userlist_deny=NO

# Logging
xferlog_enable=YES
xferlog_std_format=YES
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log

# Security niceties
hide_ids=YES
max_clients=50
max_per_ip=10
idle_session_timeout=600
data_connection_timeout=120

# TLS/FTPS is enabled in a later step
ssl_enable=NO

Allow only specific users by populating the userlist file:

echo "ftpuser" | sudo tee -a /etc/vsftpd.userlist

4) Enable Passive Mode in the Firewall

FTP requires TCP/21 plus a passive port range. Open both on your firewall and router/NAT if applicable.

# UFW (Ubuntu)
sudo ufw allow 21/tcp
sudo ufw allow 40000:50000/tcp
sudo ufw reload

# firewalld (RHEL/AlmaLinux)
sudo firewall-cmd --permanent --add-service=ftp
sudo firewall-cmd --permanent --add-port=40000-50000/tcp
sudo firewall-cmd --reload

5) Secure FTP with TLS (FTPS)

Use a valid certificate (Let’s Encrypt) or a self-signed cert for testing. Then enforce encrypted logins and data.

# Self-signed certificate (testing)
sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
-keyout /etc/ssl/private/vsftpd.key \
-out /etc/ssl/certs/vsftpd.crt

# Adjust permissions
sudo chmod 600 /etc/ssl/private/vsftpd.key

Add these FTPS settings to /etc/vsftpd.conf:

ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.crt
rsa_private_key_file=/etc/ssl/private/vsftpd.key
require_ssl_reuse=NO
ssl_ciphers=HIGH
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
ssl_tlsv1_3=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
allow_anon_ssl=NO

If you use Let’s Encrypt, point rsa_cert_file to fullchain.pem and rsa_private_key_file to privkey.pem.

6) Start, Enable, and Verify vsftpd

sudo systemctl enable --now vsftpd
sudo systemctl status vsftpd

# Check that the control port is listening
# (passive ports are bound per transfer, so they are not listed while idle)
sudo ss -tlnp | grep ':21 '

7) SELinux Notes (RHEL/AlmaLinux/Rocky)

If SELinux is enforcing, enable the right booleans and contexts for uploads and passive mode.

# Allow FTP passive mode and home directory access
sudo setsebool -P ftpd_use_passive_mode 1
sudo setsebool -P ftp_home_dir 1

# If writing outside home, you may need:
# sudo setsebool -P ftpd_full_access 1

# Label the upload directory if needed
sudo semanage fcontext -a -t public_content_rw_t "/home/ftpuser/uploads(/.*)?"
sudo restorecon -Rv /home/ftpuser/uploads

8) Test with an FTP Client

  • GUI: FileZilla/WinSCP/Cyberduck. Protocol: FTPS (explicit), Host: yourserver:21, Encryption: Require explicit FTP over TLS, Passive mode: Enabled.
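  • CLI: lftp is FTPS-aware.

# Install lftp
sudo apt install -y lftp  # Ubuntu/Debian
sudo dnf install -y lftp  # RHEL family

# Connect (explicit FTPS on port 21); in lftp, ftps:// means implicit TLS on port 990
lftp -u ftpuser -e "set ftp:ssl-force true; set ftp:ssl-protect-data true" ftp://your.server.com
# Then run: put testfile.txt or get file.zip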

Production Hardening Checklist

  • Disable anonymous access (anonymous_enable=NO).
  • Whitelist users with userlist_enable=YES and userlist_deny=NO.
  • Chroot users (chroot_local_user=YES) and set owner/permissions carefully.
  • Force TLS for logins and data, and disable TLSv1.0/1.1; prefer TLSv1.2+.
  • Use a narrow passive port range and allow only from trusted IPs if possible.
  • Limit concurrency (max_clients, max_per_ip) and set sensible timeouts.
  • Enable logging and retain logs for audits (xferlog_enable, vsftpd_log_file).
  • Consider Fail2ban to block brute-force attempts on port 21.
  • Keep vsftpd and OpenSSL updated; rotate certificates annually.
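
One way to check a deployed file against the checklist above, as an added example that is not part of the original guide: the function names and the sample file are constructed for illustration, and the script expects the YES/NO spelling used in this guide. It also flags trailing text after a value, which vsftpd does not accept.

```shell
#!/bin/sh
# Added example (not from the guide): audit a vsftpd.conf against its checklist.

# Print the value assigned to KEY in FILE (last assignment wins).
conf_get() { sed -n "s/^$1=//p" "$2" | tail -n 1; }

# Print one FAIL line per finding; return 0 only when the file is clean.
audit_vsftpd_conf() {
    conf=$1; rc=0
    for want in anonymous_enable=NO chroot_local_user=YES userlist_enable=YES \
                userlist_deny=NO xferlog_enable=YES ssl_enable=YES \
                force_local_logins_ssl=YES force_local_data_ssl=YES \
                ssl_tlsv1=NO ssl_tlsv1_1=NO; do
        key=${want%%=*}; val=${want#*=}
        got=$(conf_get "$key" "$conf")
        if [ "$got" != "$val" ]; then
            echo "FAIL $key: want $val, found '${got:-unset}'"
            rc=1
        fi
    done
    # vsftpd reads everything after '=' as the value, so a trailing
    # comment or space after YES/NO makes the option invalid.
    if grep -nE '^[a-z0-9_]+=(YES|NO).+' "$conf"; then
        echo "FAIL trailing text after YES/NO on the line(s) above"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: data channel not forced to TLS, plus an inline comment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=NO
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO   # only listed users
xferlog_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
EOF
audit_vsftpd_conf "$sample" || echo "config needs attention"
```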

Troubleshooting: Quick Fixes for Common Issues

Can’t List Directories or Transfers Hang

  • Symptom: LIST command times out, directory listing fails.
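  • Fix: Ensure passive mode is enabled in vsftpd and client; open passive ports and forward them on your router/NAT; verify external IP matches DNS.

# Verify the control port is listening on the server
# (passive ports are bound per transfer, so they are not listed while idle)
sudo ss -tlnp | grep ':21 '

# From outside, test reachability
nc -vz your.server.com 21
# Passive ports only accept connections during a transfer, so "refused" is expected
# while idle; a timeout suggests the port is being filtered
nc -vz your.server.com 40001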
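
When FTPS encrypts the control channel, a NAT device can no longer rewrite the address in the server's passive-mode reply, so it is worth reading that reply in the client's debug output. The following added example (not from the original guide; the function name and sample replies are constructed) parses a 227 or 229 reply and checks the advertised address and port against the passive range configured above, assuming the client is outside the NAT.

```shell
#!/bin/sh
# Added example (not from the guide): check a server's passive-mode reply.
# The range defaults match pasv_min_port/pasv_max_port from this guide.
PASV_MIN=${PASV_MIN:-40000}
PASV_MAX=${PASV_MAX:-50000}

# Input: one "227 ..." or "229 ..." reply line from a client's debug log.
# Output: "ok <ip> <port>" or "problem: ..."; returns 0 only for ok.
check_pasv_reply() {
    reply=$1
    case $reply in
        227*)  # 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
            nums=$(printf '%s\n' "$reply" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
            old_ifs=$IFS; IFS=,; set -- $nums; IFS=$old_ifs
            [ $# -eq 6 ] || { echo "problem: malformed 227 reply"; return 1; }
            ip="$1.$2.$3.$4"; port=$(( $5 * 256 + $6 )) ;;
        229*)  # 229 Entering Extended Passive Mode (|||port|), no address given
            ip="(control address)"
            port=$(printf '%s\n' "$reply" | sed -n 's/.*(|||\([0-9]*\)|).*/\1/p')
            [ -n "$port" ] || { echo "problem: malformed 229 reply"; return 1; } ;;
        *) echo "problem: not a passive-mode reply"; return 1 ;;
    esac
    # Private or loopback addresses are unreachable for a client outside the NAT.
    case $ip in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|127.*)
            echo "problem: server advertises private address $ip"; return 1 ;;
    esac
    if [ "$port" -lt "$PASV_MIN" ] || [ "$port" -gt "$PASV_MAX" ]; then
        echo "problem: port $port is outside $PASV_MIN-$PASV_MAX"; return 1
    fi
    echo "ok $ip $port"
}

# Constructed replies (203.0.113.10 is a documentation address).
check_pasv_reply "227 Entering Passive Mode (192,168,1,10,156,64)" || true
check_pasv_reply "227 Entering Passive Mode (203,0,113,10,156,64)"
check_pasv_reply "229 Entering Extended Passive Mode (|||51000|)" || true
```

If the 227 reply carries a private address, vsftpd's pasv_address option sets the address the server advertises.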

TLS Handshake or Certificate Errors

  • Use a valid cert with the correct hostname (CN/SAN) or configure your client to trust the cert.
  • Disable deprecated protocols and prioritize TLSv1.2/1.3.
  • Check file permissions on the private key (should be 600) and ownership (root:root).

530 Login Incorrect or Permission Denied

  • Ensure the user is in /etc/vsftpd.userlist and not locked.
  • Confirm the shell is /usr/sbin/nologin (OK for FTP) and the home exists.
  • Check directory permissions: home (755) and uploads (750/770) owned by user/group.

“550 Permission denied” When Uploading in a Chroot

  • Keep the user’s home not group-writable (typically 755) and create a writable subdirectory (uploads) with correct ownership.
  • Set allow_writeable_chroot=YES if necessary (already included above).

SELinux Blocking Writes

  • Enable ftpd_use_passive_mode and ftp_home_dir booleans.
  • Relabel upload directories with public_content_rw_t and run restorecon.
  • Inspect logs with journalctl -u vsftpd and /var/log/audit/audit.log.

sudo journalctl -u vsftpd -f
sudo tail -f /var/log/vsftpd.log
sudo ausearch -m avc -ts recent | audit2why

Advanced Tips and Good-to-Knows

  • NAT environments: Configure a stable passive range and port-forward it, plus port 21.
  • DNS: Ensure your FTP clients connect via a hostname that resolves to the correct public IP.
  • Rate limiting: Combine firewall rules with vsftpd max_clients to mitigate abuse.
  • Automation: Script user creation and directory provisioning for multi-tenant environments.
  • Monitoring: Track vsftpd logs and integrate with your SIEM for anomaly detection.

Alternatives: ProFTPD, Pure-FTPd, or SFTP

  • ProFTPD: Highly configurable, Apache-style configs, rich modules.
  • Pure-FTPd: Simple, secure defaults, virtual users, and quotas.
  • SFTP (OpenSSH): Often simpler to secure and firewall; if your stack supports SFTP, prefer it over FTP/FTPS.

At YouStable, we typically recommend SFTP for greenfield deployments. If your applications require FTP, we deploy FTPS with strict hardening and logging.

Full Example: Minimal Secure vsftpd.conf

listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES

chroot_local_user=YES
allow_writeable_chroot=YES

userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

xferlog_enable=YES
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log

hide_ids=YES
max_clients=50
max_per_ip=10
idle_session_timeout=600
data_connection_timeout=120

pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000

ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.crt
rsa_private_key_file=/etc/ssl/private/vsftpd.key
require_ssl_reuse=NO
ssl_ciphers=HIGH
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
ssl_tlsv1_3=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
allow_anon_ssl=NO

FAQs: Configure FTP on Linux Server (2026)

Which ports should I open for FTP and FTPS?

Open TCP/21 for control, and a passive range (for example, 40000–50000) for data connections. For FTPS, the same ports apply; TLS is negotiated over port 21 (explicit FTPS). Make sure your firewall and any NAT device forward both 21 and the passive range to your server.

What’s the difference between FTPS and SFTP?

FTPS is FTP secured with TLS and uses port 21 plus passive ports. SFTP is a different protocol built into SSH (port 22). SFTP is often easier to firewall and is recommended unless your tools require FTP. When using FTP, always enable FTPS for encryption.

How do I fix directory listing failures behind NAT?

Enable passive mode in vsftpd and specify a narrow passive port range. Forward the same passive range and port 21 on your router to the server. Ensure the client is set to passive mode and connects to the public hostname that resolves to the correct IP.

How can I restrict users to a single directory?

Chroot the user (chroot_local_user=YES) and create a writable subdirectory (uploads). Set the home directory to the chroot path and adjust permissions so the home is not group-writable (755) while uploads is writable by the user/group (750 or 770).

Can I use a Let’s Encrypt certificate with vsftpd?

Yes. Install Certbot, obtain a certificate for your domain, then set rsa_cert_file to /etc/letsencrypt/live/your.domain/fullchain.pem and rsa_private_key_file to /etc/letsencrypt/live/your.domain/privkey.pem. Reload vsftpd after renewal (use a post-renewal hook).

Final Thoughts

You’ve learned how to configure FTP on Linux server environments with vsftpd, enable FTPS, open passive ports, and harden your setup for production. Keep your packages updated, rotate certificates, and monitor logs. If you want a zero-hassle, secure deployment with expert support, YouStable can manage this entire stack for you.

Prahlad Prajapati

Prahlad is a web hosting specialist and SEO-focused organic growth expert from India. Active in the digital space since 2019, he helps people grow their websites through clean, sustainable strategies. Passionate about learning and adapting fast, he believes small details create big success. Discover his insights on web hosting and SEO to elevate your online presence.
