To set up FTP on a Linux server, install and configure vsftpd, create a restricted FTP user, open firewall ports (21 and a passive range), enable optional TLS for encryption, and test with an FTP client. This guide shows step-by-step instructions for Ubuntu\/Debian and RHEL\/CentOS\/AlmaLinux with secure, production-ready settings.<\/p>\n\n\n\n
If you\u2019re wondering how to set up FTP on a Linux server, you\u2019re in the right place. In this tutorial, I\u2019ll walk you through installing and hardening an FTP server<\/a> with vsftpd, opening firewall and SELinux rules, enabling FTPS encryption, and testing with FileZilla or lftp. The process is beginner-friendly but follows enterprise-grade best practices I use for production environments.<\/p>\n\n\n\n FTP is a legacy file transfer<\/a> protocol that sends data in plain text. SFTP (part of OpenSSH) encrypts traffic end-to-end and is generally preferred for security. If you must use classic FTP for compatibility, always enable TLS (FTPS) to encrypt credentials and data. This guide focuses on vsftpd (very secure FTP daemon) with optional TLS.<\/p>\n\n\n\n We\u2019ll deploy vsftpd because it\u2019s fast, stable, and widely available. Steps cover Ubuntu\/Debian and RHEL\/CentOS\/AlmaLinux. We\u2019ll configure passive mode, chroot jails, user allowlists, and (optionally) FTPS so you can pass security scans and work smoothly with GUI clients like FileZilla.<\/p>\n\n\n\n If the service is active, you can proceed to configuration.<\/p>\n\n\n\n Back up the default config and open it for editing:<\/p>\n\n\n\n Use these secure, production-ready settings. Add or update the following lines:<\/p>\n\n\n\n Save and restart:<\/p>\n\n\n\n Create a dedicated user and prevent shell access. We\u2019ll also add nologin to \/etc\/shells so PAM allows FTP logins with that shell.<\/p>\n\n\n\n Now allow the user to log in via the allowlist:<\/p>\n\n\n\n Using passive mode avoids complex NAT traversal and is recommended for cloud servers behind security groups or load balancers.<\/p>\n\n\n\n Enable home directory access and passive mode; then inform SELinux about your passive port range:<\/p>\n\n\n\n If semanage isn\u2019t found, install the policycoreutils-python-utils package (already covered above).<\/p>\n\n\n\n Encrypting FTP (FTPS) protects credentials and data in transit. Generate a self-signed certificate or use a valid one from your CA.<\/p>\n\n\n\n Edit vsftpd.conf and add:<\/p>\n\n\n\n Restart the service:<\/p>\n\n\n\n In clients like FileZilla, choose \u201cFTP over TLS (explicit)\u201d to avoid plaintext logins.<\/p>\n\n\n\n In many cases, SFTP is simpler and more secure. It\u2019s usually enabled by default with SSH<\/a>. Create a user and connect with an SFTP client on port 22. You can chroot SFTP-only users by editing Before You Begin: FTP vs SFTP and What You Should Choose<\/strong><\/h2>\n\n\n\n
What We\u2019ll Use<\/strong><\/h3>\n\n\n\n
Prerequisites<\/strong><\/h2>\n\n\n\n
\n
Step 1: Install vsftpd<\/strong><\/h2>\n\n\n\n
Ubuntu\/Debian<\/strong><\/h3>\n\n\n\n
sudo apt update\nsudo apt install -y vsftpd\nsudo systemctl enable --now vsftpd\nsudo systemctl status vsftpd<\/code><\/pre>\n\n\n\nRHEL\/CentOS\/AlmaLinux<\/strong><\/h3>\n\n\n\n
sudo dnf install -y vsftpd policycoreutils-python-utils\nsudo systemctl enable --now vsftpd\nsudo systemctl status vsftpd<\/code><\/pre>\n\n\n\nStep 2: Back Up and Harden the vsftpd Configuration<\/strong><\/h2>\n\n\n\n
sudo cp \/etc\/vsftpd.conf \/etc\/vsftpd.conf.bak\nsudo nano \/etc\/vsftpd.conf<\/code><\/pre>\n\n\n\nanonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\nlocal_umask=022\n\nuse_localtime=YES\nxferlog_enable=YES\nconnect_from_port_20=YES\n\n# Chroot users into their home\nchroot_local_user=YES\nallow_writeable_chroot=YES\n\n# Passive mode for firewalls\/NAT\npasv_enable=YES\npasv_min_port=40000\npasv_max_port=40100\n\n# Allowlist specific users only\nuserlist_enable=YES\nuserlist_file=\/etc\/vsftpd.userlist\nuserlist_deny=NO\n\n# Improve security hygiene\npam_service_name=vsftpd\nseccomp_sandbox=YES<\/code><\/pre>\n\n\n\nsudo systemctl restart vsftpd<\/code><\/pre>\n\n\n\nStep 3: Create a Restricted FTP User<\/strong><\/h2>\n\n\n\n
# Create user and set password\nsudo adduser ftpuser\nsudo passwd ftpuser\n\n# Restrict shell access\nsudo usermod -s \/usr\/sbin\/nologin ftpuser\necho \/usr\/sbin\/nologin | sudo tee -a \/etc\/shells\n\n# Optional: create a dedicated FTP directory\nsudo mkdir -p \/home\/ftpuser\/ftp\nsudo chown -R ftpuser:ftpuser \/home\/ftpuser\/ftp<\/code><\/pre>\n\n\n\necho \"ftpuser\" | sudo tee -a \/etc\/vsftpd.userlist\nsudo systemctl restart vsftpd<\/code><\/pre>\n\n\n\nStep 4: Open Firewall Ports (FTP + Passive Range)<\/strong><\/h2>\n\n\n\n
UFW (Ubuntu\/Debian)<\/strong><\/h3>\n\n\n\n
sudo ufw allow 21\/tcp\nsudo ufw allow 40000:40100\/tcp\nsudo ufw reload\nsudo ufw status<\/code><\/pre>\n\n\n\nfirewalld (RHEL\/CentOS\/AlmaLinux)<\/strong><\/h3>\n\n\n\n
sudo firewall-cmd --permanent --add-service=ftp\nsudo firewall-cmd --permanent --add-port=40000-40100\/tcp\nsudo firewall-cmd --reload\nsudo firewall-cmd --list-all<\/code><\/pre>\n\n\n\nStep 5: Configure SELinux for FTP (RHEL-Based Only)<\/strong><\/h2>\n\n\n\n
sudo setsebool -P ftp_home_dir 1\nsudo setsebool -P ftpd_use_passive_mode 1\nsudo semanage port -a -t ftp_port_t -p tcp 40000-40100 || \\\nsudo semanage port -m -t ftp_port_t -p tcp 40000-40100<\/code><\/pre>\n\n\n\nStep 6: Enable TLS\/FTPS Encryption (Recommended)<\/strong><\/h2>\n\n\n\n
# Generate a self-signed cert (valid 3 years)\nsudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 \\\n -keyout \/etc\/ssl\/private\/vsftpd.key \\\n -out \/etc\/ssl\/certs\/vsftpd.crt \\\n -subj \"\/CN=$(hostname -f)\"\n\n# Set permissions\nsudo chmod 600 \/etc\/ssl\/private\/vsftpd.key<\/code><\/pre>\n\n\n\nssl_enable=YES\nallow_anon_ssl=NO\nforce_local_logins_ssl=YES\nforce_local_data_ssl=YES\n\nrsa_cert_file=\/etc\/ssl\/certs\/vsftpd.crt\nrsa_private_key_file=\/etc\/ssl\/private\/vsftpd.key\n\n# Harden TLS\nssl_sslv2=NO\nssl_sslv3=NO\nssl_tlsv1=YES\nrequire_ssl_reuse=NO\nssl_ciphers=HIGH<\/code><\/pre>\n\n\n\nsudo systemctl restart vsftpd<\/code><\/pre>\n\n\n\nStep 7: Test Your FTP Server<\/strong><\/h2>\n\n\n\n
Command-Line Test<\/strong><\/h3>\n\n\n\n
# Install lftp (recommended)\nsudo apt install -y lftp # Ubuntu\/Debian\nsudo dnf install -y lftp # RHEL\/CentOS\/AlmaLinux\n\n# Connect (replace server_ip or domain)\nlftp -u ftpuser ftp:\/\/server_ip\n\n# With FTPS:\nlftp -u ftpuser ftps:\/\/server_ip\n# If certificate is self-signed:\nset ssl:verify-certificate no<\/code><\/pre>\n\n\n\nGUI Test (FileZilla)<\/strong><\/h3>\n\n\n\n
\n
Troubleshooting Common FTP Errors<\/strong><\/h2>\n\n\n\n
\n
\/etc\/vsftpd.userlist<\/code>, the password is correct, and \/usr\/sbin\/nologin<\/code> is listed in \/etc\/shells<\/code>.<\/li>\n\n\n\nallow_writeable_chroot=YES<\/code> or make the user\u2019s chroot directory non-writable (and use a writable subfolder).<\/li>\n\n\n\nrequire_ssl_reuse=NO<\/code> in vsftpd.conf<\/code> and restart.<\/li>\n\n\n\nftp_home_dir<\/code>, ftpd_use_passive_mode<\/code>, and assign passive ports with semanage<\/code>.<\/li>\n<\/ul>\n\n\n\nBest Practices to Keep Your FTP Server Secure<\/strong><\/h2>\n\n\n\n
\n
userlist_enable=YES<\/code> and allow only specific accounts.<\/li>\n\n\n\n\/var\/log\/vsftpd.log<\/code> and system logs for suspicious activity.<\/li>\n\n\n\nQuick Alternative: Use SFTP (Built into OpenSSH)<\/strong><\/h2>\n\n\n\n
\/etc\/ssh\/sshd_config<\/code> with a Match<\/code> block and restarting sshd<\/code>. If strict compliance or legacy software mandates FTP, stick with FTPS.<\/p>\n\n\n\nFAQs: How to Set Up FTP on Linux Server<\/strong><\/h2>\n\n\n