{"id":3115,"date":"2022-09-25T10:34:42","date_gmt":"2022-09-25T14:34:42","guid":{"rendered":"https:\/\/dft.wiki\/?p=3115"},"modified":"2026-06-08T17:23:43","modified_gmt":"2026-06-08T21:23:43","slug":"ftp-vs-ftps-vs-sftp-and-installation-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=3115","title":{"rendered":"FTP vs FTPS vs SFTP and Installation on Ubuntu"},"content":{"rendered":"<p>FTP (File Transfer Protocol) is a legacy protocol that should only be used to publicly share non-sensitive files over the Internet, such as public repositories of open source files available for download. Even for this purpose, a web server like Apache or NGINX can do better (using Directory Listing over HTTPS with Basic Authentication [<a href=\"https:\/\/dft.wiki\/?p=674#BasicAuthentication\">Link<\/a>]).<\/p>\n<p>Because FTP does not offer any encryption, all information is transferred in plain text, including user credentials (username and password). That is why FTPS and SFTP were created.<\/p>\n<ul>\n<li><strong>FTP<\/strong>\n<ul>\n<li><strong>Completely unencrypted<\/strong> communication.<\/li>\n<\/ul>\n<\/li>\n<li><strong>FTPS<\/strong>\n<ul>\n<li>Uses SSL\/TLS (like HTTPS) to <strong>wrap the FTP protocol with an encrypted layer<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<li><strong>SFTP<\/strong>\n<ul>\n<li>This is <strong>NOT FTP. It is actually SSH<\/strong> that, after authentication, behaves (same commands) like an FTP server.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>FTP<\/strong><\/p>\n<p>FTP can allow anonymous connections (using the username <em>anonymous<\/em> and anything as the password). This is the only recommended way to use this protocol when directly exposed to the internet.<\/p>\n<p>To safely use FTP over the internet, a <strong>VPN<\/strong> is required to establish an encrypted tunnel through which the FTP communication can pass.<\/p>\n<hr \/>\n<p><strong>FTPS<\/strong><\/p>\n<p>FTPS uses additional modules of the FTP server to establish a Secure Socket Layer (using an SSL certificate), switching the plain text communication over SSL encryption.<\/p>\n<p>See the following posts for how to configure <strong>vsFTPd<\/strong> [<a href=\"https:\/\/dft.wiki\/?p=500\">Link<\/a>] and <strong>ProFTPd<\/strong> [<a href=\"https:\/\/dft.wiki\/?p=377\">Link<\/a>] to achieve FTPS.<\/p>\n<hr \/>\n<p><strong>SFTP<\/strong><\/p>\n<p>As mentioned, this is not FTP but SSH that behaves like FTP after the session is established.<\/p>\n<ul>\n<li><strong>PROS<\/strong>\n<ul>\n<li>In addition to password authentication, it can use or enforce (recommended) SSH keys.<\/li>\n<\/ul>\n<\/li>\n<li><strong>CONS<\/strong>\n<ul>\n<li>If misconfigured, it has the potential of exposing the server with a very powerful shell. Do a risk assessment before implementing this solution.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Since SFTP requires SSH, make sure OpenSSH Server is installed, then edit its configuration.<\/p>\n<pre>sudo apt update &amp;&amp; sudo apt install openssh-server -y\r\nsudo nano \/etc\/ssh\/sshd_config<\/pre>\n<p>Append the following lines to the end of the file:<\/p>\n<pre>Match Group sftp\r\n  ForceCommand internal-sftp\r\n  ChrootDirectory \/sftp-root\r\n  PasswordAuthentication <strong>yes<\/strong>    # <span style=\"text-decoration: underline;\">Not recommended for production<\/span>. Change to <strong>no<\/strong> after testing.\r\n  X11Forwarding no\r\n  AllowTcpForwarding no<\/pre>\n<p><strong>Note:<\/strong> This configuration block checks whether the user logging in is a member of the <strong>sftp<\/strong> group, then overrides the default parameters for that session. It enforces <strong>internal-sftp<\/strong> mode, changes the file system root to a safe path (<strong>\/sftp-root<\/strong>), and disables unnecessary features. The <strong>\/home<\/strong> directory could be used instead, but it is recommended to <span style=\"text-decoration: underline;\">keep SFTP users away from the system users&#8217; home directories<\/span>.<\/p>\n<p>Hardening the SSH server is outside the scope of this post, but keep in mind that many other tweaks may be necessary to protect your server, such as:<\/p>\n<ul>\n<li>Do not allow empty passwords (preferably no passwords at all) or root login,<\/li>\n<li>Require SSH keys and a secondary factor such as an <strong>OTP<\/strong> mobile app [<a href=\"https:\/\/dft.wiki\/?p=2379\">Link<\/a>] or a USB\/NFC <strong>Hardware Key<\/strong> [<a href=\"https:\/\/dft.wiki\/?p=2494\">Link<\/a>],<\/li>\n<li>Only allow specific users or groups, or use restrictive rules to allow connections matching a specific pattern,<\/li>\n<li>Always use <strong>Fail2Ban<\/strong> in combination with most of your publicly facing services [<a href=\"https:\/\/dft.wiki\/?p=401\">Link<\/a>].<\/li>\n<\/ul>\n<p>Create the <strong>sftp<\/strong> group and the safe path for its users.<\/p>\n<pre>sudo addgroup sftp\r\nsudo mkdir \/sftp-root<\/pre>\n<p>Create users as follows, repeating for each user:<\/p>\n<pre>sudo useradd -m <strong>userName<\/strong> -g sftp\r\nsudo mkdir \/sftp-root\/<strong>userName<\/strong>\r\nsudo chmod 700 \/sftp-root\/<strong>userName<\/strong><\/pre>\n<p><strong>Note:<\/strong> Each user will have their own home directory automatically created under <strong>\/home<\/strong>, but when they log in they will only see the contents of <strong>\/sftp-root<\/strong> and will only be able to access (read\/write) their own directory within it.<\/p>\n<pre>sftp <strong>userName<\/strong>@127.0.0.1<\/pre>\n<p>Add the public key for each created user to the file <strong>\/home\/userName\/.ssh\/authorized_keys<\/strong>.<\/p>\n<p>See the post <strong>Setting Up SSH Keys<\/strong> [<a href=\"https:\/\/dft.wiki\/?p=423\">Link<\/a>] to learn how to create a key pair.<\/p>\n<p>If everything was set up correctly, the user will no longer be prompted for a password and will authenticate automatically using the SSH key. At that point, change <strong>PasswordAuthentication<\/strong> to <strong>no<\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>FTP (File Transfer Protocol) is a legacy protocol that should only be used to publicly [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3115","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/3115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3115"}],"version-history":[{"count":5,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/3115\/revisions"}],"predecessor-version":[{"id":5665,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/3115\/revisions\/5665"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}