{"id":3115,"date":"2022-09-25T10:34:42","date_gmt":"2022-09-25T14:34:42","guid":{"rendered":"https:\/\/dft.wiki\/?p=3115"},"modified":"2026-04-21T13:31:08","modified_gmt":"2026-04-21T17:31:08","slug":"ftp-vs-ftps-vs-sftp-and-installation-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=3115","title":{"rendered":"FTP vs FTPS vs SFTP and Installation on Ubuntu"},"content":{"rendered":"<p>FTP (File Transfer Protocol) is a legacy protocol that should be used for nothing other than publicly sharing non-sensitive files over the Internet, for example public repositories of open source files for download. But even for this purpose a web server like Apache or NGINX can do better (using Directory Listing over HTTPS with Basic Authentication [<a href=\"https:\/\/dft.wiki\/?p=674#BasicAuthentication\">Link<\/a>]).<\/p>\n<p>Because the FTP protocol does not offer any encryption, all information is transferred in plain text, including the users' credentials (username and password). That is why FTPS and SFTP were created.<\/p>\n<ul>\n<li><strong>FTP<\/strong>\n<ul>\n<li><strong>Totally unencrypted<\/strong> communication.<\/li>\n<\/ul>\n<\/li>\n<li><strong>FTPS<\/strong>\n<ul>\n<li>It uses SSL\/TLS (like HTTPS does) to <strong>wrap the FTP protocol with an encrypted layer<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<li><strong>SFTP<\/strong>\n<ul>\n<li>It is <strong>NOT FTP, it is actually SSH<\/strong> that, after authentication, behaves (same commands) as if it were an FTP server.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>FTP<\/strong><\/p>\n<p>It can allow anonymous connections (using the username anonymous and anything as the password), and that is the only recommended way to use this protocol directly exposed to the Internet.<\/p>\n<p>To safely use FTP over the Internet, a <strong>VPN<\/strong> is needed to establish the encrypted tunnel through which the FTP communication will go.<\/p>\n<hr \/>\n<p><strong>FTPS<\/strong><\/p>\n<p>Additional &#8220;modules&#8221; of the FTP server are used to establish a Secure Socket Layer (using an SSL certificate), which then switches the plain text communication over to SSL encryption.<\/p>\n<p>See the following posts that demonstrate how to tweak the <strong>vsFTPd<\/strong> [<a href=\"https:\/\/dft.wiki\/?p=500\">Link<\/a>] and <strong>ProFTPd<\/strong> [<a href=\"https:\/\/dft.wiki\/?p=377\">Link<\/a>] configuration to achieve FTPS.<\/p>\n<hr \/>\n<p><strong>SFTP<\/strong><\/p>\n<p>As mentioned, this is not FTP but SSH that behaves as if it were FTP after the session is started.<\/p>\n<ul>\n<li><strong>PROS<\/strong>\n<ul>\n<li>As an alternative to passwords, it can use or enforce (recommended) SSH keys for authentication.<\/li>\n<\/ul>\n<\/li>\n<li><strong>CONS<\/strong>\n<ul>\n<li>If misconfigured, it has the potential of exposing the server through a very powerful shell. Do a risk assessment prior to implementing this solution.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Since it requires SSH, make sure openssh-server is installed, then edit its configuration.<\/p>\n<pre>sudo apt update &amp;&amp; sudo apt install openssh-server -y\r\nsudo nano \/etc\/ssh\/sshd_config<\/pre>\n<p>Append the following lines to the end of the file (sshd_config only accepts comments on their own line, so the note about PasswordAuthentication is kept on a separate line):<\/p>\n<pre>Match Group sftp\r\n  ForceCommand internal-sftp\r\n  ChrootDirectory \/sftp-root\r\n  # <span style=\"text-decoration: underline;\">Not recommended for production<\/span>. Change to <strong>no<\/strong> after testing.\r\n  PasswordAuthentication <strong>yes<\/strong>\r\n  X11Forwarding no\r\n  AllowTcpForwarding no<\/pre>\n<p><strong>Note:<\/strong> the appended configuration checks whether the user trying to log in is a member of the group <strong>sftp<\/strong> and, if so, overrides the configuration with these parameters. It enforces the <strong>internal-sftp<\/strong> &#8220;mode&#8221; for the session, changes the root of the file system to a safe path (<strong>\/sftp-root<\/strong>), and disables unnecessary features. Alternatively, <strong>\/home<\/strong> can be used, but I would recommend <span style=\"text-decoration: underline;\">keeping the sftp users away from the home directories of the system users<\/span>.<\/p>\n<p>It is not in the scope of this post to harden the SSH server, so keep in mind that many other tweaks might be necessary to protect your server, such as:<\/p>\n<ul>\n<li>Do not allow empty passwords (preferably no passwords at all) nor root login,<\/li>\n<li>Require SSH keys and a secondary factor such as an <strong>OTP<\/strong> mobile app [<a href=\"https:\/\/dft.wiki\/?p=2379\">Link<\/a>] or a USB\/NFC <strong>Hardware Key<\/strong> [<a href=\"https:\/\/dft.wiki\/?p=2494\">Link<\/a>],<\/li>\n<li>Only allow certain users or groups, or use restrictive rules to allow only connections that Match a specific pattern,<\/li>\n<li>And always use <strong>Fail2Ban<\/strong> in combination with most of your publicly facing services [<a href=\"https:\/\/dft.wiki\/?p=401\">Link<\/a>].<\/li>\n<\/ul>\n<p>Create the <strong>sftp<\/strong> group and the safe path for its users (the chroot directory must stay owned by root and not be writable by the group or others, which is what mkdir gives you here).<\/p>\n<pre>sudo addgroup sftp\r\nsudo mkdir \/sftp-root<\/pre>\n<p>Create the users as follows, for each user (the per-user directory must be owned by that user, otherwise a root-owned 700 directory would not be accessible to them):<\/p>\n<pre>sudo useradd -m <strong>userName<\/strong> -g sftp\r\nsudo mkdir \/sftp-root\/<strong>userName<\/strong>\r\nsudo chown <strong>userName<\/strong>:sftp \/sftp-root\/<strong>userName<\/strong>\r\nsudo chmod 700 \/sftp-root\/<strong>userName<\/strong><\/pre>\n<p><strong>Note:<\/strong> each user will have their own home directory automatically created under <strong>\/home<\/strong>, but when they log in they will only see what is in <strong>\/sftp-root<\/strong> and will only be allowed to access (read\/write) their own directory in it.<\/p>\n<p>Test the connection locally:<\/p>\n<pre>sftp <strong>userName<\/strong>@127.0.0.1<\/pre>\n<p>Add the public keys for the created user into the file <strong>\/home\/userName\/.ssh\/authorized_keys<\/strong>.<\/p>\n<p>See the post <strong>Setting Up SSH Keys<\/strong> [<a href=\"https:\/\/dft.wiki\/?p=423\">Link<\/a>] to find out how to create the key pair.<\/p>\n<p>If everything was done correctly, it will not prompt for a password anymore but will automatically authenticate with the SSH key. Time to change <strong>PasswordAuthentication<\/strong> to <strong>no<\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>FTP (File Transfer Protocol) is a legacy protocol that should be used for nothing other than [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3115","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/3115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3115"}],"version-history":[{"count":4,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/3115\/revisions"}],"predecessor-version":[{"id":5473,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/3115\/revisions\/5473"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3115"}],
"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}