FTP servers are often the forgotten backdoors into otherwise secure networks, and this checklist will help you lock yours down.

1. Use Secure Protocols: SFTP and FTPS

The Problem: Plain FTP transmits credentials and data in clear text, making it trivial to intercept.

The Fix:

  • SFTP (SSH File Transfer Protocol): This isn’t FTP over SSL/TLS; it’s a completely different protocol that runs over SSH.
    • Diagnosis: Check your sshd_config file (usually /etc/ssh/sshd_config). Look for Subsystem sftp.
    • Fix: Ensure Subsystem sftp /usr/lib/openssh/sftp-server (or similar path) is present and uncommented. If you need to restrict users to SFTP only, you can add ChrootDirectory %h and ForceCommand internal-sftp for specific users or groups.
    • Why it works: SFTP uses the robust encryption and authentication mechanisms of SSH, ensuring confidentiality and integrity of all data, including credentials.
  • FTPS (FTP over SSL/TLS): This is FTP with an SSL/TLS layer added.
    • Diagnosis: This depends on your FTP server software (e.g., vsftpd, proftpd, FileZilla Server). For vsftpd, check /etc/vsftpd.conf.
    • Fix (vsftpd example):
      ssl_enable=YES
      allow_anon_ssl=NO
      force_local_data_ssl=YES
      force_local_logins_ssl=YES
      ssl_tlsv1=YES
      ssl_sslv2=NO
      ssl_sslv3=NO
      rsa_cert_file=/etc/ssl/certs/vsftpd.pem
      rsa_private_key_file=/etc/ssl/private/vsftpd.pem
      
      Generate a certificate: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem
    • Why it works: FTPS encrypts the control and/or data channels using TLS, preventing eavesdropping and man-in-the-middle attacks.

2. Disable Anonymous Access

The Problem: Anonymous FTP allows anyone to log in without a username or password, often leading to unauthorized file uploads or access to sensitive information.

The Fix (vsftpd example):

  • Diagnosis: In /etc/vsftpd.conf, look for anonymous_enable.
  • Fix: Set anonymous_enable=NO.
  • Why it works: This directive explicitly disallows anonymous logins, forcing all users to authenticate with valid credentials.

3. Restrict User Access and Permissions

The Problem: Users logging in might have broader access than necessary, allowing them to traverse directories they shouldn’t or modify critical files.

The Fix:

  • Chrooting Users: Confine users to their home directories.
    • Diagnosis: For vsftpd, check chroot_local_user and chroot_list_enable in /etc/vsftpd.conf.
    • Fix (vsftpd example):
      chroot_local_user=YES
      # Only if home directories must stay writable; otherwise leave this line out.
      # vsftpd does not accept a comment after a value on the same line.
      allow_writeable_chroot=YES
      
      If you want to exempt specific users from chrooting, keep chroot_local_user=YES, set chroot_list_enable=YES, and list those usernames in chroot_list_file=/etc/vsftpd.chroot_list. (With chroot_local_user=NO and chroot_list_enable=YES the meaning of the list flips: it then names the only users who are chrooted.)
    • Why it works: chroot effectively changes the root directory for a process, preventing users from navigating outside their designated home folder.
  • File Permissions: Ensure FTP user accounts have minimal necessary file system permissions.
    • Diagnosis: Use ls -l on FTP directories and id <ftp_username> to see group memberships.
    • Fix: Use chmod and chown to set restrictive permissions. For example, chmod 755 /home/ftpuser and chown ftpuser:ftpuser /home/ftpuser. Ensure no world-writable directories exist within the FTP root unless absolutely necessary.
    • Why it works: Standard Linux/Unix file permissions prevent unauthorized reading, writing, or execution of files and directories.

4. Limit Bandwidth and Connections

The Problem: A single user or a malicious actor could saturate your server’s bandwidth or exhaust connection resources, leading to a denial-of-service (DoS) attack.

The Fix:

  • Bandwidth Limiting:
    • Diagnosis: Check your FTP server’s configuration for bandwidth directives.
    • Fix (vsftpd example):
      # Limit to 500 KB/s per connection
      local_max_rate=500000
      # Limit anonymous to 100 KB/s (if enabled)
      anon_max_rate=100000
      
    • Why it works: This caps the data transfer rate for individual connections, preventing one user from hogging all available bandwidth.
  • Connection Limiting:
    • Diagnosis: Look for connection limits in your FTP server config.
    • Fix (vsftpd example):
      # Total concurrent clients
      max_clients=100
      # Max clients per IP address
      max_per_ip=5
      
    • Why it works: These settings prevent a single IP from overwhelming the server with too many connections and limit the total number of concurrent users.
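
The following is an added example, not code from the original checklist, that turns the vsftpd directives from sections 1 through 4 into a single audit: it reads a vsftpd.conf, judges unset keys by vsftpd's own defaults, flags weak values and the inline comments vsftpd refuses to parse, and returns the number of findings. The function names and the weak sample config it audits are constructed here.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against sections 1-4. Needs POSIX sh, grep, sed, mktemp.
# vsftpd_get FILE KEY: print the effective (last) value of KEY, nothing if unset.
vsftpd_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//; s/[[:space:]]*$//'
}
# vsftpd_audit FILE: one FAIL line per weak directive; exit status = number of failures.
vsftpd_audit() {
    fails=0
    # boolean directives as key:wanted:vsftpd_default
    for rule in anonymous_enable:NO:YES ssl_enable:YES:NO force_local_logins_ssl:YES:YES \
                force_local_data_ssl:YES:YES ssl_sslv2:NO:NO ssl_sslv3:NO:NO \
                chroot_local_user:YES:NO; do
        key=${rule%%:*}; rest=${rule#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(vsftpd_get "$1" "$key")
        case $got in *'#'*)   # vsftpd rejects a comment after a value on the same line
            echo "FAIL $key='$got' (trailing comment breaks vsftpd)"; fails=$((fails + 1)); continue ;;
        esac
        [ "${got:-$def}" = "$want" ] ||
            { echo "FAIL $key=${got:-<unset>} (want $want)"; fails=$((fails + 1)); }
    done
    # rate and connection limits: unset or 0 means unlimited in vsftpd
    for key in local_max_rate max_clients max_per_ip; do
        got=$(vsftpd_get "$1" "$key")
        case $got in *'#'*)
            echo "FAIL $key='$got' (trailing comment breaks vsftpd)"; fails=$((fails + 1)); continue ;;
        esac
        [ "${got:-0}" -gt 0 ] 2>/dev/null ||
            { echo "FAIL $key=${got:-<unset>} (want a positive limit)"; fails=$((fails + 1)); }
    done
    return $fails
}
# write_sample_conf FILE: constructed weak config used for the stand-alone demo.
write_sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
ssl_enable=YES
ssl_sslv3=YES
chroot_local_user=YES
max_per_ip=5 # Max clients per IP address
EOF
}
# Usage: sh vsftpd-audit.sh /etc/vsftpd.conf; with no argument the sample above is audited.
if [ $# -eq 0 ]; then sample=$(mktemp); write_sample_conf "$sample"; set -- "$sample"; fi
rc=0; vsftpd_audit "$1" || rc=$?
echo "$rc weak setting(s) in $1"; rm -f "${sample:-}"
```

Run it against a real config before and after applying the sections above; a clean result is an exit status of 0 and no FAIL lines.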

5. Implement IP Address Restrictions

The Problem: You might only want specific IP addresses or networks to connect to your FTP server, blocking all others.

The Fix:

  • Diagnosis: Check your FTP server’s configuration or your firewall rules.
  • Fix (vsftpd example, using tcp_wrappers): Edit /etc/hosts.allow and /etc/hosts.deny.
    • In /etc/hosts.allow: vsftpd: 192.168.1.0/255.255.255.0 (Allow connections from your local network)
    • In /etc/hosts.deny: vsftpd: ALL (Deny all other connections)
    • Alternatively, using firewall (iptables):
      iptables -A INPUT -p tcp --dport 21 -s 192.168.1.0/24 -j ACCEPT
      iptables -A INPUT -p tcp --dport 21 -j DROP
      # Repeat for passive port ranges if needed
      
  • Why it works: Access control lists (ACLs) in hosts.allow/hosts.deny or firewall rules act as a gatekeeper, permitting or denying network traffic based on source IP addresses before it even reaches the FTP daemon.

6. Keep Software Updated

The Problem: FTP server software, like any other application, can have vulnerabilities discovered over time. Running outdated versions exposes you to known exploits.

The Fix:

  • Diagnosis: Check the installed version of your FTP server package (e.g., dpkg -l vsftpd on Debian/Ubuntu, rpm -qa proftpd on CentOS/RHEL). Compare this to the latest stable release on the project’s official website.
  • Fix: Use your system’s package manager to update the FTP server:
    • Debian/Ubuntu: sudo apt update && sudo apt upgrade vsftpd
    • CentOS/RHEL: sudo yum update vsftpd
    • If not in repositories, download and install the latest version from the vendor.
  • Why it works: Updates patch known security holes, preventing attackers from exploiting them to gain unauthorized access or control of your server.

7. Monitor Logs Regularly

The Problem: Attackers will probe your server for weaknesses. Without monitoring, you won’t know until it’s too late.

The Fix:

  • Diagnosis: Locate your FTP server’s log files (e.g., /var/log/vsftpd.log, /var/log/xferlog).
  • Fix: Configure log rotation (logrotate) to manage file sizes. Use tools like fail2ban to automatically block IPs that exhibit suspicious activity (e.g., multiple failed login attempts). Set up alerts for specific log entries (e.g., repeated authentication failures from a single IP).
    • Example fail2ban jail for vsftpd:
      [vsftpd]
      enabled = true
      port = ftp
      filter = vsftpd
      logpath = /var/log/vsftpd.log
      maxretry = 3
      bantime = 1h
      
  • Why it works: Active monitoring and automated response systems allow you to detect and mitigate potential threats in near real-time, rather than reactively after a breach.
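
As an added example for this section (not part of the original checklist), the script below computes the same condition the fail2ban jail above acts on: clients whose FAIL LOGIN count in vsftpd.log reaches maxretry. The log excerpt is constructed in vsftpd's own log format with made-up hosts and users, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: which clients reach the jail's maxretry on FAIL LOGIN, from a vsftpd.log.
# write_sample_log FILE: constructed excerpt in vsftpd's log format (made-up hosts and users).
write_sample_log() {
    cat > "$1" <<'EOF'
Tue Mar  5 10:11:12 2024 [pid 2301] CONNECT: Client "203.0.113.5"
Tue Mar  5 10:11:13 2024 [pid 2300] [alice] FAIL LOGIN: Client "203.0.113.5"
Tue Mar  5 10:11:15 2024 [pid 2300] [admin] FAIL LOGIN: Client "203.0.113.5"
Tue Mar  5 10:11:18 2024 [pid 2300] [root] FAIL LOGIN: Client "203.0.113.5"
Tue Mar  5 10:12:01 2024 [pid 2310] [bob] OK LOGIN: Client "192.168.1.20"
Tue Mar  5 10:12:40 2024 [pid 2315] [bob] FAIL LOGIN: Client "192.168.1.20"
Tue Mar  5 10:12:45 2024 [pid 2315] [bob] OK LOGIN: Client "192.168.1.20"
EOF
}

# failed_logins_by_ip FILE: print "<count> <ip>" for every client with at least one
# FAIL LOGIN, most failures first. This is the line pattern fail2ban's vsftpd filter keys on.
failed_logins_by_ip() {
    sed -n 's/.*FAIL LOGIN: Client "\([^"]*\)".*/\1/p' "$1" | sort | uniq -c |
        sort -rn | awk '{ print $1, $2 }'
}

# offenders FILE MAXRETRY: only the IPs whose failure count reaches MAXRETRY (the jail's
# maxretry = 3 above), i.e. the ones fail2ban would ban for bantime.
offenders() {
    failed_logins_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Usage: sh ftp-fails.sh /var/log/vsftpd.log 3; with no arguments the sample is used.
if [ $# -eq 0 ]; then sample=$(mktemp); write_sample_log "$sample"; set -- "$sample" 3; fi
echo "Failed logins per client:"; failed_logins_by_ip "$1"
echo "At or above maxretry=${2:-3}:"; offenders "$1" "${2:-3}"
rm -f "${sample:-}"
```

A single failed login from a known user (bob above) stays below the threshold, while the run of failures against several account names from one address is exactly what the jail is meant to stop.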

The next error you’ll likely encounter after meticulously hardening your FTP server is a legitimate user complaining they can’t connect because they’re trying to use plain FTP and you’ve disabled it.
