[ubuntu] ProFtpd vs. VsFtpd
chrisinspace
July 15th, 2009, 01:00 PM
I am about to put an FTP solution in place and I've been doing some research. I know there are a lot of solutions out there, but here are my criteria:
SECURE - This is critical. I plan to do an FTP over SSL (FTPS) implementation. This server will reside in a DMZ.
Well-documented - I'm fairly new at this. I've been using Linux on the desktop for a few years now and I have a little experience managing an Ubuntu server, but I need somewhere to turn if I get stuck.
Good community support - goes hand-in-hand with the previous point about documentation.
Not too hard for end-users who will be connecting to the server - I need to be able to walk semi-savvy users through the process of connecting to my FTP server using common clients such as Core FTP, Filezilla, CuteFTP, etc.
I've narrowed it down to ProFtpd and VsFtpd. Can anyone make any recommendations as to one over the other? Are there any key features that differentiate them? One thing that I heard about VsFtpd that I like is that there is a Webmin plugin available for managing the server. I have Webmin set up on another Ubuntu server and I use it for general admin, Apache, and MySQL. It would be nice to centralize on that platform if possible. I'd really appreciate any advice.
chrisinspace
July 16th, 2009, 10:05 AM
I'd really like to get moving on this. Does anyone have any feedback? I'm hoping the community can help point me in the right direction.
scorp123
July 16th, 2009, 12:34 PM
You've already done all research. What do you expect? That we toss a coin for you? :D
I personally would not bother with FTP at all and stick to OpenSSH instead. The entire exercise with setting up an FTP server and enabling SSL certificates so you'd get "FTPS" seems highly redundant to me, when instead you could simply stick to SSH and use SFTP which already provides this functionality right out of the box.
giggins
July 16th, 2009, 01:38 PM
I've got to agree with scorp123 on this one. SFTP meets all the things you have listed, plus it has numerous clients available for virtually every platform. FTP with security is a hacked abomination of an already pretty old and broken protocol. See http://en.wikipedia.org/wiki/FTPS for more details, especially the section about "Firewall incompatibilities". If your goal is to provide a secure way for users to connect, using SFTP is a great way to go, and it will allow you to use PAM for authentication, so you can use MySQL, LDAP, or whatever else you want for auth.
If that's not to your liking, you can try using WebDAV with Apache2. If you're trying to set up FTP for web developers, then this is a great alternative, as it allows them to directly edit the files they can then view through their hosted sites. Here's a link to help with that: http://www.howtoforge.com/how-to-set-up-webdav-with-apache2-on-ubuntu-8.10.
I guess to be fair though, if the only thing you want to compare are ProFtpd and VsFtpd, then it's really a matter of personal preference. They both use standards, both have decent records as far as security is concerned, both have been around for a while, and they both have a ton of documentation and features. Try them both and let us know which one you choose and why.
lykwydchykyn
July 16th, 2009, 01:43 PM
There's a webmin module for proftpd that comes built-in to webmin. I believe the vsftpd module is third-party.
I've always used proftpd or pure-ftpd, and been happy with both.
chrisinspace
July 16th, 2009, 04:11 PM
> You've already done all research. What do you expect? That we toss a coin for you? :D
Actually, I was hoping maybe you'd just volunteer to come install it for me. ;) :biggrin:
@scorp123 and giggins,
My goal is to enable users to move one large file (~100MB) a day. They'll be expecting to use an FTP client. Will SFTP work for that? I found these instructions:
http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html
Does that look right? After it is set up do you just control user access by creating local users on the Ubuntu server?
Once I get the files on the Ubuntu server they have to be read by an application on a Windows machine. I'm guessing I'll have to set up Samba for that. Will that open up more security vulnerabilities?
Sorry for the string of questions, but I'm new to Linux server administration. I don't want to fall back to MS Server just because that's what I know. I'm trying to use this as an opportunity to pick up some new skills.
chrisinspace
July 16th, 2009, 04:15 PM
> There's a webmin module for proftpd that comes built-in to webmin. I believe the vsftpd module is third-party.
Didn't know that. Thanks.
scorp123
July 17th, 2009, 12:43 AM
> My goal is to enable users to move one large file (~100MB) a day. They'll be expecting to use an FTP client.
Use WinSCP ... it has an easy-to-use interface and it can use SCP (secure-copy) and SFTP (both "scp" and "sftp" are SSH sub-protocols).
http://winscp.net/
If you want a command-line client for Windows (so you could use it in batch jobs), you could use "Putty". It has SCP and SFTP clients (e.g. "pscp.exe"):
http://www.chiark.greenend.org.uk/~sgtatham/putty/
Vishal Agarwal
July 17th, 2009, 12:55 AM
> My goal is to enable users to move one large file (~100MB) a day. They'll be expecting to use an FTP client. Will SFTP work for that? I found these instructions:
I am using VsFtpd, and did not face any problems. Also it transfers the data at good enough speed. Mostly I am downloading from my Debian server, but a very few times I have uploaded.
With cuteFTP client it gives me access to create/modify my files as logged in user home folder.
zehner
July 17th, 2009, 06:21 AM
If you plan to chroot your users, then it's easier to set up an FTP server than to chroot an instance of the SSH server. ProFTPD and VSFTPD both have an inbuilt feature to chroot your logins.
I have both servers in productive use, both are very stable and secure servers. I prefer ProFTPD, because of its SQL- and LDAP-Features. But on a few RHEL-instances I have VSFTPD running and no problem with it until now.
=> It's your choice, think about your needs (SQL, LDAP, ...) and you won't be spoilt for choice :-)
scorp123
July 17th, 2009, 07:18 AM
> If you plan to chroot your users, then it's easier to set up an FTP server than to chroot an instance of the SSH server.
Not true. Just see the link he posted above. You can use mechanisms such as "scponly" so that users could use SCP and SFTP but not login via a shell. And limiting such users to certain directories can easily be achieved via user and file permissions. Or file ACLs if you, like me, prefer to use that feature :D
chrisinspace
July 24th, 2009, 10:13 AM
> I guess to be fair though, if the only thing you want to compare are ProFtpd and VsFtpd, then it's really a matter of personal preference. They both use standards, both have decent records as far as security is concerned, both have been around for a while, and they both have a ton of documentation and features. Try them both and let us know which one you choose and why.
I had to move quickly on this, so I did decide to go with FTPS. SSH sounds really interesting and extremely well-suited to many remote-access solutions, but I already had a basic understanding of FTPS and I'm only concerned with file transfer, so I went that route. I will definitely give SSH a shot in the future when I have more time to research it.
The main reason I chose FTPS is that I wanted to do local user management and authentication on the FTP server so the LDAP integration wouldn't be that useful to me since the FTP server lives in my DMZ and can't communicate from the DMZ to my internal network. The internal network can, however, talk to the FTP server in the DMZ. I specifically chose ProFTP because it has some great user/server security controls and its setup and administration in Ubuntu are really well documented. I was able to get the server up and running quickly. The part that took a little more time was securing it with the SSL certificate. I worked on that issue alone for a full day then stopped, took a deep breath, and did some more research. I found this posting (http://forums.proftpd.org/smf/index.php?action=printpage;topic=3957.0) which solved my problem. The issue I was having was that the module mod_tls.c wasn't loading so the TLS functionality wasn't enabled. All I had to do was add:
LoadModule mod_tls.c
to the top of my proftpd.conf file and it worked right away. This step was not mentioned in any of the tutorials I read, even those specifically talking about enabling SSL/TLS in ProFTPd. I was surprised because I didn't build it from source, it came out of the Ubuntu repository, so I would think this is a common issue. Once that was in place, everything worked like a charm.
Thanks to all of you for your input to this thread. You have really raised my curiosity about SSH, so I'm going to start looking into that and experimenting with it a bit.
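The failure described in the post above (TLS configured but mod_tls.c never loaded) can be caught with a configuration audit; this is an added example, not code from the thread or from the ProFTPD project. It assumes the TLS directives sit inside an `<IfModule mod_tls.c>` block, which ProFTPD skips without error when the module is absent; the sample config, its paths and the `audit_tls` name are constructed for illustration.

```python
import re

# Constructed sample config: TLS directives exist, but mod_tls.c is never loaded.
BROKEN_CONF = """\
ServerName "dmz-ftp"
<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired on
  TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
  TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
</IfModule>
"""
FIXED_CONF = "LoadModule mod_tls.c\n" + BROKEN_CONF  # the fix from the thread

def audit_tls(conf_text, static_modules=()):
    """Audit proftpd.conf text; static_modules are built in and need no LoadModule."""
    loaded = set(static_modules)
    guards = []    # one bool per open <IfModule>: is this block applied?
    active = {}    # directive -> value, taken from applied lines only
    skipped_tls = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = re.match(r"<IfModule\s+(!?)([\w.]+)\s*>$", line, re.I)
        if opened:
            # Evaluated top to bottom, so LoadModule has to come first.
            guards.append((opened.group(2) in loaded) != bool(opened.group(1)))
        elif line.lower() == "</ifmodule>":
            guards = guards[:-1]
        else:
            name, value = (line.split(None, 1) + [""])[:2]
            name = name.lower()
            if all(guards):
                if name == "loadmodule":
                    loaded.add(value)
                active[name] = value.lower()
            elif name.startswith("tls"):
                skipped_tls = True
    findings = []
    if skipped_tls:
        findings.append("TLS directives sit in an <IfModule> block that was skipped")
    if active.get("tlsengine") != "on":
        findings.append("TLSEngine is not on: the server speaks plain FTP only")
    elif active.get("tlsrequired") != "on":
        findings.append("TLSRequired is not on: cleartext logins remain possible")
    return findings
```

The audit reads one file only; on a real host, concatenate any Include'd files first and pass the modules that the binary reports as compiled in via `static_modules`.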
scorp123
July 26th, 2009, 05:35 PM
> I had to move quickly on this, so I did decide to go with FTPS.
That's like saying: "I am in a hurry, so I'll pick the 60 years old VW Beetle over the brand-new Ferrari Formula-1 car ...."
No insult intended. But let's face it: How many hours did you spend to get FTPS working??? Getting SSH (and therefore SFTP too!) up and running is just a matter of a few minutes. :D
shredkingj
July 26th, 2009, 11:37 PM
I've set up both, and I'd say both take about the same amount of time... vsftpd has been easy to get running for FTPS and chroot in the past for me. But I agree, SFTP is the best way to go in nearly every way.
chrisinspace
July 27th, 2009, 08:44 AM
> That's like saying: "I am in a hurry, so I'll pick the 60 years old VW Beetle over the brand-new Ferrari Formula-1 car ...."
> No insult intended. But let's face it: How many hours did you spend to get FTPS working??? Getting SSH (and therefore SFTP too!) up and running is just a matter of a few minutes. :D
Isn't FTP actually supposed to be faster at moving files? If I don't need any of the remote access capabilities offered by SSH, then what are its benefits over FTPS? I'm not trying to argue the point; I'm trying to learn more about SSH. Now that I have a solution in place, I can take a little time to understand it better.
scorp123
July 27th, 2009, 04:17 PM
> Isn't FTP actually supposed to be faster at moving files?
This is only valid for pure unencrypted FTP. As the protocol isn't encrypted it has far less overhead than an encrypted connection such as SSH/SCP/SFTP. So yes, unencrypted FTP could be noticeably faster.
But between FTPS and SFTP/SCP I'd doubt you see a lot of a difference. Both use some form of SSL to encrypt their traffic, hence there should be similar overhead.
> If I don't need any of the remote access capabilities offered by SSH, then what are its benefits over FTPS?
SSH and its sub-protocols are pretty much compliant to any networking standard (IETF, RFC and what not) that you can find and especially firewalls --no matter what brand-- should not have any troubles whatsoever with SSH and its sub-protocols, whether you just wish to transfer files via SCP or SFTP, administrate systems remotely via SSH, mount a server's remote filesystems via SSHFS or use SSH's extensive tunnelling capabilities --- it should all just work. With any firewall. Period. SSH server software such as OpenSSH is constantly being improved and I am not aware of any serious security issue that would currently exist for the current incarnation of the SSH protocol.
FTPS however is a dirty dirty hack: you put a complicated SSL layer over an already complicated and outdated and highly insecure two-way protocol that already without that hack had plenty of troubles of its own. It may work or it may not work with your firewall, with your business partner's firewall, with their client software .... In other words --and this has already been pointed out to you-- FTPS is prone to having troubles. Good luck troubleshooting that if it ever misbehaves.
Stuff you might want to read:
http://en.wikipedia.org/wiki/SSHFS
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
hessiess
July 27th, 2009, 08:34 PM
Assuming your ~100 meg file is a single file and slowly changes over time, using a protocol which supports delta uploading, such as RSync, Unison or any of the recent version control systems, would be substantially faster than re-uploading the entire file every time.
If you are ever stuck inside a network which only has ports 80 and 443 available, with 80 proxied and filtered, you will see just how bad FTP is. Tunnelling SSH, and thus sftp, over port 443 is relatively easy, but as FTP runs on multiple ports, it is not easy to tunnel. Though in the above situation the best option is WebDAV or Subversion over WebDAV; the latter is faster as it does delta transfers.
chrisinspace
July 27th, 2009, 10:08 PM
Well, thanks to all of you. I've learned a lot.
scorp123
July 28th, 2009, 01:20 PM
> Assuming your ~100 meg file is a single file and slowly changes over time, using a protocol which supports delta uploading, such as RSync, Unison or any of the recent version control systems, would be substantially faster than re-uploading the entire file every time.
Fully agree to that. Let's take "rsync" for example: it "just works" with SSH. In my example I will assume that the SSH server is listening on port 2222 (instead of the standard port 22).
So instead of using SCP every time to copy a 100 MB file in full ...
scp -P 2222 -r /path/to/local/file user@server:/path/to/remote/location
... one could simply use rsync to transfer just the deltas:
rsync -e "ssh -p 2222" -a -v /path/to/local/file user@server:/path/to/remote/location
(... I hope I got the syntax right :D ... )
alecz20
June 3rd, 2010, 11:53 AM
The only reason I wanted to set up an FTP server was to share a folder with some users without letting them see the whole filesystem.
Some people here suggested setting permissions on the filesystem, but I really doubt it is a good idea to alter the default permissions.
Others have mentioned chroot. But from what I saw in a few guides:
http://www.howtoforge.com/chrooted_ssh_howto_debian_p2
it seems that it involves creating scripts, and users, and putting . in their home address.
A lot of hassle when I actually want to share a directory such as "/home/share" without them being able to go higher than that.
If you guys know any simple and clean solution for chroot and SSH, then I would say that FTP is obsolete, but until then... I am still looking for the FTP server that does this easily.
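On the SSH chroot question raised in this thread: OpenSSH's sshd can confine SFTP-only users with `ChrootDirectory` and `ForceCommand internal-sftp` inside a `Match` block, but it refuses the session unless every component of the chroot path is a root-owned directory that is not writable by group or others. The check below is an added example, not from any poster; the function names are hypothetical and the sample paths, uid and modes are constructed.

```python
import os
import stat


def path_chain(path):
    """Return [(component, uid, mode)] from '/' down to path, read with os.stat."""
    current = os.path.abspath(path)
    chain = []
    while True:
        st = os.stat(current)
        chain.append((current, st.st_uid, st.st_mode))
        parent = os.path.dirname(current)
        if parent == current:       # reached the filesystem root
            break
        current = parent
    return chain[::-1]


def chroot_violations(chain):
    """Apply sshd's ChrootDirectory ownership rule to (path, uid, mode) entries."""
    problems = []
    for comp, uid, mode in chain:
        if not stat.S_ISDIR(mode):
            problems.append(f"{comp}: not a directory")
        if uid != 0:
            problems.append(f"{comp}: owned by uid {uid}, must be root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: writable by group or others")
    return problems


# Constructed entries for a share at /home/share (0o40000 marks a directory).
GOOD = [("/", 0, 0o40755), ("/home", 0, 0o40755), ("/home/share", 0, 0o40755)]
# Same share, but owned by an ordinary user and group-writable.
BAD = [("/", 0, 0o40755), ("/home", 0, 0o40755), ("/home/share", 1001, 0o40775)]

if __name__ == "__main__":
    for problem in chroot_violations(path_chain("/home")):
        print(problem)
```

Because the chroot root itself cannot be user-writable, uploads need a subdirectory inside it that the user owns.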