How safe are FTP servers?

I plan on setting up an FTP server on my Linode and I've read that this practice is discouraged due to security concerns. How bad is it?

I plan on serving up files through http, no real logins or anything. I assume there is a way to configure sftp for the transfer or that most modern ftp servers come configured with this by default.

I know that some things such as running a telnet daemon are inherently dangerous but I still see sites use FTP through a web interface.

5 Replies

FTP sends all data, including credentials, over cleartext. It's a bad idea to use it. I could enumerate the reasons why here, but instead, I'll refer you to the always enlightening http://mywiki.wooledge.org/FtpMustDie.

FTPS (FTP over SSL) is better, but if you're going to the trouble of setting that up, don't bother. Just use sftp, the server for which is already provided by your distro's ssh daemon. From the client's perspective, SFTP works in a nearly identical fashion to FTP, but it can take advantage of strong authentication (you do have password auth turned off, don't you?), as well as encryption of all data including credentials.
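An added example, not from this thread: a small Python audit that reads an sshd_config and reports settings that undermine the SFTP-only, key-based setup the reply above recommends (password auth off, and root login off as the poster later mentions). Both sample configs are constructed here; the keyword names are real OpenSSH ones.

```python
import re
WEAK_CONFIG = """\
# constructed sample, roughly an untouched distro sshd_config
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

HARDENED_CONFIG = """\
# constructed sample: key-only logins, SFTP served by sshd's built-in server
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp
"""

def parse_sshd_config(text):
    """Lowercased keyword -> value for the global section. sshd honours the first
    occurrence, accepts 'Key value' or 'Key=value'; Match blocks are conditional, so stop there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Findings that contradict the advice above; an empty list means it passes."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (OpenSSH default is yes)")
    # With UsePAM, keyboard-interactive auth can still prompt for a password;
    # older OpenSSH spells this keyword ChallengeResponseAuthentication.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (PAM password prompts remain)")
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin is 'yes'")
    if not s.get("subsystem", "").lower().startswith("sftp "):
        findings.append("no 'Subsystem sftp' line, so sftp clients cannot connect")
    return findings
```

Run it against your real /etc/ssh/sshd_config and then `sshd -t` before restarting the daemon; the audit only covers the handful of keywords this thread talks about.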

If you're serving files to the public via HTTP (without requiring a user/pass), then running an anonymous FTP server to serve those very same files via FTP is no less safe. SFTP is preferred over FTP in cases where users need to provide login credentials.

I have password auth turned off, as well as root login, but like dcraig said I will be serving files to the public without requiring a user name/password but I was planning on doing it over https.

I've seen other sites do this and I was not required to login. If SFTP requires users to provide login credentials it sounds like my only option might be to go with FTPS.

SFTP/FTPS has nothing to do with HTTPS. They're two different things, entirely.

Why do you think you need any form of FTP?

Yeah, after thinking it over I decided that this is probably a bad idea. I don't know what I was thinking, probably that somehow FTP would be the backend and the data would be transported using http or https.
