Usually, I will try to push clients towards using SCP (via a client such as WinSCP); however, inevitably there are clients who do not understand this new method of accessing their files securely online, and who for one reason or another insist on using FTP for their online file access. As they say – the customer is always right?
Anyway, there are currently 3 mainstream FTP servers available via the yum command on CentOS 6.x: PureFTPd, ProFTPd and vsftpd. So which FTP server is the best? I will summarize the servers below, or you can skip to the summary.
ProFTPd is a modular FTP server which has been around for a long time. The large control panels (cPanel, DirectAdmin) all support ProFTPd and have for years.
The most feature-rich of the bunch is certainly ProFTPd. There are a ton of plugins available for it, and its creator modeled its configuration architecture much like Apache's. It is also licensed under the GPL.
Configuration of ProFTPd is fairly straightforward, and a quick Google search turns up plenty of example configuration files.
ProFTPd is available on a wide variety of system architectures and operating systems.
Of the bunch, ProFTPd has the most CVE vulnerabilities listed. The high number is most likely an indicator of ProFTPd’s widespread use which makes it a target of hackers.
PureFTPd's mantra is 'Security First.' This is evident in the low number of CVE entries (see below).
Licensed under the BSD license, PureFTPd is also available on a wide range of operating systems (but not Windows).
Configuration of PureFTPd is simple, with a no-configuration file option. Although not as widely used as ProFTPd, PureFTPd has many configuration examples listed online.
PureFTPd’s “Security First” mantra puts it at the lead in the security department with the fewest security vulnerabilities.
vsftpd, which stands for "Very Secure FTP Daemon," is another GPL-licensed FTP server. It is a lightweight FTP server built with security in mind.
Its lightweight nature allows it to scale very efficiently, and many large sites (ftp.redhat.com, ftp.debian.org, ftp.freebsd.org) currently utilize vsftpd as their FTP server of choice.
vsftpd has a lower number of vulnerabilities listed in CVE than ProFTPd but more than PureFTPd. This could be because it is under more scrutiny than the others, either since its name implies it is a secure FTP service or because it is so widely used on large sites.
Summary & FTP Server Recommendations
Considering the evaluations above, any of these servers would work in a given situation; however, generally speaking:
- If you want a server with the most flexible configuration options and external modules: ProFTPd
- If you have just a few users and want a simple, secure FTP server: PureFTPd
- If you want to run an FTP server at scale with many users: vsftpd
Of course, everyone's requirements are different, so make sure you evaluate the options according to your own needs.
Disagree with my assessment? Let me know why!