Evaluating FTP Servers: ProFTPd vs PureFTPd vs vsftpd

ftp


Usually, I will try to push clients towards using SCP (via a client such as WinSCP), however inevitably there are clients who do not understand this new method of accessing their files securely online, and who for one reason or another insist on using FTP for their online file access. As they say – the customer is always right?

Anyway, there are currently 3 mainstream FTP servers available via the yum command on CentOS 6.x. PureFTPd, ProFTPd and vsftpd. So which FTP server is the best? I will summarize the servers below, or skip to the summary.

ProFTPd

ProFTPd is a modular FTP server which has been around for a long time. The large control panels (cPanel, DirectAdmin) all support ProFTPd and have for years.

The most feature rich of the bunch is certainly ProFTPd. There are a ton of plugins available for it, and the creator of it modeled its configuration architecture much like Apache’s – it is also using the GPL for licensing.

Configuration of ProFTPd is fairly straight forward, and example configuration files abound at a quick search of Google.

ProFTPd is available on a wide variety of system architectures and operating systems.

ProFTPd Security

Of the bunch, ProFTPd has the most CVE vulnerabilities listed. The high number is most likely an indicator of ProFTPd’s widespread use which makes it a target of hackers.

ProFTPd CVE Entries: 40
Shodan ProFTPd entries: 127

PureFTPd

PureFTPd‘s mantra is ‘Security First.’ This is evident in the low number of CVE entries (see below).

Licensed under the BSD license, PureFTPd is also available on a wide-range of operating systems (but not Windows).

Configuration of PureFTPd is simple, with a no-configuration file option. Although not as widely used as ProFTPd, PureFTPd has many configuration examples listed online.

PureFTPd Security

PureFTPd’s “Security First” mantra puts it at the lead in the security department with the fewest security vulnerabilities.

PureFTPd CVE Entries: 4
Shodan Pure-FTPd Entries: 12

vsftpd

vsftpd is another GPL-licensed FTP server, which stands for “Very Security FTP daemon.” It is a lighweight FTP server built with security in mind.

Its lightweight nature allows it to scale very efficiently, and many large sites (ftp.redhat.com, ftp.debian.org, ftp.freebsd.org) currently utilize vsftpd as their FTP server of choice.

vsftpd Security

vsftpd has a lower number of vulnerabilities listed in CVE than ProFTPd but more than PureFTPd. This could be because, since its name implies it is a secure FTP service, or because it is so widely used on large sites – that it is under more scrutiny than the others.

vsftpd CVE Entries: 12
Shodan vsftpd entries: 41

Summary & FTP Server Recommendations

#

Considering the evaluations above, any server would work in a situation, however generally speaking:

  • If you want a server with the most flexible configuration options and external modules: ProFTPd
  • If you have just a few users and want a simple, secure FTP server: PureFTPd
  • If you want to run a FTP server at scale with many users: vsftpd

Of course, everyone’s requirements are different so make sure you evaluate the options according to your own needs.

Disagree with my assessment? Let me know why!

  • Troll

    And now do your homework and read those CVEs you assigned to vsftpd. There are kernel bugs, buggy patches applied by RH, bugs in some third party software (as webmin module or pam-mysql). Count only bugs in vsftpd, not all bugs with string “vsftpd” in description.

  • Howdy! Tell you what – you are right – the CVE title search was down when I wrote this so I used the keyword search to perform the queries. Now that it is back up, I’ve added the product/title search and changed the numbers to reflect those queries. I’ve also performed a similar search on Shodan and listed the number of vulnerabilities for each FTP server. 

    I’m not saying that any one is more secure than the other, but there needs to be some sort of quantifiable measure to compare them.

    Thanks for responding!

  • Lovetide ??

    it seems CentOS 6.3 contains only vsftpd package, proftpd and pure-ftpd are available from repoforge repository.

  • Harry Kashouli

    Hi there,

    I am confused by your summary of vsftpd: “If you want to run a FTP server at scale with many users: vsftpd”. If anything, I disagree because I am trying exactly that with it, and hit nothing but issue after issue.

    An example: if I want to allow everyone that can log on to the server to use ftp, by default they can navigate to any folder on the machine. If I try to fix this via chroot/jail, vsftpd jails them only within their home folder (which makes zero sense when wanting multiple users to use the same shares). If I try to use local_root, the server refuses to start on three distributions.

    I then discovered that I could bind mount the desired share in their folder, but that assumes their folder already exists; I have my server in an AD environment and home folders are created upon first ssh or samba share login, so this solution is impossibly hard.

    I will try the other two and see if they can do what I want. I find that vsftp is best only if you want each user to have their own personal share, or if you enjoy exposing your entire root folder to anyone that can log in via ftp.

  • I’m surprised that it would expose the entire root folder to logged in users. 

    Did you use chroot_local_user=YES?

  • John Westerdale

    Do any allow separate logging for each permitted user?  Sounds like ProFTP, but its of great interest when setting up a company Intranet for a few but distinct FTP clients. Some are chatty as heck, and others are once a month.
    Thanks for the informative comparison.

  • mpoplin

    thanks, this article helped me out when i needed to add a dedicated ftp service for a client (sftp would not suffice—the customer is always right).

  • NM

    great article.. right when I needed it. :)

    which one do you think would be the best if I want it integrated with LDAP. Upto 150 Windows active directory users.?? 

  • Anhad

    And I wasted 2 hours finding that out :X