FTP & SFTP

FTP (File Transfer Protocol) is one of the oldest internet protocols — older than HTTP. SFTP is the modern, secure replacement that runs over SSH.

In simple language: FTP moves files but sends everything (including passwords) in plaintext. SFTP does the same job inside an encrypted SSH tunnel.

FTP Basics

  • Port 21 — control connection (commands).
  • Port 20 — data connection (file contents) in active mode.

FTP is unusual because it uses two TCP connections: one for commands, one for actual file data.

Active vs Passive Mode

This is the part of FTP that is famous for being confusing.

Active mode:

  1. Client connects to server’s port 21 (control).
  2. Client tells server “send data to my port X.”
  3. Server initiates a new connection from its port 20 to the client’s port X.

Problem: most clients are behind NAT/firewalls that block incoming connections. The server can’t reach the client. Active mode breaks.

Passive mode (PASV):

  1. Client connects to server’s port 21.
  2. Client says “PASV — you tell me where to connect.”
  3. Server opens a random data port and replies with it.
  4. Client makes the data connection outbound.

Passive mode works through NAT because the client initiates both connections. This is the default in modern FTP clients.

ACTIVE                              PASSIVE
Client ──cmd──> Server:21           Client ──cmd──> Server:21
Client <──data── Server:20          Client ──data──> Server:randomPort
(server initiates → blocked by NAT) (client initiates → NAT-friendly)
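
The endpoint exchange behind both modes, as an added example that is not part of the original page: in the PORT command (active) and the 227 reply to PASV (passive), FTP sends the data address as six decimal bytes h1,h2,h3,h4,p1,p2, with port = p1 × 256 + p2. The function names and the sample control-channel lines are made up for illustration.

```python
import re

# Six decimal bytes h1,h2,h3,h4,p1,p2: the address format of PORT and 227 (RFC 959).
_SEXTET = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# verb -> (mode, side that opens the data connection)
_MODES = {"PORT": ("active", "server"), "227": ("passive", "client")}


def decode_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 reply, or None."""
    m = _SEXTET.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of byte range: %r" % line)
    # The port is sent as two bytes: high byte first, then low byte.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def describe_data_channel(line, client_ip, server_ip):
    """Classify one control-channel line; None if it sets up no data channel."""
    verb = (line.split(None, 1) or [""])[0].upper()
    endpoint = decode_endpoint(line) if verb in _MODES else None
    if endpoint is None:
        return None
    mode, opener = _MODES[verb]
    # Active: the client advertises itself. Passive: the server advertises itself.
    expected = client_ip if mode == "active" else server_ip
    return {
        "mode": mode,
        "initiated_by": opener,
        "data_ip": endpoint[0],
        "data_port": endpoint[1],
        # A mismatch often means a host behind NAT advertised its private address.
        "address_matches_peer": endpoint[0] == expected,
    }


# Constructed sample control-channel lines (documentation and private addresses).
SAMPLES = [
    "PORT 198,51,100,7,195,80",
    "227 Entering Passive Mode (203,0,113,10,234,96)",
    "227 Entering Passive Mode (10,0,0,5,19,137)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(describe_data_channel(sample, "198.51.100.7", "203.0.113.10"))
```

The third sample shows the usual passive-mode failure: the server advertises an address the client cannot route to, so the data connection never opens even though the control connection works.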

Why FTP Is Insecure

Everything goes in plaintext on the wire:

  • Username and password.
  • File contents.
  • Directory listings.

Anyone sniffing the network sees it all. There’s no encryption, no integrity check. Don’t use plain FTP in 2026.

FTPS vs SFTP — Don’t Confuse Them

Both are “secure FTP,” but they’re completely different.

  • FTPS — old FTP wrapped in TLS. Same dual-connection mess, just encrypted. Two flavors: implicit (port 990) and explicit (port 21 with STARTTLS).
  • SFTP — a totally different protocol that runs as a subsystem of SSH on port 22. Single connection, encrypted by default, no active/passive nonsense.

If we have a choice, pick SFTP. Simpler, more reliable, and the SSH ecosystem (keys, agents, port forwarding) just works.

Using SFTP

If we already have SSH access to a server, we already have SFTP.

# Interactive session
sftp manish@server.example.com

# Inside the session:
sftp> ls
sftp> cd /var/www
sftp> put localfile.txt
sftp> get remotefile.txt
sftp> bye

# One-shot copies over SSH (scp and rsync are separate tools from sftp, similar idea)
scp local.txt manish@server.example.com:/tmp/
rsync -avz local-dir/ manish@server.example.com:/var/www/

# GUI clients: FileZilla, Cyberduck, Transmit — all speak SFTP

SFTP supports key-based auth, which means we can sync files without typing passwords.

When We’d Still See FTP

  • Legacy systems and old hosting providers.
  • Anonymous FTP for public software mirrors (e.g., older Linux distro mirrors).
  • Industrial equipment that hasn’t been updated since 2003.

For everything else, SFTP, HTTPS uploads, or object storage (S3) have replaced it.

Interview Tip

The trap question is “what’s the difference between FTPS and SFTP?” Be ready: FTPS = FTP + TLS, SFTP = file transfer over SSH. Different protocols, different ports (990/21 vs 22), different design.