The File Transfer Protocol (FTP) is one of the original internet protocols used for the transfer of large files. The modern internet has a number of tools to transfer files such as email attachments and various transfer websites, but those methods have their limitations. FTP, with added security such as that offered in SFTP and FTPS, is still one of the best tools for transferring files. But, to use it, you’ll have to set up an SFTP server.
A primer: FTP vs FTPS vs SFTP
These terms all vary by one letter, but that letter is important.
FTP File Transfer Protocol: The original protocol and its major limitation is that it sends logins and data unencrypted. Login information, as well as the file itself, are sent “in the clear” in plain text that an observer can see.
FTPS File Transfer Protocol Secure (also known as FTPES): This is secure FTP, where the S in this case represents Transport Layer Security (TLS) encryption. This is essentially a basic FTP server that knows how to negotiate an encrypted TLS tunnel to transfer data through.
SFTP Secure File Transfer Protocol: This is also secure FTP, but in this case the S represents Secure SHell (SSH). This isn’t really an FTP server at all. Rather, it is an SSH server that understands FTP commands. Login information and files are transferred encrypted via SSH. To make matters even more confusing, the original intention of the abbreviation SFTP was Simple File Transfer Protocol defined by RFC 913, but has been relegated to “Historic” status and no longer used.
SCP Secure Copy: This is not an FTP protocol, but it is widely used to securely transfer files, so it bears mentioning here. SCP is a very simple file copy from one machine to another using the SSH protocol. The FTP protocols have a wide range of file management abilities that SCP does not.
Confusingly, a GUI utility that implements the SSH File Transfer Protocol is termed an SFTP client although it can also be an SFTP server. The SFTP client designation signifies that this piece of software initiates connections. It is also called a server because it is usually part of the file server where backup configurations are stored.
SCP is just a copy function. SFTP is has its own environment. It allows you to move files on the remote system, change directory and even create directories on the remote host. Both SFTP and SCP use the same security procedures to enforce user authentication and protect transmissions with encryption over the connection. However, SFTP gives the user muh more access to functions to manipulate the operating system. You would be more likely to use SCP for straightforward file transfers.
As both systems require user authentication, there is a risk if you put either into a batch job, because you would have to supply a username and password in the call to the command. However, you could limit the potential that anyone discovering the user account on the remote system by creating a restricted access user account for that computer, which prevented anyone accessing that account from getting out into any other directory other than the account’s home directory. However, this strategy would negate many of the functions that provide SFTP with its advantages. A secure transfer to a remote host carries less risk if it is carried out with SCP, because there is no command language incorporated into that protocol. SFTP is more suitable for use by a systems administrator performing interactive manual tasks and transfer on a remote computer.
Here’s a list of the best SFTP and FTPS servers:
|1. SolarWinds SFTP (FREE DOWNLOAD)||Windows|
|2. Filezilla FTPS||Windows|
|3. IIS FTPS Server||Windows|
|4. Free FTP||Windows|
|5. Syncplify.me SFTP server||Windows|
|6. Rebex Tiny FTP Server||Windows|
|9. Cornerstone MFT server||Windows|
|10. Globalscape SFTP server||Windows|
|11. Titan FTP server||Windows|
|12. Syncplify.me Micro SFTP server||Windows|
|13. Xlight FTP server||Windows|
|14. Core Mini SFTP Server||Windows / Linux|
|19. VandDyke VShell||Windows / Linux|
Full featured free SFTP and FTPS servers:
Editor’s choice: SolarWinds is a complete suite of IT tools. Enterprise-level suites wouldn’t be complete without a secure FTP server, and SolarWinds includes a free powerful SFTP and SCP server as part of its offering.
The SolarWinds SFTP server download is a zip file that extracts into an MSI installer. Once the install is complete, setting it up is as simple as launching the program and specifying a few options such as allowed protocols and allowed transfer options.
There’s also a built-in SCP server which makes sense since both SFTP and SCP use SSH to accomplish their tasks. You can configure the SolarWinds SFTP server to also allow SCP by selecting “Both” protocols.
On the users tab, you can create user accounts and specify details such as which network interface to use.
MORE INFORMATION ON THE OFFICIAL SOLARWINDS SITE:
2. FileZilla FTPS
FileZilla is a well known FTP server and client suite. The server itself only runs on Windows, but since there are Filezilla clients for almost every conceivable operating system, it is a good choice. There’s no requirement to use the FileZilla client to connect to a FileZilla FTP server, but streamlining the products can help with support issues. Filezilla server supports FTPS, but not SFTP. The client supports both.
3. IIS FTPS Server
An often overlooked FTPS server is available right within Windows Server. If you’re already running Internet Information Services (IIS), you can add the FTP server role, then create TLS certificates, and have a full featured FTPS server running alongside your IIS server very quickly.
Stemming from FreeSSH, FreeFTP is a full-featured SFTP server for Windows. It supports all flavours of FTP including SFTP and FTPS. As the name suggest, it is free and supports the creation of arbitrary users which makes it ideal for a quick SFTP setup on a Windows network.
During installation, you can chose to run FreeSFTP as-needed, or you can install it as a system service. The latter means it will run all the time and be available for your SFTP users.
Ensure that you download the latest version (greater than 1.0.11). A vulnerability was discovered in version 1.0.11 which has been patched in 1.0.12 and the current version is 1.0.13.
5. Syncplify.me SFTP server
Syncplify is an extensible SFTP servers which can run custom scripts. If you find that you have to jump through hoops to fit your SFTP server into your unique workflow, Syncplify may be the tool you’re looking for.
The free/evaluation edition has all the features of the Ultimate edition, but it only accepts a single connection and is not licensed for use in Production.
6. Rebex Tiny FTP Server
The Rebex Tiny SFTP server is free for all uses, including commercial use. It runs on WIndows XP up to Windows 7, and also supports Windows Server 2002, 2008, and 2012 editions. It is limited to a single user, but comes packed with features. It requires no setup, and contains full logging capabilities as well as support for public/private key logins instead of passwords.
It’s also worth mentioning that Rebex provides full .NET libraries to allow developers to include SFTP code in their own apps. The libraries are not free, but worth a look if you’re a .NET developer with a project like that on hand.
Update, August 26, 2018: This tool is no longer available. The ALTools website provides a suite of products for systems administrators and regular computer users. ALTFTP is an FTP server that support SFTP and runs on a wide variety of older and newer hardware, even as far back as the Pentium 150. It is a Windows only FTP server, supported from Windows 98 onwards to to Windows 7. Presumably, it will run on Windows 10 as well, but that is not specifically listed.
There is just a single download for ALTFTP that bundles the client and server application together, and it comes with a 60-day free trial.
CrushFTP is Windows-based FTP server that leverages compression, hence the name “Crush”. It compresses the files being transferred and streams the compressed data across the network, greatly reducing transfer time for many types of files.
CrushFTP also has some security measures built in. It can protect from brute-force login attacks by automatically banning attacking IPs, and the robust user management includes virtual file systems and permissions inheritance. The CrushFTP server has a 30-day trial and the client is always free.
9. Cornerstone MFT server
Cornerstone MFT(Managed File Transfer) is an SFTP server that addresses enteprise requirements. MFT is an umbrella term that indicates a higher level of control and audit than normal ad-hoc FTP client/server relationships normally provide. The advent of MFT was to address the need for transparent logins, higher security during transfer, and more visibility into file transfer progress and success or failures.
Cornerstone offers PGP-encrypted file storage. Data can be encrypted on the fly so there is never a point where unencrypted data is waiting on the disk to be encrypted. In addition, Cornerstone provides perimeter protection mechanisms such as two-factor authentication.
You can give Cornerstong MFT a try with its 30-day trial version to see if it fits your needs.
10. Globalscape SFTP server
Globalscape has coined the phrase “Enhanced File Transfer” (EFT) to refer to their “Managed File Transfer” (MFT) product.
Globalscape’s EFT server can be deployed in a high-availability (HA) configuration including load balance and cluster configurations. In addition, Globalscape offers both on-premise and cloud products, so you can select the best EFT solution for your situation.
There is a 30-day free trial for Enterprise and SMB. While there is a free trial for the Cloud version as well, it’s not clear how long the trial period is.
11. Titan FTP server
Titan FTP Server supports regular FTP, as well as FTPS and SFTP. It is HIPAA compliant, which makes it ideal for use in hospitals and government agencies across the globe. It runs on Windows Server 2008 and Windows Server 2012.
In addition to simply providing file transfer services, Titan FTP server bundles some security measures which can defend against brute-force attempts, and full auditing capabilities so system administrators know what is happening on their servers.
Account management can be tied into Windows NT/SAM authentication in the Enterprise Version, and fine-grained account management such as automatic account expiry is included.
Titan offers a 20-day trial of its FTP server.
Standalone free SFTP and FTPS servers (no installation required)
12. Syncplify.me Micro SFTP server
In addition to the free/evaluation edition, Syncplify also offers a Micro SFTP server for Windows. It is a completely contained portable SFTP server that can be run from a USB stick. Unlike the free/evaluation edition of the full Syncplify SFTP server, the Micro server edition is completely free to use in any situation including production and commercial uses.
13. Xlight FTP server
Xlight FTP server comes in a variety of versions, including a portable standalone version that requires no installation. With 32-bit and 64-bit editions, it will run on Windows 2000, XP, Vista, 7, 10, 2003 Server, 2008 Server and 2012 Server. It even has localization files which will allow your secure FTP server to display text in a variety of different languages, or you can write your own language file if the language you need is not already available.
14. Core Mini SFTP Server
Core Mini FTP server is a free SFTP server that requires no installation routine. You can simply download it, specify a username and password, the directory to be used for FTP transfers, and you’re up and running. Keep in mind that the SFTP server will run as your user so there’s no protection against SFTP users mangling your files. Be sure to specify a harmless or empty directory for FTP use.
Best Free SFTP and FTPS servers for Linux
- VandDyke VShell
Since SFTP runs on SSH, most Linux systems just come with SFTP ready to go. FTPS is a different story and requires a dedicated FTP server that supports TLS, but when SFTP is so easy to set up on a Linux host, it’s hard to come up with good reasons to run FTPS.
On a standard Linux system most valid users will be able to use any SFTP client to connect to the server and transfer files to and from their home directory. However, allowing remote user access is usually considered a security risk so many system administrators will disallow this access. The most most common ways to do this is to disallow users’ shell access, or block the SFTP port (22, same as SSH) to specified IP addresses.
Assuming those restrictions are not in place, any SFTP client that can connect to port 22 on an SFTP server should work well.
$ sftp email@example.com firstname.lastname@example.org's password: Connected to 220.127.116.11. sftp> pwd Remote working directory: /home/test-sftp sftp>
The downside to the ease in which SFTP is so easily setup on most Linux distributions is that also means SSH is just ready to go. That implies a level of trust in your users which may not be commensurate with reality. If you have untrusted or unknown SFTP users, you may want to impose restrictions on what they can do on the system. There are many ways to achieve this, such as only allowing the SFTP engine to run which disallows regular SSH logins, or you can use an app such as MySecureShell to do the heavy lifting.
MySecureShell supports access control lists, which are the heart of granular control over user access. It is included in many distribution repositories so you can just use your package manager to install it:
$ sudo apt-get install mysecureshell [sudo] password for jdw: Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: mysecureshell
After installation, some basic modifications may need to be done to the app’s configuration file in /etc/ssh/sftp_config and then you’ll be up and running.
Vsftp is a free FTP server for Unix-like systems, including Linux. It is known for being very fast, stable, and consuming few systems resources. The extensive feature list includes support for virtual users (non-system users), the ability to listen on any interface, per-user configuration and rate limiting or throttling to avoid dos-type attacks or usage.
Many of the best-known Linux distributions run vsftp as their FTP server, which speaks volumes to its security and stability. Part of that pedigree may stem from the fact that the app’s maintainer, Chris Evans, has a history of discovering security vulnerabilities himself.
Vsftp is in most Linux distributions and can be installed via your package manager.
$ sudo apt-get install vsftpd Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: vsftpd
As with most Linux tools, a quick run through the /etc/vsftp.conf file is necessary to set some basic configuration options, and then your vsftp server is ready to go.
17. ProFTPd configured to use SFTP
ProFTP was built from the ground up out of a need to displace wu-ftp as a widely-used FTP server. Wu-ftp had become unwieldy due to years of modifications made necessary by insecurities in the app and eventually it became more productive to just build a new FTP client from scratch.
ProFTP is inspired somewhat after the Apache webserver. You can mostly see this in the format of the configuration files, and in the fact that it uses modules to load needed functionality. In this case, you’ll want to use ProFTP with the mod_sftp module loaded in order to attain SFTP functionality.
The ProFTP website provides a few example configurations to get you started on the right track.
FTP remains a very important part of the internet toolset despite the fact that it inherently lacks security. Much like the HTTP protocol has had TLS bolted onto it for security to form what we now call HTTPS, FTP has had both TLS and SSH merged into it in order to provide encryption and security. There are few other tools that so easily allow arbitrarily large file transfers. Many organizations will continue to use SFTP or FTPS for a long time to come.
PureFTPD is an open source SFTP server that works on virtually all versions of Unix-like operating systems including Linux, BSD, Solaris and more. It is maintained as an open source project aimed specifically at providing a standards-compliant FTP server. The interface messages have been translated into a variety of languages, so if you’re working with an international user-base, PureFTP may be for you.
There are no limitations with PureFTP; all features are available from the start. Among its more useful features is the ability to throttle connections in order to preserve bandwidth, run it in a virtual file system (“chroot” in *nix parlance), set upload/download limits and more.
Best Free SFTP and FTPS servers for Windows and Linux
19. VandDyke VShell
VanDyke Software VSHell is an enterprise-level SFTP and SCP server for Windows and Unix. It supports SFTP, SCP, and FTPS, and includes very granular user access control.
The Windows version boasts an easy-to-use graphical installer and it can use various user authentication methods such as LDAP and public/private key pairs.
The Unix version supports virtual directories as well as fine-grained file permissions. File permissions can be set per user, or on the virtual directories themselves.
VShell comes with a 30-day trial.