FTP / FTPS (File Transfer Protocol) โ
Store backups on any FTP server with optional TLS encryption.
Overview โ
FTP is one of the most widely supported file transfer protocols. With FTPS (FTP over TLS), transfers are encrypted. Benefits:
- ๐ Universally supported by hosting providers
- ๐ Optional TLS encryption (FTPS)
- ๐ Simple file management
- โก No CLI dependencies required
Prefer FTPS
Plain FTP transfers data (including credentials) unencrypted. Always enable TLS when possible.
Configuration โ
| Field | Description | Default |
|---|---|---|
| Name | Friendly name | Required |
| Host | FTP server hostname or IP | Required |
| Port | FTP port | 21 |
| Username | FTP username | anonymous |
| Password | FTP password | Optional |
| Encryption | Enable TLS (FTPS) | Off |
| Path Prefix | Remote directory | Optional |
Encryption (TLS) โ
When TLS is enabled, DBackup uses Explicit FTPS (AUTH TLS):
- Connects on the standard FTP port (21)
- Upgrades the connection to TLS before sending credentials
- All data is encrypted from that point on
This is the modern, recommended way to secure FTP connections.
TIP
If your server uses port 990 with Implicit FTPS (TLS from the start), this is a legacy protocol. Most modern FTP servers support Explicit FTPS on port 21.
Server Setup โ
vsftpd (Linux) โ
bash
# Install
sudo apt install vsftpd
# Create backup user
sudo useradd -m -d /home/ftpbackup -s /usr/sbin/nologin ftpbackup
sudo passwd ftpbackup
sudo mkdir -p /home/ftpbackup/backups
sudo chown ftpbackup:ftpbackup /home/ftpbackup/backups
# Enable TLS in /etc/vsftpd.conf
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
sudo systemctl restart vsftpdProFTPD (Linux) โ
bash
# Install
sudo apt install proftpd proftpd-mod-tls
# Configure TLS in /etc/proftpd/tls.conf
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2 TLSv1.3
TLSRSACertificateFile /etc/ssl/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
</IfModule>
sudo systemctl restart proftpdDocker (Quick Test) โ
yaml
services:
ftp:
image: fauria/vsftpd
environment:
- FTP_USER=backup
- FTP_PASS=secret
- PASV_ADDRESS=127.0.0.1
ports:
- "21:21"
- "21100-21110:21100-21110"
volumes:
- ./ftp-data:/home/vsftpdDirectory Structure โ
After backups, your FTP server will have:
/backups/
โโโ mysql-daily/
โ โโโ backup_2024-01-15T12-00-00.sql.gz
โ โโโ backup_2024-01-15T12-00-00.sql.gz.meta.json
โ โโโ ...
โโโ postgres-weekly/
โโโ ...Troubleshooting โ
Connection Refused โ
connect ECONNREFUSEDSolutions:
- Verify FTP server is running
- Check firewall allows port 21
- Verify hostname/IP is correct
TLS Handshake Failed โ
SSL routines:tls_validate_record_header:wrong versionSolutions:
- Verify the server actually supports TLS
- If using plain FTP, disable the TLS toggle
- Check server TLS configuration
Login Failed โ
Login authentication failedSolutions:
- Verify username and password
- Check user has FTP access on the server
- Verify user is not locked or disabled
Passive Mode Issues โ
Connection timed out (data channel)Solutions:
- Check firewall allows passive ports (typically 21100-21110)
- Verify
PASV_ADDRESSis set correctly on the server - If behind NAT, ensure passive port range is forwarded
Permission Denied โ
Permission deniedSolutions:
- Check user owns the backup directory
- Verify write permissions on the server
- Check FTP server chroot configuration
Performance โ
Optimize for Large Backups โ
- Enable compression in DBackup to reduce transfer size
- Use local network โ avoid transferring over the internet if possible
- Check passive mode โ misconfigured passive mode can cause slow transfers
Network Considerations โ
- FTP uses separate control/data channels
- Passive mode requires additional port range
- Consider using SFTP instead for simpler firewall setup
Security Best Practices โ
- Always enable TLS โ never use plain FTP for sensitive data
- Use strong passwords โ FTP lacks key-based auth
- Restrict user access โ chroot users to their home directory
- Firewall rules โ limit source IPs
- Disable anonymous access in production
- Use SFTP instead if SSH access is available (more secure)
Comparison with Other Destinations โ
| Feature | FTP/FTPS | SFTP | S3 | Local |
|---|---|---|---|---|
| Setup complexity | Easy | Medium | Easy | Easiest |
| Encryption | Optional (TLS) | Always (SSH) | Always (HTTPS) | N/A |
| Auth methods | Password only | Password, Key, Agent | Access Key | N/A |
| Firewall complexity | High (passive ports) | Low (single port) | Low (HTTPS) | N/A |
| Widely supported | โ | โ | โ | โ |