SFTP vs FTP vs FTPS

Positioning each protocol so you can pick the right one per use case.

SFTP

  • Runs over SSH (port 22 by default)
  • Single channel for control + data
  • Supports password and SSH keys
  • Best for Internet-facing workloads

FTP

  • Control channel on port 21
  • Data on passive ports (configurable)
  • No encryption (credentials and data travel in cleartext); use only on trusted LAN/VPN

FTPS?

  • Explicit FTPS not built-in today
  • Use SFTP for encrypted transfers
  • If FTPS is mandated, front the FTP listener with an FTPS proxy or gateway

Protocol Decision

Security first  -> SFTP
Legacy only     -> FTP (LAN/VPN)
Regulated + TLS -> SFTP or FTPS proxy in front of FTP

Public Key Authentication

Generate Keys

  1. On client: ssh-keygen -t ed25519 -C "user@host"
  2. Keep private key safe; copy contents of id_ed25519.pub
  3. Use PuTTYgen for .ppk if preferred

Add to SLightSFTP

  1. Open Users panel ➜ Add or Edit user
  2. Enable Public Key authentication
  3. Paste public key text; save
  4. Optionally disable password authentication for key-only login

Connect

  • WinSCP/FileZilla: import private key and select it
  • OpenSSH: sftp -i id_ed25519 user@host
  • Audit: each login logs IP, username, method

Revoke instantly by removing the key entry and saving.
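
A check an administrator can run on the key text before pasting it into the Users panel (added example, not part of SLightSFTP; the function names and the sample key are constructed for illustration). It rejects private keys and malformed input, and returns the SHA256 fingerprint to compare against the output of ssh-keygen -lf id_ed25519.pub on the client.

```python
import base64
import binascii
import hashlib
import struct


def _read_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end


def check_public_key(text):
    """Return (fingerprint, comment) for a pasted ed25519 public key line, else raise ValueError."""
    text = text.strip()
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key; it must stay on the client")
    if "\n" in text:
        raise ValueError("expected a single line")
    parts = text.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        raise ValueError("expected 'ssh-ed25519 <base64> [comment]'")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key body is not valid base64") from None
    # The blob repeats the key type, then carries the 32-byte public key.
    inner_type, offset = _read_string(blob, 0)
    key, offset = _read_string(blob, offset)
    if inner_type != b"ssh-ed25519" or len(key) != 32 or offset != len(blob):
        raise ValueError("blob is not a well-formed ed25519 public key")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return fingerprint, parts[2] if len(parts) == 3 else ""


# Constructed sample: 32 placeholder bytes in the ed25519 wire layout, not a real key.
_t = b"ssh-ed25519"
SAMPLE_BLOB = struct.pack(">I", len(_t)) + _t + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " user@host"

if __name__ == "__main__":
    print(check_public_key(SAMPLE_LINE))
```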

Firewall & Ports

SFTP

  • Allow port 22 (or your chosen port)
  • Prefer IP allowlists for Internet exposure

FTP

  • Allow control port 21
  • Allow passive range (configure narrow range)
  • Keep behind VPNs when possible
  • Document range for clients (example: 50000-50100)

Web GUI

  • Default port 3000
  • Use reverse proxy (IIS/NGINX) for TLS
  • Restrict to admin IPs

Quick FAQ

Where are keys stored?

In the local database alongside users; they never leave the server.

Can I use FTPS?

Not natively; prefer SFTP. If mandatory, front with an FTPS proxy and point it to the FTP listener.

Passive ports?

Set a narrow passive range in config and open only that range in the firewall. Example: reserve 50000-50100, then allow that range on the host firewall.

ASCII Passive Setup

FTP control (21)
Passive range (50000-50100) -> open on firewall
Client connects: 21 -> gets port -> data flows on assigned passive port