SFTP (SSH File Transfer Protocol) and FTPS (FTP over SSL/TLS) are often confused, but they operate fundamentally differently. SFTP runs over SSH and typically uses port 22 by default, while FTPS has two distinct modes:
- Explicit FTPS: Negotiates security after initial connection (port 21)
- Implicit FTPS: Establishes SSL immediately (port 990)
The confusion between port 22 (SFTP) and port 990 (Implicit FTPS) stems from historical implementations. Some administrators mistakenly refer to SFTP as "FTP over SSH" and assume it should use FTP-like ports. However:
```text
# Correct protocol-port mapping:
SFTP → SSH (port 22)
FTPS → Explicit (port 21) or Implicit (port 990)
```
Here's how the connection establishment differs at the protocol level:
```text
// SFTP connection flow (port 22)
1. SSH handshake
2. Authentication
3. SFTP subsystem activation

// Implicit FTPS connection flow (port 990)
1. Immediate SSL/TLS negotiation
2. FTP protocol exchange
3. Authentication
```
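As an added illustration (not part of the original page), the sketch below tells these flows apart by who speaks first: an SSH server sends its identification string unprompted, a plain or explicit FTP server sends a reply code, and an implicit FTPS listener stays silent until the client starts TLS. The names `classify_greeting`, `probe`, `mismatch` and `EXPECTED`, and the sample greetings, are assumptions made for this example.

```python
import socket
import ssl

# Port mapping stated above; the labels are this example's own (hypothetical) names.
EXPECTED = {22: "ssh", 21: "ftp-plaintext", 990: "ftps-implicit"}

def classify_greeting(first_bytes: bytes) -> str:
    """Classify what a server sends before the client has sent anything."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"            # SSH identification string; SFTP runs inside this session
    if first_bytes[:3].isdigit() and first_bytes[3:4] in (b" ", b"-"):
        return "ftp-plaintext"  # FTP reply code such as "220 ": plain FTP or explicit FTPS
    if not first_bytes:
        return "silent"         # server waits for the client, as an implicit TLS listener does
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Read the unsolicited greeting; attempt TLS only if the server stays silent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            first = sock.recv(256)
        except socket.timeout:
            first = b""
        kind = classify_greeting(first)
        if kind != "silent":
            return kind
        ctx = ssl.create_default_context()  # certificate and hostname checks stay on
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                greeting = tls.recv(256)
        except ssl.SSLCertVerificationError:
            return "tls-untrusted-cert"     # TLS is spoken, but the certificate does not validate
        except (ssl.SSLError, OSError):
            return "unknown"
    return "ftps-implicit" if classify_greeting(greeting) == "ftp-plaintext" else "tls-other"

def mismatch(port: int, observed: str) -> bool:
    """True when a mapped port answers with a different protocol than expected."""
    return port in EXPECTED and EXPECTED[port] != observed

# Constructed sample greetings (not captured from a real server)
SAMPLES = {22: b"SSH-2.0-ExampleSSH_1.0\r\n", 21: b"220 Example FTP ready\r\n", 990: b""}

if __name__ == "__main__":
    for port, banner in SAMPLES.items():
        print(port, classify_greeting(banner))
```

Running `probe()` against your own listeners and passing the result to `mismatch()` flags a port that answers with a protocol other than the one the firewall rule was written for.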
The FileZilla behavior you observed is expected. The server enforces strict protocol-port mapping:
```xml
<FileZillaServer>
  <Listeners>
    <Listener protocol="ftps" port="990" />
    <!-- Changing this breaks implicit FTPS -->
  </Listeners>
</FileZillaServer>
```
While both protocols encrypt data, their security models differ:
Protocol | Encryption Layer | Certificate Requirements |
---|---|---|
SFTP | SSH (transport layer) | Server key |
FTPS | SSL/TLS (application layer) | X.509 certificates |
For Python implementations using Paramiko (SFTP) and ftplib (FTPS):
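```python
# SFTP example (port 22)
import paramiko
transport = paramiko.Transport(('host', 22))
# connect() verifies the server only if hostkey=<expected key> is passed
transport.connect(username='user', password='pass')
sftp = paramiko.SFTPClient.from_transport(transport)

# FTPS example (port 990)
import ssl
from ftplib import FTP_TLS
class ImplicitFTP_TLS(FTP_TLS):
    """ftplib's FTP_TLS is explicit-only; implicit mode needs TLS before any FTP reply."""
    def __setattr__(self, name, value):
        if name == 'sock' and value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        super().__setattr__(name, value)

ftps = ImplicitFTP_TLS(context=ssl.create_default_context())  # validate the certificate
ftps.connect('host', 990)
ftps.login('user', 'pass')
ftps.prot_p() # Enable secure data connection
```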
When configuring network rules:
```bash
# Allow SFTP (SSH)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow Implicit FTPS
iptables -A INPUT -p tcp --dport 990 -j ACCEPT
# Remember passive mode ports for FTPS! (the range must match the server's configured passive range)
iptables -A INPUT -p tcp --dport 50000:51000 -j ACCEPT
```
Use these commands to test connectivity:
```bash
# Test SFTP port (openssl s_client cannot speak SSH; fetch the SSH host key instead)
ssh-keyscan -p 22 host
# Test FTPS port
openssl s_client -connect host:990 -showcerts
```
When dealing with secure file transfers, developers often encounter confusion between SFTP (SSH File Transfer Protocol) and FTPS (FTP Secure). While both provide encryption, they are fundamentally different protocols with distinct port assignments:
- SFTP: Runs over SSH (port 22 by default), using a single connection for both commands and data
- FTPS (implicit): Uses port 990 by default, establishing SSL/TLS before any FTP commands
- FTPS (explicit): Starts on port 21, then upgrades to SSL/TLS via STARTTLS command
The port difference (22 vs. 990) stems from their underlying technologies:
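```python
# SFTP connection example using paramiko (Python)
import paramiko
ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
# Reject unknown host keys; AutoAddPolicy would trust whatever key the server presents
ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
ssh.connect('hostname', port=22, username='user', password='pass')
sftp = ssh.open_sftp()

# FTPS implicit example using ftplib (Python)
import ssl
from ftplib import FTP_TLS
class ImplicitFTP_TLS(FTP_TLS):
    """ftplib's FTP_TLS is explicit-only; implicit mode needs TLS before any FTP reply."""
    def __setattr__(self, name, value):
        if name == 'sock' and value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        super().__setattr__(name, value)

ftps = ImplicitFTP_TLS(context=ssl.create_default_context())  # validate the certificate
ftps.connect('hostname', 990)
ftps.login('user', 'pass')
ftps.prot_p() # Switch to secure data connection
```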
The port assignments reflect historical and technical factors:
- SFTP piggybacks on SSH infrastructure (hence port 22)
- Implicit FTPS needed a dedicated port (990) to distinguish it from explicit FTPS
- IANA assigned these ports to avoid conflicts with other services
FileZilla Server enforces port 990 for implicit FTPS due to:
- Protocol specification compliance (RFC 4217)
- Security best practices (immediate encryption)
- Client expectation consistency
Attempting to change this port breaks the implicit FTPS handshake sequence in FileZilla's implementation.
When choosing between these protocols:
Factor | SFTP (Port 22) | FTPS Implicit (Port 990) |
---|---|---|
Firewall Friendliness | Single port | Multiple ports (990 + data) |
Certificate Management | SSH keys | X.509 certificates |
Protocol Overhead | Lower | Higher (SSL/TLS per connection) |
Common troubleshooting steps for port-related problems:
```bash
# Test SFTP port accessibility
telnet hostname 22
# Verify FTPS port response (implicit FTPS starts with TLS, so no -starttls; that flag is for explicit FTPS on port 21)
openssl s_client -connect hostname:990
```
Remember that many enterprise firewalls specifically allow port 22 but block port 990, making SFTP often more reliable in restricted environments.