I'm going to merge a few replies here.

 

vsftpd is referred to as "very secure ftp daemon". This, unfortunately, means absolutely nothing in terms of the FTP protocol itself. It refers to its well-written code, its simple and legible and reliable configuration options, and the complete discard of the antique and very patched mess that was the legacy wu-ftpd.

 

vsftpd supports FTPS, which is FTP over SSL tunnels, but it is not enabled by default. So simply having the package says nothing about whether someone, or their clients, are using or only using FTPS. So LDAP based password access, especially if the LDAP is linked to Active Directory or other login services, is a real security risk in today's world of rootkitted laptops living inside "secure" networks, and external FTP traffic crossing public wires. This is why I asked whether the original poster was using it.

 

FTP also suffers, and has always suffered, from firewall and router confusion with the dual-port protocol for data and command signals.

 

There are numerous command line and some good graphical clients available for FTPS. curl, and lftp, support it quite well.

 

SFTP.... is another story. The protocol is entierly distinct, it does not know a symlink from a hole in its head, and there are no provisions for handling local timezone display differences between the server and the client's configuration. The results can be..... nightmarish if you expect it to act like FTP, and nightmarish if you're not aware of the flaws. And the overburdening of port 22 for SSH sessions, SCP sessions, and SFTP sessions makes the protocol very difficult to manage in a security sense: if you allow SFTP on the standard port through your firewalls, you're also allowing SSH. That...... can be awkward to protect against or manage.