FTP port - how to forward and open access

Setting up FTP is straightforward, but it has a few peculiarities. Once you understand them, working with an FTP server becomes routine: you can download music, films, pictures and other files, and maintain a website on a host that exposes it over the protocol. To do that you first need to understand what an FTP port is, what it is for, and how to configure the port number. That is the subject of this article: which port is the standard one for FTP, how to change the default port, and how to open it in the firewall and router.


What is FTP port and why is it needed?

Taken step by step, it is simple. The operating system has a limited set of ports; they exist so that several programs can use the network at the same time without their traffic being mixed up. A port is just a number in the transport-layer header (TCP or UDP), a 16-bit value from 0 to 65535. Think of it as a lane: if every program used the same lane, a traffic jam would form, so each listening service gets its own number, one not already taken by another program.

Operating systems have used this scheme of numbered ports for decades, and it has proven itself: 65,536 ports per address and transport protocol is enough for any host. FTP is a file transfer protocol that lets a client and a server exchange files quickly. It suits people who do not need a web interface and care about transfer speed and the number of files that can be kept on the server; for bulk transfers it is still hard to beat. FTP runs over TCP, and to reach it the client connects to the server's FTP port, the port on which the server process is listening. That is all the phrase "FTP port" means.


What is an active and passive mode? How are they associated with ports

There are two ways a client and a server can set up the data-transfer part of the conversation. Depending on which side opens the data connection, FTP distinguishes active and passive modes: in active mode the server connects to the client for data transfer, in passive mode the client connects to the server. Let's look at both in more detail.

Active and Passive modes

The FTP protocol uses two kinds of TCP connection:

  • Control connection.
  • Connection for data transfer.

Active and passive behaviour concern only the second kind. The first exists so that the server and client can talk to each other: the server receives commands on it and sends back numbered replies, which is why it is called the control connection. The control connection goes to the server's standard FTP port, TCP 21 by default.

The difference between active and passive mode is which side of the client-server pair opens the data connection, that is, roughly speaking, who connects to whom. The ports involved differ as well. In active mode the client opens the control connection to the server, but the server opens the data connection to the client. In passive mode both the control connection and the data connection are opened by the client. In short: active means the server connects to the client for data, passive means the client connects to the server.


How to establish FTP Active Mode

In both modes the exchange starts with the client. First a control connection is established: the client picks an ephemeral port (1024-65535) as its source port and connects to the server. In active mode the client also opens a second ephemeral port on which it listens for the data connection. The active-mode sequence is:

  1. The client sends a TCP connection request (SYN) from its ephemeral port to server port 21 (the default FTP port).
  2. The server responds (SYN-ACK) to the client's ephemeral port.
  3. The client confirms the connection (ACK); the control connection is up and the client logs in.
  4. The client sends a PORT command: it announces active mode and gives its own IP address and the port number on which it is listening for the data connection.
  5. The server acknowledges the command (reply 200).
  6. The client sends the transfer command (for example RETR, STOR or LIST) on the control connection.
  7. The server opens the data connection: it sends a connection request from port 20 (ftp-data) to the address and port given in step 4.
  8. The client responds to the request.
  9. The server confirms the connection and the transfer proceeds over it.

How to establish FTP Passive Mode

In passive mode the data connection is established differently:

  1. The client sends a TCP connection request (SYN) from its ephemeral port to server port 21 (the default FTP port).
  2. The server responds (SYN-ACK) to the client's ephemeral port.
  3. The client confirms the connection (ACK); the control connection is up and the client logs in.
  4. The client sends the PASV command, asking for passive mode.
  5. The server confirms with reply 227, which contains its IP address and the port number on which it is now listening for the data connection.
  6. From a fresh ephemeral port, the client sends a connection request to the port announced by the server.
  7. The server responds.
  8. The client confirms, and the data connection is up.
  9. The client sends the transfer command (RETR, STOR or LIST) on the control connection, and the data flows over the data connection.
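As an added example (not code from the article), here is how a client handles the two commands described in the steps above, in Python: parsing the server's 227 reply in passive mode and building the PORT command in active mode. The addresses and the reply text are constructed samples. By default parse_pasv_reply ignores the address the server advertises and uses the address the control connection was made to, the same default that Python's ftplib (trust_server_pasv_ipv4_address = False) and current curl apply; that copes with a server behind NAT that advertises its private address, and stops a forged reply from redirecting the data connection to a third host.

```python
import ipaddress
import re

# Matches the six comma-separated numbers in a 227 reply:
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str, control_peer: str, trust_pasv_ip: bool = False) -> tuple[str, int]:
    """Turn the server's 227 reply into the (host, port) the client connects to.

    control_peer is the server address the control connection was made to.
    By default the advertised address is ignored and control_peer is used, so a
    server behind NAT that advertises its private address still works and a
    tampered reply cannot send the data connection somewhere else.
    """
    if not reply.startswith("227"):
        raise ValueError(f"expected a 227 reply, got {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply")
    port = p1 * 256 + p2          # p1 is the high byte, p2 the low byte
    if port == 0:
        raise ValueError("server advertised port 0")
    advertised = f"{h1}.{h2}.{h3}.{h4}"
    host = advertised if trust_pasv_ip else control_peer
    return host, port


def build_port_command(client_ip: str, data_port: int) -> str:
    """Active mode: the PORT command that tells the server where to connect.

    data_port is the ephemeral port the client is already listening on.
    """
    if not 1024 <= data_port <= 65535:
        raise ValueError("data port must be an ephemeral port (1024-65535)")
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")   # also validates the address
    return "PORT " + ",".join(octets + [str(data_port // 256), str(data_port % 256)])


if __name__ == "__main__":
    # Constructed sample: the control connection went to 203.0.113.5, but the
    # server (behind NAT) advertises its private address in the 227 reply.
    reply = "227 Entering Passive Mode (192,168,1,10,195,149)."
    print(parse_pasv_reply(reply, "203.0.113.5"))                       # ('203.0.113.5', 50069)
    print(parse_pasv_reply(reply, "203.0.113.5", trust_pasv_ip=True))   # ('192.168.1.10', 50069)
    print(build_port_command("203.0.113.7", 50069))                     # PORT 203,0,113,7,195,149
```

The port arithmetic is the same in both directions: the 227 reply and the PORT command both carry the port as two bytes, high byte first, so 195,149 is 195 * 256 + 149 = 50069.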

Solving problems with Firewall

In active mode the problem lies on the client side. If the client's firewall drops incoming connections that were not initiated from inside, the server cannot open the data connection; a client behind NAT is unreachable for the same reason. Since the data port is chosen dynamically, a single-port firewall rule is not enough. The clean approach is to restrict the port range the client uses for data connections in its settings and allow inbound connections to that range in the firewall. Do not key the rule on source port 20: some servers connect from an ephemeral source port instead (vsftpd does so by default, connect_from_port_20=NO).

In passive mode the same problem moves to the server. The solution is the same: pin the passive port range in the server configuration and allow it in the firewall. In vsftpd the range is set with pasv_min_port and pasv_max_port; a server behind NAT should also set pasv_address to its public address, otherwise the 227 reply will advertise the private one.


Is it necessary to use 21 port for FTP

Anyone who runs servers knows the number 21: it is the port FTP has used by default since the protocol was standardised, and every port scanner checks it first. That matters because the protocol itself offers no protection against interception. An attacker who can see the traffic can capture the client's username and password, log in to the server, take data from it, or plant malware in its directories.

Changing the default port is often recommended as a way of raising the security of an FTP installation. It is easy to do, although each server keeps the option in a different place, and the only cost is that clients must then specify the new control port instead of 21. Be clear about what it buys you: it cuts the noise from automated scanners and bots that only try port 21, nothing more. An attacker positioned on the network path sees the new port in the very first packet and captures the credentials just as easily. Against interception the only real fix is encryption (FTPS or SFTP, discussed below).


What are the common FTP vulnerabilities

The most significant weakness of the protocol is that everything, usernames and passwords included, is transmitted in the clear. Without additional software or hardware it is therefore unusable for confidential data: an attacker with access to the channel the data crosses reads it directly, and only encryption helps, not a different port number. This is a passive attack in the classic sense: the server's state does not change and no policy is violated, yet the attacker obtains the information. The protocol also defines nothing to counter password guessing. After a wrong password the client is simply invited to try again; the connection is not closed and there is no limit on the number of attempts. A guessing attack can therefore run for as long as the attacker likes, and the absence of any delay in the server's replies makes it efficient.

The next group of weaknesses concerns passive mode and the possibility of a third host joining the connection. In passive mode the server tells the client which port to connect to in order to start the transfer, and nothing in the protocol prevents a different machine from connecting to that port instead. If the real client has already requested the file it wants and has the necessary access, the file can be stolen on its behalf. An attacker who knows how a given FTP server picks its passive port numbers improves the odds: it is enough to try connections to the likely ports, and if one succeeds the file is received. In the same way a file can be written to the server in the name of the authenticated user, by connecting to the passive port the server has opened to receive an upload. Active mode has a counterpart, the FTP bounce: a client can put a third host's address in its PORT command and make the server open a connection there on its behalf.


FTP Vulnerability Counteraction

These weaknesses stem from the protocol's design and from its lack of any means of protecting the transmitted information. To raise security you have to use additional tools and think carefully about how hosts interact over FTP. The clear-text problem is solved either by encrypting, wherever that is possible, or by protecting the channel itself from unauthorised access. One option on the client side is Commander One, a file manager for Mac with FTP/SFTP connections and cloud-storage support; its encryption feature uses AES with a 256-bit key, and the app offers a range of advanced file-handling features. The remaining problems are addressed by filtering.


To protect passwords from guessing, configure the server to close the connection after a small number of failed attempts and to pause before answering each wrong password; that alone slows enumeration dramatically. In vsftpd these are max_login_fails (default 3) and delay_failed_login (default 1 second).

To prevent file theft in passive mode, filter the data connection by IP address: accept it only from the address that holds the control connection, and in active mode accept a PORT command only if it names that same address. vsftpd does both by default and exposes the checks as pasv_promiscuous and port_promiscuous (leave them at NO). The price of this filtering is that client-initiated server-to-server transfers (FXP) stop working, because the second server, switched into active mode, has an address different from the client's and its packets are dropped. From the standpoint of current practice the right answer is to use one of the encrypted variants (FTPS or SFTP) or to run FTP inside a VPN.
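As an added example (not the article's or any FTP server's own code), the two server-side checks just described, in Python: a PORT command is accepted only if it names the control-connection peer and an unprivileged port (this blocks the bounce attack mentioned in the vulnerabilities section), and a connection arriving on the passive data port is accepted only from the control-connection peer (this blocks the third-host theft). The addresses and commands are constructed samples; vet_port_command and vet_passive_data_peer are names chosen for this illustration and return a decision with a reason so that the caller can log it.

```python
import ipaddress


def parse_port_command(line: str) -> tuple[str, int]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); raises ValueError if malformed."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError(f"not a PORT command: {line!r}")
    parts = arg.split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def vet_port_command(line: str, control_peer: str) -> tuple[bool, str]:
    """Server-side check for active mode.

    Accept only if the address in PORT is the control-connection peer and the
    port is unprivileged; anything else would let the client use this server
    to open connections to third hosts (the FTP bounce).
    """
    try:
        ip, port = parse_port_command(line)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer):
        return False, f"PORT address {ip} is not the control peer {control_peer}"
    if port < 1024:
        return False, f"PORT targets privileged port {port}"
    return True, f"will connect to {ip}:{port}"


def vet_passive_data_peer(data_peer: str, control_peer: str) -> tuple[bool, str]:
    """Server-side check for passive mode.

    When a TCP connection arrives on the advertised passive port, accept it
    only from the address that owns the control connection; otherwise a third
    host that guessed the port could receive (or supply) the file.
    """
    if ipaddress.ip_address(data_peer) != ipaddress.ip_address(control_peer):
        return False, f"data connection from {data_peer}, control peer is {control_peer}"
    return True, "data peer matches control peer"


if __name__ == "__main__":
    # Constructed samples: the control connection peer is 203.0.113.7.
    print(vet_port_command("PORT 203,0,113,7,195,149", "203.0.113.7"))   # legitimate
    print(vet_port_command("PORT 198,51,100,9,0,25", "203.0.113.7"))     # bounce attempt at 198.51.100.9:25
    print(vet_port_command("PORT 203,0,113,7,0,80", "203.0.113.7"))      # own address but privileged port
    print(vet_passive_data_peer("198.51.100.9", "203.0.113.7"))          # third host on the passive port
```

Both checks compare addresses, which is exactly why FXP transfers break under them: a second server legitimately has a different address from the client, and the server has no way to tell it apart from an attacker.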


SFTP port. The difference from FTP port

SFTP is a standard for transferring files over the Internet that moves and copies them over an SSH (Secure Shell) connection, which gives it the reliability and security of SSH. The session is encrypted end to end, so the login, the password and the contents of the transfer are never sent in the clear. Although its functions resemble FTP's, SFTP is a different protocol on the wire, so ordinary FTP clients cannot talk to SFTP servers.

TCP port 22 is the usual answer and is considered the default SFTP port, but the precise answer is: whatever port the SSH daemon has been configured to listen on.

Because SFTP runs as an SSH subsystem, it is reachable on any port the SSH daemon listens on, as set by the administrator. That is normally port 22, but it can be almost anything. SFTP is only one of the services carried over SSH (an interactive shell is another). The SFTP protocol itself is defined independently of SSH and could in principle run over another secure transport, but in practice it is always used inside an SSH session.


Key differences between FTP and SFTP

  • FTP provides no secure channel between hosts; SFTP transfers files over an encrypted, authenticated channel.
  • FTP stands for File Transfer Protocol; SFTP stands for SSH File Transfer Protocol (often expanded informally as Secure File Transfer Protocol).
  • FTP is an application protocol in its own right on top of TCP/IP; SFTP is a subsystem of SSH, the protocol used for secure remote login.
  • FTP starts with a control connection on TCP port 21 and opens separate data connections; SFTP carries everything over the single SSH connection between client and server.
  • FTP sends passwords and data as plain text; SFTP encrypts them before they leave the host.

FTP Port: Frequently Asked Questions

FTP is the File Transfer Protocol. Its purpose is to send, copy and move files across the Internet (from a remote computer to a local one and back). It also lets you manage files directly on the remote computer: rename, delete, create directories and so on.
The default FTP port is TCP 21 for the control connection; in active mode the server opens data connections from port 20.
A browser can be used: type ftp://your_login:your_password@domain_name into the address bar. Keep in mind that a browser is not a real FTP client: what works is limited to browsing and downloading, and recent versions of Chrome and Firefox have removed FTP support altogether. Putting the password in the URL also leaves it in the browser history.
SFTP (SSH File Transfer Protocol) is a network protocol for transferring and managing files over a secure SSH connection.
SFTP normally uses port 22, but can be configured to work on almost any port.
The main difference from FTP access is that all data, login and password included, travel encrypted, which protects them from eavesdropping on the network.
In active mode the client opens the control connection to port 21 on the server and sends a PORT command with its own address and a port for data transfer. On receiving the command, the server opens a connection from port 20 to the port named in the command.
The disadvantage of this method is that the client must be reachable at the address it announces, so it needs a public IP address, and a client behind a firewall or NAT will run into trouble.
To set up a connection in passive mode the client sends the PASV command. The server replies with the address and port to which the data connection should be made, the client connects there, and the transfer begins. In passive mode, then, every connection is initiated by the client, so there are no requirements on the client side: it can sit behind NAT and a firewall and does not need a public IP address.
That is why passive mode is the usual mode of FTP today.

Commander One

This dual-panel file manager for Mac is compatible with macOS 10.10 and later. It requires 37.41 MB of free space; the latest version is 2.4.2(3218), released 23 March 2020.
