Table of contents
- What is FTP port and why is it needed?
- What is an active and passive mode? How are they associated with ports
- How to establish FTP Active Mode
- How to establish FTP Passive Mode
- Solving problems with Firewall
- Why does FTP have 2 port numbers? Is it necessary to use 21 port?
- What are the common FTP vulnerabilities
- FTP Vulnerability Counteraction
- SFTP port. The difference from FTP port
- Key differences between FTP and SFTP
- FTP Port: Frequently Asked Questions
FTP setup is a simple process that has its own specific features. If you try to figure it out from the very beginning, then working with the FTP server over some time will become one pleasure for you. Through such servers, you can download music, movies, pictures, and other files, as well as handle a site with a host working through a data transfer protocol. But for this, you need to sort it well out, and in particular, you need to understand what is FTP port, what is it for and how to configure FTP port number. This is what will be discussed in the article. You will learn which is a standard port for FTP, how to change the default settings for the ports and unlock it in the firewall and router.
What is FTP port and why is it needed?
If you sort everything out, then everything is extremely simple. The computer operating system has a certain limited number of ports. They are needed so that programs can connect to them through the network. This is done so that applications do not conflict with each other during an attempt to connect to the network. A port is just a digit of the transport protocol. It can be compared with the track. If all programs run on the same “track”, then a traffic jam will quickly form on it. Therefore, for each application, a unique port must be allocated - that is, a number that is not yet occupied by other programs.
Developers of operating systems have long been using this method of distributing programs according to numbered protocols, and it has proven itself well. After all, there are more than six thousand ports, which is enough for any computer. FTP is the data transfer protocol, necessary for the customer and server to quickly exchange various files. Such a protocol is convenient for those people who do not care about the web-interface of the store, but who appreciate the download speed and the number of files that can be stored on the server.
There is no better way to exchange voluminous data than through the FTP protocol. And this protocol works through the TCP channel. And in order to connect to this channel, you need a specific port. That is, to open the server, the client must go to the FTP server port, and through it go to the host. This is the whole point of port for FTP.
What is an active and passive mode? How are they associated with ports
The fact is that there are two options for the development of a client-server interaction scenario. Depending on the method of establishing a connection for data transfer, active and passive FTP operation modes are distinguished. In the active mode, the server itself establishes a data transfer connection to the client, in passive, vice versa. Let's consider these modes in more detail.
The fact is that in the FTP protocol there are two types of connection:
- Control connection.
- Connection for data transfer.
The activity and passivity of the client appear only in the second type of connection. Whereas the first is necessary so that the server and client can communicate with each other. That is so that the server receives commands from the client because this connection is called the control. Such a connection works through a standard FTP port installed by default or in other words the default FTP port.
The main difference between the active and passive modes of the FTP protocol is which of the client-server bundles makes the connection for data transfer, that is, roughly speaking, who is connected to whom. The ports to which data is transmitted also differ. With the active mode of operation, the client makes a control connection to the server, but the server itself makes the connection for data transfer. In a passive mode of operation, the data connection, as well as the control connection to the server, is initiated only by the client. That is, in active mode, the server connects to the client for data transfer, and in passive mode, the client connects to the server.
How to establish FTP Active Mode
Both in the active and in the passive mode, the connection starts with sending a request by the client to the server. First, a control connection is established. To do this, a temporary port is created on the client with a number in the range from 1024 to 65535 for establishing a control connection, as well as a port for data transfer. In the active mode, everything happens in the following order:
- The client sends a request to the server port number 21 (default port for FTP) from the temporary port in the range 1024–65535.
- The server responds to a temporary client port.
- The client confirms the connection.
- The client sends an FTP PORT command that talks about using the active FTP mode, its IP address, and also the port number for establishing a data connection to which the server will connect.
- The command is confirmed by the server.
- The client instructs the server to work with FTP.
- The server creates a data connection. To do this, it sends a request from port 20 to the port specified by the client in the fourth paragraph.
- The client responds to the request.
- The server confirms the connection and allows the client to transfer data.
How to establish FTP Passive Mode
In passive mode, the procedure for establishing a data connection is slightly different. Actions occur as follows:
- The client sends a request to the server port number 21 (FTP default port) from the temporary port in the range 1024–65535.
- The server responds to a temporary client port.
- The client confirms the connection.
- The client sends a PASV command that talks about using passive FTP mode.
- The server confirms the work in passive mode, sends its IP address, as well as the port number for establishing a data connection to which the client will connect.
- From the port for data transfer, the client sends a request to establish a connection to the port issued by the server.
- The server confirms the connection.
- The client establishes a connection.
- The client instructs the server (from the control port to FTP port 21), after which data can be transmitted.
Solving problems with Firewall
In the active mode, the main problem occurs with the client. If the Firewall is configured to drop incoming connections not initiated internally, the server will not be able to establish a data connection. And since the FTP data port is dynamic, there are some difficulties with configuring the Firewall. It will be most correct to specify the range of used ports in the client and create an allowable Firewall rule for them.
In passive mode, the server may encounter such a problem. The solution is similar: we specify the passive FTP port range used in the server settings and create an allow rule for it.
Why does FTP have 2 port numbers? Is it necessary to use 21 port?
People who constantly deal with servers and create them have heard about the number 21. For them, it is significant, as many servers and protocols, not only FTP, use 21 port. However, by default, FTP uses two specified ports, namely 20 and 21. Port 21 is mostly used for management whereas port 20 is for data transfer. It leads to the fact that port 21 is of greatest importance, which is necessary for you to open the server and send commands to it and port 20 is needed mainly for active mode.
21 - port is used to control data transfer. The client establishes (actively) a control connection to server port 21 (it opens the connection passively) to send FTP commands to the server and receive FTP responses from it. A control connection exists all the time while the client is communicating with the server. 21 port is the server port.
On the 20th port (server), in fact, data is transferred under the "supervision" of the control connection on port 21 (server). This 20-port is required for a connection that exists only at the data transfer. This distinguishes the specified connection from that on port 21, which exists all the time when the customer works with the server. 20 port is the server port.
Let’s return to port 21 and the ubiquity of its use. If you start to analyze the situation it is not shiny. After all, the data transfer protocol is not at all protected from interception. At any time, experienced hackers can attack your server and intercept the password and login of the client. Then they will infiltrate the server and steal important data from there, or they will hide malicious programs and viruses in directories.
In order to somehow increase the security level of using the FTP protocol, it is recommended to change the standard FTP port in the settings, this is needed for connection. It is not difficult to do this, but each server has this option configured in its own way. The only nuance is that when connecting, the client will need to specify a new FTP data port number instead of the number 21. This is the essence of protection - hackers will not know the port on which to intercept data, therefore they will not be able to steal it.
What are the common FTP vulnerabilities
The most significant drawback of the protocol is the transfer of all information, as well as usernames and passwords, in an open form. This makes it impossible to use this protocol to transfer confidential information without using third-party software and hardware. If the attacker has access to the communication channel through which this data is being passed, encryption must be used or secure FTP port number. This is a typical case of the passive impact of an attack - the server’s state does not change, the security policy is not violated, but there is access to the necessary information.
The protocol does not define actions that counteract the selection of passwords. After an incorrect password, the client is given the opportunity to re-enter it, but the connection is not disconnected. There are also no restrictions on the number of repetitions. As a result, an attack aimed at guessing passwords can last as long as you like, and the absence of delays in server responses increases efficiency.
The following vulnerabilities are associated with the passive mode of the protocol and the possibility of participation in the connection of the third node. When using the passive data transfer mode, in which the server tells the client which FTP server port to connect to in order to start the transfer, it is possible to establish a connection from another computer.
If the real client has already selected the file necessary for downloading and has the necessary access, then theft on his behalf is possible. An attacker, knowing the peculiarities of the choice of FTP port numbers by the FTP server for organizing passive mode, increases the likelihood of an attack success. To do this, you must try to establish connections with the ports, and if everything is successful, the file will be stolen. In the same way, you can write a file to the server on behalf of the registered user by establishing a connection with the FTP server port waiting for the file to start.
FTP Vulnerability Counteraction
Vulnerabilities of the protocol occurs mainly due to its features and the lack of ways to protect the transmitted information. To increase security, you must use third-party tools, as well as carefully consider the interaction of network nodes via the FTP protocol. The problem of transferring all information in an open form is solved either by using encryption tools, where possible, or by protecting communication channels from unauthorized access. For example, Commander One, the app is a popular alternative to Cyberduck FTP client with the support for FTP/SFTP connections and cloud storages.
With this app you will not bother anymore whether FTP port secure is or not and simply relay on the encryption feature of the app, as it uses AES with a 256-bit key length. Besides that, the app supports a wide range of advanced features that are necessary when handling files, try this app to benefit from its functionality. Other problems can be solved by filtering.
To protect passwords from busting, you must configure the FTP server so that connections are closed after a number of password attempts. It is also necessary to provide a pause before responding to each incorrect password, which will significantly slow down their enumeration.
To prevent file theft during passive mode, filtering by IP address is required. While using this filtering, it becomes impossible to exchange between two servers initiated by the client, since the server, which is switched to active mode, will have an address different from the client’s address, and packets from it will be filtered. From the point of view of modern security, the correct solution is to use one of the encrypted FTP implementations (FTPS, SFTP) or use FTP through VPN.
SFTP port. The difference from FTP port
SFTP is a standard for transferring information on the Internet, which is designed to move and copy files using a connection of increased reliability and security SSH (Secure Shell). This type of connection can provide access and secure transmission, which is encrypted with both login and password, as well as the contents of the transmission, thereby protecting passwords and confidential information from open transmission on the network. Unlike FTP, the SFTP protocol, despite its similar functions, uses a different data transfer protocol, and therefore standard clients cannot communicate with SFTP servers.
While TCP port 22 is the general correct answer and is considered the default SFTP port number, it depends on how SSH is configured to use a SFTP standard port rather than an alternative port.
Since SFTP acts as an SSH subsystem, it runs on any port that listens for the SSH daemon and is configured by the administrator. SFTP typically uses SFTP port number 22, but can be configured to work on almost any port. SFTP is just one of the protocols that can be launched via SSH (others include a virtual terminal). In fact, SFTP is independent and can work even without using SSH.
Key differences between FTP and SFTP
- FTP does not provide any secure channel for transferring files between hosts, while SFTP provides a secure channel for transferring files between hosts on a network.
- FTP is short for File Transfer Protocol, while SFTP is short for Secure File Transfer Protocol.
- FTP is a service provided by TCP/IP. However, SFTP is part of the SSH protocol, which represents information for remote login.
- FTP establishes a connection using a control connection on TCP port 21. On the other hand, SFTP transfers the file over a secure connection established via SSH between the client and the server.
- FTP transfers the password and data in text format, while SFTP encrypts the data before sending it to another host.