Port Authority Edition – Internet Vulnerability Profiling
by Steve Gibson,  Gibson Research Corporation.





Goto Port 20
Probe Port 21
Enter Port: 0-65535
Goto Port 22



Port Authority Database

Port 21

Name: 
ftp

Purpose: 
File Transfer Protocol (Control Channel)

Description: 
File Transfer Protocol (FTP) is one of the oldest Internet protocols. FTP servers open their machine's port 21 and listen for incoming client connections. FTP clients connect to port 21 of remote FTP servers to initiate file transfer operations.

Since there's much more to FTP protocol than this, see the discussion below for the details.

Related Ports: 
20




Background and Additional Information:

An important word about FTP security and privacy

It has been said that any "open FTP server" will be found and quickly scrutinized by Internet hackers within a very short time of its appearance on the Internet. Hackers love open FTP servers that will anonymously accept files which are then available to others without any oversight by the FTP server's administration. Such "file drop boxes" quickly become loaded with illicit software and other potentially troublesome files, and are used as anonymous file exchange points. Not only can such unattended use be a huge consumer of your network's bandwidth, but you might find yourself explaining your apparent "hosting" of illegal, copyrighted, or otherwise distasteful files to governing authorities.

If you must run an FTP server for anonymous file acceptance, be sure to create a separate "incoming" directory for the receipt of submitted files. Make certain that that the contents of that incoming directory are not available for outgoing download without the explicit movement of the file into an outgoing directory.

If our analysis has shown that your FTP service port is open, you will definitely want to take some action (if this is not what you intend). As you can see from the list of known FTP-port Trojans at the end of this page, some nasty malware might be responsible for surreptitiously opening this port on your system. Or, if you are deliberately operating an FTP server, you will want to be certain that you are willing to accept the management responsibility that comes with offering such a public server to the Internet. It's not for everyone.

About the FTP protocol

FTP protocol uses two connections in parallel — one for command and control, and a second channel for data transport. Unless another port is specified, FTP servers listen for clients to connect on their port 21. The use of non-default FTP server ports is more common than for other protocols due to the historic trouble with malicious hackers searching for FTP servers on port 21. You may hear a computer savvy user say "I have an FTP server running on port 60" (or anything else). This might be done to avoid a port collision with another FTP server already running on the default port. But it is more likely being done to keep the real FTP server away from a highly targeted and often searched for port.

After initiating the connection, the client instructs the server whether it desires to establish an "active" or "passive" FTP session. This determines the direction of the secondary "FTP data" connection:

Active FTP

Active FTP is the traditional default which is generally used by full FTP client programs. Active FTP uses a "reverse data channel" that can cause problems when operating behind some older firewalls and NAT routers, though modern products have generally become "FTP aware". By comparison, passive FTP (see next section) is primarily used by web browsers and can be more firewall and NAT router friendly.

As we saw above, FTP sessions are initiated by an FTP client's connection to port 21 of any FTP server. This establishes the "forward" command and control channel. An active FTP client next opens a listening port on its machine, informs the remote FTP server of this port number, and requests the remote FTP server to connect from its port 20 back to the client on the port it has specified. This establishes the "reverse data channel" for transporting data.

Since many firewalls and NAT routers automatically block incoming connections to their protected client machines, the need to establish this second "reverse data channel" can cause trouble. Although passive FTP was created to overcome these problems, most modern firewalls and NAT routers have become "FTP aware". They monitor the outgoing control channel, interpret the client's request to the remote server, and open an incoming port back through the router to the client machine. Active FTP clients can thereby operate behind FTP aware firewalls and NAT routers without trouble.

Passive FTP

Passive FTP protocol was created to overcome the firewall and router problems associated with active FTP's need to establish a reverse data channel back from the server to the client. Passive FTP operates just like active FTP except that both the initial control channel (to the server's default port 21) and the data channel (to the server's default port 20) are initiated by the client and received and accepted by the server. Passive FTP is generally used by web browsers and can sometimes be requested as an optional mode from full FTP clients. Because passive FTP does not use a "reverse data channel" approach, it is often more friendly to firewalls and NAT routers, though most modern NAT routers are now "FTP aware".

The FTP RFC (the complete specification)

The specification of every nuance and detail of the FTP protocol, as written by the people who invented it, may be found here:

  http://www.ietf.org/rfc/rfc959.txt

  http://www.faqs.org/rfcs/rfc959.html

Trojan Sightings: Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, FreddyK, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Net Administrator, Ramen, RTB 666, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash

The entire contents of this page is copyright © 2008 by Gibson Research Corporation.


Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page