
FTP Security

Another part of Internet-based security that should be considered is FTP-based traffic. FTP is an application layer protocol within the TCP/IP protocol suite that transfers data primarily via ports 20 and 21 and then uses available ports above 1023 for the additional connections a session needs. In this respect FTP is no different from Telnet: credentials and data are sent in cleartext, so that if they are captured by a passive attack such as sniffing, the information could be used to gain unauthorized access. Although FTP is an extremely popular protocol for transferring data, the fact that it transmits the authentication information in cleartext also makes it extremely insecure. This section explores FTP's weaknesses and looks at an FTP-based hack in progress with a sniffer.

Active and Passive FTP

When FTP is used, it may run in one of two modes: active or passive. Whether active or passive FTP is used depends on the client. The mode is initiated by the client and then acted upon by the FTP server. An FTP server listens and responds through port 21 (the command port), and transmits data through port 20 (the data port). During the TCP handshake, unless a client requests a specific port, the machine's IP stack temporarily designates a port for use during the session, called an ephemeral port. This is a port with a number greater than 1023, and it is used to transfer data during the session. Once the session is complete the port is freed, and it will generally be reused once the other port numbers in the range have all been used.

When active FTP is used, the client sends a PORT command to the server telling it to use the ephemeral port number + 1. For example, if the FTP client used port 1026, it would then listen on port 1027, and the server would use its port 20 to make a connection to that port on the client. This creates a problem when the client is behind a firewall, because the firewall sees an external system attempting to open a connection inbound to the client and will usually block it.

With passive FTP, this issue isn't a problem because the client opens both connections itself. After the TCP handshake, it initiates one connection to port 21 but includes a PASV (passive FTP) command. Because this tells the server that passive FTP is in use, the client does not issue a PORT command instructing the server to connect to a specific port. Instead, the server opens its own ephemeral port and sends the PORT command back to the client through port 21, telling the client which port to connect to. The client then uses its ephemeral port to connect to the ephemeral port of the server. Because the client has initiated both connections, the firewall on the client machine doesn't block the connection, and data can now be transferred between the two machines.
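The two points made above, cleartext credentials on the control channel and the PORT/PASV exchange deciding who opens the data connection, can be seen in a small analyzer. The following is an added example written for this section, not code from the original text. It assumes a hand-constructed transcript of an FTP control session (the SAMPLE_SESSION string) and the standard "h1,h2,h3,h4,p1,p2" encoding of host and port used by the PORT command and the server's 227 reply (port = p1*256 + p2). It reports what a sniffer would have seen and, for each data channel, whether a client firewall that blocks unsolicited inbound connections would let it through.

```python
import re
from dataclasses import dataclass

# Constructed sample capture of one FTP control-channel session (server port 21).
# "C:" lines are client -> server, "S:" lines are server -> client.
SAMPLE_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS s3cret!
S: 230 User alice logged in
C: PORT 192,168,1,50,4,3
S: 200 PORT command successful
C: RETR report.txt
S: 150 Opening BINARY mode data connection for report.txt
S: 226 Transfer complete
C: PASV
S: 227 Entering Passive Mode (203,0,113,9,195,80)
C: RETR other.txt
S: 150 Opening data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form into ("a.b.c.d", port), or None if malformed."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # each field is one octet; anything larger is malformed
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Finding:
    kind: str    # e.g. "cleartext-password"
    detail: str  # never contains the password itself


@dataclass
class DataChannel:
    mode: str        # "active" or "passive"
    initiator: str   # which side opens the TCP data connection
    endpoint: tuple  # (host, port) that the initiator connects to


def analyze(session):
    """Walk the control channel and collect credential findings and data channels."""
    findings, channels, user = [], [], None
    for raw in session.splitlines():
        side, _, line = raw.partition(": ")
        if side == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
                findings.append(Finding("cleartext-username", f"USER {arg}"))
            elif verb == "PASS":
                # Record that a password crossed the wire, but keep its value out of the report.
                findings.append(Finding("cleartext-password",
                                        f"PASS for user {user or '?'} observed ({len(arg)} chars, redacted)"))
            elif verb == "PORT":
                ep = decode_hostport(arg)
                if ep:
                    # Active mode: the server connects from its port 20 to this client port.
                    channels.append(DataChannel("active", "server", ep))
        elif side == "S" and line.startswith("227"):
            ep = decode_hostport(line)
            if ep:
                # Passive mode: the client connects to the server's ephemeral port.
                channels.append(DataChannel("passive", "client", ep))
    return findings, channels


def firewall_verdict(channel, client_allows_inbound=False):
    """Would a client-side firewall that drops unsolicited inbound connections pass this channel?"""
    if channel.initiator == "client":
        return "allowed: client initiates, the firewall sees an outbound connection"
    if client_allows_inbound:
        return "allowed: inbound to the client is explicitly permitted"
    return f"blocked: server connecting inbound to client port {channel.endpoint[1]}"


if __name__ == "__main__":
    found, chans = analyze(SAMPLE_SESSION)
    for f in found:
        print(f"[{f.kind}] {f.detail}")
    for c in chans:
        print(f"{c.mode}: {c.initiator} connects to {c.endpoint[0]}:{c.endpoint[1]} -> {firewall_verdict(c)}")
```

Run as-is, it flags the USER and PASS commands as cleartext, decodes the PORT argument to client port 1027 (matching the example above, where the server's port 20 would connect inbound and be blocked), and decodes the 227 reply to server port 50000, which the client connects to outbound and the firewall allows.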


S/FTP is a secure method of using FTP. It is similar to Secure Shell (SSH), which is a solid replacement for Telnet. S/FTP applies the same concept: added encryption to remove the inherent weakness of FTP, where everything is sent in cleartext. Basically, S/FTP is FTP used over SSH. S/FTP establishes a tunnel between the FTP client and the server, and transmits data between them using encryption and authentication that is based on digital certificates. An S/FTP client is available for Windows, Macintosh OS X, and most UNIX platforms. A current version can be downloaded at

While FTP uses ports 20 and 21, S/FTP doesn't require them. Instead, it uses port 22, the same port as SSH. Since ports 20 and 21 aren't required, an administrator could block those ports and still allow file transfers using S/FTP.

Another consideration when sharing data between partners is the transport mechanism. Today, many corporations integrate information collected by a third party into their internal applications or into those they provide to their customers on the Internet. One well-known credit card company partners with application vendors and client corporations to provide data feeds for employee expense reporting. A transport method they support is batch data files sent over the Internet using S/FTP. S/FTP is equivalent to running regular, unencrypted FTP over SSH. Alternatively, regular FTP might be used over a point-to-point VPN.

NOTE: Secure Copy Protocol (SCP) is the secure equivalent of the Remote Copy Protocol (RCP), and uses SSH to provide secure file transfers between clients and servers. Because of this, a major difference between SCP and RCP is that files are encrypted during transfer. Also, S/FTP should not be confused with the Simple File Transfer Protocol (SFTP), which was an FTP variant that provided no security and never gained any popularity. Simple File Transfer Protocol is often referred to as SFTP, which is why Secure FTP is named S/FTP, to indicate that they are two different protocols. Unlike S/FTP, which uses port 22, SFTP used port 115.