
Author: Government Digital Service

Open port 21: File Transfer Protocol (FTP)

What this means

File Transfer Protocol (FTP) is a network protocol used to transfer files between computers over TCP connections.

FTP operates at the application layer of the OSI model and is widely used to move files between a client and a server.

FTP uses the following ports:

  • port 21 (control connection)
  • port 20 (data connection – active mode)
  • dynamic port (data connection – passive mode)

Port 21 is used for the initial connection between the client and server, and for sending commands and receiving responses.

In active mode, the server uses port 20 to send data back to the client.

In passive mode, the client initiates the data connection, and the server responds using a randomly assigned high-numbered port, known as the dynamic port.

Why this is a problem

FTP is considered an insecure protocol as it transmits data and credentials in plain text. This makes it vulnerable to interception and exploitation.

There are a number of reasons why FTP is insecure, including:

  • lack of encryption: FTP does not encrypt data during transmission, leaving it exposed to eavesdropping and potential theft
  • cleartext transmission: usernames, passwords, and file data are sent in plain text, making them easily readable by anyone with access to the network
  • vulnerability to attacks: this lack of encryption makes FTP susceptible to attacks like packet sniffing, brute-force attacks, and man-in-the-middle attacks
  • anonymous access: some FTP servers allow anonymous login, providing an entry point for attackers to upload or download files maliciously
  • data integrity risks: as FTP lacks built-in integrity checks, data transferred over an insecure connection could be altered during transit
  • misconfigured servers: misconfigured FTP servers with open ports can allow unauthorised users to browse, upload, or modify files

How to check if the problem is there

Check for open FTP ports

Run the following command to check whether anything is listening on the FTP control port. The pattern matches any address containing ":21" (port 2121 would match too), so confirm that the socket listed is port 21 itself and is in a listening state.

Windows (Command Prompt):

netstat -an | find ":21"

Linux/Mac (Terminal):

sudo netstat -tulnp | grep ":21"

On newer Linux distributions that no longer ship netstat, sudo ss -tulnp | grep ":21" gives the same result. The netstat on macOS does not accept the -tulnp flags; sudo lsof -nP -iTCP:21 -sTCP:LISTEN lists listening sockets on port 21 instead.

Test for access

If an open port is found, try connecting to the FTP server using:

ftp <server-ip>

You will be prompted for credentials to access the filesystem of the service.

If anonymous access is allowed, logging in with the username anonymous gives direct access to the filesystem of the service.
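The following Python script is an added example, not part of this guidance page: it carries out the "test for access" step without an interactive ftp client by reading the server's greeting, attempting the conventional anonymous login and reporting whether the server accepted it. The two sample transcripts, the e-mail-style password and any hostname passed to probe_host are constructed for illustration.

```python
import io
import socket

def read_reply(rfile):
    """Return the 3-digit code of the next FTP reply, consuming multi-line replies (RFC 959)."""
    line = rfile.readline().decode("ascii", "replace")
    if len(line) < 3:
        raise ConnectionError("control connection closed by the server")
    code = line[:3]
    if line[3:4] == "-":  # "220-..." continues until a line starting "220 "
        while not line.startswith(code + " "):
            line = rfile.readline().decode("ascii", "replace")
            if not line:
                raise ConnectionError("control connection closed mid-reply")
    return code

def check_anonymous_login(rfile, wfile):
    """Drive an open FTP control channel (binary file objects) and report whether
    the server accepts the conventional anonymous login."""
    result = {"banner_ok": False, "anonymous_login": False, "last_code": None}
    code = read_reply(rfile)  # greeting; 220 means the service is ready
    result["last_code"] = code
    if not code.startswith("2"):
        return result
    result["banner_ok"] = True
    wfile.write(b"USER anonymous\r\n"); wfile.flush()
    code = read_reply(rfile)
    if code == "331":  # password requested; an e-mail-style string is the convention
        wfile.write(b"PASS audit@example.invalid\r\n"); wfile.flush()
        code = read_reply(rfile)
    result["last_code"] = code
    result["anonymous_login"] = code == "230"  # 230 = logged in, 530 = refused
    wfile.write(b"QUIT\r\n"); wfile.flush()
    return result

def probe_host(host, port=21, timeout=5.0):
    """Connect to a real host (an assumption you supply) and run the check over the network."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return check_anonymous_login(rfile, wfile)

# Constructed control-channel transcripts (not captured from a real server).
SAMPLE_OPEN = (b"220-Welcome\r\n220 Ready\r\n331 Please specify the password.\r\n"
               b"230 Login successful.\r\n221 Goodbye.\r\n")
SAMPLE_CLOSED = b"220 Ready\r\n530 Anonymous logins are not allowed.\r\n221 Goodbye.\r\n"

def run_sample(transcript):
    """Replay a transcript offline through the same logic used on the network."""
    return check_anonymous_login(io.BytesIO(transcript), io.BytesIO())
```

Running run_sample(SAMPLE_OPEN) reports anonymous_login as True and is the case this page tells you to fix; probe_host("<server-ip>") performs the same exchange against a host you are responsible for.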

How to fix this

Disable FTP

If FTP is unnecessary, carry out the following:

  • disable the FTP service running on the host
  • remove any inbound firewall or port forwarding rules for port 21

Use secure alternatives

Replace FTP with more secure options, such as:

  • SFTP (SSH File Transfer Protocol) – uses SSH encryption
  • FTPS (FTP Secure) – adds TLS encryption to FTP

Restrict access

Carry out the following actions:

  • configure firewall rules to block external access
  • enforce strong authentication
  • require strong passwords
  • use multi-factor authentication (MFA), if possible
