File Transfer Protocol
aliases:
- FTP
- SFTP
- TFTP
Application protocol used to transfer files between network hosts over ports 20 and 21.
FTP is mostly used in remote file access applications, and has several variants. While some HTTPS web services and web applications can offer direct file downloads to end users, FTP is often used for the administrative upload/download of files to and from servers. In this use case, it's important to secure FTP.
FTP's data transfer mechanism operates in two main modes, active and passive mode.
Active Mode
An FTP client connects to TCP port 21 on the FTP server from a dynamically chosen client port $n$. Port 21 carries transfer commands and status information, not the actual data. In active mode, the client sends a PORT command to the server on port 21, naming the client-side port it has opened for data, usually $n + 1$. The data transfer then takes place between client port $n + 1$ and port 20 of the server, with the server opening that connection.
Passive mode
The client opens a data port, again $n + 1$, and sends the PASV command to the server's control port. The server then opens a random high port and sends its number to the client using the PORT command. The client then initiates the data connection between the two ports.
- [i] Not all firewalls like active FTP, since there is no way of predicting which port the client will choose for the data transfer. However, not all FTP servers and clients support passive mode either. Ensure that the firewalls, clients, and servers are all compatible with one mode of FTP.
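The following is an added example, not part of the original note: it encodes and decodes the h1,h2,h3,h4,p1,p2 host/port form that both the client's PORT command and the server's reply to PASV use (the port is p1*256 + p2), applies the sanity checks a server or stateful firewall makes before honouring a PORT command, and works out which data connection a firewall has to allow in each mode, which is exactly the prediction problem the note above describes. All addresses and ports are constructed sample values.

```python
from __future__ import annotations

import ipaddress
import re

# Active mode: client sends "PORT h1,h2,h3,h4,p1,p2"; the server then connects
# from its port 20 to that client port. Passive mode: the server answers PASV
# with "227 ... (h1,h2,h3,h4,p1,p2)" and the client connects to that port.
_PORT_CMD = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227\b.*?(\d{1,3}(?:,\d{1,3}){5})")

SERVER_DATA_PORT = 20  # active-mode data connections originate from here


def encode_hostport(host: str, port: int) -> str:
    """Encode an IPv4 address and port as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(spec: str) -> tuple[str, int]:
    """Decode h1,h2,h3,h4,p1,p2 back into (address, port)."""
    parts = [int(p) for p in spec.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed host/port spec: {spec!r}")
    host = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def parse_port_command(line: str, control_peer: str) -> tuple[str, int]:
    """Parse a client's PORT command with the checks a server or firewall applies:
    the advertised address must be the peer of the control connection, and the
    port must be an ephemeral (> 1023) port rather than a privileged service port."""
    m = _PORT_CMD.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    host, port = decode_hostport(m.group(1))
    if host != control_peer:
        raise ValueError(f"PORT address {host} does not match control peer {control_peer}")
    if port < 1024:
        raise ValueError(f"PORT names privileged port {port}")
    return host, port


def port_command_is_acceptable(line: str, control_peer: str) -> bool:
    """Boolean form of parse_port_command for policy checks."""
    try:
        parse_port_command(line, control_peer)
        return True
    except ValueError:
        return False


def parse_pasv_reply(line: str) -> tuple[str, int]:
    """Parse the server's 227 reply to PASV into (address, port)."""
    m = _PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    return decode_hostport(m.group(1))


def expected_data_connection(mode: str, client_ip: str, server_ip: str, line: str):
    """Return ((src_ip, src_port), (dst_ip, dst_port)) for the data connection a
    stateful firewall must allow after seeing `line` on the control channel.
    A src_port of None means any ephemeral port, which is why passive mode is
    easier to filter: the fixed endpoint is the server side."""
    if mode == "active":
        host, port = parse_port_command(line, client_ip)
        return (server_ip, SERVER_DATA_PORT), (host, port)
    if mode == "passive":
        host, port = parse_pasv_reply(line)
        return (client_ip, None), (host, port)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample exchange: client 192.0.2.10, server 198.51.100.7.
    print(expected_data_connection("active", "192.0.2.10", "198.51.100.7",
                                   "PORT " + encode_hostport("192.0.2.10", 1025)))
    print(expected_data_connection("passive", "192.0.2.10", "198.51.100.7",
                                   "227 Entering Passive Mode (198,51,100,7,195,89)."))
```

A firewall that does not parse the control channel this way has to open every ephemeral port to the server's port 20 to make active mode work, which is the compatibility problem the note describes; application-layer FTP helpers in firewalls exist precisely to read PORT and 227 and open only the one advertised port.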
Trivial FTP (TFTP)
A connectionless protocol that runs over 69/udp (nice). TFTP doesn't provide the guaranteed delivery that FTP offers, and is only suitable for small file transfers. It supports only reading and writing files, not directory browsing, file deletion, or any of FTP's other features. TFTP is literally a last resort, used by legacy network appliances for configuration files. TFTP also has no security features or mechanisms at all. Be careful when using it.
Secure FTP (SFTP)
We love security. We love privacy. We love integrity. Therefore, SFTP encrypts the authentication and data transfer processes using SSH over 22/tcp. Ordinary FTP commands can be sent without the risk of eavesdropping. However, SFTP requires a compatible SSH server and compatible client software (e.g. WinSCP).
You can also use SSL/TLS, in explicit or implicit mode.
- Explicit Mode (FTPES) - Upgrade an insecure connection on 21/tcp to a secure one using the AUTH TLS command. File transfers can also be encrypted using the PROT command.
- Implicit Mode (FTPS) - Negotiate an SSL/TLS session before any FTP commands are used, over 990/tcp.
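The explicit-mode sequence above, as an added example using Python's standard ftplib (this is not code from the original note): the control connection is opened in the clear on 21/tcp, upgraded with AUTH TLS before any credentials are sent, and the data channel is then protected with PROT P. The TLS context that does the upgrade is shown next to the setting to avoid (no certificate verification), since a client that skips verification gets the encryption but none of the authenticity. The host name and credentials are placeholders.

```python
import ssl
from ftplib import FTP_TLS


def make_tls_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and refuses old TLS."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, hostname check, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def example_weak_context() -> ssl.SSLContext:
    """The setting to avoid, shown for contrast only: with verification off, any
    host on the path can present its own certificate and read the USER/PASS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Policy check a client can run on its own context before connecting."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def explicit_ftps_session(host: str, user: str, password: str, port: int = 21) -> FTP_TLS:
    """Explicit mode (FTPES): plain TCP to 21/tcp, then AUTH TLS, then login, then PROT P."""
    ctx = make_tls_context()
    if not context_is_hardened(ctx):
        raise RuntimeError("refusing to send credentials over an unverified TLS session")
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, port)        # control channel in the clear; nothing sensitive sent yet
    ftps.auth()                     # AUTH TLS: TLS handshake on the control channel
    ftps.login(user, password)      # USER/PASS now travel inside TLS
    ftps.prot_p()                   # PBSZ 0 + PROT P: data connections are TLS as well
    return ftps


if __name__ == "__main__":
    # Placeholder values; replace with a real FTPES server to run this for real.
    session = explicit_ftps_session("ftps.example.invalid", "placeholder-user", "placeholder-pass")
    print(session.nlst())
    session.quit()
```

ftplib only implements the explicit flavour, because it always starts by sending AUTH TLS over an unencrypted control connection. Implicit mode on 990/tcp expects the TLS handshake before the first FTP command, so it needs a client that wraps the socket in TLS immediately after connecting.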