28

Usually (as far as I know), FTP uses port 21.

Since this port is used for FTP so often, is it safer to use another port? My guess is that if someone with malicious intentions tries to break FTP accounts, they will try port 21.

Kevin
    When you multiply zero by any number the result will be zero. – techraf Aug 18 '16 at 14:02
    Is this a metaphor I'm missing? – Kevin Aug 18 '16 at 14:13
    Kevin - techraf is pointing out that using FTP is always going to be unsafe :-) – Rory Alsop Aug 18 '16 at 14:20
    Strictly, switching *any* service to a non-default port is always going to be safer in the sense that it will drastically reduce the likelihood of the application being targeted by automated attack tools - especially if the system is Internet-accessible. It won't make the service completely invisible, and it certainly won't be *immune* to attacks, but it does make it so there's going to be a *lot* fewer attackers targeting it. With that out of the way... ***FTP is bad! Stop that!*** – Iszi Aug 18 '16 at 17:02
    @Iszi: I think "drastically reduce" is overstating the case. Automated tools are perfectly capable of scanning for open ports, or if they're sniffing your traffic they could capture unencrypted logins over any port rather than only over port 21. In a way it would be weird for an automated tool to target only port 21. There may exist tools that foolishly attack only port 21, though, or the user could configure it to do that. So it'll reduce the likelihood of attack according to what the likelihood is that your attackers use only those tools. – Steve Jessop Aug 18 '16 at 17:47
    @SteveJessop For an Internet-accessible system, at least, "drastically reduce" is really *understating* the case. [Daniel Miessler](https://danielmiessler.com/blog/security-and-obscurity-does-changing-your-ssh-port-lower-your-risk/) (and, I'm sure several others) once did a test where it was shown an SSH server on a non-standard port was only being hit about 5 times in the same span of time that a default SSH service was getting hit over 10,000 times! – Iszi Aug 18 '16 at 17:57
    @Iszi: well OK, but if your only threat model is random strangers trying to guess the password then FTP theoretically is almost equivalent to SSH, and in practice might even be safer. This seems like an insufficient threat model ;-) – Steve Jessop Aug 18 '16 at 18:12
    @SteveJessop The threat model here doesn't *assume* that all attackers are stupid. But it does recognize that the vast majority of real-world attacks are being done stupidly, and there's an *easy* way to avoid being targeted by them. Another analogy (I've posted a few on this subject recently, it seems): If I'm going into a firefight with forewarning, you can be certain I'll wear a bulletproof vest. But if there's an easy way I can reduce the number of guns pointed at me, from 10,000 down to just 5, you can be damn sure I'll be doing that thing too. – Iszi Aug 18 '16 at 18:17
  • Bear in mind, this isn't just about password guessing. FTP services (just like any other) may have remotely-exploitable vulnerabilities that don't require authentication. Shortly after the details of these are released, you can expect that there's going to be a lot of botnets knocking at your door to exploit them. While you should be making sure your applications are always patched, you can't always be sure that you'll be ahead of the attackers on this or that a patch will even be available to you soon enough. – Iszi Aug 18 '16 at 18:21
  • Take the botnets out of the equation by changing the port you run on, and you've got that much more breathing room for whenever you need it. – Iszi Aug 18 '16 at 18:21
  • As the idea looks OK, there's no proof that this could ever help with something. It really adds more firewall issues. – Aria Aug 18 '16 at 18:26
  • @Iszi: I would bet that there are far more vulnerabilities in any apache+mod_php server that can be in a ftp server, because the ftp protocol is stupidly simple. FTP had bad reputation only because it is hard to configure over proxies and credentials are passed in clear text. – Serge Ballesta Aug 19 '16 at 06:36
  • To quote Kerckhoff's second principle, "It should not require secrecy, and it should not be a problem if it falls into enemy hands". While the original principle applied to cryptosystems, I think it applies equally well to security in general. – Doktor J Aug 20 '16 at 20:17

9 Answers

63

It is not safe to use FTP over any port. Those who have malicious intent to get into your network or system will not scan your system for port 21 only but for all ports, and will figure out the other port in virtually no time.

You are better with sftp as your file transfer tool.

On the other hand, you have the option of adding some security to your ftp transfers and ports if you run it over a VPN tunnel instead.

yetdot
    Using SCP or Rsync is even better – Adam F Aug 18 '16 at 22:41
    How is SCP better than SFTP? – Dessa Simpson Aug 19 '16 at 05:04
    When using SCP, one has to specify the path of the target directory or file to download it on the client side. That is what I am aware of, but I'll also contradict myself on it. I've seen tools like WinSCP function exactly the same way when they are used over an SFTP connection and an SCP connection. I am not sure how that happens. In both cases, the transmission is encrypted and is more secure than clear-text FTP. – yetdot Aug 19 '16 at 12:03
    This answer could benefit from an explanation of *why* it's not safe to use FTP over any port. – TylerH Aug 19 '16 at 14:09
  • @TylerH there are less than 65535 ports available to set a service on. Scanning all ports on a given host is a trivial endeavour. I believe most users in this SE have that as a given. – Mindwin Aug 19 '16 at 19:51
    @Mindwin Your comment doesn't address my question, whose point was specifically why **FTP** is not safe to use, *not* whether there is a particular/recommended safe port. The fact that the answer mentions port scanning as an attack vector obviates any comments about that. – TylerH Aug 19 '16 at 20:39
    @TylerH because it's not encrypted? Surely you could gather that from the suggestion of 2 encrypted services (VPN and SFTP) – TheHidden Aug 19 '16 at 21:15
    @silverpenguin I personally already know why FTP is not safe or secure. The point of my comment is for the benefit of those who might not know why when they read the answer. – TylerH Aug 20 '16 at 03:14
    You're conveniently not mentioning the fact that most attackers simply want to get in any network, not yours in particular. It's like a bike chain, if someone wants *your* bike they'll be coming with chain cutters, but most thieves just want *any* bike... – N.I. Aug 20 '16 at 18:45
  • @NajibIdrissi Well, it's a good thing nobody here is in the business of securing bikes, eh? We're talking about software. Just use scp (SFTP). – Navin Aug 22 '16 at 04:00
    @Navin You completely missed my point and are apparently unaware of what an analogy is. – N.I. Aug 22 '16 at 06:37
  • There is FTPS protocol also, which is FTP but secured. FTP != rsync or scp or SFTP. It's about proper server and configuration to have a secure FTP. – akostadinov Aug 22 '16 at 09:42
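Added example, not code from yetdot's answer or anyone else in the thread: this is the port-independent check a scanner applies to every open port it finds, which is why "figure out the other port in virtually no time" is true. The sweep results in SWEEP are constructed (host names, versions and the choice of 2121 are assumptions); `grab_banner()` and `scan()` are the only functions that open sockets and are not used by the offline logic.

```python
"""Port-independent FTP fingerprinting from the server greeting.

Added example, not code from the original Q&A. SWEEP is constructed;
grab_banner()/scan() do real connections and are only for hosts you are
authorised to test.
"""
import re
import socket
from typing import Dict, Iterable, List, Tuple

# RFC 959: the server opens the control connection with a 220 (ready),
# 120 (ready in n minutes) or 421 (not available) reply, followed by a
# space or a '-' for multi-line greetings. SMTP also greets with 220, so
# the reply code alone is not proof; the text is checked too.
_GREETING = re.compile(rb"^(220|120|421)[ -]")
_PRODUCT = re.compile(
    r"(vsftpd|ProFTPD|Pure-FTPd|FileZilla Server|Microsoft FTP Service|wu-ftpd)", re.I
)


def first_line(banner: bytes) -> bytes:
    """The greeting's first line, tolerating bare LF as well as CRLF."""
    return banner.split(b"\r\n", 1)[0].split(b"\n", 1)[0]


def classify(banner: bytes) -> str:
    """'ftp', 'smtp', 'ssh' or 'other', decided from the unsolicited greeting alone."""
    line = first_line(banner)
    if line.startswith(b"SSH-"):
        return "ssh"
    if _GREETING.match(line):
        # Mail servers announce themselves as (E)SMTP inside the same 220 line.
        return "smtp" if re.search(rb"SMTP", line, re.I) else "ftp"
    return "other"


def product(banner: bytes) -> str:
    """Advertised daemon name, if the greeting carries one; 'unknown' otherwise."""
    m = _PRODUCT.search(first_line(banner).decode("ascii", "replace"))
    return m.group(1) if m else "unknown"


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """What a scanner does per open port: connect, wait, read whatever is sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(512)


def scan(host: str, ports: Iterable[int]) -> Dict[int, bytes]:
    """Collect greetings for every port that accepts a connection (network access)."""
    sweep: Dict[int, bytes] = {}
    for port in ports:
        try:
            sweep[port] = grab_banner(host, port)
        except OSError:  # closed, filtered or timed out: not in the result
            continue
    return sweep


def find_ftp(sweep: Dict[int, bytes]) -> List[Tuple[int, str]]:
    """Ports in a {port: greeting} sweep that speak FTP, with the advertised product."""
    return [(port, product(b)) for port, b in sorted(sweep.items()) if classify(b) == "ftp"]


# Constructed sweep of a host whose admin moved FTP from 21 to 2121: the
# greeting did not move with it, so the daemon is still identified.
SWEEP = {
    22: b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\r\n",
    25: b"220 mail.example.com ESMTP Postfix\r\n",
    2121: b"220 (vsftpd 3.0.3)\r\n",
    8080: b"",
}

if __name__ == "__main__":
    print(find_ftp(SWEEP))
```

A full-range sweep is `scan(host, range(1, 65536))` followed by `find_ftp()`; the port number never enters the decision.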
36

The reason FTP is generally considered insecure is because it is not encrypted, which means that if someone is sniffing traffic anywhere in the network path, then everything traversing it can be read. This includes the username, password, all the data being transferred, and which port is being used.

Using a non standard port will not increase security, but it might cut down on the number of bots that attempt to connect to it, which annoyingly fill up your network logs.

TTT
    "...annoyingly fill up your network logs" *and* have a chance to actually get through. If the odds of breaking through your security barrier are 10,000 to 1, you don't want to put yourself somewhere that will be seeing 30,000 attacks every week. – Iszi Aug 18 '16 at 17:20
  • The OPs concern seems to be brute-force though, non-standard ports to keep log noise down is almost the only justification. There is [FTPS](https://en.wikipedia.org/wiki/FTPS) for encryption (not recommended). Encryption aside, a substantial weakness is its use of dynamic ports (talk to a greybeard about pasv/active distinction) something that can be leveraged with weak packet filters/ACLs. An [`nmap --source-port=20`](https://nmap.org/book/man-bypass-firewalls-ids.html#idm140159078066048) is a common trick (active FTP uses port 20). FTP on a non-standard port can break fragile NAT too. – mr.spuratic Aug 18 '16 at 18:05
    @Iszi - Agreed. I like to (half) jokingly say: As a rule of thumb, if you are using unencrypted FTP on the public internet, then you should assume the credentials are posted on social media. Making that assumption should help you dictate the next course of action. – TTT Aug 18 '16 at 21:00
  • @Iszi - those bot attacks are dumb, though. They try the same combinations of username and password over and over again. If you've survived them for the first month, you'll likely survive them indefinitely. – Jules Aug 19 '16 at 10:12
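Added example, not code from TTT's answer or the thread: what a passive observer on the network path recovers from an unencrypted FTP control channel. The client-side bytes below are constructed to look like an RFC 959 session (the user name and password are made up); in practice they would come from a capture on any hop between client and server, and nothing in them depends on the TCP port, which is the answer's point.

```python
"""Recover FTP credentials from a captured control-channel stream.

Added example, not code from the original Q&A. CAPTURED is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass
class FtpLogin:
    user: str
    password: str
    complete: bool  # False when USER was seen but no PASS followed (capture cut off, anonymous, ...)


# FTP commands ride on a telnet-style channel: CRLF line endings and the
# occasional IAC (0xFF) negotiation sequence, which is stripped before parsing.
_IAC = re.compile(rb"\xff\xff|\xff[\xfb-\xfe].|\xff[\xf0-\xfa]", re.DOTALL)


def _lines(stream: bytes) -> Iterator[str]:
    for raw in _IAC.sub(b"", stream).split(b"\r\n"):
        if raw:
            yield raw.decode("ascii", "replace")


def extract_logins(client_stream: bytes) -> List[FtpLogin]:
    """Pair USER/PASS commands in order; a USER without a PASS is reported as incomplete."""
    logins: List[FtpLogin] = []
    pending: Optional[str] = None
    for line in _lines(client_stream):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()  # commands are case-insensitive
        if verb == "USER":
            if pending is not None:
                logins.append(FtpLogin(pending, "", False))
            pending = arg
        elif verb == "PASS" and pending is not None:
            logins.append(FtpLogin(pending, arg, True))
            pending = None
        # PASV, RETR, QUIT and the rest carry no credential material.
    if pending is not None:
        logins.append(FtpLogin(pending, "", False))
    return logins


# Constructed client-to-server stream, including one telnet DO option
# sequence (\xff\xfd\x01) that a real client might emit.
CAPTURED = (
    b"\xff\xfd\x01USER kevin\r\n"
    b"PASS Summer2016!\r\n"
    b"PASV\r\n"
    b"RETR site.tar.gz\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for login in extract_logins(CAPTURED):
        print(login)
```

The same parser applied to a server-to-client stream would confirm success by the 230 reply; it is left out because the credentials are already exposed whether or not the login worked.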
12
  1. If your FTP server is always kept up to date, then usually that means there are not going to be any known exploits against that application. On the other hand, if the server is out of date then you risk robots that scan for well-known vulnerabilities that otherwise would have been fixed.

  2. If the FTP server is poorly configured, for example having a default username/password, or a weak password on a neglected (or privileged) account, then a brute force attack may easily be able to get through.

So now you know the two most common attacks, to answer your question specifically, yes, a non-default port number will reduce the likelihood of such an attack, especially in regards to those robots which are scanning the internet for vulnerabilities.

This is often considered Security Through Obscurity and is frowned upon due to its limited effect, but you cannot deny that it does improve your security to some degree, especially against robot vulnerability scanners. Probably not so much against a targeted attack.

Suggestions:

  • Changing the Default Port is a simple thing you can do if you are not confident about the security as-is.
  • The best thing to do with an FTP service is to limit the IP addresses that can access it. This prevents vulnerability scanning. For example, it is likely that there are only certain buildings in the world that you would use to access the FTP server. You do not need to allow access from any other IP address.

  • It is highly recommended that you stop using FTP and switch to SFTP (SSH) to protect your credentials from getting out. FTP is unencrypted, and, while that is not applicable to your question, it is very risky to use an unencrypted connection for anything except on-site LAN access.

  • Also consider using a VPN, which gives you secure remote LAN access.

700 Software
  • Thanks for your response. I thought FTP and SSH are two different things. I use FTP for easily browsing and modifying files with FileZilla or Atom.io and use SSH with PuTTY to access the command line of my server remotely. Can I use SSH to browse and edit the files on my server by a graphical interface, like FileZilla or CoreFTP? – Kevin Aug 18 '16 at 14:24
    *"Can I use SSH to browse and edit the files on my server by a graphical interface"* Absolutely! This is called SFTP. (SSH FTP) CoreFTP supports SFTP. There are many other options available to you, both free and commercial. – 700 Software Aug 18 '16 at 14:27
    @Kevin You can use SFTP on pretty much any machine that has SSH enabled with no additional configuration. Filezilla also supports SFTP; just enter sftp:// in the server IP box, or enter port 22 in the port box and it'll automatically switch to SFTP. There is no need to configure a separate SFTP service; it'll work over SSH. – tlng05 Aug 18 '16 at 15:53
    "...if you are not confident about the security as-is..." then you should be looking to fix whatever's wrong with the security - not relying on changing the port number. Using an alternate port is indeed an effective obscurity layer to add, but the underlying security mechanisms should still be made solid enough that you're not reliant upon the obscurity. – Iszi Aug 18 '16 at 17:18
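Added example, not 700 Software's code: the source-address allow-list the answer recommends, as a decision function you can put in front of the listener, beside an nftables rendering of the same list so that unwanted sources are dropped before the daemon sees the connection. The networks, addresses and port 2121 are assumptions; the RFC 5737 / RFC 3849 documentation ranges stand in for a real office.

```python
"""Source-address allow-list for a file transfer service.

Added example, not code from the original Q&A. ALLOWED and the test
addresses are constructed; port 2121 is an assumption.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed allow-list: a bare host is accepted and becomes a /32 or /128.
ALLOWED = [
    "192.0.2.0/24",      # head office
    "198.51.100.7",      # one administrator's static address
    "2001:db8:1::/48",   # office IPv6 prefix
]


def parse_allow_list(entries: Iterable[str]) -> List[Network]:
    """Normalise strings to network objects; strict=False tolerates host bits in a prefix."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(src: str, networks: List[Network]) -> bool:
    """True when the client address falls inside any allowed network of the same IP version."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks if net.version == addr.version)


def render_nft(networks: List[Network], port: int = 2121) -> str:
    """An nftables fragment enforcing the same list at the packet filter.

    Sources on the list reach the port; everyone else is dropped for that
    port only, so the rest of the host's policy is untouched.
    """
    v4 = [str(n) for n in networks if n.version == 4]
    v6 = [str(n) for n in networks if n.version == 6]
    rules = []
    if v4:
        rules.append(f"    tcp dport {port} ip saddr {{ {', '.join(v4)} }} accept")
    if v6:
        rules.append(f"    tcp dport {port} ip6 saddr {{ {', '.join(v6)} }} accept")
    rules.append(f"    tcp dport {port} drop")
    return (
        "table inet ftp_acl {\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy accept;\n"
        + "\n".join(rules) + "\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    nets = parse_allow_list(ALLOWED)
    for client in ("192.0.2.10", "203.0.113.9", "2001:db8:1:2::5"):
        print(client, "allowed" if is_allowed(client, nets) else "blocked")
    print(render_nft(nets))
```

Load the rendered fragment with `nft -f`; keeping the allow-list in one place and generating the filter rules from it avoids the two drifting apart.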
4

Yes, though only in a very minor way.

With any risk assessment there is the factor of cost vs. provided security.

When you move FTP to a non-standard port, you will reduce the incoming attempts at low hanging fruit. In other words, the script kiddies trying a dictionary list on only port 21 won't be considered attackers any more. In this way it is safer.

The cost however is that all firewalls (including some outside your control) may need to be adjusted. Clients will need settings changed and users will have to follow a non-standard procedure. These are small things, but your gain is small.

On these merits alone, absent all others, it's a close call (on the is it worth it question).

That said, there are much better ways to achieve better security. An IP address white list is cheap and easy. It provides more security than port changing. VPN access for FTP is another "easy" path if you already have VPNs setup.

Using those or other methods to secure FTP is generally "cheaper" and more secure than just switching ports.

BIG SUPER IMPORTANT NOTE

While FTP has its uses it should not be considered secure. Use SFTP instead.

Peter Mortensen
coteyr
2

Short story: changing the port is not the way to go to secure a file transfer service.

Now for a more in-depth explanation. If you have no reason to have an FTP server on a machine, the safest is to have none, whatever the port. And an FTP server is seldom necessary except for a public file service. It is among the oldest protocols in the TCP/IP world and is only aimed at exchanging files. If you control both ends of the connection, said differently if all the users that will use it are known to the system with a user name and password, then you should use sftp, which is a special use case of ssh. As it is built on top of ssh, all exchanges are fully encrypted, and it provides out of the box a highly secure public key authentication system. Of course, some browsers will no longer be usable (Filezilla will, thanks to @dave_thompson_085 for noticing it), but using a real password with a normal FTP server over an Internet connection is, ahem... poor security practice because it is passed unencrypted. In short, do not do that! Anyway, you can find sftp GUI clients.

FTP is still heavily used for public file servers. You can find solid implementations that have been heavily tested (meaning that implementation flaws are unlikely) and come with nice features like the ability to restart an interrupted transfer without losing what has already been downloaded. All major Linux and BSD distributions can be found on FTP servers because of that. But I have not had an FTP server on my own machines for decades...

And just for the possible security increase of using a non-standard port, forget your illusions: a port scan could soon reveal it, not to mention a simple promiscuous packet scanner anywhere on the network. What is even worse, beginner admins could be tempted to install a quickly configured FTP server on a non-standard port for their own use, saying that nobody will find it there so they won't spend time on securing it. The actual result is that:

  • a simple port scan can reveal it
  • as traffic is unencrypted, any machine on the way using a promiscuous mode scanner will see the user and password without any alert => just imagine what can happen if the credentials give admin privileges...

And changing a well-known port is likely to prevent users behind a corporate proxy from accessing your server.

IMPORTANT NOTE

This part is not directly related to the question itself, but to the common affirmation: FTP is unsafe, do not use it, which is not correct.

FTP was used as a secure protocol with secure authentication before ssh. It is true that it is now seldom used that way, but one-time passwords are a way to mitigate the risk of stolen credentials. Of course anybody on a network can see the password, but as soon as it has been used it is immediately revoked. I intensively used that in the '80s, and I would still be confident in OPIE or OTPW for secure connection over unsecured lines. Even if I must agree that I now use sftp and ssh instead of telnet + ftp + OPIE :-)

What I want to say is that FTP is not insecure per se and it can be securely used. Simply trivial use of FTP is generally unsafe.

Serge Ballesta
    Security researchers have run comparison tests that show Internet-facing services running on default ports are targeted by many more attacks - several orders of magnitude more - than services running on alternate ports. So, while it doesn't render the service impenetrable or invisible, it does mean there's a whole lot less people who will be messing with it. – Iszi Aug 18 '16 at 17:12
    Let's say you're going to build a home for your family somewhere. You've got the funds to build literally whatever you want, wherever you want. You've settled on the "what" - exactly how the home will look, what security features will be in place, etc. Wherever you put it, the house will be exactly as "secure" (in terms of penetrability) as it would be anywhere else. Now, for the where. You've looked all over the world and found there's one place that has a crime rate tens of thousands of times higher than any other place. Are you even going to remotely consider putting your house there? – Iszi Aug 18 '16 at 17:15
    @Iszi What I say is that if you can run a FTP server on a non standard port, you'd better not run it at all. – Serge Ballesta Aug 18 '16 at 17:29
  • Oh, I don't disagree that FTP is bad. But saying there's little to no benefit to running it on a non-standard port - if you must run it - is patently false. – Iszi Aug 18 '16 at 17:55
    @Iszi IMHO, the only acceptable use case for a FTP server is a public one. And then you **must** use port 21. – Serge Ballesta Aug 18 '16 at 17:58
    Why MUST? Is there some international law I'm unaware of? Just because a service is public doesn't mean you must assume the intended audience will only use the default port. Educate your audience on how to configure their clients for a non-standard port, and be done. Sure, this means your obscurity layer is exposed to the public. But the obscurity layer isn't designed to defend against an attacker that's actually going to bother researching your system before running scripts against it - it's defending against the multitudes of botnets that are just blind-firing on the defaults. – Iszi Aug 18 '16 at 18:02
    Filezilla supports sftp, and has since 2006 according to the changelog. – dave_thompson_085 Aug 19 '16 at 19:10
  • @dave_thompson_085 : thanks for noticing. Post edited... – Serge Ballesta Aug 20 '16 at 09:07
2

It depends on the threat model

In the case of traffic sniffing, changing the port doesn't make any difference. It barely helps against a human hacker trying to analyze the system's vulnerabilities.

It will help against automatic mechanisms (botnets, worms), since they tend to assume standard ports.

enkryptor
2

Your question is really two questions. One is about the security of using FTP and the other is about the benefits of changing the default port for a network protocol.

Some people will argue that changing the default port is an example of security through obscurity. However, this is only true if this is the only security control you put in place. Changing the default port can be a legitimate security control, but only if it is also combined with other security controls. It is true that it is not a particularly strong control and anyone with a moderate level of knowledge will likely find the new port your protocol is listening on. However, it is an additional layer of protection, even if only a very thin one, and security is all about layers of protection. It may not stop an experienced person trying to crack into your system, but it may well stop many automated or simple script based attacks.

The downside with such approaches is that it does have an impact on usability. Any legitimate user of the service will now need to know the new port and will likely have to use additional command line or configuration settings to use your service. In some situations, this may be OK, but in others, it will just be inconvenient or confusing. It really depends on your situation and what you're trying to protect against.

For example, I will often move my SSH service from port 22 to a different port. While this has only a minimal impact on security, it has the benefit of avoiding the large number of automated scripts I see which make very simplistic attempts to access my system, reduces 'noise' in my logs and possibly has a minimal impact on services (in one location I was working in, I was seeing an average of 30k attempts to login on port 22 a day). As I was the only user with legitimate reasons to use SSH to connect to this system, changing the default port had minimal inconvenience and once I moved to the different port, I would only see a couple of attempts a week. However, this was with SSH, which is designed to be secure by default. FTP is a very different story.

In the case of FTP, if you do nothing else other than move the default port, then it is security through obscurity and will have very little impact on overall security - it will decrease usability and do nothing to address the fundamental weaknesses in FTP. The basic security of your system will not be improved by any significant amount as it is trivial to do a port scan and identify the new port on which the FTP service is listening.

As pointed out by some of the other posts and comments, the real problem here is that FTP is simply an insecure protocol. There are a number of functionally equivalent alternatives. Therefore, if you're concerned about security, the best course of action is simply not to use FTP. There are versions of FTP and ways to configure FTP which can make it more secure, but to a large extent, these are "after the fact" additions/extensions to the protocol and likely to still not be as secure as a protocol which had security built into it from the start. So the real answer if security is a concern is to just not use old protocols like FTP and Telnet. Use things like SCP or even SFTP and SSH or even HTTPS.

Toby Speight
Tim X
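Added example, not Tim X's code: the "30k attempts a day" observation turned into a check you can run over an FTP daemon's own log, so the effect of moving the port (or of an allow-list) can be measured rather than guessed. The log lines are constructed in the style vsftpd writes its login records (timestamp, pid, user, result, client address); addresses, users, threshold and window are assumptions to tune for your own traffic.

```python
"""Spot password guessing against an FTP daemon from its log.

Added example, not code from the original Q&A. SAMPLE_LOG is constructed
in the style of vsftpd's log; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# One login record per line; transfer and connect records do not match and are skipped.
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


@dataclass
class LoginEvent:
    when: datetime
    user: str
    ok: bool
    ip: str


@dataclass
class Suspect:
    ip: str
    failures: int
    users: List[str]      # distinct names tried; many names from one source is a spray
    first: datetime
    last: datetime


def parse_line(line: str) -> Optional[LoginEvent]:
    m = LINE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return LoginEvent(when, m["user"], m["result"] == "OK", m["ip"])


def brute_force_sources(
    lines: Iterable[str], threshold: int = 5, window: timedelta = timedelta(minutes=10)
) -> Dict[str, Suspect]:
    """Sources with at least `threshold` failed logins inside any span of length `window`."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and not ev.ok:
            by_ip[ev.ip].append(ev)
    suspects: Dict[str, Suspect] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.when)
        times = [e.when for e in events]
        # Sliding window over the sorted failure times: the i-th and the
        # (i+threshold-1)-th failure bound a run of `threshold` failures.
        if any(
            times[i + threshold - 1] - times[i] <= window
            for i in range(len(times) - threshold + 1)
        ):
            suspects[ip] = Suspect(
                ip, len(events), sorted({e.user for e in events}), times[0], times[-1]
            )
    return suspects


# Constructed log: one source spraying common names in under two minutes,
# one legitimate login followed by a download, one source with two stray failures.
SAMPLE_LOG = """\
Thu Aug 18 14:02:11 2016 [pid 2171] [admin] FAIL LOGIN: Client "203.0.113.5"
Thu Aug 18 14:02:12 2016 [pid 2173] [root] FAIL LOGIN: Client "203.0.113.5"
Thu Aug 18 14:02:14 2016 [pid 2175] [test] FAIL LOGIN: Client "203.0.113.5"
Thu Aug 18 14:02:15 2016 [pid 2177] [ftp] FAIL LOGIN: Client "203.0.113.5"
Thu Aug 18 14:02:17 2016 [pid 2179] [admin] FAIL LOGIN: Client "203.0.113.5"
Thu Aug 18 14:02:18 2016 [pid 2181] [admin] FAIL LOGIN: Client "203.0.113.5"
Thu Aug 18 14:03:30 2016 [pid 2190] [kevin] FAIL LOGIN: Client "203.0.113.5"
Thu Aug 18 14:05:40 2016 [pid 2201] [kevin] OK LOGIN: Client "192.0.2.10"
Thu Aug 18 14:05:41 2016 [pid 2201] [kevin] OK DOWNLOAD: Client "192.0.2.10", "/srv/ftp/site.tar.gz", 10240 bytes, 512.00Kbyte/sec
Thu Aug 18 16:40:02 2016 [pid 2310] [kevin] FAIL LOGIN: Client "198.51.100.77"
Thu Aug 18 16:41:02 2016 [pid 2312] [kevin] FAIL LOGIN: Client "198.51.100.77"
""".splitlines()

if __name__ == "__main__":
    for s in brute_force_sources(SAMPLE_LOG).values():
        print(f"{s.ip}: {s.failures} failures, users {s.users}, {s.first} .. {s.last}")
```

Run it over `/var/log/vsftpd.log` before and after the port change; the difference in flagged sources is the actual size of the "obscurity" effect on your host, and the list itself is input for the allow-list or block-list.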
2

Setting aside the question of whether it'll reduce automatic scanning (yes), and whether you can expect any security from FTP in either case (no), setting up FTP on a non-standard port can even hurt the security of your overall setup.

If you're running an FTP server on a non-standard port on the same host as an HTTP server, one can use the FTP server to perform XSS on the HTTP server on some browsers. Archive link

IIRC this works by POSTing the HTML+JS data using HTTP to the FTP server, which the browser allows because the FTP server is on a non-standard port, and so the browser doesn't know it's FTP and sees no reason to disallow this. The FTP server then responds with error messages that contain the invalid data that was posted. The response doesn't contain HTTP headers, but this just causes the browser to assume it's a HTTP/0.9 response. So, the server just gave you a response that contains the payload you sent it. At least older versions of IE ignored the port wrt. the Same-Origin-Policy, so you've got XSS on your hands, without doing anything wrong on the HTTP side of things.

I'm not sure how much of this has been mitigated (dropping HTTP/0.9 support, interpreting all HTTP/0.9 responses as text/plain, fixing the port thing on IE, etc. etc.) in modern browsers, but it definitely shows that it can have unintended consequences elsewhere. (And still has, at least if a user is using an older IE)

As for which is the lesser evil, automatic scans or XSS for [at least] some older browsers: Dude, just ditch the whole FTP thing already :)

1

I think something that other answers have failed to make clear is that in the vast majority of cases on the internet, hacking traffic comes from bots which scan known ports for known services (like FTP port 21) and only act if the scan returns something useful (like an FTP server). Unless your server is likely to be the target of human hackers, you probably shouldn't worry.

Is FTP generally secure? No.

Should you use it in a publicly accessible manner? No.

If you use it on port 21 on a public IP will a bot steal your data? Potentially.

If you use it on a non-standard port on a public IP will a hacker steal your data or compromise your data? Probably not.

js441
  • "If you use it on a non-standard port on a public IP will a hacker steal your data or compromise your data?" Yes, almost certainly. FTP is unencrypted and it doesn't take long to scan all ports to see which one FTP is listening on. – Navin Aug 22 '16 at 04:06
  • @Navin My point was a full port scan on a random IP is not something that happens very often, unless the IP is a high profile target. Similar for internet packet sniffing. – js441 Aug 22 '16 at 07:42