1

I found some FTP servers in a network that seem to allow login with an anonymous FTP user. I confirmed this with the ftp-anon NSE script in Nmap.

PORT     STATE SERVICE
21/tcp   open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

But when I try to connect with an anonymous user using an FTP client like FileZilla, it seems that this FTP user does not have any rights.

Status: Connecting to X.X.X.X:21...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Server does not support non-ASCII characters.
Status: Logged in
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is current directory
Command:    TYPE I
Response:   200 Command successful
Command:    PASV
Response:   227 Entering Passive Mode(X,X,X,X,004,001)
Command:    LIST
Error:  The data connection could not be established: EAI_NONAME - Neither nodename nor servname provided, or not known
Error:  Connection timed out after 20 seconds of inactivity
Error:  Failed to retrieve directory listing
Status: Disconnected from server

So am I right to assume that this FTP server does allow a connection with an anonymous user but that the anonymous user doesn't have any rights? If so, would the right recommendation still be to disallow anonymous FTP users, or won't that make any difference? Also, what are the risks of the above scenario?

Bob Ortiz
  • 6,234
  • 8
  • 43
  • 90
  • If you can login as anonymous user you can then run multiple commands which can be potentially used to break into the system, so the answer is definitely yes. – Aria Sep 01 '16 at 12:22
  • 2
    @Aria which commands would that be? An anonymous user is often jailed, with RO permissions. Even if you have RW, you still lack execution rights. – Yorick de Wid Sep 01 '16 at 13:18

1 Answer

3

That connection does not mean you have no rights, it means there was a network problem setting up the FTP data connection. Here's a thread on FileZilla's forum about similar errors. Causes range from unresolvable hostnames to misbehaving proxies. But I strongly doubt that the reason for this error is anonymous user restrictions; that would be indicated by some sort of 4XX or 5XX error from the server telling you you don't have the rights to do something.

bonsaiviking
  • 11,316
  • 1
  • 27
  • 50
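The answer's point is that a failed data connection and a missing permission look very different on the wire: a refusal arrives as a 4xx/5xx reply on the control channel, while a broken PASV setup never produces a reply at all. The following script is an added example, not code from the question, the answer or FileZilla; it assumes FileZilla-style message-log lines and uses constructed sample logs with documentation-range addresses. It parses the `227` PASV reply into the host and port the client would connect to (the `004,001` in the question encodes port 4*256+1 = 1025), flags an advertised data address that differs from the control-connection peer (a common NAT or proxy cause of exactly this failure), and triages a session log into "network" versus "server-refused".

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Servers vary in punctuation, so match the six numbers anywhere in the line.
PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return host, port


def check_pasv_address(reply, control_peer):
    """Compare the advertised data address with the control-connection peer."""
    host, port = parse_pasv(reply)
    if host == control_peer:
        return {"verdict": "same-host", "host": host, "port": port}
    # A server behind NAT (or an intercepting proxy) often advertises an internal
    # address the client cannot reach; the symptom is a data connection that
    # never comes up, with no 4xx/5xx reply on the control channel.
    addr = ipaddress.ip_address(host)
    return {"verdict": "mismatch", "host": host, "port": port,
            "advertised_private": addr.is_private}


def classify_reply(reply):
    """Bucket an FTP reply by its first digit (RFC 959 reply classes)."""
    m = re.match(r"(\d)(\d)(\d)", reply)
    if m is None:
        return {"code": None, "class": "unparsed"}
    classes = {"1": "preliminary", "2": "success", "3": "intermediate",
               "4": "transient", "5": "permanent"}
    return {"code": int(m.group(0)), "class": classes.get(m.group(1), "unparsed")}


def triage_session(log_lines):
    """Decide whether a failed listing looks like a network problem or a refusal."""
    refusals = []
    data_errors = []
    for line in log_lines:
        if line.startswith("Response:"):
            reply = line.split(None, 1)[1]
            if classify_reply(reply)["class"] in ("transient", "permanent"):
                refusals.append(reply)
        elif line.startswith("Error:"):
            text = line.split(None, 1)[1]
            if "data connection" in text or "EAI_" in text or "timed out" in text:
                data_errors.append(text)
    if refusals:
        return "server-refused"   # a 4xx/5xx reply: the server said no
    if data_errors:
        return "network"          # no refusal, but the data channel never came up
    return "ok"


# Constructed sample logs in FileZilla's message-log format (not real captures).
# The control connection peer is assumed to be 192.0.2.10.
CONTROL_PEER = "192.0.2.10"
NETWORK_FAILURE = [
    "Command:    PASV",
    "Response:   227 Entering Passive Mode(10,0,0,5,004,001)",
    "Command:    LIST",
    "Error:  The data connection could not be established: EAI_NONAME - "
    "Neither nodename nor servname provided, or not known",
    "Error:  Connection timed out after 20 seconds of inactivity",
]
PERMISSION_FAILURE = [
    "Command:    PASV",
    "Response:   227 Entering Passive Mode(192,0,2,10,004,001)",
    "Command:    LIST",
    "Response:   550 Permission denied.",
]

if __name__ == "__main__":
    for name, log in (("network", NETWORK_FAILURE), ("permission", PERMISSION_FAILURE)):
        pasv = next(l.split(None, 1)[1] for l in log if l.startswith("Response:   227"))
        print(name, check_pasv_address(pasv, CONTROL_PEER), triage_session(log))
```

Run against a real FileZilla log, the useful signal is the combination: a `mismatch` verdict plus a `network` triage points at the server's advertised address (NAT, proxy, or a misconfigured passive address), which is what to fix or report before drawing any conclusion about what the anonymous account can or cannot do.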