FTP (File Transfer Protocol) – Concepts, Modes, and Security
1. What Is FTP?
FTP (File Transfer Protocol) is a standard application-layer protocol used to transfer files between a client and a server over a TCP/IP network. Defined in RFC 959, it is one of the oldest protocols still in common use and operates at OSI Layer 7 (Application Layer).
FTP enables users to upload files to a remote server, download files from it, list directory contents, rename, delete, and manage remote files — all from either a command-line client or a graphical tool like FileZilla. It underpins web hosting workflows, automated backup jobs, and large-scale file distribution.
FTP Client FTP Server
(FileZilla, ftp CLI, WinSCP) (vsftpd, ProFTPD, IIS FTP)
│ │
│── Control Connection (TCP 21) ────────│ ← Commands & responses
│ │
│── Data Connection (TCP 20 / random) ──│ ← Actual file data
│ │
2. FTP's Dual-Connection Architecture
FTP is unusual among common application protocols in that it uses two separate TCP connections at once, a design that shapes every other aspect of how FTP works, including its firewall challenges.
| Connection | Port | Purpose | Lifetime |
|---|---|---|---|
| Control Connection | TCP 21 (always) | Carries all FTP commands (USER, PASS, LIST, RETR, STOR…) and server response codes. Never carries file data. | Stays open for the entire FTP session — from login to logout |
| Data Connection | TCP 20 (active) or random ephemeral port (passive) | Carries the actual file content, directory listings, and any other bulk data transfers | Opened on demand for each transfer, then closed immediately after |
This separation means you can issue commands on the control connection while a transfer is running on the data connection. It also means firewalls must handle two connections per FTP session — the source of most FTP firewall complexity.
3. Active Mode vs Passive Mode
The mode determines who initiates the data connection. This is the most important FTP concept for CCNA and for real-world deployments behind firewalls and NAT.
Active Mode
Client Server
│ │
│─── Control: TCP SYN → port 21 ──────────►│ Step 1: Client opens control connection
│◄── Control: SYN-ACK ────────────────────│
│ │
│─── PORT command (client IP + port N) ───►│ Step 2: Client tells server where to connect
│ │
│◄── Data: TCP SYN from server port 20 ───│ Step 3: SERVER initiates data connection
│ to client port N │ ← This is what firewalls block
In Active Mode, the server initiates the data connection back to the client on a port the client has advertised via the PORT command. By RFC 959 convention the server's source port is 20 (the control port minus one), but not every server does this in practice (vsftpd, for example, only does so when connect_from_port_20=YES), so client-side firewall rules that key on source port 20 are not reliable.
Problem: Most client-side firewalls and NAT devices block unsolicited inbound TCP connections. From the firewall's perspective, an inbound SYN from the server on port 20 to a random client port looks like an uninitiated connection — and gets dropped.
Passive Mode
Client Server
│ │
│─── Control: TCP SYN → port 21 ──────────►│ Step 1: Client opens control connection
│◄── Control: SYN-ACK ────────────────────│
│ │
│─── PASV command ────────────────────────►│ Step 2: Client asks server for a data port
│◄── Server replies: "connect to port P" ──│
│ │
│─── Data: TCP SYN → server port P ───────►│ Step 3: CLIENT initiates data connection
│ │ ← All connections outbound from client ✓
In Passive Mode, the client initiates both connections. The server opens a listening socket on a random high port (P), advertises it in the 227 reply to PASV, and the client then connects to that port.
Advantage: All TCP connections flow outbound from the client, which is exactly what NAT and stateful firewalls expect. This is why passive mode is the default in virtually all modern FTP clients.
| Feature | Active Mode | Passive Mode |
|---|---|---|
| Who initiates data connection | Server (from port 20) | Client (to server's random port) |
| Client firewall compatibility | Poor — inbound SYN from server is often blocked | Excellent — all connections are outbound from client |
| Server firewall requirement | Allow outbound from port 20 | Allow inbound to the configured passive port range |
| NAT compatibility | Problematic without ALG (Application Layer Gateway) | Good — client's NAT handles outbound connections natively |
| Data port used | Server port 20 → client random port | Client random port → server random high port (1024–65535) |
| Recommended for | Server-to-server transfers where both ends are controlled | Almost all client deployments, especially behind NAT or firewall |
4. FTP Ports Reference
| Port | Protocol | Purpose | Mode |
|---|---|---|---|
| 21 | TCP | Control connection — all FTP commands and server responses | Active & Passive |
| 20 | TCP | Data connection — file transfers initiated by the server | Active only |
| Random (1024+) | TCP | Data connection — server advertises a high port; client connects | Passive only |
| 22 | TCP | SFTP (SSH File Transfer Protocol) — entirely separate protocol over SSH | N/A (SFTP) |
| 990 | TCP | FTPS implicit SSL/TLS control connection | N/A (FTPS) |
5. FTP Commands and Server Response Codes
FTP commands are plain-text strings sent by the client over the control connection. The server replies with a 3-digit numeric response code followed by a text message. Knowing the core commands and code ranges is an exam requirement.
Core FTP Commands
| Command | Description | Example | Notes |
|---|---|---|---|
| USER | Identify the username for login | USER john | Always the first command after connecting; sent in plaintext |
| PASS | Provide the account password | PASS secret123 | Sent in cleartext — a major security concern with standard FTP |
| LIST | Request a directory listing from the server | LIST | Opens a data connection to deliver the listing |
| RETR | Retrieve (download) a named file from the server | RETR report.pdf | Server sends the file over the data connection |
| STOR | Store (upload) a file to the server | STOR data.csv | Client sends the file over the data connection |
| DELE | Delete a named file on the server | DELE oldfile.txt | Requires appropriate write permissions |
| MKD | Create a new directory on the server | MKD backups | Equivalent of mkdir |
| CWD | Change the current working directory | CWD /var/www/html | Equivalent of cd |
| PASV | Request passive mode — server returns IP and port for data connection | PASV | Client must then connect to the advertised port |
| PORT | Specify client IP and port for active mode data connection | PORT 192,168,1,10,19,136 | Six comma-separated decimal values: four for the IP, two for the port (port = p1×256 + p2; here 19×256 + 136 = 5000) |
| QUIT | Close the FTP session gracefully | QUIT | Server sends 221 and closes the control connection |
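The PORT argument in the table above and the 227 reply to PASV described in Section 3 use the same h1,h2,h3,h4,p1,p2 encoding. The Python below is an added example, not code from this page or from any FTP implementation: it encodes and decodes that form with the range checks a real client needs, and `pasv_data_target` applies the address policy a client should use for a PASV reply. The sample reply and command are constructed, and the function names are chosen for this example.

```python
"""PORT / PASV address encoding, as used on the FTP control connection."""
from __future__ import annotations

import ipaddress
import re

# Constructed samples (not captured traffic): a 227 reply and a PORT command
# in the formats discussed above, using documentation addresses.
PASV_REPLY = "227 Entering Passive Mode (203,0,113,50,195,80)"
PORT_CMD = "PORT 192,168,1,10,19,136"

_SIX_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> tuple[str, int]:
    """Decode h1,h2,h3,h4,p1,p2 (RFC 959) from a PORT command or a 227 reply.

    Returns (dotted_ip, port). Rejects a missing sequence, any field above 255,
    and port 0, which is not a usable data port.
    """
    match = _SIX_FIELDS.search(text)
    if match is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 sequence in {text!r}")
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {text!r}")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ip, port


def encode_hostport(ip: str, port: int) -> str:
    """Build the argument a client sends in PORT (or a server returns in 227)."""
    if not 1 <= port <= 65535:
        raise ValueError("port must be in 1..65535")
    octets = ipaddress.IPv4Address(ip).packed          # raises on a malformed address
    return ",".join(str(b) for b in octets) + f",{port // 256},{port % 256}"


def pasv_data_target(reply: str, control_peer_ip: str) -> tuple[str, int, bool]:
    """Pick the (ip, port) a client should connect to after PASV.

    A server behind NAT with no pasv_address advertises its private address,
    and a hostile server could advertise a third party's. The robust policy,
    which curl applies by default in recent releases and Python's ftplib
    applies unless trust_server_pasv_ipv4_address is set, is to take only the
    port from the reply and reuse the control connection's peer address.
    The third element reports whether the advertised address was overridden.
    """
    advertised_ip, port = decode_hostport(reply)
    return control_peer_ip, port, advertised_ip != control_peer_ip
```

The NAT case from Section 9 is exactly what the override covers: a server that forgot pasv_address advertises 10.x or 192.168.x, and the client still reaches it because the port is the only thing it trusts from the reply.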
Server Response Code Ranges
| Code Range | Meaning | Common Examples |
|---|---|---|
| 1xx | Positive Preliminary — action initiated, expect another reply | 125 Data connection already open; 150 File status OK, opening data connection |
| 2xx | Positive Completion — action successfully completed | 200 Command OK; 220 Service ready; 221 Goodbye; 226 Closing data connection |
| 3xx | Positive Intermediate — command accepted, further information needed | 331 Username OK, need password; 350 Requested file action pending |
| 4xx | Transient Negative — command not accepted, but may succeed if retried | 421 Service not available; 425 Can't open data connection; 450 File unavailable |
| 5xx | Permanent Negative — command not accepted, do not retry | 500 Syntax error; 530 Not logged in; 550 Permission denied / file not found |
6. Authentication — Anonymous vs Authenticated FTP
FTP supports two authentication models, each suited to different use cases. In both cases, credentials are transmitted in plaintext over standard FTP — a critical security limitation addressed in Section 7.
| Authentication Type | How It Works | Typical Use Case | Security Consideration |
|---|---|---|---|
| Anonymous FTP | Client logs in with USER anonymous and provides any string (typically an email address) as the password | Public file repositories, software mirrors, open data distribution | No real authentication — anyone can connect. Restrict anonymous users to read-only access on a dedicated directory. |
| Authenticated FTP | Client provides a real username and password that the server validates against its user database | Web hosting control panels, private file sharing, automated backup scripts | Credentials sent in cleartext — visible to any packet capture on the path. Use FTPS or SFTP for any sensitive deployment. |
7. Security Limitations of Standard FTP
Standard FTP was designed in 1971, long before network security was a concern. It has three fundamental security weaknesses that make it inappropriate for transferring sensitive data over untrusted networks.
| Weakness | What It Means | Risk |
|---|---|---|
| Cleartext Credentials | The USER and PASS commands are sent as plain ASCII text over the control connection | Any attacker with network access (e.g., on the same LAN, or via a man-in-the-middle position) can capture usernames and passwords with a basic packet capture tool like Wireshark |
| Cleartext Data | File content is transferred without encryption over the data connection | Confidential files — config files, code, databases, personal data — can be intercepted and read in transit |
| No Integrity Verification | FTP has no built-in mechanism to detect whether a file was tampered with during transfer | A file could be silently modified in transit (e.g., malware injection) and the client would have no way to detect it |
Rule of thumb: Never use standard FTP across the internet or any untrusted network. Restrict it to isolated lab environments or trusted internal networks where confidentiality is not a concern.
8. Secure Alternatives — FTPS and SFTP
Two secure replacements for FTP are in widespread use. They are often confused because of similar names, but they are fundamentally different protocols.
| Feature | Standard FTP | FTPS | SFTP |
|---|---|---|---|
| Full Name | File Transfer Protocol | FTP Secure (FTP over SSL/TLS) | SSH File Transfer Protocol |
| Underlying Security | None | SSL/TLS (same as HTTPS) | SSH (Secure Shell) |
| Default Port | 21 (control), 20 (data) | 21 explicit / 990 implicit (control) | 22 (single port for everything) |
| Number of Connections | 2 (control + data) | 2 (control + data, both encrypted) | 1 (single multiplexed SSH channel) |
| Same Commands as FTP? | Yes (it is FTP) | Yes — FTPS wraps FTP in TLS, same command set | No — completely different protocol with its own command set |
| Firewall Friendliness | Challenging (dual connections) | Challenging (dual connections, encrypted so inspection is harder) | Excellent — single port 22, all traffic in one SSH tunnel |
| Certificate Required | No | Yes (TLS certificate on the server; the client should validate it against a trusted CA rather than accept it blindly) | No TLS certificate. The server presents an SSH host key, which the client verifies on first connection (the known_hosts check); users authenticate with a password or, preferably, an SSH key pair |
| When to Use | Only in isolated/lab environments | When FTP infrastructure already exists and TLS must be added | New deployments — preferred modern choice for secure file transfer |
Standard FTP: Client ──[cleartext USER/PASS]──► Server ✗ Insecure
FTPS: Client ──[TLS handshake]──────────► Server
──[encrypted commands]──────►
──[encrypted file data]─────► ✓ Secure
SFTP: Client ──[SSH handshake port 22]──► Server
──[all data in SSH tunnel]──► ✓ Secure (preferred)
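Section 7's cleartext problem and Section 8's FTPS upgrade look like this from the wire. The Python below is an added example, not part of the original page: it replays two constructed control-channel captures (the kind of text a "Follow TCP Stream" on port 21 shows; not real traffic) and records what a passive observer recovers. In plain FTP the login and file names are readable; in explicit FTPS the client sends AUTH TLS (RFC 4217) and, after the server's 234 reply, everything else on port 21 is TLS ciphertext. The `ObservedSession` and `observe_control_channel` names are chosen for this example.

```python
"""What an on-path observer reads from an FTP control channel: plain FTP vs explicit FTPS."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed control-channel captures as (direction, line) pairs, the way a
# "Follow TCP Stream" on port 21 shows them. C = client, S = server. Not real traffic.
PLAIN_FTP = [
    ("S", "220 (vsFTPd 3.0.3)"),
    ("C", "USER john"),
    ("S", "331 Please specify the password."),
    ("C", "PASS secret123"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,50,195,80)."),
    ("C", "STOR index.html"),
    ("S", "150 Ok to send data."),
    ("S", "226 Transfer complete."),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]
EXPLICIT_FTPS = [
    ("S", "220 (vsFTPd 3.0.3)"),
    ("C", "AUTH TLS"),                          # RFC 4217: upgrade the control connection to TLS
    ("S", "234 Proceed with negotiation."),
    ("C", "\x16\x03\x03\x01\x2e..."),            # from here on the capture holds TLS records
    ("S", "\x16\x03\x03\x00\x5a..."),
]


@dataclass
class ObservedSession:
    user: str | None = None
    password: str | None = None
    login_code: str | None = None        # 230 = accepted, 530 = rejected
    tls_upgraded: bool = False
    files: list[str] = field(default_factory=list)

    @property
    def credentials_exposed(self) -> bool:
        return self.password is not None and not self.tls_upgraded


def observe_control_channel(stream) -> ObservedSession:
    """Replay a captured control channel and record everything a sniffer can read."""
    seen = ObservedSession()
    auth_pending = False                     # an AUTH TLS is waiting for the server's verdict
    for direction, line in stream:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                auth_pending = True
            elif verb == "USER":
                seen.user = arg
            elif verb == "PASS":
                seen.password = arg          # plain ASCII on the wire: Section 7's first weakness
            elif verb in ("RETR", "STOR"):
                seen.files.append(arg)       # file names are visible before any data moves
        else:
            code = line[:3]
            if auth_pending:
                auth_pending = False
                if code == "234":
                    seen.tls_upgraded = True
                    break                    # everything after 234 is ciphertext
            elif code in ("230", "530") and seen.login_code is None:
                seen.login_code = code
    return seen
```

Note the downgrade case the model also covers: if the server answers AUTH TLS with a 5xx and the client proceeds with USER/PASS anyway, the login is exactly as exposed as plain FTP. That is why the FileZilla setting named in Section 10 is "Require explicit FTP over TLS" rather than "if available".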
9. Firewall and NAT Considerations
FTP's dual-connection design creates unique challenges for firewalls and NAT devices that more modern single-port protocols (like SFTP) do not have.
| Scenario | Challenge | Solution |
|---|---|---|
| Active FTP behind client firewall | Firewall drops the inbound SYN from server port 20 to the client's random port — the data connection never establishes | Switch to passive mode so the client initiates all connections outbound |
| Active FTP behind client NAT | The IP address embedded in the PORT command is the client's private IP — the server tries to connect to an unreachable private address | Passive mode (client never embeds its IP in commands), or enable FTP ALG (Application Layer Gateway) on the NAT device |
| Passive FTP — server-side firewall | Server's firewall must allow inbound connections to a range of high ports (the passive port range) | Configure the server's passive port range (e.g., 50000–50100; a few hundred ports is plenty for most servers) and open exactly that range in the server-side firewall |
| FTPS through deep packet inspection firewall | FTP ALG cannot inspect encrypted FTPS traffic to rewrite embedded IP addresses, potentially breaking passive FTPS | Ensure the firewall supports FTPS inspection, or use SFTP which avoids embedded addresses entirely |
Best practice: Always prefer passive mode for client deployments. Define and document the server's passive port range, and open only that range — not all high ports — on the server-side firewall.
10. Configuring FTP — Server and Client
Server Setup (Linux — vsftpd example)
# Install vsftpd
sudo apt install vsftpd
# Key /etc/vsftpd.conf settings. vsftpd reads one option=value per line and only
# accepts comments on lines of their own: a trailing "# comment" becomes part of
# the value and the daemon rejects the file at startup.
# Disable anonymous access
anonymous_enable=NO
# Allow local Linux accounts to log in and upload
local_enable=YES
write_enable=YES
# Confine users to their home directory (a writable chroot root also needs
# allow_writeable_chroot=YES, otherwise vsftpd refuses the login)
chroot_local_user=YES
allow_writeable_chroot=YES
# Passive mode on a small, documented port range; the firewall opens exactly this
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
# Server's public IP, advertised in 227 replies (required behind NAT)
pasv_address=203.0.113.10
# FTPS: enable TLS and refuse plaintext logins and data transfers
# (certificate and key paths below are placeholders)
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/ftp-server.pem
rsa_private_key_file=/etc/ssl/private/ftp-server.key
force_local_logins_ssl=YES
force_local_data_ssl=YES
sudo systemctl restart vsftpd
Server Setup — Firewall Rules
Allow TCP inbound to port 21 (control connection)
Allow TCP outbound from source port 20 (active mode data: the server initiates this connection, so no inbound rule is needed beyond stateful return traffic)
Allow TCP inbound 50000–50100 (passive mode data range, matching pasv_min_port/pasv_max_port exactly)
Block everything else
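A quick way to check a vsftpd.conf against the points in this section, as an added example that is not part of the page or of the vsftpd project: the Python below parses the file the way vsftpd does (whole-line comments only, so a trailing comment is reported as a bad value), applies vsftpd's compiled-in defaults for the options it checks (taken from the vsftpd.conf man page), and reports the weak settings beside a hardened sample. Both sample configurations are constructed; the finding identifiers are labels chosen for this example.

```python
"""Audit a vsftpd.conf for the settings this section cares about."""
from __future__ import annotations

# Compiled-in vsftpd defaults for the options checked below (from the vsftpd.conf
# man page; distribution packages usually ship a config that overrides some).
DEFAULTS = {
    "anonymous_enable": "YES", "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "local_enable": "NO", "write_enable": "NO", "chroot_local_user": "NO",
    "pasv_enable": "YES", "pasv_min_port": "0", "pasv_max_port": "0",
    "ssl_enable": "NO", "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
}
BOOL_OPTIONS = {name for name, default in DEFAULTS.items() if default in ("YES", "NO")}
BOOL_VALUES = {"YES": "YES", "TRUE": "YES", "1": "YES", "NO": "NO", "FALSE": "NO", "0": "NO"}

# Constructed sample configs for the demo, not taken from any real host.
WEAK_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
pasv_enable=YES
"""
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
pasv_address=203.0.113.10
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/ftp-server.pem
rsa_private_key_file=/etc/ssl/private/ftp-server.key
"""


def parse_vsftpd_conf(text: str) -> tuple[dict[str, str], list[tuple[str, str]]]:
    """Parse option=value lines the way vsftpd does: comments only on lines of their own."""
    conf: dict[str, str] = {}
    problems: list[tuple[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(("SYNTAX", f"line {lineno}: expected option=value"))
            continue
        key, value = key.strip(), value.strip()
        if key in BOOL_OPTIONS and value.upper() not in BOOL_VALUES:
            # e.g. "anonymous_enable=NO  # comment": vsftpd rejects the file at startup
            problems.append(("BAD_VALUE", f"line {lineno}: {key}={value!r} is not a boolean"))
        conf[key] = value
    return conf, problems


def audit_vsftpd_conf(text: str) -> list[tuple[str, str]]:
    """Return (finding_id, message) pairs for the weaknesses discussed on this page."""
    conf, findings = parse_vsftpd_conf(text)

    def get(key: str) -> str:                 # effective value: defaults applied, booleans normalised
        value = conf.get(key, DEFAULTS.get(key, "")).upper()
        return BOOL_VALUES.get(value, value) if key in BOOL_OPTIONS else value

    if get("anonymous_enable") == "YES":
        if get("anon_upload_enable") == "YES" or get("anon_mkdir_write_enable") == "YES":
            findings.append(("ANON_WRITE", "anonymous users may write; anonymous FTP should be read-only"))
        else:
            findings.append(("ANON_READ", "anonymous login is on; confirm it is intended and confined to a dedicated directory"))
    if get("ssl_enable") != "YES":
        findings.append(("CLEARTEXT", "ssl_enable is not YES: credentials and file data cross the network in cleartext"))
    else:
        for opt in ("force_local_logins_ssl", "force_local_data_ssl"):
            if get(opt) == "NO":
                findings.append(("TLS_OPTIONAL", f"{opt}=NO lets clients fall back to plaintext"))
    if get("local_enable") == "YES" and get("chroot_local_user") != "YES":
        findings.append(("NO_CHROOT", "local users are not confined to their home directories"))
    if get("pasv_enable") == "YES":
        low, high = int(get("pasv_min_port")), int(get("pasv_max_port"))
        if low == 0 or high == 0:
            findings.append(("PASV_ANY", "no passive port range: the firewall would have to open every high port"))
        elif high - low + 1 > 1000:
            findings.append(("PASV_WIDE", f"passive range {low}-{high} spans {high - low + 1} ports; narrow it"))
        if "pasv_address" not in conf:
            findings.append(("PASV_ADDR", "pasv_address is unset: behind NAT the 227 reply advertises the private address"))
    return findings
```

The PASV_ADDR finding is advisory: a server with a public address needs no pasv_address, but on a NAT'd host its absence is the usual cause of the "active works, passive fails" symptom in Section 12.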
Client Setup
- Use an FTP client: FileZilla (GUI), WinSCP (GUI, Windows), or the ftp / lftp command-line tools.
- Enter: server address (hostname or IP), port (default 21), username, and password.
- Select Passive (PASV) mode as the default — switch to Active only if specifically required by the server.
- For FTPS: choose "Require explicit FTP over TLS" in FileZilla's Site Manager. For SFTP: use protocol "SFTP – SSH File Transfer Protocol" (port 22).
11. Common Use Cases
| Use Case | How FTP Is Used | Recommended Protocol |
|---|---|---|
| Web hosting management | Developers upload HTML, CSS, and assets to web servers | FTPS or SFTP |
| Automated backup jobs | Scripts use FTP to push database dumps or log archives to a remote storage server nightly | SFTP with key-based authentication |
| Public file distribution | Software mirrors, open datasets, and public archives served via anonymous FTP | Anonymous FTP (read-only, isolated directory) |
| Large file transfer between departments | Bulk data exchange between internal systems where email attachments are impractical | FTPS on internal network; SFTP if crossing untrusted segments |
| Network device configuration management | Routers and switches use FTP/TFTP to save and restore config files and IOS images | TFTP for internal lab; SFTP for production environments |
12. Troubleshooting FTP Issues
| Symptom | Possible Cause | Troubleshooting Steps |
|---|---|---|
| Connection refused on port 21 | FTP service not running, firewall blocking port 21, wrong IP | Verify service is running (systemctl status vsftpd); confirm firewall allows TCP 21 inbound; check the server address |
| Login rejected (530 Not Logged In) | Wrong credentials, account disabled, anonymous login disabled | Verify username/password; check /etc/vsftpd/user_list; confirm the account is not locked |
| Directory listing hangs or times out | Data connection failing — typically a mode or firewall issue | Switch from active to passive mode (or vice versa); check that the passive port range is open in the server's firewall |
| 550 Permission Denied on upload | Write permission not granted for the directory or user | Check directory ownership and permissions (ls -la /path/to/dir); verify write_enable=YES in vsftpd.conf |
| Active mode works but passive fails | Server's passive port range not open in firewall, or pasv_address not set correctly (server behind NAT) | Confirm passive port range in vsftpd.conf; open that range in the firewall; set pasv_address to the server's public IP if behind NAT |
| Passive mode works but active fails | Client-side firewall or NAT blocking the inbound data connection from the server | This is expected behind NAT. Use passive mode. If active is required, enable FTP ALG on the client-side NAT/firewall device. |
13. Example Scenario — End-to-End FTP Session
John manages a website and needs to upload updated HTML files to his hosting server at ftp.mywebsite.com. His office uses NAT, so incoming connections from the server would be blocked by the router.
Step 1: John opens FileZilla and connects to ftp.mywebsite.com
→ FileZilla opens control connection: TCP SYN to 203.0.113.50:21
← Server: 220 Service ready
Step 2: Authentication
→ Client: USER john
← Server: 331 Password required
→ Client: PASS ●●●●●●●● (sent in plaintext — use FTPS in production!)
← Server: 230 Login successful
Step 3: FileZilla requests passive mode for directory listing
→ Client: PASV
← Server: 227 Entering Passive Mode (203,0,113,50,195,80)
Decoded: IP = 203.0.113.50, Port = (195×256)+80 = 50000
→ Client opens data connection: TCP SYN to 203.0.113.50:50000
Step 4: Directory listing
→ Client: LIST
← Server sends listing over data connection
← Server: 226 Directory send OK (data connection closed)
Step 5: Upload file
→ Client: PASV (new data connection for each transfer)
← Server: 227 Entering Passive Mode (203,0,113,50,195,81) → port 50001
→ Client opens data connection to port 50001
→ Client: STOR index.html
→ Client sends file content over data connection
← Server: 226 Transfer complete
Step 6: Logout
→ Client: QUIT
← Server: 221 Goodbye
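The same session run for real over loopback, as an added example that is not part of the original page: a deliberately minimal FTP server (passive mode only, just the commands the session needs, a constructed user database and file list, not vsftpd) in one thread, and Python's standard-library ftplib as the client. The loopback address, the kernel-chosen ports standing in for 21 and the passive range, and the credentials are assumptions for the demo. The control connection carries every command and reply; each listing, download and upload gets its own PASV exchange and its own short-lived data connection, and ftplib ignores the address in the 227 reply in favour of the control connection's peer.

```python
"""The Section 13 session end to end: a minimal passive-mode FTP server on loopback, driven by ftplib."""
import socket
import threading
from ftplib import FTP, error_perm
from io import BytesIO

FILES = {"index.html": b"<h1>hello</h1>\n"}   # constructed demo "filesystem"
CREDS = {"john": "secret123"}                 # constructed demo user database

def listen_loopback() -> socket.socket:
    """Listening socket on 127.0.0.1 with a kernel-chosen port; used for control and data."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock

def serve_control(ctrl: socket.socket) -> None:
    """Handle one control connection: passive mode only, one data connection per transfer."""
    wire = ctrl.makefile("rwb")
    def reply(text: str) -> None:            # 3-digit code, space, text, CRLF
        wire.write(text.encode() + b"\r\n")
        wire.flush()
    user, logged_in, data_listener = None, False, None
    reply("220 demo FTP server ready")
    while True:
        raw = wire.readline()
        if not raw:
            break
        verb, _, arg = raw.decode().rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg
            reply("331 Password required")
        elif verb == "PASS":
            logged_in = CREDS.get(user) == arg   # the password arrived in cleartext
            reply("230 Login successful" if logged_in else "530 Login incorrect")
        elif verb == "QUIT":
            reply("221 Goodbye")
            break
        elif not logged_in:
            reply("530 Please login with USER and PASS")
        elif verb == "TYPE":
            reply("200 Type set")
        elif verb == "PASV":
            data_listener = listen_loopback()
            ip, port = data_listener.getsockname()
            reply("227 Entering Passive Mode (%s,%d,%d)" % (ip.replace(".", ","), port // 256, port % 256))
        elif verb in ("LIST", "NLST", "RETR", "STOR"):
            if data_listener is None:
                reply("425 Use PASV first")
            elif verb == "RETR" and arg not in FILES:
                reply("550 File not found")
            else:
                reply("150 Opening data connection")
                data, _ = data_listener.accept()  # the client connected right after our 227
                data_listener.close()
                data_listener = None
                if verb in ("LIST", "NLST"):
                    data.sendall("".join(f"{name}\r\n" for name in FILES).encode())
                elif verb == "RETR":
                    data.sendall(FILES[arg])
                else:                             # STOR: read until the client closes the data connection
                    FILES[arg] = b"".join(iter(lambda: data.recv(4096), b""))
                data.close()                      # the data connection lives for one transfer only
                reply("226 Transfer complete")
        else:
            reply("502 Command not implemented")
    wire.close()
    ctrl.close()

def run_session() -> dict:
    """Start the server in a thread and replay John's session against it; return what the client got."""
    listener = listen_loopback()
    ctrl_port = listener.getsockname()[1]        # stands in for TCP 21
    def accept_one() -> None:
        conn, _ = listener.accept()
        listener.close()
        serve_control(conn)
    server = threading.Thread(target=accept_one, daemon=True)
    server.start()
    ftp = FTP(timeout=5)
    ftp.connect("127.0.0.1", ctrl_port)          # control connection; reads the 220 banner
    try:
        ftp.login("john", "wrong-password")      # USER/PASS answered with 530
        bad_login_rejected = False
    except error_perm:
        bad_login_rejected = True
    ftp.login("john", "secret123")               # USER/PASS answered with 230
    listing = ftp.nlst()                         # TYPE A, PASV, data connect, NLST, 150 ... 226
    downloaded = BytesIO()
    ftp.retrbinary("RETR index.html", downloaded.write)   # fresh PASV and data connection
    ftp.storbinary("STOR notes.txt", BytesIO(b"uploaded\n"))
    ftp.quit()                                   # QUIT, 221, control connection closed
    server.join(timeout=5)
    return {"bad_login_rejected": bad_login_rejected, "listing": listing,
            "downloaded": downloaded.getvalue(), "stored": FILES.get("notes.txt")}

if __name__ == "__main__":
    print(run_session())
```

Run it with `ftp.set_debuglevel(2)` added before `connect` to print every line of the control exchange, which matches the step-by-step trace above apart from the ports. Sniffing loopback during the run shows the password in the clear, which is the whole of Section 7 in one packet.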
14. Exam Tips & Key Points
- FTP uses TCP port 21 for the control connection (always) and TCP port 20 for the data connection in active mode only.
- In active mode, the server initiates the data connection back to the client — this is what firewalls and NAT devices block.
- In passive mode, the client initiates all connections — preferred behind NAT and firewalls. Modern FTP clients default to passive.
- Standard FTP sends everything — including username and password — in cleartext. It provides no encryption or integrity checking.
- FTPS wraps FTP in SSL/TLS (same FTP commands, encrypted); SFTP is a completely different protocol running over SSH on port 22.
- Know the key FTP commands: USER, PASS, LIST, RETR (download), STOR (upload), PASV, PORT, QUIT.
- Server response code ranges: 2xx = success, 3xx = needs more info, 4xx = temporary failure, 5xx = permanent failure. Common codes: 220 (ready), 230 (logged in), 331 (need password), 550 (permission denied).
- If directory listings hang or data transfers fail, suspect a firewall/NAT mode mismatch — try switching between active and passive.
15. Summary
| Aspect | FTP Behaviour / Detail |
|---|---|
| OSI Layer | Layer 7 — Application Layer |
| Transport Protocol | TCP (reliable, connection-oriented) |
| Control Port | TCP 21 (always, both modes) |
| Data Port | TCP 20 (active) / random high port (passive) |
| Active Mode Data Initiator | Server — problematic behind client firewalls and NAT |
| Passive Mode Data Initiator | Client — preferred; all connections are outbound from the client |
| Encryption | None (standard FTP); TLS (FTPS); SSH (SFTP) |
| Secure Replacement | SFTP (port 22, SSH) for new deployments; FTPS where FTP is already in use |
| Key Commands | USER, PASS, LIST, RETR, STOR, PASV, PORT, QUIT |
| Anonymous FTP | Login with USER anonymous and any string (conventionally an email address) as the password; restrict to read-only access on a dedicated directory |