Ports

Port 20: FTP data

Legacy FTP data channel in active mode. Often blocked on modern networks.

Where you will see it: in scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

TCP port 20 is traditionally the FTP data port in active mode. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host. A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections.

The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate. Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network.

FTP is unusual because it uses two separate TCP connections: a control session on port 21 for commands and replies, and a separate data connection for directory listings and file contents. In active mode the client tells the server which client port to connect back to, and the server initiates the data connection from its local port 20 to that client port.

In passive mode the server instead chooses a high port and the client connects to it, which is why FTP is famous for being tricky with firewalls and NAT. So when you see port 20, think active mode transfers and the broader fact that FTP opens extra connections beyond the initial login channel.

How it works in broad strokes

  1. Client connects to the server control service on port 21 and negotiates an active transfer (PORT or EPRT).
  2. Server opens a new TCP connection from its port 20 to a client-specified address and port.
  3. The data connection carries the file or listing, then closes, while the control connection stays up.
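The steps above can be made concrete by deriving the active-mode data flow from the PORT or EPRT command the client sends. The following is an added example, not part of the original page: it parses the PORT (RFC 959 h1,h2,h3,h4,p1,p2 form) and EPRT (RFC 2428, assumed "|" delimiter) requests, computes the server:20 to client:port flow a firewall must allow, and flags when the requested address differs from the control connection's peer, since a rule keyed on that peer would not cover it. The server address, the control peer address and the sample commands are constructed.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

FTP_DATA_PORT = 20  # server-side source port of an active-mode data connection

class DataFlow(NamedTuple):
    src_ip: str        # FTP server (it initiates the data connection)
    src_port: int      # 20 in active mode
    dst_ip: str        # address the client asked the server to connect to
    dst_port: int      # port the client asked the server to connect to
    matches_control_peer: bool  # requested address == control connection peer?

_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
# EPRT |<1=IPv4, 2=IPv6>|<address>|<port>|  ("|" delimiter assumed for this example)
_EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d{1,5})\|\s*$", re.IGNORECASE)

def parse_active_request(cmd: str, server_ip: str, control_peer_ip: str) -> Optional[DataFlow]:
    """Translate a PORT/EPRT control command into the expected active data flow.

    Returns None for malformed requests so callers never build a rule from bad input.
    """
    m = _PORT_RE.match(cmd)
    if m:
        fields = [int(x) for x in m.group(1).split(",")]
        if any(f > 255 for f in fields):
            return None
        dst_ip = ".".join(str(x) for x in fields[:4])
        dst_port = fields[4] * 256 + fields[5]  # p1 is the high byte, p2 the low byte
    else:
        m = _EPRT_RE.match(cmd)
        if not m:
            return None
        proto, dst_ip, dst_port = m.group(1), m.group(2), int(m.group(3))
        try:
            addr = ipaddress.ip_address(dst_ip)
        except ValueError:
            return None
        if (proto == "1") != (addr.version == 4):  # protocol field must match the address
            return None
    if not 1 <= dst_port <= 65535:
        return None
    return DataFlow(server_ip, FTP_DATA_PORT, dst_ip, dst_port, dst_ip == control_peer_ip)

def firewall_rule(flow: DataFlow) -> str:
    """Render the explicit allow rule the active data flow needs (generic syntax)."""
    return f"allow tcp {flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port}"

if __name__ == "__main__":
    # Constructed control-session commands from a client at 192.168.1.10 to server 10.0.0.5
    for cmd in ("PORT 192,168,1,10,4,1", "EPRT |1|192.168.1.10|50000|", "PORT 1,2,3"):
        flow = parse_active_request(cmd, "10.0.0.5", "192.168.1.10")
        print(cmd, "->", firewall_rule(flow) if flow else "malformed request")
```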

Concrete example

A legacy build server still pulls artifacts from an FTP host. The control session is on 21, but the file itself arrives on a separate connection created by the server, which is why the firewall needs an explicit rule for the active data flow.

Why it matters

When you see port 20 open, it usually means legacy FTP is in play, or a firewall rule is overly permissive. It matters because FTP was designed before encryption was the default, and the two-channel design often creates firewall and NAT surprises.

Security angle

  • Prefer SFTP or HTTPS-based transfers for the internet. If FTP must exist, restrict it to internal networks.
  • Disable active mode unless you have a strong reason and an explicit firewall policy for it.
  • Monitor for anonymous access and unexpected uploads and downloads.

Common pitfalls

  • Assuming port 20 always carries data. Many FTP deployments use passive mode, where data uses a server-chosen high port instead.
  • NAT and firewalls dropping the server initiated connection in active mode.
  • Treating FTP as a one-port service and forgetting the extra data flow.