Ports

Port 21: FTP control

Classic FTP command channel. The data flow is separate and often uses other ports.

Where you will see it: scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify that the service is expected, hardened, and restricted.

What it is

TCP port 21 is the classic FTP control port. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host.

A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections. The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate.

Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network. An FTP server listens on port 21 for the control session, where the client logs in and sends commands to list directories, change directory, and request file transfers.

The control connection is not where file data normally travels. When a transfer starts, FTP opens a second TCP connection for the actual data, either server-initiated in active mode or client-initiated to a server-chosen port in passive mode.

That two-channel design is the practical reason port 21 often shows up together with other ports in firewall rules. From a security standpoint, an exposed FTP control port usually means credentials and file transfer behavior are reachable from the network, which makes it an attractive target for brute force and a frequent source of misconfiguration.

How it works in broad strokes

  1. Client opens a TCP connection to port 21 and exchanges commands and replies.
  2. For each transfer, FTP creates a separate data connection (active mode uses server port 20, passive mode uses a server-chosen high port).
  3. The server enforces permissions and filesystem actions, then closes the data connection after each transfer.

Concrete example

You run a vulnerability scan and see port 21 open. A quick check in a packet capture shows USER and PASS in cleartext, which is a clear signal to migrate the workflow to SFTP or to enforce TLS.
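As an added example (not code from the original page), here is a small Python checker that walks a control-session transcript like the one a packet capture would show: it flags USER/PASS sent before a successful AUTH TLS, and decodes 227 passive-mode replies into the server-chosen data port (p1 * 256 + p2) that the firewall has to allow for step 2 above. The transcript, host name and addresses are constructed for the example.

```python
import re

# Constructed FTP control session as a capture would show it ("C:" client,
# "S:" server). Not a real capture; 192.0.2.10 is a documentation address.
SAMPLE_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: LIST
"""

# 227 reply carries h1,h2,h3,h4,p1,p2: host octets then the port in two bytes.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def pasv_endpoint(reply):
    """Return (ip, port) from a 227 reply, or None; the data port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def audit_session(text):
    """Report cleartext logins and passive data endpoints seen on port 21.
    A login is cleartext unless AUTH TLS was accepted (234) before USER/PASS."""
    findings = {"cleartext_logins": [], "data_endpoints": []}
    tls_requested = tls_on = False
    user = None
    for line in text.splitlines():
        side, _, payload = line.partition(": ")
        if side == "C":
            cmd, _, arg = payload.partition(" ")
            cmd = cmd.upper()
            if cmd == "AUTH" and arg.upper() == "TLS":
                tls_requested = True
            elif cmd == "USER":
                user = arg
            elif cmd == "PASS" and not tls_on:
                findings["cleartext_logins"].append(user)
        elif side == "S":
            if tls_requested and payload.startswith("234"):
                tls_on = True  # later commands travel inside TLS
            endpoint = pasv_endpoint(payload)
            if endpoint:
                findings["data_endpoints"].append(endpoint)
    return findings
```

Running `audit_session(SAMPLE_SESSION)` reports the cleartext login for `alice` and the passive data endpoint 192.0.2.10:50000, the port range a firewall rule for this server would need to cover.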

Why it matters

Port 21 exposure is a common finding in scans. It matters because classic FTP sends credentials and data in cleartext unless it is wrapped in TLS, and because the separate data channel can punch holes through firewalls if misconfigured.

Security angle

  • Prefer SFTP or HTTPS. If you must use FTP, use explicit FTPS with strong TLS and disable plaintext logins.
  • Restrict by IP and require strong credentials and auditing.
  • Harden the server and disable anonymous access unless you truly need it.

Common pitfalls

  • Leaving plain FTP reachable from untrusted networks.
  • Forgetting that passive mode requires a predictable port range to be allowed through firewalls.
  • Assuming strong authentication. Many FTP servers are configured with weak or shared accounts.