Port 989: FTPS data

Implicit FTPS data channel. Less common than explicit FTPS on 21 with negotiated TLS.

Where you will see it: In scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

TCP port 989 is associated with the data channel for implicit FTPS in some deployments. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host. A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections.

The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate. Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network.

FTPS is FTP with TLS, but FTP keeps its classic two-connection design: one channel for control commands and another for data. In older implicit FTPS setups, the control channel used port 990 and the data channel used port 989, with TLS expected immediately on those ports.

Many modern environments prefer explicit FTPS on port 21, where TLS is negotiated, or SFTP on port 22, because it simplifies firewalling and reduces the number of moving parts. The real-world implication is that even when encryption is present, FTP-style data connections can still require extra ports and careful NAT handling, so seeing 989 open should trigger a check that the transfer method is still necessary and properly restricted.

How it works in broad strokes

  1. Client and server establish TLS-protected control and data connections according to the FTPS mode used.
  2. Data transfers occur over a dedicated connection that may use port 989 in implicit setups.
  3. Firewalls must still allow the negotiated data flows, often across dynamic ranges.

Concrete example

A partner insists on implicit FTPS. Your firewall team has to allow a predictable set of ports and confirm that the data channel really negotiates as expected, otherwise transfers fail intermittently.
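One way to confirm that the data channel negotiates as expected is to check the server's passive-mode replies (227 for PASV, 229 for EPSV) from a client debug log against the documented firewall range. With FTPS the control channel is encrypted, so the firewall cannot read these replies itself. This is an added example, not part of the original page; the port range 50000-50100, the address 203.0.113.10, and the sample replies are constructed assumptions.

```python
import ipaddress
import re

# Assumed values for illustration: the passive range documented for the
# firewall and the public address the server should advertise.
ALLOWED_PORTS = range(50000, 50101)          # 50000-50100 inclusive
EXPECTED_HOST = ipaddress.ip_address("203.0.113.10")

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def parse_data_endpoint(reply):
    """Return (host or None, port) from a 227/229 reply, or None if neither."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        # The port is sent as two bytes: high byte p1, low byte p2.
        return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return None, int(m.group(1))   # EPSV reuses the control-channel address
    return None

def check_reply(reply):
    """List the problems a firewall/NAT team would care about for one reply."""
    endpoint = parse_data_endpoint(reply)
    if endpoint is None:
        return ["not a passive-mode reply"]
    host, port = endpoint
    problems = []
    if port not in ALLOWED_PORTS:
        problems.append(f"data port {port} outside documented range")
    if host is not None and host != EXPECTED_HOST:
        kind = "private" if host.is_private else "unexpected"
        problems.append(f"advertises {kind} address {host}")
    return problems

# Constructed sample replies, as a client debug log would show them.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,195,100)",   # 195*256+100 = 50020
    "227 Entering Passive Mode (10,0,0,5,195,100)",       # internal address behind NAT
    "227 Entering Passive Mode (203,0,113,10,234,96)",    # 234*256+96 = 60000
    "229 Entering Extended Passive Mode (|||50050|)",
]

if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        print(line, "->", check_reply(line) or "ok")
```

A reply that advertises an internal address or a port outside the allowed range is the usual cause of transfers that log in successfully and then hang on the first listing or file.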

Why it matters

This port matters because FTPS still inherits FTP's separate data channel behavior. Even when encrypted, it can be painful with firewalls and NAT. When you see 989 open, validate whether the service is required and whether a simpler transfer method would reduce attack surface.

Security angle

  • Prefer SFTP or HTTPS-based transfers for simplicity and fewer firewall surprises.
  • If FTPS is required, document and restrict the port ranges and enforce strong TLS.
  • Monitor for brute force and unusual transfer patterns.

Common pitfalls

  • Assuming FTPS is a single-port service and forgetting the extra data connection.
  • Misconfigured TLS that allows old versions or weak ciphers.
  • Leaving legacy implicit FTPS open when modern clients use explicit FTPS or SFTP.