FTP Passive Port Range Standard?


FTP Protocol Standards

In terms of unauthenticated access being allowed to connect to your FTP server via an open data channel port on the listening FTP server, as per RFC 959:

  • server-PI

The server protocol interpreter "listens" on Port L for a connection from a user-PI and establishes a control communication connection. It receives standard FTP commands from the user-PI, sends replies, and governs the server-DTP.

Source

This means the listening FTP server is expected to follow the standard FTP server protocol, so if your FTP server requires authentication then it'll only allow a connection on an opened passive port that it chose to use for the data channel connection after user-PI authentication is established.

  • control connection

The communication path between the USER-PI and SERVER-PI for the exchange of commands and replies. This connection follows the Telnet Protocol.

PI

The protocol interpreter. The user and server sides of the protocol have distinct roles implemented in a user-PI and a server-PI.

Source


FTP Security

Using plain FTP for communication and data exchange is insecure, since anything that can read the packets can see your data, so consider using SSH FTP or FTP SSL to add encryption at this level.

Furthermore as per RFC 959:

  • The protocol requires that the control connections be open while data transfer is in progress. It is the responsibility of the user to request the closing of the control connections when finished using the FTP service, while it is the server who takes the action. The server may abort data transfer if the control connections are closed without command.

Source

So be sure the FTP server is configured with a short timeout period; this should help get disconnected user sessions and data channel ports closed more quickly.


Port Security

Consider using a high port range such as 40000-45000 and have your firewall network appliance rules configured to only allow that traffic to go to the FTP server, and put all the packets through a packet scanner for intrusion detection, etc., to thwart common attack patterns.

Don't use common ports if possible and look over the List of TCP and UDP port numbers.

Ensure that the FTP server is locked down even further for the ports you allow to be accessible from the Internet with OS level firewall rules, disable unnecessary services, and ensure you do not use ports in the passive range that you use for other services that are listening on this server.


FileZilla FTP Server Security

Read the Harden FileZilla FTP Server post and take advantage of these security features.

Author: Cade

Updated on September 18, 2022
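The answer's last point under Port Security (do not let the passive range overlap ports that other services on the same host already listen on) is the kind of thing worth checking mechanically before opening the range on the firewall. The script below is an added example, not code from the original post or from FileZilla: it parses `ss -ltn`-style output (the sample output is constructed, not a real capture), reports any listening TCP port that falls inside a candidate passive range, notes the range's capacity (each concurrent passive data transfer occupies one port), and emits the matching nftables rule fragment. The server address `192.0.2.10` is a documentation address used as a placeholder.

```python
"""Check a planned FTP passive port range against what is already listening.

Added example (not from the original post or from FileZilla): parses
`ss -ltn`-style output, flags listening TCP ports that fall inside the
passive range, and emits an nftables rule that only admits the range to
the FTP host. SAMPLE_SS_OUTPUT is constructed, not captured from a real host.
"""
import re
import subprocess

# Constructed sample of `ss -ltn` output: SSH, FTP control, an RDP-style
# listener on 3389, and two services that happen to sit inside 40000-45000.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*
LISTEN  0       128     0.0.0.0:3389         0.0.0.0:*
LISTEN  0       511     [::]:40022           [::]:*
LISTEN  0       4096    127.0.0.1:44001      0.0.0.0:*
"""

_PORT_RE = re.compile(r":(\d+)$")  # trailing ":port" of "0.0.0.0:22" or "[::]:40022"


def parse_listening_ports(ss_text):
    """Return the set of local TCP ports in LISTEN state from `ss -ltn` output."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        match = _PORT_RE.search(fields[3])  # "Local Address:Port" column
        if match:
            ports.add(int(match.group(1)))
    return ports


def live_listening_ports():
    """Snapshot the real host (Linux with iproute2) instead of the sample."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True)
    return parse_listening_ports(out.stdout)


def check_passive_range(low, high, listening):
    """Compare a candidate passive range [low, high] with listening ports.

    Returns a dict with the sorted list of conflicting ports, the number of
    concurrent passive data connections the range can serve (one port each),
    and any warnings about the placement of the range.
    """
    if not (0 < low <= high <= 65535):
        raise ValueError("passive range must satisfy 0 < low <= high <= 65535")
    warnings = []
    if low < 1024:
        warnings.append("range includes well-known ports (< 1024); choose a higher range")
    conflicts = sorted(p for p in listening if low <= p <= high)
    return {"conflicts": conflicts, "capacity": high - low + 1, "warnings": warnings}


def nft_rule(low, high, server_ip):
    """nftables rule fragment: admit new connections to the passive range
    only when they are destined for the FTP server's address."""
    return f"ip daddr {server_ip} tcp dport {low}-{high} ct state new accept"


if __name__ == "__main__":
    listening = parse_listening_ports(SAMPLE_SS_OUTPUT)  # or live_listening_ports()
    report = check_passive_range(40000, 45000, listening)
    print("conflicting listeners inside the passive range:", report["conflicts"])
    print("concurrent passive transfers supported:", report["capacity"])
    for note in report["warnings"]:
        print("warning:", note)
    print(nft_rule(40000, 45000, "192.0.2.10"))  # placeholder documentation address
```

Against the constructed sample the 40000-45000 range collides with the listeners on 40022 and 44001, which is exactly the situation the comments below worry about: a port in the passive range that another program is already bound to would be reachable through the firewall hole opened for FTP. Swap `parse_listening_ports(SAMPLE_SS_OUTPUT)` for `live_listening_ports()` to run it against the real host, and re-run it whenever a new service is installed.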

Comments

  • Cade
    Cade almost 2 years

    So I know how to set all this up and there are numerous other posts with instructions. However I have a more specific question:

    Is there a STANDARD port range to be used for listening for passive FTP server? For example obviously I do not want to do 22-1000 or something. Other than just using a knowledge of what else is running on my machine, how do I determine which ports to use? I have seen on here a suggested range of 5000-5010 for example.

    Also bonus question. Is there a recommended NUMBER of ports to open? Filezilla simply offers the entire range from 0 - 65535 with no guidance (Or none I have found) suggesting what range or how many ports to use.

    • Cade
      Cade over 6 years
      The concern I have is if Filezilla doesn't lock these ports, then if some other program begins listening on those ports, I will be opening a security concern.
    • Cade
      Cade over 6 years
      My concern (probably a ridiculous one since I manage the server) is that, for example, if I didn't know any better and opened ports 3000-4000, then I just opened RDP to the world, since Filezilla isn't constantly listening on those ports and will not report a problem until it has 3889 more connections outbound. -- Anyway you should post as an answer so I can give you credit.
      My concern (Probably a ridiculous one since I manage the server) is that for example if I open didn't know any better and opened ports 3000-4000, then for example I just opened RDP to the world since Filezilla isn't constantly listening on those ports and will not report a problem until it has 3889 more connections outbound. -- Anyway you should post as an answer so I can give you credit.