by Bryon D Beilman
I once worked for a consulting company that was growing very quickly and also prided itself on its very technical interviews. One of the members jokingly talked about someone's resume that listed FTP, and how FTP was so simple that there was nothing to discuss. I thought of this recently as I was trying to give a client information about how their firewall was not letting them use FTP, because it was using ACTIVE instead of PASV FTP. On top of that, setting up FTP servers can be done in many ways (some secure, and some not so secure), and so perhaps this fundamental File Transfer Protocol (FTP) service could use a little more explanation.
What is FTP?
FTP is the acronym for File Transfer Protocol (defined in RFC 959), and it runs strictly over TCP. It is an efficient way to move data between two hosts, and it is often used to transfer large files, especially over a WAN. Despite the temptation to send a 1 GB file by email, FTP is the better mechanism, because it was designed to do just that.
What about Ports?
FTP uses two ports: a 'command' (control) port and a 'data' port. Typically these are port 21 for the command port and port 20 for the data port, although, depending on how the server is implemented and configured, the data port may not be port 20. In the original mode, now called active mode, the client opens the control connection to port 21 and then sends a PORT command naming the address and port on the client side that should be used when the data is exchanged. The server then opens a second TCP connection from its own port 20 to the port the client named. The challenge with this arrangement is that the data connection is initiated by the server back to the client, on a port the client chose. If the client is behind a firewall (or NAT), an inbound connection to a random port will most likely be blocked, and the FTP session will appear not to work: the login succeeds, but the directory listing or transfer never arrives.
To get around this firewall problem, a second method was added, called passive mode (referred to as PASV, which is the command the client sends to tell the server it should use passive mode). In this mode, the client connects to port 21 as before and then issues a PASV command. The server replies (a 227 response) naming another port, typically an unprivileged port above 1024, that the client should connect to for the data transfer. Now the firewall rules that allow FTP to work have to be in place on the server's network instead: the client needs to reach the server on port 21 and on some port above 1024, and the server side must accept that inbound connection. Some FTP servers let you pin the range of passive ports that will be handed out (vsftpd's pasv_min_port and pasv_max_port, for example), which makes it much easier to write a tight firewall rule. Many modern firewalls that inspect packet contents make this work by opening connection-based rules: if you allow FTP in to your server, the firewall watches the port 21 control channel, reads the port N announced in the PASV reply, and permits the client's connection to port N for that session only. The same inspection can be applied to the PORT command for active mode, but it stops working as soon as the control channel is encrypted (FTPS), because the firewall can no longer read the port being announced.
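The bookkeeping described in the two paragraphs above, written out as an added example (this is not code from the original post). It walks a constructed control-channel transcript the way an FTP-aware firewall does, decodes the h1,h2,h3,h4,p1,p2 tuples carried by both the PORT command and the 227 reply, and reports, for each transfer, which side opens the data connection and to where. The addresses, file names and the `track_data_connections` / `firewall_rule` helpers are all assumptions made for the example.

```python
"""FTP data-connection bookkeeping, the way an FTP-aware firewall does it.

Added example for this article, not code from the original post. It reads a
control-channel transcript and works out, for every transfer, which side
opens the data connection and to where. All addresses and messages below
are constructed for the example.
"""
import re
from typing import NamedTuple, Tuple


class DataConnection(NamedTuple):
    mode: str              # "active" or "passive"
    initiator: str         # "server" or "client": the side that opens the TCP connection
    src: str               # where the connection comes from (port fixed only in active mode)
    dst: Tuple[str, int]   # address and port the initiator connects to


# h1,h2,h3,h4,p1,p2 is the encoding used by both the PORT command and the 227 reply
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text: str) -> Tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {text!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def track_data_connections(transcript, client_ip, server_ip):
    """Walk (direction, line) pairs from the port 21 control channel and return
    one DataConnection per transfer. direction is 'C' for a client command and
    'S' for a server reply."""
    conns = []
    pending = None  # endpoint announced by PORT or 227, consumed by the next transfer command
    for direction, line in transcript:
        line = line.strip()
        if direction == "C" and line.upper().startswith("PORT "):
            host, port = decode_host_port(line[5:])
            # Sanity checks a firewall or server should apply: the client may only
            # ask for a connection back to itself, and never to a privileged port.
            if host != client_ip:
                raise ValueError(f"PORT names {host}, but the client is {client_ip}")
            if port < 1024:
                raise ValueError(f"PORT asks for privileged port {port}")
            pending = DataConnection("active", "server", f"{server_ip}:20", (host, port))
        elif direction == "S" and line.startswith("227"):
            host, port = decode_host_port(line)
            if host != server_ip:
                raise ValueError(f"227 names {host}, but the server is {server_ip}")
            pending = DataConnection("passive", "client", client_ip, (host, port))
        elif direction == "C" and line.split(" ")[0].upper() in ("RETR", "STOR", "LIST", "NLST"):
            if pending is None:
                raise ValueError(f"{line!r} without a preceding PORT or PASV")
            conns.append(pending)
            pending = None
    return conns


def firewall_rule(conn: DataConnection) -> str:
    """Describe the rule the firewall in front of the destination side must hold."""
    host, port = conn.dst
    return (f"allow tcp from {conn.src} to {host}:{port} "
            f"({conn.mode} mode, opened by the {conn.initiator})")


# Constructed transcript: one active-mode transfer, then one passive-mode transfer.
SAMPLE = [
    ("S", "220 ftp.example.test ready"),
    ("C", "USER alice"), ("S", "331 Password required"),
    ("C", "PASS secret"), ("S", "230 Logged in"),
    ("C", "PORT 192,168,1,10,4,1"),                           # 4*256 + 1 = 1025
    ("S", "200 PORT command successful"),
    ("C", "RETR report.pdf"),
    ("S", "150 Opening data connection"), ("S", "226 Transfer complete"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,5,195,80)"),  # 195*256 + 80 = 50000
    ("C", "LIST"),
    ("S", "150 Here comes the directory listing"), ("S", "226 Directory send OK"),
]

if __name__ == "__main__":
    for c in track_data_connections(SAMPLE, "192.168.1.10", "203.0.113.5"):
        print(firewall_rule(c))
```

Run as-is it prints two rules: the active-mode one says the server's port 20 must be allowed in to 192.168.1.10:1025 (a rule the client-side firewall usually does not have), and the passive-mode one says the client must be allowed in to 203.0.113.5:50000 (a rule the server-side firewall needs, or must open dynamically after reading the 227 reply). The checks on the announced address are the same ones a firewall helper should enforce before it opens a hole on someone's say-so.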
Security?
The other interesting twist on FTP is setting up servers that use chrooted environments. Chroot changes a process's view of the filesystem root, so that if someone were to break into an FTP account they would see only the self-contained FTP directory tree and never the rest of the operating system's files. A command such as cd / would take you to the base of the FTP area, not to the real root of the host. One caveat: chroot confines filesystem access, not privilege. A process that is still running as root can escape a chroot, so the FTP daemon has to drop privileges once it has chrooted. FTP has been the basis for many security problems in the past, so this was one way to harden an otherwise unencrypted protocol. Other things I will not get into, but only mention, are SFTP and FTPS, which were created to encrypt the traffic, including the usernames and passwords that plain FTP sends in the clear. Note that the two are different protocols: FTPS is FTP with the control and data channels wrapped in SSL/TLS, whereas SFTP is a separate file transfer protocol that runs over SSH and shares nothing with FTP but the name.
So FTP, as simple as it sounds, has more to it than you might imagine. I have helped our clients with issues where FTP works on Linux but not on Windows to some specific FTP server, and it has typically come down to whether the client used PASV or not.