File Transfer Protocol (FTP)
File Transfer Protocol, or FTP, has been around since the 70s. It is the grandpa of internet file sharing. FTP is used to transfer files to and from an FTP server. Although there are many other ways to transfer files to and from a server nowadays, FTP is still often used to update files on a website.
The original FTP is not encrypted and thus poses a high security risk. There is a secure version of FTP which I will look at later in the video. If you use standard FTP, nothing is encrypted. Thus, if an attacker can position themselves between the user and the FTP server, they can intercept any data that travels between the two.
This includes usernames, passwords and any other data. Keep this in mind if you ever use it. If you can’t afford to lose the data, don’t use it. Don’t use passwords that you use for other accounts or on production systems.
Because of these security concerns, standard FTP is not used much nowadays. If I were going to use it at all, I would only use it on test networks or to host public data with anonymous usernames and passwords.
Before I look at the secure versions, I will first look at what ports standard FTP uses since you need to know them.
FTP Ports
FTP uses ports 20 and 21. For the exam, you will most likely only be required to know which ports are used with FTP. Port 21 is the control channel and is used to send commands. Port 20 is used to send data. For the exam, you are unlikely to be expected to remember which port is which. An exam question may list a port number and, to answer, you will need to know which service goes with that port.
Passive/Active Mode
I will have a look at passive and active modes. It is very doubtful you will get a question on this, but being aware of this can help in troubleshooting. To understand how it works, let’s first consider active mode.
In this example, a user’s computer is connecting to an FTP server. To do this, the user’s computer connects to the FTP server on port 21. When a device makes a connection over IP, it takes the source port from a pool of port numbers. These are higher than the well-known port numbers and are often referred to as dynamic or private ports. Since the user’s computer is initiating the connection, it does not need to use a specific source port, but it must connect to a specific port on the server; otherwise, the server does not know which service the user is trying to reach.
If there is a firewall between the two, this will need to be configured to allow port 21 through. When a data transfer is set up between the user and the FTP server, the user will open a dynamic port for the data transfer. This port is generally chosen at random from a pool to increase security. The dynamic port chosen will be sent to the FTP server using the control channel. The server will then use port 20 to make a connection back to the dynamic port.
This worked well in the early days of FTP. However, when Network Address Translation, or NAT, came into use, it caused problems. NAT is a method that allows a single IP address to be shared by multiple computers. It does this by changing the port numbers of the connection as it passes through, so the port the client advertised over the control channel is no longer the one the server can reach, which breaks active mode.
To help address this problem, passive mode was added to FTP. Passive mode starts off the same as active mode. Once the connection is made, the user sends a command to the FTP server to change the connection to passive mode.
Once in passive mode, the FTP server opens a dynamic port and tells the user’s computer which port this is. The user’s computer then connects to that dynamic port on the FTP server. Since the connection is initiated from the user’s computer, it does not matter if NAT changes the source port.
The main takeaway is that passive mode works better with modern firewalls and NAT. If you are having problems transferring files with FTP, switch it to passive mode. The good news is that modern FTP software will switch modes automatically, so generally you don’t need to worry about it.
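As an added illustration (not code from the video or from WinSCP), the following Python simulates the control-channel exchange that sets up the data channel in both modes, using the PORT command and 227 reply formats from RFC 959. The addresses and ports are constructed sample values, and `seen_from` stands for the source address the server observes on port 21.

```python
import re

# RFC 959 carries an address and port as six decimal bytes, h1,h2,h3,h4,p1,p2,
# with port = p1*256 + p2. Both the PORT command and the 227 reply use it.
ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_host_port(ip: str, port: int) -> str:
    """Encode an IPv4 address and port in the h1,h2,h3,h4,p1,p2 form."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def decode_host_port(text: str) -> tuple[str, int]:
    """Parse h1,h2,h3,h4,p1,p2 out of a PORT command or a 227 PASV reply."""
    m = ADDR_RE.search(text)
    if m is None:
        raise ValueError("no address in: " + text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in: " + text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def negotiate(mode: str, client_ip: str, client_port: int, seen_from: str,
              server_ip: str, server_port: int) -> dict:
    """Simulate the control exchange that sets up the data channel. client_ip
    is the address the client believes it has; seen_from is the source address
    the server sees on port 21 (different when the client is behind NAT)."""
    if mode == "active":
        # Client tells the server where to call back; the server then
        # connects from port 20 to that address.
        cmd = "PORT " + encode_host_port(client_ip, client_port)
        ip, port = decode_host_port(cmd)
        # Behind NAT the client advertises its private address, so the
        # server's call-back goes to an address it cannot reach.
        return {"control": [cmd, "200 Command okay."], "initiator": "server",
                "target": (ip, port), "nat_safe": ip == seen_from}
    if mode == "passive":
        # Client asks the server to listen; the server answers with the
        # dynamic port it opened and the client connects to it.
        reply = "227 Entering Passive Mode (%s)." % encode_host_port(server_ip, server_port)
        ip, port = decode_host_port(reply)
        # The client initiates, so NAT rewriting its source port is harmless.
        return {"control": ["PASV", reply], "initiator": "client",
                "target": (ip, port), "nat_safe": True}
    raise ValueError("mode must be 'active' or 'passive'")
```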
Secure FTP (SFTP)
In the modern world, if you are going to use FTP, it will most likely be Secure FTP or SFTP. SFTP uses Secure Shell Protocol or SSH to encrypt the FTP traffic. So, the FTP protocol has not changed, but it is sent to the destination using a secure tunnel.
If you consider a user connecting to an FTP server, a secure SSH tunnel is created between the user and the FTP server. The control and data channels are sent through this tunnel. Thus, all the traffic is sent over port 22. Port 20 and port 21 are not used for SFTP. If you are using SFTP, you only need to worry about making sure your firewall allows port 22 through.
Since the tunnel is encrypted, an attacker won’t be able to copy any data traveling over the tunnel. Nowadays, standard FTP is rarely used. If you do use it on your network, keep in mind the security risk, as any usernames, passwords or data can be captured by an attacker. If you are going to use anything you want to keep secure, including usernames and passwords, use alternatives like Secure FTP.
In The Real World
In the real world, most of the time, FTP is used to upload files to a website, although this is starting to change. Your provider will have instructions on how to set it up. Sometimes, it is just a matter of enabling it, although some sites are more complicated, requiring a key file to be downloaded to your computer.
To make the process a little simpler, I would recommend using modern FTP software to make the connection for you. There is some good software out there. In this case I will be using the free software WinSCP.
I have already installed WinSCP on this computer. To connect to an FTP site, I will select the “New” tab. Software like this supports multiple ways to transfer files, so in the dropdown, you can see the other methods that it supports. I will select the option “FTP”.
The default port number is set to 21. It is possible for the FTP server to change the port from the default. When this is done, you just need to change the port number accordingly. I will next select the option “SFTP”. This will use Secure FTP, so the port will change to 22.
I have a local Secure FTP running on this computer, so I will enter in the loopback address to connect to it. I will next press login to connect to the server.
I have not connected to this FTP server before, so you will notice that I get a message saying the fingerprint could not be found. The fingerprint shown identifies the FTP server. SSH uses a public and private key to identify the server and create a secure tunnel. The fingerprint shown is a hash of the public key. The fingerprint won’t change unless the key pair changes.
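The following Python, added here and not part of the video, computes the fingerprint a client displays for a public key in OpenSSH's text format and checks it against a fingerprint obtained from the server's administrator out of band. The sample key is constructed from arbitrary bytes, and `build_key_line` exists only to make that sample.

```python
import base64
import hashlib
import hmac
import struct


def build_key_line(algorithm: str, raw_key: bytes, comment: str = "") -> str:
    """Assemble an OpenSSH public-key line (algorithm, base64 blob, comment).
    Used only to construct a sample; a real host key comes from the server."""
    parts = (algorithm.encode(), raw_key)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "%s %s %s" % (algorithm, base64.b64encode(blob).decode(), comment)


def fingerprint(key_line: str) -> dict:
    """Return the fingerprints a client displays for a public key: OpenSSH's
    SHA256:<base64> form and the older MD5 colon-hex form. Both are hashes of
    the key blob, so they change only when the key pair changes."""
    algorithm, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with its own algorithm name; it must match the text field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != algorithm:
        raise ValueError("algorithm field does not match key blob")
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"sha256": "SHA256:" + sha,
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}


def verify_host_key(key_line: str, expected: str) -> bool:
    """Compare a presented host key with a fingerprint obtained out of band.
    Either form is accepted; the comparison is constant-time so the result
    does not depend on how many leading characters matched."""
    fps = fingerprint(key_line)
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return hmac.compare_digest(fps["sha256"], expected)
    return hmac.compare_digest(fps["md5"], expected.lower())


# Constructed sample key: 32 arbitrary bytes, not a real server's key.
SAMPLE_KEY = build_key_line("ssh-ed25519", bytes(range(32)), "constructed-sample")
```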
I will press login and enter a username. In this case anonymous access has been configured, so I will use the username anonymous. Once entered, I would normally need to enter a password. Since I am logging in anonymously, I don’t need to do so.
I will now be connected securely to the FTP server and will be able to transfer files to and from it.
When using FTP, remember that standard FTP is as secure as a screen door on a submarine. For anything you care about, use a secure transfer method like SFTP. Until the next video from us, thanks for watching.
Credits
Trainer: Austin Mason http://ITFreeTraining.com
Voice Talent: HP Lewis http://hplewis.com
Additional voice Talent: Stuart Thomas Hall https://www.imdb.com/name/nm12181561/
Quality Assurance: Brett Batson http://www.pbb-proofreading.uk