FTP (File Transfer Protocol) on port 21 is a legacy file-transfer protocol from the 1970s. Port 21 carries the control connection (commands and replies); file data travels over a second connection, which in active mode the server opens from port 20 back to a client-chosen port, and in passive mode the client opens to a server-chosen port. FTP authentication and all data are sent in cleartext by default — usernames, passwords, file contents all observable to anyone on the network path.
In 2026, FTP should not exist as an internet-facing service. It has been comprehensively superseded by SFTP (SSH File Transfer Protocol, port 22) for authenticated transfers and HTTPS for public file downloads. The only remaining justifications for plain FTP are legacy compatibility with very old systems that cannot speak modern protocols — and those systems should be replaced or isolated, not accommodated indefinitely.
Beyond the cleartext credential problem, FTP has multiple historical attack vectors: FTP bounce attacks (using the PORT command to scan other systems through your FTP server), anonymous FTP misconfigurations (writeable anonymous shares used for malware staging), FTP protocol vulnerabilities in various server implementations, and credential brute force against weak passwords.
Five real-world scenarios involving port 21
External pentest — credential capture from FTP traffic
When FTP is in scope, the standard attack is to capture a successful login with tcpdump or Wireshark from a position on the network path. Even without that visibility, brute force against common credentials (anonymous/anonymous, ftp/ftp, admin/admin, ftpuser/ftpuser) frequently succeeds. Once authenticated, enumerate the file system for sensitive content: backup files, source code, and configuration with hardcoded credentials.
Bug bounty — anonymous FTP misconfigurations
Anonymous FTP is sometimes intentional for public file distribution but often misconfigured to allow uploads as well as downloads. Writeable anonymous shares get abused for malware staging, illegal content storage, and as command-and-control drop points. Reporting writeable anonymous FTP is sometimes a valid bug-bounty finding for security-conscious targets.
Incident response — FTP servers used for data exfiltration
Attackers sometimes use legitimate FTP services as exfiltration channels — outbound FTP to attacker-controlled servers blends with normal-looking traffic. Network logs showing unusual FTP outbound to external IPs warrant investigation. Many environments do not even monitor FTP because they assume nobody uses it; this gap helps attackers.
Legacy system assessment — finding FTP on internal networks
Internal pentest reconnaissance frequently finds FTP on network appliances (printers, NAS devices, routers, UPS management cards). Many of these have default credentials and writeable file systems. Such a device serves as a foothold for further lateral movement, or simply as a source of the configurations and credentials stored on it.
Migration planning — replacing FTP with SFTP across environment
For environments still relying on FTP, migration to SFTP is the standard upgrade path. SFTP uses the same SSH server (port 22), supports the same operations (upload, download, directory listing), and is supported by every major FTP client (FileZilla, WinSCP, Cyberduck). The migration itself is mechanical; the hard part is identifying all the dependent systems and updating their configurations.
Common mistakes & edge cases
Running plain FTP in 2026 because "we always have"
Inertia is the most common reason FTP persists. There is no technical justification: SFTP does everything FTP does, with encryption, on a single port, with broad client support. Migration is straightforward, and it is far less work than explaining after a breach why FTP credentials were captured in plaintext.
Confusing FTP, FTPS, and SFTP
FTP = plain FTP, port 21, no encryption. FTPS = FTP with TLS encryption added (explicit on port 21, where the client upgrades the connection with the AUTH TLS command in STARTTLS style; implicit on port 990). SFTP = SSH File Transfer Protocol, port 22, a completely different protocol that merely looks similar from the client's side. SFTP is the modern recommendation.
Allowing anonymous FTP without restricting writes
If anonymous FTP is intentional, restrict it to read-only. Anonymous + writeable equals public anonymous file storage that gets abused within hours of being discovered by scanners.
Active mode FTP through firewalls without proper handling
FTP active mode requires the server to initiate a back-connection from port 20 to a client-chosen port — incompatible with most modern firewall/NAT setups. Many environments default to passive mode but legacy clients sometimes require active mode, leading to confusing connection failures.
Reusing system credentials for FTP accounts
FTP often integrates with system user accounts — meaning the same credentials grant SSH access, system login, and FTP access. Compromise of FTP credentials via cleartext capture immediately compromises the whole account. Use FTP-only accounts (chroot jailed) if FTP must exist; better yet, use SFTP with key-based auth.
No monitoring of FTP authentication failures
FTP brute force is highly automated; common credentials are tried constantly. Without monitoring for failure patterns, the eventual successful guess goes undetected. Set up log monitoring for FTP authentication failures and for successful logins from unusual sources.
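An added example, not from the original page, of the monitoring this item calls for: a small Python analyser over constructed vsftpd-style log lines that flags a source exceeding a failure threshold, a success from a source that had been guessing, and a success from a source not on an allow-list of expected client addresses. The log format, the threshold and the known-source set are assumptions.

```python
import re
from collections import defaultdict

# Constructed vsftpd-style log lines for illustration (not captured traffic).
SAMPLE_LOG = """\
Mon Mar  4 09:12:01 2024 [pid 2101] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 09:12:02 2024 [pid 2102] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 09:12:03 2024 [pid 2103] [anonymous] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 09:12:04 2024 [pid 2104] [ftp] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 09:12:05 2024 [pid 2105] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 09:12:06 2024 [pid 2106] [ftpuser] OK LOGIN: Client "203.0.113.7"
Mon Mar  4 09:30:00 2024 [pid 2110] [backup] OK LOGIN: Client "10.20.0.15"
Mon Mar  4 09:31:00 2024 [pid 2111] [backup] FAIL LOGIN: Client "10.20.0.15"
"""

# vsftpd "OK LOGIN" / "FAIL LOGIN" records: timestamp, pid, user, result, client IP.
LOGIN_RE = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

def parse_logins(text):
    """Return one dict per login record; lines that are not logins are ignored."""
    return [m.groupdict() for m in map(LOGIN_RE.match, text.splitlines()) if m]

def analyse(events, known_sources, fail_threshold=5):
    """Return (kind, client_ip, detail) alerts; known_sources is an assumed allow-list."""
    fails = defaultdict(int)
    users_tried = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]] += 1
            users_tried[e["ip"]].add(e["user"])
    alerts = []
    for ip, n in fails.items():
        if n >= fail_threshold:
            alerts.append(("brute_force", ip,
                           f"{n} failures across {len(users_tried[ip])} usernames"))
    for e in events:
        if e["result"] != "OK":
            continue
        # A success from an address that was guessing is the event that usually goes unnoticed.
        if fails[e["ip"]] >= fail_threshold:
            alerts.append(("success_after_brute_force", e["ip"], f"user {e['user']}"))
        if e["ip"] not in known_sources:
            alerts.append(("success_from_unknown_source", e["ip"], f"user {e['user']}"))
    return alerts
```

Running `analyse(parse_logins(SAMPLE_LOG), {"10.20.0.15"})` yields three alerts for 203.0.113.7 and none for the expected backup host.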
Frequently Asked Questions about port 21
File Transfer Protocol — a 1970s file-transfer protocol that became ubiquitous and never fully died. Inertia keeps it alive in legacy systems. There is no technical reason for new FTP deployments in 2026; SFTP and HTTPS cover all use cases with better security.
FTP = plain protocol, no encryption, port 21. FTPS = FTP wrapped in TLS, ports 21 (explicit) or 990 (implicit). SFTP = SSH File Transfer Protocol, runs over SSH on port 22, completely different protocol. SFTP is the modern standard.
Plain FTP cannot be made secure — credentials and data are in cleartext by protocol design. The path is replacement: SFTP for authenticated transfers, FTPS if you specifically need FTP semantics with TLS, HTTPS for public downloads.
Historical pattern where FTP servers allowed login as user "anonymous" with email-as-password (purely cosmetic) for public file distribution. Useful in the 1990s; superseded by HTTPS for modern public file distribution. Configure strictly as read-only if it must exist.
Port 21 for control commands. Port 20 for data transfer in active mode (server initiates back-connection). Server-chosen high ports for data in passive mode. The two-port nature of FTP makes firewall configuration awkward.
Historical attack abusing FTP's PORT command to make the FTP server connect to arbitrary IP/port combinations — effectively using the FTP server as a proxy for port scanning or attacks against other targets. Modern FTP servers block this, but legacy implementations may still be vulnerable.
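As an added example (not from the original page), the following Python shows the two-port arithmetic behind the active/passive modes described in the firewall item and the port answer above, together with the server-side check that defeats the bounce attack: it decodes a PASV reply into the host and port the client must connect to, and validates a PORT command by requiring the data-connection address to match the client's own control-connection address and an unprivileged port (the mitigation from RFC 2577 that modern servers apply). The reply and command strings used are constructed.

```python
import re
from ipaddress import ip_address

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply; the data port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "PORT h1,h2,h3,h4,p1,p2" command sent by a client requesting active mode.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)

def decode_hostport(fields):
    """Turn the six comma-separated decimal fields into ('a.b.c.d', port)."""
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("host/port field outside 0-255")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_pasv_reply(reply):
    """Host and port the client connects to for data after a PASV reply."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    return decode_hostport(m.groups())

def validate_port_command(command, client_ip):
    """Server-side PORT check (RFC 2577 bounce mitigation). Returns (allowed, reason).

    The data connection is only permitted back to the address the control
    connection came from, and only to an unprivileged port.
    """
    m = PORT_RE.match(command)
    if not m:
        return False, "malformed PORT command"
    try:
        host, port = decode_hostport(m.groups())
    except ValueError as exc:
        return False, str(exc)
    if ip_address(host) != ip_address(client_ip):
        return False, f"PORT target {host} is not the client {client_ip}: bounce attempt rejected"
    if port < 1024:
        return False, f"PORT target port {port} is privileged: rejected"
    return True, f"data connection to {host}:{port} permitted"
```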
Server side: ensure SSH is running (it usually is on Linux), no additional software needed — SFTP uses the SSH server. Client side: most FTP clients (FileZilla, WinSCP, Cyberduck) support SFTP — just change the connection protocol setting. Update any automation scripts to use SFTP commands. Disable FTP service when migration is complete.
Rarely. Modern CI/CD uses HTTPS-based artifact registries (npm, PyPI, Docker registries), object storage (S3, GCS), or git-based deployments. Plain FTP in 2026 CI/CD pipelines is a sign of legacy infrastructure that should be modernised.
Trivial FTP — different protocol, port 69 UDP, no authentication, used historically for firmware updates and PXE boot. Often misconfigured to allow access from anywhere on a network. Even more legacy than FTP and even harder to defend in 2026 production environments.
Network scan: nmap -p 21 192.168.0.0/16 identifies FTP-listening hosts. For comprehensive sweep including non-standard ports: nmap -p 21,990,2121 192.168.0.0/16. Audit results — every FTP-listening host should be evaluated for migration to SFTP or service disabling.