Skip to content
ProtocolPorts

What ports does FTP use? FTP, FTPS and SFTP ports explained

FTP uses port 21 for control and port 20 for data, with FTPS on 990. Learn active vs passive mode, why SFTP is really SSH on port 22, and what to use.

Published on 4 min read
portsftpfile-transfer

FTP looks simple until you realize it quietly uses two ports at once, runs in two different connection modes, and has two unrelated secure cousins whose names are almost identical. This guide untangles FTP, FTPS, and SFTP, explains the ports each one uses, and tells you which to pick. Every port links to its full ProtocolPorts entry, or you can browse all ports.

PortProtocol / ServiceEncrypted?Role
21FTP controlNoCommands, login, directory listing
20FTP dataNoFile transfer (active mode)
990FTPS (implicit)TLSFTP wrapped in TLS from the start
22SFTP / SSHTLS-gradeFile transfer inside SSH (not FTP)

FTP uses two ports, not one

Classic FTP splits its work across two separate channels:

  • The control connection on port 21 carries commands, your username and password, and directory listings. This connection stays open for the whole session.
  • The data connection carries the actual file bytes and the contents of directory listings. In active mode it originates from port 20.

Because the data channel is separate from the control channel, FTP behaves awkwardly through firewalls and NAT — which is where active and passive mode come in.

Active mode vs passive mode

The control connection is always opened by the client to port 21. The difference is who opens the data connection.

In active mode, the server opens the data connection back to the client from port 20. This breaks for most clients today, because their firewall or NAT router blocks the incoming connection from the server.

In passive mode, the client opens the data connection to the server on a high, dynamically negotiated port instead. The server announces which port to use over the control channel. Passive mode is what virtually all modern clients use, since the client initiates every connection and firewalls stay happy.

Why cleartext FTP leaks your credentials

Plain FTP on port 21 and port 20 has no encryption at all. Your username and password are sent in cleartext on the control connection, and every file crosses the network in the clear on the data connection. Anyone able to observe the traffic — on shared Wi-Fi, a compromised router, or an upstream link — can capture your login and read or tamper with the files.

That single fact is why plain FTP should be considered obsolete for anything sensitive.

FTPS: FTP wrapped in TLS

FTPS adds TLS encryption to classic FTP, and it comes in two styles:

  • Implicit FTPS assumes TLS from the very first byte and uses a dedicated port, port 990. The whole session is encrypted immediately.
  • Explicit FTPS starts as ordinary FTP on port 21, then issues an AUTH TLS command to upgrade the connection to encryption. It reuses the standard control port rather than a separate one.

FTPS keeps FTP's awkward dual-channel design, so it still needs careful firewall configuration for the data ports — but at least the credentials and files are protected.

SFTP is SSH, not FTP

Here is the part that trips everyone up: SFTP is not FTP with an S bolted on. SFTP is the SSH File Transfer Protocol, and it runs as a subsystem inside an ordinary SSH session on port 22 — the same port you use for remote shell access.

That means SFTP:

  • Uses a single connection on one port, so it sails through firewalls and NAT with no active/passive headaches.
  • Is encrypted and authenticated by SSH, with support for key-based authentication.
  • Shares nothing with the FTP protocol beyond the goal of moving files.

If someone says "use SFTP," check that you are connecting to port 22, not port 21 or port 990.

What to use instead of plain FTP

For almost every use case today, the answer is SFTP over port 22. It is a single encrypted connection, supports strong key authentication, and avoids FTP's firewall pain entirely. If you are tied to the FTP protocol for compatibility reasons, use FTPS — implicit on port 990 or explicit on port 21 — so that credentials and data are encrypted in transit. Reserve plain port 21 and port 20 for anonymous, public, non-sensitive downloads only.

Conclusion

FTP uses port 21 for control and port 20 for data, FTPS adds TLS on port 990, and SFTP is a different protocol entirely that rides on SSH port 22. When in doubt, reach for SFTP, never send credentials over cleartext FTP, and look up any unfamiliar port on ProtocolPorts.

Related articles

Common backdoor and trojan ports to investigate
Ports tied to trojans, backdoors and C2 — NetBus, Back Orifice, ingreslock, Meterpreter and abused legit services — and how to detect a compromise.
portssecuritymalware
Common TCP and UDP ports: a cheat sheet
A scannable reference of common TCP and UDP ports grouped by purpose — web, mail, file transfer, remote access, databases, and infrastructure.
portssecurityreference
How to check which ports are open (Windows, Linux, macOS)
Check open and listening ports on Windows, Linux, and macOS, map a PID to its process, and scan a remote host with Nmap. Commands you can copy-paste.
portsnetstattroubleshooting