Port reference
Port 20 (TCP) – FTP Data
FTP active-mode data channel that carries file contents and directory listings.
Quick facts
- Transport: TCP
- Category: Well-known
- TLS: Cleartext
- Risk level: High
Frequently targeted — restrict exposure and harden it.
Use a secure alternative
This is a legacy cleartext protocol. Prefer the encrypted equivalent: SFTP (over SSH, port 22) or FTPS (FTP over TLS).
Default state
Opened on demand by an FTP server when a client requests active-mode transfers, alongside the control channel on port 21.
Common attacks
- Cleartext capture of transferred files and directory listings
- FTP bounce attacks abusing the PORT command
- Man-in-the-middle tampering with downloaded data
- Firewall evasion through dynamically negotiated data ports
Hardening
- Replace plain FTP with SFTP (over SSH, port 22) or FTPS (FTP over TLS: explicit FTPS negotiates TLS with AUTH TLS on port 21, implicit FTPS uses control port 990 and data port 989)
- Prefer passive mode and pin a constrained passive port range
- Disable the FTP bounce / PORT-to-third-party behavior (default in modern daemons)
- Terminate FTP at a TLS-aware proxy and restrict source IPs
nmap snippet
nmap -p20,21 --script ftp-anon,ftp-bounce,banner <target>
Replace <target> with the host or range you're authorized to scan. The ftp-anon and ftp-bounce scripts talk to the control channel on port 21, which is why both ports are included; port 20 itself usually shows as closed or filtered because the server only uses it as the source port of outbound data connections.
How to check if this port is open
Port 20 is rarely in a listening state: an active-mode server uses it as the source port of an outbound data connection, so the commands below show it only while a transfer is in progress, and a remote probe of port 20 normally reports closed or filtered even on a live FTP server. Check port 21 to find the service itself. The pattern ':20\b' avoids matching ports such as 2000 or 2049.
Linux:
ss -tanp | grep -E ':20\b'
nmap -p 20 <target>
Windows:
netstat -ano | findstr :20
Test-NetConnection <host> -Port 20
macOS:
lsof -i :20
nmap -p 20 <target>
How to block this port
Blocking inbound port 20 on an FTP server does not stop active-mode transfers, because the server originates those connections outbound from source port 20; restricting port 21 and the pinned passive range is what actually limits the service. If a perimeter firewall still carries a legacy stateless rule admitting inbound connections from source port 20, remove that as well.
sudo ufw deny 20/tcp
sudo firewall-cmd --permanent --remove-port=20/tcp
sudo firewall-cmd --reload
sudo iptables -A INPUT -p tcp --dport 20 -j DROP
New-NetFirewallRule -DisplayName "Block 20" -Direction Inbound -Protocol TCP -LocalPort 20 -Action Block
What runs on port 20?
Port 20 is the FTP active-mode data channel. In classic File Transfer Protocol, commands and replies travel over the control channel on port 21, while the actual file contents and directory listings move over a separate data connection. In active mode the server opens that connection from port 20 back to a client port it was told to use via the PORT command. Passive mode flips this, with the client connecting to a server-chosen high port instead.
Why it matters for security
Plain FTP is cleartext. Everything carried on port 20 — file contents, filenames, directory listings — crosses the network unencrypted, and the credentials exchanged on port 21 are equally exposed. Anyone able to sniff the path (shared Wi-Fi, a compromised switch, an upstream tap) can read or capture the data. The split control/data design also complicates firewalling and has historically enabled abuse.
How it's attacked
The simplest attack is passive sniffing of the unencrypted data stream. The classic FTP bounce attack abuses the PORT command to make the server open data connections to a third-party host and port, turning the server into a port scanner or a relay that hides the attacker's address. Man-in-the-middle attackers can also tamper with downloaded files, for example replacing a binary in transit. Because data ports are negotiated dynamically, firewall rules loosened to accommodate FTP widen exposure: a stateless rule that admits any inbound connection from source port 20 to high ports, once common so that active-mode transfers would work, lets an attacker reach internal high ports simply by sending from source port 20.
Hardening checklist
The real fix is to stop using plain FTP: move to SFTP (over SSH, port 22) or FTPS (FTP over TLS; explicit FTPS on port 21 via AUTH TLS, implicit FTPS on control port 990). If FTP must remain, prefer passive mode with a pinned, narrow passive port range and open only that range on the firewall, ensure the daemon rejects PORT targets that differ from the control-connection peer (the bounce check), and place the service behind a TLS-aware proxy with source-IP restrictions. The nmap snippet above checks for anonymous access and bounce susceptibility on systems you are authorized to test.
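The two checks that matter in "How it's attacked" and the hardening checklist above both come down to decoding the six-field host/port tuple that FTP carries in PORT commands and 227 PASV replies. The following is an added example, not the page's own code nor any FTP daemon's: it parses those tuples, rejects a PORT target that is not the control-connection peer (the bounce defence), refuses privileged ports, and verifies that an advertised passive port falls inside a pinned range. The policy values (PASSIVE_RANGE, MIN_CLIENT_PORT) and all addresses are constructed for illustration.

```python
"""Added example (not the page's or any FTP daemon's code): decode the
host/port tuples FTP carries in PORT commands and 227 PASV replies, then
apply two server/proxy-side checks: reject PORT targets that are not the
control-connection peer (bounce attack) and keep passive ports inside a
pinned range so firewall rules can stay narrow. Addresses and policy values
are constructed for illustration."""
import ipaddress
import re

# Hypothetical policy; real daemons expose equivalents as config settings.
PASSIVE_RANGE = (50000, 50099)  # pinned passive range to open on the firewall
MIN_CLIENT_PORT = 1024          # never connect back to a privileged port
ACTIVE_SOURCE_PORT = 20         # the server's source port in active mode

_TUPLE = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _TUPLE + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 [^(]*\(" + _TUPLE + r"\)")


def decode_hostport(fields):
    """Turn the six decimal fields h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if p1 > 255 or p2 > 255:
        raise ValueError("port byte out of range")
    # IPv4Address raises a ValueError subclass for octets above 255.
    host = str(ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"))
    return host, p1 * 256 + p2


def parse_port_command(line):
    """Parse a client PORT command seen on the control channel (port 21)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    return decode_hostport(m.groups())


def parse_pasv_reply(line):
    """Parse a server 227 reply telling the client where to connect."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply")
    return decode_hostport(m.groups())


def check_port_target(control_peer_ip, line):
    """Server-side bounce defence: (allowed, reason) for a PORT command.
    The data connection, opened from ACTIVE_SOURCE_PORT, may only go back to
    the host the control connection came from, and never to a privileged port."""
    host, port = parse_port_command(line)
    if host != control_peer_ip:
        return False, f"bounce attempt: PORT target {host} differs from control peer {control_peer_ip}"
    if port < MIN_CLIENT_PORT:
        return False, f"refusing PORT to privileged port {port}"
    return True, f"data connection {ACTIVE_SOURCE_PORT} -> {host}:{port} allowed"


def check_pasv_reply(line):
    """Client/proxy-side check: a 227 reply must advertise a port inside the
    pinned passive range, otherwise the data-port firewall rule would have to widen."""
    host, port = parse_pasv_reply(line)
    lo, hi = PASSIVE_RANGE
    if not lo <= port <= hi:
        return False, f"passive port {port} outside pinned range {lo}-{hi}"
    return True, f"passive data connection to {host}:{port} allowed"


if __name__ == "__main__":
    # Constructed control-channel traffic from a client at 203.0.113.10.
    peer = "203.0.113.10"
    for cmd in ("PORT 203,0,113,10,195,80",   # legitimate: back to the peer, port 50000
                "PORT 198,51,100,5,0,25",     # classic bounce: third-party host, port 25
                "PORT 203,0,113,10,0,22"):    # back to the peer but a privileged port
        print(cmd, "->", check_port_target(peer, cmd))
    for reply in ("227 Entering Passive Mode (192,0,2,7,195,100).",  # 50020, in range
                  "227 Entering Passive Mode (192,0,2,7,4,1)."):     # 1025, out of range
        print(reply, "->", check_pasv_reply(reply))
```

The peer comparison is the whole bounce defence: a server that connects wherever PORT says is a relay, one that only connects back to the control peer is not. The PASV check is what lets the firewall rule stay as narrow as the configured range instead of "any high port".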
Related ports
Frequently asked questions
- What is port 20 used for?
- Port 20 is the FTP active-mode data channel. The server connects from port 20 back to the client to transfer file contents and directory listings, while commands flow over port 21.
- Is port 20 encrypted?
- No. Plain FTP data on port 20 is cleartext. Use SFTP or FTPS to encrypt transfers; otherwise files and any credentials in transit are exposed.