Port reference
Port 21 (TCP) – FTP Control
FTP command and authentication channel for browsing and transferring files.
Quick facts
- Transport: tcp
- Category: Well-known
- TLS: Cleartext
- Risk level: Critical
Actively exploited and high-impact — keep it off the public internet.
Use a secure alternative
This is a legacy or cleartext protocol. Prefer the encrypted equivalent:
Default state
Open on FTP servers and many NAS, routers, and legacy appliances; frequently exposed to the internet.
Common attacks
- Cleartext credential capture via sniffing
- Anonymous FTP access and writable upload directories
- Credential brute force and password spraying
- FTP bounce abuse via the PORT command
Hardening
- Replace FTP with SFTP (port 22) or enforce FTPS (explicit FTPS on 21 or implicit on 990)
- Disable anonymous login unless a read-only public mirror is intended
- Enforce TLS for both control and data channels; reject cleartext logins
- Add rate limiting / fail2ban and restrict by source IP
nmap snippet
nmap -p21 --script ftp-anon,ftp-bounce,ftp-syst,banner <target>
Replace <target> with the host or range you're authorized to scan.
How to check if this port is open
ss -tulpn | grep :21
nmap -p 21 <target>
netstat -ano | findstr :21
Test-NetConnection <host> -Port 21
lsof -i :21
How to block this port
sudo ufw deny 21/tcp
sudo firewall-cmd --permanent --remove-port=21/tcp
sudo firewall-cmd --reload
sudo iptables -A INPUT -p tcp --dport 21 -j DROP
New-NetFirewallRule -DisplayName "Block 21" -Direction Inbound -Protocol TCP -LocalPort 21 -Action Block
What runs on port 21?
Port 21 is the FTP control channel — the connection that carries FTP
commands, server replies, and the login exchange. A client connects here to
authenticate and issue commands like LIST, RETR, and STOR, while the actual
file bytes flow over a separate data connection (port 20 in active mode, or a
negotiated high port in passive mode). It is one of the oldest internet protocols
and still common on NAS devices, routers, and legacy file servers.
Why it matters for security
FTP authentication on port 21 is cleartext by default: usernames and passwords cross the wire unencrypted and are trivially captured by anyone on the path. Many deployments also enable anonymous access, and a writable anonymous directory can let attackers upload tools or exfiltrate data. The protocol's age means buggy servers — including a famously backdoored vsftpd 2.3.4 build (CVE-2011-2523) — have shipped over the years.
How it's attacked
Attackers sniff the cleartext login to harvest credentials, or run brute-force / password spraying against discovered FTP servers. They probe for anonymous access and world-writable upload directories. The FTP bounce technique abuses the PORT command to relay connections through the server, and known server vulnerabilities (such as the vsftpd 2.3.4 backdoor) yield direct remote shells on unpatched hosts.
Hardening checklist
Prefer SFTP (over SSH, port 22), or if FTP is required, enforce FTPS and reject cleartext logins so credentials and commands are encrypted. Disable anonymous login unless you intend a read-only public mirror, and never combine anonymous access with writable directories. Add rate limiting / fail2ban, restrict by source IP, and keep the FTP daemon patched. The nmap snippet above checks for anonymous access, bounce support, and the server banner on systems you are authorized to test.
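As an added example (not part of this reference page), a small Python audit that walks an FTP control-channel transcript and flags the risks described above: a PASS sent before any AUTH TLS (cleartext login), an accepted anonymous login, an upload command after that login, and a PORT command whose address is not the client's own (the bounce pattern). The two transcripts, the client address 198.51.100.7 and the audit_session/Findings names are constructed for this example.

```python
from dataclasses import dataclass, field
# Constructed server-side control-channel logs (not real captures): "C>" is the client's command, "S>" the server's reply.
RISKY_SESSION = """\
S> 220 (example FTP server)
C> USER anonymous
C> PASS guest@example.org
S> 230 Login successful.
C> PORT 203,0,113,9,0,80
S> 200 PORT command successful.
C> STOR tool.bin
"""
SAFE_SESSION = """\
S> 220 (example FTP server)
C> AUTH TLS
S> 234 Proceed with negotiation.
C> USER alice
C> PASS correct-horse
S> 230 Login successful.
C> PORT 198,51,100,7,200,10
"""
@dataclass
class Findings:
    cleartext_login: bool = False   # PASS sent before any AUTH TLS
    anonymous_login: bool = False   # server answered 230 to anonymous/ftp
    anonymous_upload: bool = False  # STOR/STOU/APPE after an anonymous login
    bounce_targets: list = field(default_factory=list)  # PORT aimed off-client

def audit_session(transcript: str, client_ip: str) -> Findings:
    """Flag the port-21 risks listed above in one control-channel transcript."""
    f, tls_started, pending_user = Findings(), False, ""
    for raw in transcript.splitlines():
        side, _, text = raw.partition("> ")
        verb, _, arg = text.strip().upper().partition(" ")
        if side == "S":
            if verb == "230" and pending_user in ("ANONYMOUS", "FTP"):
                f.anonymous_login = True
            continue
        if verb == "AUTH" and arg in ("TLS", "SSL"):
            tls_started = True
        elif verb == "USER":
            pending_user = arg
        elif verb == "PASS" and not tls_started:
            f.cleartext_login = True  # password crossed the wire unencrypted
        elif verb == "PORT" and len(p := arg.split(",")) == 6 and all(x.isdigit() for x in p):
            ip, port = ".".join(p[:4]), int(p[4]) * 256 + int(p[5])
            if ip != client_ip:  # data connection requested to a third host
                f.bounce_targets.append((ip, port))
        elif verb in ("STOR", "STOU", "APPE") and f.anonymous_login:
            f.anonymous_upload = True
    return f
```

Run against the risky transcript it reports all four findings; against the TLS-first session it reports none, which is the state the hardening list above aims for.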
Frequently asked questions
- Is port 21 secure?
- No. Plain FTP on port 21 sends usernames and passwords in cleartext. Use SFTP or enforce FTPS so credentials and commands are encrypted.
- What is anonymous FTP on port 21?
- Many FTP servers allow login as 'anonymous' with no real password. If misconfigured with writable directories it lets attackers read or plant files, so disable it unless a public read-only mirror is intended.