FTP

File Transfer Protocol

A TCP-based protocol for transferring files between a client and server, using separate control and data connections — but transmitting everything in plaintext unless a secure variant is used.

FTP is one of the oldest internet protocols, dating to 1971. It separates the connection into two channels: a control connection (port 21) for commands like login, list directory, and get/put, and a data connection for actual file content. This dual-channel design was novel at the time but causes complications with modern firewalls and NAT that were not factors in FTP's original design.

Control channel vs data channel

The control channel (port 21) carries all commands and responses as plaintext ASCII — LOGIN, LIST, RETR, STOR — throughout the entire session. The data channel carries only file content and directory listings; it is opened and closed for each transfer. In active mode the data channel originates from the server on port 20. In passive mode the server picks an ephemeral high port and the client connects to it. Because credentials travel on the control channel in plaintext, any network observer can capture the username and password from a single packet capture.

Active vs passive mode — and why passive is needed behind NAT

In active mode (PORT), the client tells the server its IP address and a port number; the server then initiates a new TCP connection back to the client on that port. This breaks behind NAT: the client's real IP is private (192.168.x.x), the server cannot reach it, and stateful firewalls block unsolicited inbound connections. In passive mode (PASV), the client asks the server to open a listening port and tell the client where to connect. The client then initiates the data connection, making it look like any outbound TCP connection — compatible with NAT and firewalls. Passive mode has been the de facto standard since the mid-1990s and virtually every modern FTP client defaults to it.
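Added example (not part of the original page): a short Python audit of a recorded control-channel transcript. It flags the cleartext login described above (USER and PASS are the login commands on the wire) and decodes the data-channel endpoint announced by PORT in active mode and by the 227 reply in passive mode. The transcript, addresses, credentials, and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed transcript ("C:" = client, "S:" = server); every value here is made up.
SAMPLE = """\
S: 220 FTP server ready
C: USER alice
S: 331 Password required
C: PASS example-password
S: 230 Login successful
C: PORT 192,168,1,23,195,80
S: 200 PORT command successful
C: PASV
S: 227 Entering Passive Mode (203,0,113,10,234,96)
"""

TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_endpoint(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple: IP = h1.h2.h3.h4, port = p1*256 + p2."""
    m = TUPLE.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def audit(transcript):
    """Return (finding, detail) pairs for what a passive observer learns from the session."""
    findings = []
    for line in transcript.splitlines():
        side, _, msg = line.partition(": ")
        verb, _, arg = msg.partition(" ")
        verb = verb.upper()
        if side == "C" and verb == "USER":
            findings.append(("cleartext-username", arg))
        elif side == "C" and verb == "PASS":
            # Record only that a password was exposed, never the value itself.
            findings.append(("cleartext-password", f"<{len(arg)} chars, redacted>"))
        elif side == "C" and verb == "PORT" and (ep := decode_endpoint(arg)):
            private = ipaddress.ip_address(ep[0]).is_private
            note = "private address, server cannot connect back through NAT" if private else "routable"
            findings.append(("active-data-endpoint", f"{ep[0]}:{ep[1]} ({note})"))
        elif side == "S" and verb == "227" and (ep := decode_endpoint(arg)):
            findings.append(("passive-data-endpoint", f"{ep[0]}:{ep[1]}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind}: {detail}")
```

Any cleartext-username or cleartext-password finding means the login crossed the network unencrypted; the decoded endpoints show which side must accept the data connection and on which port.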

FTP, SFTP, FTPS, and SCP compared

| Protocol | Encryption | Port | Relationship to FTP | Notes |
|---|---|---|---|---|
| FTP | None (plaintext) | 21 / 20 | Original | Never use over internet |
| FTPS (explicit) | TLS (STARTTLS) | 21 | FTP + TLS upgrade | Same dual-channel complexity |
| FTPS (implicit) | TLS (always on) | 990 | FTP + TLS from start | Less common than explicit |
| SFTP | SSH | 22 | Unrelated protocol | Single port, preferred choice |
| SCP | SSH | 22 | Unrelated protocol | Simple copy, no directory browse |

Common FTP clients and server software

The most widely used desktop FTP clients are FileZilla (free, cross-platform, supports FTP/FTPS/SFTP) and WinSCP (Windows, also supports SFTP and SCP with a two-panel interface). Both default to passive mode. On the server side, vsftpd (Very Secure FTP Daemon) is the standard choice on Linux for pure FTP/FTPS; ProFTPD offers more configuration flexibility for complex hosting environments. Both can be configured to require FTPS and reject plaintext logins.

When FTP is still used

Plain FTP persists in specific niches despite its age:

  • Legacy web hosting: many shared hosting control panels still offer FTP alongside SFTP for compatibility with older site management tools
  • Network device firmware uploads: routers, switches, and industrial controllers often ship with a built-in FTP client for firmware updates from a local FTP server, where network isolation makes plaintext acceptable
  • Automated batch transfers on isolated internal networks where encryption is handled at the network layer (VPN or dedicated fiber)

Testing FTP from the command line

The built-in ftp command is available on Linux, macOS, and Windows. Connect with ftp hostname, enter credentials at the prompt, and use get filename or put filename to transfer files. For scripting or SFTP testing, curl supports FTP and SFTP directly: curl ftp://server/file.txt --user user:pass downloads a file, and curl sftp://server/file.txt --user user:pass -k does the same over SFTP. The -k flag skips host key verification — useful for quick tests but not for production scripts.

Frequently Asked Questions

Is FTP secure?

Plain FTP transmits credentials and file contents in cleartext — any network interceptor can read them. Never use plain FTP over the internet or public Wi-Fi. Use SFTP or FTPS for encrypted transfers.

What is the difference between FTP, SFTP, and FTPS?

FTP is plaintext. FTPS adds TLS encryption to FTP. SFTP is a completely separate protocol that runs over SSH — it shares the name but is unrelated to FTP. SFTP is generally preferred because it uses a single port (22) and SSH infrastructure most servers already have.

What ports does FTP use?

Port 21 for the control channel; port 20 for data in active mode, or a negotiated high port in passive mode. Passive mode is standard today because it works through firewalls and NAT without extra configuration.
