Different FTP Connection Modes

Amongst the many abbreviations you might come across concerning your website and its security is File Transfer Protocol, shortened to FTP. FTP is a network protocol for transferring files between a client and a server, for example between your own computer and the server that hosts your website.

One simple example might be a PDF file: the person who created it might send it to an associate via FTP, or upload it to their website to offer it as a free download. They would FTP the PDF from their computer to a folder on the website's hosting server. Once the file sits under the web root it is reachable by URL, and a link to that URL can be placed on a page so that people can click it to download the PDF to their computer or device.

You should be aware that FTP can be used in two different connection modes. They differ in which side opens the data connection, and that choice decides whether the firewalls on either side will let a transfer through. To help you better understand what these FTP modes are, here are the details.

Active And Passive FTP

For FTP to occur, a user will usually log in to a server, although there are exceptions, referred to as anonymous FTP, where the server does not require individual credentials. For those servers that do require a login, once a user is logged in they can upload files, download files, delete files, rename files, move files, or copy files.

Whatever the user is doing with FTP, the transfer will use one of the two data transfer modes in which FTP operates. The modes are called active and passive, and each has its own characteristics.

Active Mode

Active mode is the older of the two and dates from a time when client networks were not routinely protected by firewalls and NAT. There are two stages to active mode.

First, the user's FTP client connects from a random (ephemeral) port on their computer to port 21 on the server. This connection is the command channel. On it the client sends the PORT command, which tells the server the IP address and port number on which the client is now listening for the data connection.

The second stage is a connection from port 20 on the server to that port on the user's computer. This connection is the data channel, and once it is established directory listings and file contents travel across it. The important point is that it is the server, not the user's computer, that opens the data connection.

Passive Mode

In passive mode, the first connection to port 21 from a random port on the user's side still occurs, but the command sent is not PORT; it is the PASV (passive) command. This asks the server to open a port of its own and wait for the client to connect to it. The server replies with the address and port number it has opened (a 227 "Entering Passive Mode" response), and the second stage is a connection from a random port on the user's device to that port on the server.
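To make the two stages concrete, here is an added example (not code from the original article) that implements the PORT command and the 227 reply described above, then simulates each mode's data channel on the loopback interface so you can see which side must accept an inbound connection. The IP addresses, ports and file contents are constructed for the example.

```python
import re
import socket

# Added example, not from the original article: the two FTP command-channel
# messages that decide who opens the data channel, plus a loopback simulation
# of each mode. Addresses and the "file" payload are constructed.

_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _encode_endpoint(ip: str, port: int) -> str:
    """Encode IPv4 address + port the way PORT and 227 carry them: h1,h2,h3,h4,p1,p2."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def _decode_endpoint(groups) -> tuple[str, int]:
    """Reverse of _encode_endpoint; rejects fields that do not fit in a byte."""
    n = [int(g) for g in groups]
    if any(x > 255 for x in n):
        raise ValueError("field exceeds 255")
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def build_port_command(ip: str, port: int) -> str:
    """Active mode: the client announces the port it is listening on."""
    return "PORT " + _encode_endpoint(ip, port)


def parse_port_command(line: str) -> tuple[str, int]:
    """Server side of active mode: where the server must connect out to."""
    m = _PORT_RE.match(line)
    if not m:
        raise ValueError(f"malformed PORT command: {line!r}")
    return _decode_endpoint(m.groups())


def build_pasv_response(ip: str, port: int) -> str:
    """Passive mode: the server answers PASV with the port it has opened."""
    return f"227 Entering Passive Mode ({_encode_endpoint(ip, port)})."


def parse_pasv_response(line: str) -> tuple[str, int]:
    """Client side of passive mode: where the client must connect in to."""
    m = _PASV_RE.match(line)
    if not m:
        raise ValueError(f"malformed 227 reply: {line!r}")
    return _decode_endpoint(m.groups())


def _recv_all(sock: socket.socket) -> bytes:
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def transfer(mode: str, payload: bytes = b"constructed file contents\n") -> dict:
    """Simulate the data channel of one mode on 127.0.0.1.

    The listener is whichever side must accept an inbound connection: the
    client in active mode, the server in passive mode. Port 0 asks the OS for
    an ephemeral port, standing in for the article's "random port". Returns
    who initiated the data connection and what the client received.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    ip, port = listener.getsockname()
    try:
        if mode == "active":
            # Client listens and sends PORT; the server parses it and connects out.
            exchange = build_port_command(ip, port)
            server_data = socket.create_connection(parse_port_command(exchange))
            client_data, _ = listener.accept()
            initiated_by = "server"
        elif mode == "passive":
            # Server listens and replies 227; the client parses it and connects in.
            exchange = build_pasv_response(ip, port)
            client_data = socket.create_connection(parse_pasv_response(exchange))
            server_data, _ = listener.accept()
            initiated_by = "client"
        else:
            raise ValueError(f"unknown mode: {mode}")
    finally:
        listener.close()
    # The server pushes the file down the data channel, then closes it to signal end of file.
    server_data.sendall(payload)
    server_data.close()
    received = _recv_all(client_data)
    client_data.close()
    return {"mode": mode, "initiated_by": initiated_by, "exchange": exchange, "received": received}


if __name__ == "__main__":
    for m in ("active", "passive"):
        r = transfer(m)
        print(f"{r['mode']:7s} data connection opened by the {r['initiated_by']}: {r['exchange']}")
```

On a real network the `listener.accept()` in the active branch is the step that fails: the server's outbound connection from port 20 never arrives because the client's firewall or NAT router drops it as unsolicited inbound traffic. In the passive branch the inbound connection lands on the server instead, which is why the server administrator must leave its passive port range reachable. The `_decode_endpoint` check on field size matters in practice too, because the six numbers come from the other side of the connection and should not be trusted blindly.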

Active Mode v Passive Mode

If we were to draw a diagram of what we have described, with the user's device on the left and the server on the right, then for active mode the command-channel arrow would point from the user to the server but the data-channel arrow would point from the server to the user, showing that it is the server that initiates the data connection.

With passive mode both arrows, command and data, would point from the user to the server, indicating that it is the user, not the server, that initiates the data connection. The security implication for active mode is that the user's firewall or NAT router sees the server's connection to the data port as an unsolicited inbound connection and, as it is designed to, drops it, so the transfer stalls or fails.

By contrast, in passive mode it is the user that initiates both the command and the data connections, and a stateful firewall allows the return traffic for connections the user opened. This means that even behind a firewall they should still be able to make the FTP connections they wish to, while the firewall keeps blocking unsolicited inbound traffic. Two caveats are worth knowing. First, the burden moves to the server side: the server must accept inbound connections on its passive port range, so the server administrator will normally restrict that range and open only it. Second, neither mode encrypts anything; plain FTP sends passwords and file contents in clear text whichever mode you choose, so use FTPS or SFTP when confidentiality matters. Hopefully, you are starting to realise that passive mode will, in most cases, be the preferable option, as there will be fewer failed connections and the user's firewall stays effective.