I. FTP PORT and PASV Modes
FTP uses two TCP connections: a command (control) connection is established first, and a data connection is then created for the actual transfer. Many Chinese textbooks simply state that FTP uses ports 21 and 20, which probably reflects how far the teaching material lags behind practice. In fact, FTP has two modes, active mode and passive mode: in active mode the server uses TCP ports 21 and 20, while in passive mode the data connection uses random ports above 1024. The authoritative FTP reference is RFC 959; read it if you are interested. Mainstream FTP servers today support both PORT and PASV modes, but it is still necessary to understand how the two modes work on the server side in order to manage firewalls and ACL settings properly.
1.1 FTP PORT mode (active mode)
Active FTP works as follows: the client connects from an arbitrary non-privileged port N (N > 1024) to the server's command port (TCP port 21). The client then starts listening on port N+1 and sends the FTP command PORT N+1 to the server. Finally, the server connects from its own data port (20) to the data port N+1 specified by the client, and the data transfer channel between client and server is established. The FTP PORT mode workflow is shown in the figure:
A firewall in front of the FTP server must allow the following traffic to support active FTP:
1. Client port >1024 to FTP server port 21 (inbound: control connection initiated by the client, S<-C)
2. FTP server port 21 to client port >1024 (outbound: the server's responses on the control connection, S->C)
3. FTP server port 20 to client port >1024 (outbound: the server initiates the data connection to the client's data port, S->C)
4. Client port >1024 to FTP server port 20 (inbound: the client sends ACK responses to the server's data port, S<-C)
If the server's IP address is 192.168.10.1, the following inbound ACL on interface GigabitEthernet 2/1 of an H3C 8500/10 restricts the server to active-mode FTP (only the server's replies from ports 21 and 20 are permitted; everything else is denied):
rule permit tcp source 192.168.10.1 0 source-port eq 21 destination-port gt 1024
rule permit tcp source 192.168.10.1 0 source-port eq 20 destination-port gt 1024
rule deny ip
1.2 FTP PASV mode (passive mode)
In passive FTP, both the command connection and the data connection are initiated by the client. When an FTP session starts, the client opens two arbitrary non-privileged local ports (N > 1024 and N+1). The first port connects to port 21 of the server, but unlike active FTP the client does not send a PORT command asking the server to connect back to its data port; it sends the PASV command instead. The server then opens an arbitrary non-privileged port P (P > 1024) and tells the client that port number (in its 227 reply). The client then initiates a connection from local port N+1 to port P on the server to transfer data. The FTP PASV mode workflow is shown in the figure:
The server-side firewall must allow the following traffic to support passive FTP:
1. Client port >1024 to server port 21 (inbound: control connection initiated by the client, S<-C)
2. Server port 21 to client port >1024 (outbound: the server's responses on the control connection, S->C)
3. Client port >1024 to server port >1024 (inbound: the client initiates the data connection to the port chosen by the server, S<-C)
4. Server port >1024 to client port >1024 (outbound: the server sends ACKs and data to the client's data port, S->C)
If the server's IP address is 192.168.10.1, the following inbound ACL on interface GigabitEthernet 2/1 of an H3C 8500/10 restricts the server to passive-mode FTP (the server's replies from port 21 and from ports above 1024 are permitted; everything else is denied):
rule permit tcp source 192.168.10.1 0 source-port eq 21 destination-port gt 1024
rule permit tcp source 192.168.10.1 0 source-port gt 1024 destination-port gt 1024
rule deny ip
II. FTP PORT and PASV Modes
The main difference between FTP PORT and PASV modes is how the data connection is established. In PORT mode, only ports 21 and 20 need to be opened on the server; in PASV mode, port 21 and all TCP ports above 1024 must be opened. From a network security perspective it therefore seems that PORT mode is safer and PASV mode less secure. So why did the RFC add PASV mode on top of PORT mode? The main purpose of PASV mode in the RFC is data transmission security: because PORT mode always uses the fixed port 20 for data transfer, an attacker can use a sniffer or similar tool to capture FTP data on that port. Data transferred in PORT mode is thus easy for an attacker to steal, and running the FTP server in PASV mode is the most secure and optimal choice.
If you are an experienced network administrator, you will notice that the PASV method poses a considerable risk to network security: PASV requires opening the TCP ports above 1024 on the server, which is very unfavorable for protecting the server. I suggest two ways to improve the port exposure of FTP PASV mode. The first is to use a vulnerability scanning tool such as X-Scan to find which ports are open on the server and then deny those ports with the ACL; the second is to open the FTP PASV ports with a stateful inspection firewall.
In FTP PASV mode, a stateful inspection firewall is better than an ACL. With a stateful inspection firewall, only port 21 of the FTP server needs to be opened. The firewall detects a client connecting to port 21 of the FTP server, and once the client has established that session on port 21, the session is allowed to use the server's ports above 1024; no other access to the server's ports above 1024 is possible. A stateful inspection firewall thus ensures that the server's ports above 1024 are open only to FTP sessions. Stateful inspection is currently supported by iptables, ISA Server 2000/2004/2006, and mainstream hardware firewalls.
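The difference between the two ACLs in section 1 and the stateful approach described here can be made concrete with a small model. The following Python is an added example, not code from the original article: it parses the PORT command and the 227 PASV reply as defined in RFC 959, encodes the article's two inbound ACLs (server 192.168.10.1) as first-match rule lists, and models a stateful inspection firewall that statically opens only port 21 and admits a high-port data flow only after it was announced on the control channel. The client address 10.0.0.5, the ports 1026/1027/2024, the FTP lines, and the unrelated server:3306 flow are all constructed for the example.

```python
import re
from dataclasses import dataclass

SERVER = "192.168.10.1"   # FTP server address from the article's ACL examples
CLIENT = "10.0.0.5"       # constructed client address


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP connection: source and destination endpoints."""
    src: str
    sport: int
    dst: str
    dport: int


# --- parsing the two FTP messages that announce a data port (RFC 959) ---
_SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"


def _host_port(groups) -> tuple[str, int]:
    """h1,h2,h3,h4 is the address; the port is p1*256 + p2."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def parse_port_command(line: str) -> tuple[str, int]:
    """Parse a client 'PORT h1,h2,h3,h4,p1,p2' command (active mode)."""
    m = re.fullmatch(r"PORT " + _SIX, line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _host_port(m.groups())


def parse_pasv_reply(line: str) -> tuple[str, int]:
    """Parse a server '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = re.search(r"^227 .*\(" + _SIX + r"\)", line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return _host_port(m.groups())


# --- the article's two inbound ACLs as first-match rule lists ---
# The ACL sits on the switch port facing the server, so it sees server -> client
# traffic. Each rule: (source address or None, source-port test, dest-port test, action).
def eq(p):
    return lambda x: x == p


def gt(p):
    return lambda x: x > p


def any_port(x):
    return True


ACL_ACTIVE = [                                  # section 1.1 ACL
    (SERVER, eq(21), gt(1024), "permit"),
    (SERVER, eq(20), gt(1024), "permit"),
    (None, any_port, any_port, "deny"),         # rule deny ip
]
ACL_PASSIVE = [                                 # section 1.2 ACL
    (SERVER, eq(21), gt(1024), "permit"),
    (SERVER, gt(1024), gt(1024), "permit"),     # every high port, not just FTP's
    (None, any_port, any_port, "deny"),
]


def acl_decision(acl, flow: Flow) -> str:
    """First matching rule wins, as on the switch."""
    for src, sp_ok, dp_ok, action in acl:
        if (src is None or src == flow.src) and sp_ok(flow.sport) and dp_ok(flow.dport):
            return action
    return "deny"


# --- stateful inspection model: only port 21 is open statically ---
class StatefulFtpFirewall:
    def __init__(self, server: str):
        self.server = server
        self.expected: set[Flow] = set()   # data flows announced on the control channel

    def observe_control(self, line: str, client: str) -> None:
        """Inspect one control-channel line and register the data flow it announces."""
        if line.startswith("PORT "):
            host, port = parse_port_command(line)
            self.expected.add(Flow(self.server, 20, host, port))   # server:20 -> client:N+1
        elif line.startswith("227 "):
            host, port = parse_pasv_reply(line)
            # server:P -> client; the client's source port is not known yet (0 = wildcard)
            self.expected.add(Flow(host, port, client, 0))

    def decision(self, flow: Flow) -> str:
        if flow.src == self.server and flow.sport == 21:
            return "permit"                    # control channel, statically open
        for exp in self.expected:
            if (exp.src, exp.sport, exp.dst) == (flow.src, flow.sport, flow.dst) \
                    and exp.dport in (0, flow.dport):
                return "permit"                # RELATED data connection
        return "deny"


def run_scenarios() -> dict[str, dict[str, str]]:
    """Constructed session: PORT announcing client port 1026, a 227 reply announcing
    server port 2024, and an unrelated high-port service on the server (3306)."""
    fw = StatefulFtpFirewall(SERVER)
    fw.observe_control("PORT 10,0,0,5,4,2", CLIENT)                            # 4*256+2 = 1026
    fw.observe_control("227 Entering Passive Mode (192,168,10,1,7,232)", CLIENT)  # 7*256+232 = 2024
    flows = {
        "active data":   Flow(SERVER, 20, CLIENT, 1026),
        "passive data":  Flow(SERVER, 2024, CLIENT, 1027),
        "unrelated":     Flow(SERVER, 3306, CLIENT, 40000),
    }
    return {name: {"acl_active": acl_decision(ACL_ACTIVE, f),
                   "acl_passive": acl_decision(ACL_PASSIVE, f),
                   "stateful": fw.decision(f)} for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:13s} {verdicts}")
```

The "unrelated" row is the article's point: the PASV ACL permits any server port above 1024 toward any client port above 1024, so a non-FTP service on the server is exposed as well, while the stateful model permits port 2024 only because the 227 reply announced it and denies port 3306.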
From: http://leowzy.iteye.com/blog/1279265
Comparison of FTP port and PASV Modes