Communication protocols govern data transmission between computer networks. These protocols, such as File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP), determine how data is transferred between devices through a port, which is a unique connection endpoint for a specific service.
Because file transfer moves files over the internet, insecure file transfer ports create opportunities for hackers to send their own malicious payload or for other threat actors to intercept traffic. This article provides an overview of how file transfer protocols work, as well as common port exposures and how to mitigate those risks.
What is File Transfer?
File transfer moves data between different servers over open ports. Different protocols provide specifications about how the data transfer happens and which ports are in use on a web server. For example, the Server Message Block Protocol (SMB) uses a request-response approach between devices on the same network and typically uses ports [.rt-script]139[.rt-script] and [.rt-script]445[.rt-script], whereas the File Transfer Protocol (FTP) uses port [.rt-script]21[.rt-script] by default.
File transfer provides a mechanism through which organizations can move large files and large quantities of data between devices effectively. File transfer is especially useful when an organization needs to send files or share files in a variety of formats and sizes.
How FTP Works
File transfer, in its most basic form, is the method of moving data from one location to another, like selecting a book from a library shelf and taking it home to your counter where you will then use it. In computing, file transfer is governed by protocols that specify how data is transmitted. With the modern cloud environment, data forms are constantly evolving and standard protocols likewise shift to adapt to various needs. File transfer with cloud storage providers is a common use case for online files.
To describe file transfer, this section uses the File Transfer Protocol (FTP) as the example, though each application layer protocol differs in its exact specifications and use. FTP uses the Transmission Control Protocol (TCP) to facilitate connections with TCP/IP addresses. TCP connections route according to the internet protocol (IP) address specified.
You can use FTP to transfer files over the internet, whether you wish to send a file from your device to another or retrieve a file from a different device to yours. To accomplish this type of file transfer, you use an FTP client such as FileZilla, WinSCP, PuTTY, Cyberduck, or another application. FTP clients offer a graphical user interface for file transfer, though you can also use the [.rt-script]ftp[.rt-script] command from a terminal session.
The FTP client interface or use of the [.rt-script]ftp[.rt-script] command is on your computer (the client device). To create an FTP session, you use the client interface or command-line to establish communication with the remote server (or FTP server) on the specified port, which is port [.rt-script]21[.rt-script] for FTP. Once the connection is established, the client device sends a request for file transfer, including requests to send data (send files to the remote host) or to retrieve data (download files from the remote host). The FTP connection facilitates the transfer of files over the specified port number as determined by the network protocol.
You can use FTP in either active or passive mode. Active mode enables the client to listen for data connections on the specified port, whereas passive mode has the client initiate the data connection once the server has specified the required port. If you use a firewall, passive FTP enables the client device to initiate connections rather than listening for the server's connection response.
FTP is not the only protocol available for data transfer, and there are a variety of FTP software options available as desktop applications that will run the FTP service (including options for Windows, macOs, Linux, and other operating systems). Some web browsers include FTP clients.
Types of File Transfer Protocols
There are a variety of file transfer protocols, including variations of File Transfer Protocol (FTP) and other types of data transfer protocols. Each transfer protocol makes connections on a specific port configured to accept data:
- FTP, which stands for File Transfer Protocol, does plain text file transfer using port [.rt-script]20[.rt-script] as the data channel, with port [.rt-script]21[.rt-script] as the control connection.
- Anonymous FTP is an unencrypted option for anonymous file transfer. Anonymous FTP also runs on port [.rt-script]21[.rt-script].
- SFTP, which is often called Secure File Transfer Protocol or SSH File Transfer Protocol (Secure Shell FTP), provides encrypted data transfer over SSH port [.rt-script]22[.rt-script]. SFTP has been somewhat deprecated in favor of [.rt-script]rsync[.rt-script] and [.rt-script]scp[.rt-script].
- FTPS or FTP-SSL, which stands for FTP Secure or FTP over SSL/TLS, runs on port [.rt-script]990[.rt-script] by default.
- FTPES, which is FTP explicitly over SSL (Secure Sockets Layer), runs over an encrypted port [.rt-script]21[.rt-script]. It uses SSL/TLS (Transport Layer Security) for additional security.
Other types of data transfer protocols include the following:
- NBT is the NetBIOS over TCP/IP protocol that is typically in use for intranet on Microsoft Systems. NBT provides shared resource discovery rather than file transfer and uses ports [.rt-script]137[.rt-script], [.rt-script]138[.rt-script], and [.rt-script]139[.rt-script].
- NNTP, which stands for Network News Transfer Protocol, transfers news articles and primarily uses port [.rt-script]119[.rt-script], though it may also use ports [.rt-script]443[.rt-script] and [.rt-script]563[.rt-script].
- Rsync, which stands for remote sync, is a Linux-based bidirectional transfer protocol that can copy locally to or from a remote shell. It uses port [.rt-script]22[.rt-script] if connecting over SSH or port [.rt-script]873[.rt-script] when using the [.rt-script]rsync[.rt-script] daemon.
- SCP, which stands for Secure Copy Protocol, is based on SSH and uses SSH security measures to communicate between a local host and a remote host or between two remote hosts. It uses port [.rt-script]22[.rt-script], which is the default port for SSH.
- SMB, the Server Message Block protocol, provides file and printer sharing between networked computers on ports [.rt-script]139[.rt-script] and [.rt-script]445[.rt-script].
- SMTP, which stands for Simple Mail Transfer Protocol, is an email transmission protocol that typically runs on port [.rt-script]587[.rt-script] or [.rt-script]465[.rt-script], with port [.rt-script]587[.rt-script] offering encryption. SMTP originally ran on port [.rt-script]25[.rt-script] and some installations still use this port.
Each of these protocols varies in its exact functionality. Depending on the type of protocol and which port is in use, you may need to apply additional security measures to protect your communication channels.
File Transfer Port Exposure Risks
Because each of these file transfer protocols operates over a port, securing those ports is an important protection task. A recommended practice is to close unnecessary ports and limit transfer over internal networks or a VPN to prevent public traffic interception. Communication protocols provide the mechanism for data transfer, but you as the end-user need to determine what precautions to implement for secure file transfer.
You can use a continuous monitoring tool like UpGuard BreachSight to automate your cybersecurity risk monitoring. BreachSight automation identifies vulnerabilities in your external attack surface and other risks impacting your domains. UpGuard scans for the default ports used by file transfer protocols, and we notify users if their ports are publicly accessible:
- 'FTP' port open
- 'FTP (Anonymous)' port open
- 'netbios' port open
- 'Network News' port open
- 'RSYNCD' port open
- 'Samba' port open
- 'SMTP' port open
If you receive the 'FTP' port open or 'FTP (Anonymous)' port open findings, then you know that the port is exposed to the public internet. In most circumstances, port [.rt-script]21[.rt-script] is exposed, though we also identify other ports in use with FTP. Because most FTP installations are on the default port, file transfer with FTP is easy to discover and intercept as plain-text data. Update from FTP to an encrypted method (SFTP, FTSP, or FTPES) to protect data in transit, and switch to file transfer over intranet or with a VPN for additional security.
Because NetBIOS is a legacy system with known weaknesses, maintaining its usage can result in attacks on your system. The 'netbios' port open finding identifies whether NetBIOS ports ([.rt-script]137[.rt-script], [.rt-script]138[.rt-script], and [.rt-script]139[.rt-script]) are publicly accessible. If your organization still uses NetBIOS to support applications, traffic should be limited to internal networks and VPNs, with any public traffic closed.
The 'Network News' port open finding identifies that you have an exposed port through which NNTP distributes and retrieves new articles. To prevent unauthorized access to sensitive data or the possibility that an attacker could distribute malware through that open port, close the NNTP port by blocking traffic on port [.rt-script]119[.rt-script] unless it is required for your organization.
Like FTP, use of [.rt-script]rsync[.rt-script] for data transfer should be limited to internal networks and VPNs. The 'RSYNCD' port open finding informs you that port [.rt-script]873[.rt-script] is publicly accessible, which means that the plain text or clear text data transferred with rsync could be intercepted by an attacker. Because [.rt-script]rsync[.rt-script] does not provide encryption or require user authentication, any file sharing should be limited to VPNs and internal networks. You can set additional restrictions to require SSH connections, limit access to specified IP addresses, and enable user authentication.
Samba is the open-source implementation of SMB and can function as a replacement for ActiveDirectory on Linux systems. SMB uses port [.rt-script]445[.rt-script] by default, and the 'Samba' port open finding notifies you that port [.rt-script]445[.rt-script] is exposed. SMB does not provide traffic encryption, so any use should be limited to internal networks and VPNs.
If you receive the 'SMTP' port open finding, you will be notified which exposed port is running the SMTP service. SMTP does not provide encryption or require authentication, which makes an SMTP server a target for data exfiltration attacks. Configuring your SMTP server to require authentication with encryption can protect your domain from use as a spam server that could lead your domain being added to a denylist for email.
With continuous monitoring from UpGuard BreachSight, you don't need to assess your exposed ports manually. BreachSight will scan your assets to identify exposed ports and notify you of the finding.
UpGuard Helps You Identify Port Exposures
Current UpGuard users can log in and access their Risk Profile in BreachSight to assess whether any of the file transfer findings referenced in this article are impacting your organization's assets. You can also review other potential exposures, including database ports, WordPress plugins, and LDAP ports.
If you're not a current UpGuard user and you want to review your public-facing assets for these findings and more, sign up for a trial.
How to Mitigate Exposure Risks due to File Transfer
Any port that is open to the public internet can be an attack vector that a malicious attacker might use to interrupt business operations. To prevent data interception and exfiltration, you can implement the following security measures that limit your port exposure in connection to file transfer needs:
- Close all ports that do not need to be open for business purposes.
- Update all software regularly and ensure that any known vulnerabilities are patched.
- Use firewalls and endpoint protection to limit unauthorized traffic.
- Implements virtual private networks (VPNs) to provide an authorized tunnel for all data transfer purposes, and make sure your file transfer software shares compatibility with the VPN.
- Require authentication credentials for data transfer.
- If using [.rt-script]rsync[.rt-script], secure the [.rt-script]rsync[.rt-script] daemon.
