Trying to open Port 21 on my router.

Appreciate any thoughts on this.

I have a website which I run from a server in my home. I use a domestic style router provided by Plusnet who are the ISP.

I can open Port 80 without any issues via Port Forwarding, which allows my website to be viewed on the web.

However when I try to open Port 21 via Port Forwarding to administer the site via FTP it is blocked.

I have disabled all firewalls, both on my Mac and on the router itself. I've also tried placing the router into DMZ mode, but to no avail.


I'm wondering if it may be blocked as part of the ISPs security policy. I have asked them, but no answer.


Any help welcome.

MM
 

You sometimes have to open TCP 20 as well as TCP 21 for FTP. Data on one and Auth on the other.
Depends on the FTP server and is rarely obvious in any of the config so just open TCP 20 as well as TCP 21 and see if it works.
 
You really don't want Port 21 open, I suggest.

It is the designated port for the File Transfer Protocol as you say, which is insecure, and a fast win for unskilled l33t hax0rs
 
> You really don't want Port 21 open, I suggest.
>
> It is the designated port for the File Transfer Protocol as you say, which is insecure, and a fast win for unskilled l33t hax0rs
Typical sysadmin response, that. Let him see if he can get the rules right first and run the server on a different port after. Better still, just use ssh instead.
 
> You sometimes have to open TCP 20 as well as TCP 21 for FTP. Data on one and Auth on the other.
> Depends on the FTP server and is rarely obvious in any of the config so just open TCP 20 as well as TCP 21 and see if it works.
Thanks, will give it a try.
MM
 
> You really don't want Port 21 open, I suggest.
>
> It is the designated port for the File Transfer Protocol as you say, which is insecure, and a fast win for unskilled l33t hax0rs
Thanks for the heads up. Only planning to open it for a minute or so to upload some files.
 
No worries mate.

From memory, the recommended mitigation is to use SFTP over the Secure Shell Protocol, which runs on Port 22.

(Thank You Sec + !)

I would caution people though, that if I can run a simple Shodan query others will automate it. There were 162k open port 21 connections when I scanned, I didn't start checking for no authentication. Bet my evil twin is!
[attached image: Capture.JPG, screenshot of the Shodan query results]
 
> Typical sysadmin response, that. Let him see if he can get the rules right first and run the server on a different port after. Better still, just use ssh instead.

You know, out of all the stuff that is said about me on this site - that is the nicest that I get mistaken for a SysAdmin!

Thanks so much!

I'm off to do some subnet masking.

 
Is anyone who is knowledgeable about such things able to explain to me what a port is/does? I realise that ports are assigned (very often automatically) but what are they and why would you want to change it?
 
> Is anyone who is knowledgeable about such things able to explain to me what a port is/does? I realise that ports are assigned (very often automatically) but what are they and why would you want to change it?

There are 65,535 ports (thank you Network +)

They get chopped up into "well known ones", which you have to memorise for certifications (only 40 or so).

The malicious need them to scan and work out how to break in (which is why my ears pricked up on Port 21 as a question). You scan to find open ports on your target, and try all the simple ones first, depending on how much noise you want to make or how aggressive you feel like being.

(This is, of course, illegal).

Ultimately and correctly, you need the ports to run protocols to ensure that what you want to do works and can reach out from your computer and network to the net. The ports are "logical", in that they don't exist physically (like something you can plug in), but they are very important to ensure the correct routing of internet traffic.

You can send over alternative ports, probably as an obfuscation technique, but then you are starting to run the risk of being identified and blocked as abnormal behaviour by your sysadmin, who will be curious why you are doing this.

Some ports are well known for abusive programs and so are probably blocked as standard. For example, Cobalt Strike runs on port 50,050 (when used properly!)

Given that this is the really popular abused program right now for ransomware attackers, they would most likely attempt to run that over another port to get it in your system.

I cannot think of a reason why you'd want to run a protocol on a non-standard port, as this would likely cause an alert to fire due to abnormal behaviour on firewalls or security monitoring.

Don't know if anyone else has a good idea?
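The "scan to find open ports" step from the post above, as an added example that is not part of the thread: a plain TCP connect() scan, pointed only at 127.0.0.1 and at a listener the script starts itself (the port numbers and the width of the scanned range are therefore arbitrary). It classifies each port the way a connect scan can: a completed handshake means open, a refused connection means closed, and silence means something is dropping the packets.

```python
import errno
import socket

# Added example, not code from the thread: a TCP connect() scan against
# loopback only. It listens on a port it picks itself, then probes a small
# range around that port and classifies each one.


def start_listener(host="127.0.0.1", port=0):
    """Bind a TCP listener; port=0 lets the kernel pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def probe(host, port, timeout=0.5):
    """One connect() probe against host:port.

    open     - the three-way handshake completed, so something is listening.
               The connection is now in the target's logs, which is why
               connect scans are the noisy option.
    closed   - the host answered with RST (ECONNREFUSED): reachable, nothing listening.
    filtered - no answer before the timeout: a firewall is dropping the SYN.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "closed"
        return "filtered"
    finally:
        s.close()


def connect_scan(host, ports):
    """Return {port: state} for every port in the iterable."""
    return {p: probe(host, p) for p in ports}


def demo(width=3):
    """Start a listener, scan the ports around it, return (listener_port, results)."""
    srv = start_listener()
    port = srv.getsockname()[1]
    try:
        results = connect_scan("127.0.0.1", range(port - width, port + width + 1))
    finally:
        srv.close()
    return port, results


if __name__ == "__main__":
    listener_port, results = demo()
    for p, state in sorted(results.items()):
        marker = "  <- our listener" if p == listener_port else ""
        print(f"127.0.0.1:{p:<6} {state}{marker}")
```

On a host with a firewall that drops rather than rejects, the "closed" ports would come back as "filtered" instead, which is exactly the difference the original poster saw between port 80 (answered) and port 21 (silence).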
 
To upload files? You don't need to do anything. FFS don't run your computer and router with them turned off.

It'd be the cyber equivalent of shagging a Kenyan whore bareback.
 
> However when I try to open Port 21 via Port Forwarding to administer the site via FTP it is blocked.
FTP is the world's worst protocol at a technical level. As well as using ports 20 and 21 it also, depending on the mode, uses a random port. This makes it an absolute pain for firewalls.

It's also completely unencrypted and passes credentials in plain text.

This is not much help, but if you have another option rather than FTP, use it.
 
> Is anyone who is knowledgeable about such things able to explain to me what a port is/does? I realise that ports are assigned (very often automatically) but what are they and why would you want to change it?
Just to add to Boumer's post - basically a port is a software construct (it's just numbers in the network header [information] packet). A connection consists of the Server IP + port and the Client IP + port - this makes a unique combination - no two connections have the same information.

The server port is usually fixed ("well-known" in terminology, and usually less than 1000) and the client port is randomly assigned (and above 1000) - there are exceptions as with anything.
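The four-tuple described in the post above, as an added example that is not part of the thread: one loopback server with a kernel-chosen port, several loopback clients, and the (client IP, client port, server IP, server port) combination that keeps the connections apart. The second function shows why server ports tend to be the fixed, low ones: on Unix, binding below 1024 needs root or CAP_NET_BIND_SERVICE, so what it returns depends on the user running it.

```python
import errno
import socket

# Added example, not code from the thread: real sockets on 127.0.0.1 showing
# that every connection is a distinct (client ip, client port, server ip,
# server port) tuple even though the server side never changes.


def four_tuple_demo(n_clients=4):
    """Connect n clients to one server socket; return (server_port, list of four-tuples)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: the kernel picks a free server port
    srv.listen(n_clients)
    server_addr = srv.getsockname()

    # Each client gets its own ephemeral source port from the kernel.
    clients = [socket.create_connection(server_addr) for _ in range(n_clients)]

    accepted, tuples = [], []
    for _ in range(n_clients):
        conn, peer = srv.accept()         # peer = (client_ip, client_port)
        local = conn.getsockname()        # (server_ip, server_port), identical every time
        accepted.append(conn)
        tuples.append((peer[0], peer[1], local[0], local[1]))

    for s in clients + accepted + [srv]:
        s.close()
    return server_addr[1], tuples


def privileged_bind_check(port):
    """Try to bind a well-known port on loopback.

    Returns 'bound', 'permission_denied' (non-root on a port below 1024) or
    'in_use' (some daemon already has it), so the result is environment-specific.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", port))
        return "bound"
    except PermissionError:
        return "permission_denied"
    except OSError as e:
        return "in_use" if e.errno == errno.EADDRINUSE else f"error:{e.errno}"
    finally:
        s.close()


if __name__ == "__main__":
    server_port, tuples = four_tuple_demo()
    print(f"server listening on 127.0.0.1:{server_port}")
    for c_ip, c_port, s_ip, s_port in tuples:
        print(f"  {c_ip}:{c_port:<6} -> {s_ip}:{s_port}")
    print("bind 127.0.0.1:21 as this user:", privileged_bind_check(21))
```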
 
> There are 65,535 ports (thank you Network +) [...]
I'm still not quite sure how they manifest themselves. Is a port like a dedicated channel or a wavelength?
 
As @Drazyl says, the port numbers help get stuff from and to.

This is an "internet packet" that gets routed around the net, and has a source and destination port to make sure that it gets from and to correctly.
[attached image: TCP header diagram, showing the source and destination port fields]
 
The issue with FTP is it has two modes, both broken:

Active FTP (doesn't work with anything):

Client connects to Server port 21
Client opens a random port (n)
Client tells Server this port
Server connects FROM port 20 to Client port (n)

Passive FTP (needs firewall snooping and co-operation)

Client connects to Server port 21
Client starts passive mode
Server opens a random port (n)
Client connects to Server port (n)

In active mode a new connection is opened to the client - this fails with 99% of situations where FTP might be used.

In passive mode, the server firewall needs to understand FTP and watch the actual commands being sent over port 21, notice the passive request, detect the response being sent back, and then open the new port on the firewall. If NAT is being used this gets even more complicated as it also has to correct the IP address being sent back.
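The two modes laid out in the post above, as an added example that is not part of the thread: a miniature FTP "application layer gateway", i.e. the snooping a firewall or NAT box has to do on the port-21 control channel to learn where the data connection will go, and the fix-up it has to apply to a PASV reply when the server behind NAT advertises its LAN address. The transcript, the private address 192.168.1.10 and the public address 203.0.113.5 are all constructed for the illustration.

```python
import re

# Added example, not code from the thread: parse FTP's PORT command and 227
# (PASV) reply, work out the one extra connection each implies, and rewrite
# the private address a NATed server puts inside its PASV reply.

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed control-channel transcript: one active transfer, one passive.
TRANSCRIPT = [
    ("C>S", "USER anonymous"),
    ("S>C", "331 Please specify the password."),
    ("C>S", "PASS x"),
    ("S>C", "230 Login successful."),
    ("C>S", "PORT 192,168,0,2,4,1"),        # active: client opened port 4*256+1 = 1025
    ("S>C", "200 PORT command successful."),
    ("C>S", "LIST"),
    ("S>C", "150 Here comes the directory listing."),
    ("C>S", "PASV"),
    ("S>C", "227 Entering Passive Mode (192,168,1,10,195,81)."),  # server's LAN address!
    ("C>S", "RETR index.html"),
    ("S>C", "150 Opening BINARY mode data connection."),
]


def decode_hostport(h1, h2, h3, h4, p1, p2):
    """FTP's h1,h2,h3,h4,p1,p2 form -> ('h1.h2.h3.h4', p1*256 + p2)."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def encode_hostport(ip, port):
    """Inverse of decode_hostport: ('1.2.3.4', 1025) -> '1,2,3,4,4,1'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def ftp_alg(transcript, server_private_ip, server_public_ip):
    """Walk (direction, line) pairs from the control channel.

    Returns (rewritten transcript, pinholes). Each pinhole is the single
    data-channel connection the firewall must allow because of that line.
    """
    out, pinholes = [], []
    for direction, line in transcript:
        if direction == "C>S":
            m = PORT_RE.match(line)
            if m:   # active mode: the SERVER will dial out from port 20 to the client
                ip, port = decode_hostport(*m.groups())
                pinholes.append({"mode": "active",
                                 "src": (server_private_ip, 20),
                                 "dst": (ip, port)})
        else:
            m = PASV_RE.match(line)
            if m:   # passive mode: the CLIENT will dial in to a random server port
                ip, port = decode_hostport(*m.groups())
                if ip == server_private_ip:
                    # NAT fix-up: swap the LAN address for the public one, keep the port.
                    line = line.replace(",".join(m.groups()),
                                        encode_hostport(server_public_ip, port))
                    ip = server_public_ip
                pinholes.append({"mode": "passive",
                                 "src": ("client", "*"),
                                 "dst": (ip, port)})
        out.append((direction, line))
    return out, pinholes


if __name__ == "__main__":
    rewritten, holes = ftp_alg(TRANSCRIPT, "192.168.1.10", "203.0.113.5")
    for direction, line in rewritten:
        print(direction, line)
    for h in holes:
        print(f"{h['mode']:>7}: allow {h['src']} -> {h['dst']}")
```

Two caveats a practitioner should keep in mind: the same parsing is needed for EPRT/EPSV (the IPv6-capable forms), and if the control channel is TLS-encrypted (FTPS) the firewall cannot read it at all, so passive-mode pinholes can no longer be opened on demand. SFTP sidesteps the whole problem because everything travels over the one SSH connection on port 22.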
 
@MrMemory - how old is the Mac? Specifically its OS.

For good reason, as outlined above, Apple disabled FTP in macOS some years ago. I can't remember how long, but it was at least 3 or 4 releases ago.

It was possible to re-enable it (at least back then), but when I tried that at the time, it was incredibly difficult/PITA, because you had to turn off all manner of security policies, and then all the features (eg iCloud) that depend on those policies being enabled weren't available. It was much easier to find an alternative to FTP. The device I was trying to FTP from did not support SFTP at the time, but it did not too long afterward...

ETA: now I think back, they shitcanned telnet at the same time. May have been telnet that was more troublesome to re-instate. Right pain in the arrse that was. The Unix processes on the products I was working with had debug ports, so you could telnet right into the individual processes, and get a read-out of what was happening. Not that big a deal since it was possible to ssh to the device and then from within the device, telnet to the process, but it was much easier (if less secure) previously.

Upshot is, I'd be checking that the Mac has ftp to begin with.
 
> I'm still not quite sure how they manifest themselves. Is a port like a dedicated channel or a wavelength?
I will attempt to explain this in plain English instead of geek gibberish. To connect to a server you need an IP address, which is the address of the server computer. Once you get to the right server you need a port number to tell the operating system which server program it is that you want to talk to.

So suppose you want to go to visit a business located in a large office tower.
  • IP address = office building address.
  • port number = office number in the building.
You need both to get to the right place.
 
> Thanks for the heads up. Only planning to open it for a minute or so to upload some files.
Use an ssh server instead of FTP. You should be able to find an OpenSSH server for free.

At the client install an ssh client, if it doesn't already have one. Then use the "scp" command to upload or download files. This is pretty much the standard way of doing these things these days.
 