Reference · medium severity

Port 21 · FTP

FTP on port 21 sends both control commands and data in plaintext. SFTP or FTPS replaces it for any modern use case.

What runs on port 21

FTP is a 1971-vintage file-transfer protocol. The control connection listens on TCP/21 by default; data connections are negotiated dynamically (active or passive mode). The protocol is unencrypted: credentials and file contents are visible to network observers.

Why public exposure is dangerous

Plaintext credentials are the immediate risk. Beyond that, FTP servers are common brute-force targets and have a long history of exploitable parsing vulnerabilities (vsftpd, ProFTPD and Pure-FTPd have all had remote code execution CVEs over the years). 'Anonymous FTP' configurations with writable directories are repurposed by attackers as malware-distribution staging.

How to lock it down

Replace FTP with SFTP (over SSH on port 22) or FTPS (FTP wrapped in TLS, usually port 990). Both encrypt credentials and data. If FTP must remain for a legacy client, restrict it via host firewall to specific source IPs and ensure no anonymous write access.
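For a server that has to stay, the two checks above (no anonymous write access, no plaintext logins) can be read straight from its configuration. The following is an added example, not code from this page or from vsftpd: it assumes the server is vsftpd, uses option names and defaults from the vsftpd.conf man page, and the function names and both sample configurations are constructed for illustration.

```python
# Added example (not DomainCare or vsftpd code). Option names and built-in
# defaults follow the vsftpd.conf man page; both sample configs are constructed.
DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO", "ssl_enable": "NO",
            "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
            "anon_other_write_enable": "NO",
            "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES"}
ANON_WRITE = ("anon_upload_enable", "anon_mkdir_write_enable",
              "anon_other_write_enable")
TRUTHY = {"YES", "TRUE", "1"}  # boolean values treated as "on"

WEAK = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
HARDENED = ("# legacy client only\nanonymous_enable=NO\nwrite_enable=YES\n"
            "ssl_enable=YES\nforce_local_logins_ssl=YES\n"
            "force_local_data_ssl=YES\n")


def parse_conf(text):
    """Effective settings: built-in defaults overridden by option=value lines."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().upper()
    return conf


def audit(text):
    """Return sorted finding ids for one vsftpd.conf given as text."""
    conf = parse_conf(text)
    on = lambda key: conf.get(key) in TRUTHY
    findings = []
    if on("anonymous_enable"):
        findings.append("anonymous-login")
        # Anonymous writes need the global write switch plus an anon_* switch.
        if on("write_enable") and any(on(opt) for opt in ANON_WRITE):
            findings.append("anonymous-write")
    if not on("ssl_enable"):
        findings.append("plaintext-control-and-data")
    else:
        if not on("force_local_logins_ssl"):
            findings.append("plaintext-login-allowed")
        if not on("force_local_data_ssl"):
            findings.append("plaintext-data-allowed")
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

An empty configuration is also flagged, because vsftpd's built-in defaults permit anonymous login and leave TLS off. The source-IP restriction lives in the host firewall and is outside what this check reads.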

When public exposure is legitimate

None for greenfield deployments. Some legacy industrial systems and academic file servers still run FTP; the path forward is migration, not preservation.

Other ports DomainCare scans

  • :3306 MySQL: MySQL listens on port 3306 by default. Public exposure is a critical data-leak risk.
  • :5432 PostgreSQL: PostgreSQL listens on port 5432 by default. Public exposure is a critical data-leak risk equivalent to MySQL.
  • :6379 Redis: Redis listens on port 6379 by default. Public exposure historically allows unauthenticated arbitrary code execution.
  • :27017 MongoDB: MongoDB listens on port 27017 by default. Historically responsible for the largest single data-leak class: pre-3.0 builds shipped without authentication enabled.