Vsftpd Change Port Number

I was wondering how I can modify the default port number of vsftpd.

I thought I would find the existing port would be 21, but it’s 20. Funny thing is that my FTP client (Filezilla FTP Client) is definitely reaching into vsftpd on 21.

If I change the FTP port in vsftpd to something like 2222, and I modify the Filezilla setting accordingly, I’m not able to connect.

Have I missed a trick here?

Cheers, Geoff.

Port 21 (command channel)
Port 20 (data channel)

I think there’s a slight misconception that FTP runs on port 21, when it uses two ports.

OSMC uses active mode. You could always fall back to passive FTP if you only want to open two ports.

Thanks. So if I would like to use active mode, would I then, for example:

  • Change vsftp port to say, 9999 from 20 (Data)
  • Leave Filezilla port at 21 (command)

Then Filezilla would presumably send commands (requests) via 21, then expect the data (file) back on 9999.

Sounds feasible if I’m correct, however doesn’t sound like a good approach to hiding my ftp server by changing from default data port (20), as if I understand correctly, bad actors could then still connect on expected port 21?

I suppose what I’m asking is what is the best configuration to configure for vsFTPd by obfuscating the obvious port to the obscure?

Cheers, Geoff.

FTP is inherently insecure

If you don’t want ‘bad actors’, don’t use FTP. Changing port # implies obscurity will help.

If you are wanting to do this because you are exposing your Pi to the outside world you probably want to see if your router supports port address translation, that way the exposed port could be something weird but the internal stuff is untouched.

Or

Forget FTP altogether and instead look at SFTP which uses the SSH mechanism. There are already other posts about changing the port of SSH although you could also use port address translation here too.

Or forget about any of that and use openvpn.
You should not directly expose the Pi to the internet; always have it behind a router.

Thanks, got NAT sorted, just trying to make it a bit more secure. Have changed creds, set to update automatically. Only a bunch of media on box. Not worried about man in middle; clear text ok… didn’t think about PAT. Will play around with SFTP. Thanks for suggestions… Geoff

It’s not only about what is on that box; once someone has FTP access to one box on your network, then you must consider every box on your network wide open to the internet.

I would really recommend you don’t open any insecure protocol to the internet, irrespective of any obfuscation.

Changing the port is pointless as modern scanning software will reveal all open ports.

1 Like
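
Added example (not part of the thread, and not vsftpd's own code): a small Python check that reads a vsftpd.conf and reports the ports discussed above, namely the command port (`listen_port`), the active-mode data source port (`ftp_data_port`), and the passive range. Option names and defaults are the ones documented in the vsftpd.conf man page; `port_report` and the sample configuration are constructed for illustration.

```python
# Added example: derive the TCP ports a vsftpd.conf implies (man-page defaults).
DEFAULTS = {
    "listen_port": "21",           # command channel
    "ftp_data_port": "20",         # source port of active-mode data connections
    "connect_from_port_20": "NO",
    "port_enable": "YES",          # active mode allowed
    "pasv_enable": "YES",          # passive mode allowed
    "pasv_min_port": "0",          # 0 = no lower bound
    "pasv_max_port": "0",          # 0 = no upper bound
    "ssl_enable": "NO",
}

def parse_conf(text):
    """Parse vsftpd's option=value lines; '#' starts a comment line."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def port_report(text):
    conf = parse_conf(text)
    on = lambda key: conf[key].upper() == "YES"
    report = {"control": int(conf["listen_port"]), "findings": []}
    if on("port_enable"):
        # Active mode: the server dials out to the client from this source port.
        src = int(conf["ftp_data_port"]) if on("connect_from_port_20") else "ephemeral"
        report["active_source"] = src
    if on("pasv_enable"):
        lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
        report["passive"] = (lo, hi)
        if lo == 0 or hi == 0:
            report["findings"].append("passive range unbounded; no fixed set of ports to forward")
    if not on("ssl_enable"):
        report["findings"].append("ssl_enable is off; logins and files cross the network in clear text")
    return report

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
listen_port=2222
connect_from_port_20=YES
pasv_min_port=40000
pasv_max_port=40010
"""

if __name__ == "__main__":
    print(port_report(SAMPLE_CONF))
```

The report separates the one port a client connects to for commands from the data ports, which is the distinction the first reply draws between 21 and 20.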