FTP NOTES : active vs passive vs ftp vs ftps vs ftpes
#####################################################
#####################################################

NOTE: All ports below are TCP

ACTIVE OR PASSIVE
#################

http://stackoverflow.com/questions/1699145/what-is-the-difference-between-active-and-passive-ftp

Active and passive are the two modes that FTP can run in. FTP uses two channels between client and server, the command channel and the data channel, which are actually separate TCP connections. The command channel is for commands and responses, the data channel is for actually transferring files. It’s a nifty way of sending commands to the server without having to wait for the current data transfer to finish.

In active mode, the client establishes the command channel (from client port X to server port 21(b)) but the server establishes the data channel (from server port 20(b) to client port Y, where Y has been supplied by the client).

In passive mode, the client establishes both channels. In that case, the server tells the client which port should be used for the data channel.

Passive mode is generally used in situations where the FTP server is not able to establish the data channel. One of the major reasons for this is network firewalls. While you may have a firewall rule which allows you to open up FTP channels to ftp.microsoft.com, Microsoft’s servers may not have the power to open up the data channel back through your firewall.

Passive mode solves this by opening up both types of channel from the client side. In order to make this hopefully clearer:

Active mode:
Client opens up command channel from client port 2000(a) to server port 21(b).
Client sends PORT 2001(a) to server and server acknowledges on command channel.
Server opens up data channel from server port 20(b) to client port 2001(a).
Client acknowledges on data channel.

Passive mode:
Client opens up command channel from client port 2000(a) to server port 21(b).
Client sends PASV to server on command channel.
Server sends back (on command channel) PORT 1234(a) after starting to listen on that port.
Client opens up data channel from client 2001(a) to server port 1234(a).
Server acknowledges on data channel.
At this point, the command and data channels are both open.

(a) Note that the selection of ports on the client side is up to the client, as the selection of the server data channel port in passive mode is up to the server.

(b) Further note that the use of port 20 and 21 is only a convention (although a strong one). There’s no absolute requirement that those ports be used although the client and server both have to agree on which ports are being used. I’ve seen implementations that try to hide from clients by using different ports (futile, in my opinion).

FIREWALL NOTES on PASSIVE (good for crossing the internet/WANs and for staying in the LAN): passive ports are usually set up as a range on the server, like 3000 to 4000 (or whatever the defaults are). The network admin should then port forward port 21 from the firewall to the FTP server (and also port 990 for FTPS/FTPES), and port forward ports 3000 to 4000 to the FTP server as well for the passive data connections.

FIREWALL NOTES on ACTIVE (only good for staying in the LAN; to cross a WAN the client's firewall needs a port forward): with active FTP, skip port forwarding the passive ports to the server (but still port forward 21 for normal FTP, and also 990 if you're using FTPS/FTPES), and instead port forward the data port at the client's firewall to the client PC (this is why active FTP is not used across WANs).

NOTE: across the internet use PASSIVE FTP; in the LAN use ACTIVE or PASSIVE FTP (it doesn't matter).
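The passive exchange above (PASV on the control channel, then the client opening the data channel) and the passive-range firewall rule, as an added example not taken from the notes: a toy client and server run on localhost with Python sockets. The 3000 to 4000 range, the sample file content and the 227 reply format (host bytes plus port as p1*256 + p2, per RFC 959) are this example's own assumptions; the client refuses any advertised port outside the range the firewall is supposed to forward.

```python
import re
import socket
import threading

PASSIVE_RANGE = range(3000, 4000)  # forwarded passive range from the notes (assumed config)
PAYLOAD = b"hello from the data channel\n"  # constructed sample file content

def pasv_reply(ip, port):
    # RFC 959 227 reply: host as h1,h2,h3,h4 and the port split into p1*256 + p2
    return f"227 Entering Passive Mode ({ip.replace('.', ',')},{port // 256},{port % 256})\r\n"

def parse_pasv_reply(line):
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if not m:
        raise ValueError("not a 227 reply: " + line.strip())
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def bind_in_range(host):
    for port in PASSIVE_RANGE:  # first free port inside the forwarded range
        try:
            return socket.create_server((host, port))
        except OSError:
            continue
    raise RuntimeError("passive range exhausted")

def toy_server(ctrl_listener):
    ctrl, _ = ctrl_listener.accept()
    with ctrl:
        ctrl.recv(64)  # the client's PASV command
        with bind_in_range("127.0.0.1") as data_listener:
            ctrl.sendall(pasv_reply("127.0.0.1", data_listener.getsockname()[1]).encode())
            data, _ = data_listener.accept()  # the client opens the data channel to us
            with data:
                data.sendall(PAYLOAD)

def passive_transfer():
    ctrl_listener = socket.create_server(("127.0.0.1", 0))  # ephemeral here; 21 on a real server
    threading.Thread(target=toy_server, args=(ctrl_listener,), daemon=True).start()
    with socket.create_connection(ctrl_listener.getsockname()) as ctrl:
        ctrl.sendall(b"PASV\r\n")
        ip, port = parse_pasv_reply(ctrl.recv(128).decode())
        if port not in PASSIVE_RANGE:  # the notes' firewall forwards nothing else
            raise RuntimeError(f"server advertised port {port} outside forwarded range")
        with socket.create_connection((ip, port)) as data:
            received = data.recv(1024)
    ctrl_listener.close()
    return ip, port, received
```

Calling passive_transfer() returns the advertised address and port plus the bytes that arrived over the data channel; a real server behind NAT must advertise its public address and a port inside the forwarded range or the client's data connection never arrives.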

FTP
####

KEYS and USERS: no keys, just local username and password database (can have it tied to system database)

NORMAL FTP: ftp://ip/ or ftp://username@hostname/ or ftp://username:password@hostname/

Control 21
Data 20 – in active mode
Passive 3000 to 4000 (or whatever range) – in passive mode

Example Client programs: FileZilla, ncftpget/ncftpput, lftp
Example Server programs: Filezilla server, proftpd

FTPS (FTP over SSL)
####################

Lots of info from: https://wiki.filezilla-project.org/SSL/TLS

KEYS and USERS: This requires setting up SSL certificates, plus a username and password database as well (that can be tied to the system user database but usually is separate)

IMPLICIT FTPS: ftps://ip/ or ftps://username@hostname/ or ftps://username:password@hostname/
EXPLICIT FTPS: ftpes://ip/ or ftpes://username@hostname/ or ftpes://username:password@hostname/

990 instead of 21 – FTPS (implicit – SSL only)
21 then 990 – FTPES (explicit – NORMAL then SSL)

NOTE: can tell filezilla to only accept FTP

Can also use ACTIVE and PASSIVE (use PASSIVE): because clients rarely have a port forward on their router for the incoming data connection from server port 20 (when speaking about remote servers), it's better for the client to establish both the CONTROL (21 or 990) and the DATA (the passive ports) connections.

Example Client programs: FileZilla, ftps/ftpes with lftp
Example Server programs: Filezilla, proftpd

—Client Setup—
For a client to connect to a server using SSL, then the host for that connection needs to be set to FTPS. In FileZilla client this means prefixing the host with “FTPES://” for “explicit” FTPS, or “FTPS://” for the legacy “implicit” FTPS.

—Explicit vs Implicit FTPS—
FTPS (SSL/TLS) is served up in two incompatible modes. If using explicit FTPS, the client connects to the normal FTP port and explicitly switches into secure (SSL/TLS) mode with “AUTH TLS”, whereas implicit FTPS is an older style service that assumes SSL/TLS mode right from the start of the connection (and normally listens on TCP port 990, rather than 21). In a FileZilla client this means prefixing the host with “FTPES://” to connect an “explicit” FTPS server, or “FTPS://” for the legacy “implicit” server (for which you will likely also need to set the port to 990).

SFTP
#####

KEYS and USERS: This doesn't require manually setting up SSH keys on the server as they are already set up; the connecting user is most often just asked for a password (it can be set to ask for a key file instead). This uses the system users (the same ones used for SSH).

Think of this as the SSH server's other mode: besides connecting and getting a prompt, you can also connect in and transfer files.

Port: 22 <- no other ports (everything goes through port 22)

NOTE: an SSH tunnel used to carry FTP is something completely different.
SFTP uses the sftp-server subsystem on the SSH server
openssh automatically installs and configures sftp-server by now

Example Client programs: WinSCP
Example Server programs: openssh/sshd

SCP
####

Uses SSH and port 22

KEYS and USERS: This doesn't require manually setting up SSH keys on the server as they are already set up; the connecting user is most often just asked for a password (it can be set to ask for a key file instead). This uses the system users (the same ones used for SSH).

Looks like SFTP if you launch it from WinSCP, but it's different: it uses the scp program over SSH (not sure how it gets the file list in its backend programming; maybe it just runs a remote “ls -l” on the remote machine via SSH to get the info it needs)

Example Client programs: WinSCP
Example Server programs: openssh/sshd
NOTE: when the SFTP option doesn't work with WinSCP, I usually select SCP instead and it works
