How to Change FTP Port in Linux?

FTP (File Transfer Protocol) is a standard network protocol used to transfer files between hosts over a TCP-based network. In Linux systems, FTP servers typically run on port 21 by default. However, changing this default port is a common security practice that makes it harder for attackers to discover and target your FTP service.

Understanding the Default FTP Port

The default FTP port is 21, assigned by the Internet Assigned Numbers Authority (IANA). This port is well-known and widely recognized, making FTP services easily discoverable by both legitimate users and potential attackers.

Security Risks of Default Port 21

Using the default port poses several security risks:

  • Port scanning: Attackers commonly scan for open port 21 to identify FTP services

  • Brute-force attacks: Automated tools target known ports with dictionary attacks

  • Vulnerability exploitation: Malicious actors exploit known FTP vulnerabilities on standard ports

Benefits of Changing the FTP Port

Changing to a non-standard port provides security through obscurity:

  • Reduces automated scanning effectiveness

  • Limits access to users who know the custom port

  • Decreases unauthorized connection attempts

Step-by-Step Port Change Process

Prerequisites

Before proceeding, ensure you have:

  • Root or sudo access to the Linux system

  • vsftpd or another FTP daemon installed

  • Basic knowledge of text editors like nano or vim

Changing vsftpd Configuration

Step 1: Open the terminal using Ctrl+Alt+T or through the applications menu.

Step 2: Edit the vsftpd configuration file:

sudo nano /etc/vsftpd.conf

Step 3: Find and modify the port setting. Look for the line:

#listen_port=21

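Uncomment the line and change it to your desired port (e.g., 2121). If the file contains no listen_port line, add one; the setting applies when vsftpd runs in standalone mode: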

listen_port=2121

Step 4: Save the file and exit the editor (Ctrl+X in nano, then Y to confirm).

Restarting and Verifying the Service

Step 5: Restart the vsftpd service:

sudo systemctl restart vsftpd

Step 6: Verify the new value is present in the configuration file:

sudo grep listen_port /etc/vsftpd.conf

Step 7: Check if the service is listening on the new port:

sudo netstat -tlnp | grep :2121
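
Steps 2 to 4 as a repeatable shell function, added here as an example (it is not part of the original article or of vsftpd). The helper names valid_port and set_listen_port are hypothetical; the function validates the port against the 1024-65535 range, keeps a backup, and leaves exactly one listen_port line whether the original was commented out, missing, or duplicated.

```shell
#!/bin/sh
# Added example: hypothetical helpers for setting listen_port in a
# vsftpd-style config file. Nothing runs until a function is called.

# valid_port PORT: succeed only for a plain integer in 1024-65535.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, leading zero, or non-digit
    esac
    # Length check first so huge digit strings never reach integer tests.
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# set_listen_port FILE PORT: rewrite FILE so it has one active
# listen_port=PORT line. A backup is written to FILE.bak first.
set_listen_port() {
    conf=$1
    port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 3; }
    cp -p "$conf" "$conf.bak" || return 4
    tmp=$(mktemp) || return 4
    # Replace the first listen_port line (commented or not) in place,
    # drop any later ones, and append the setting if none existed.
    awk -v p="$port" '
        /^[ \t]*#?[ \t]*listen_port[ \t]*=/ {
            if (!seen) { print "listen_port=" p; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print "listen_port=" p }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 5; }
    # Write through the existing file so its owner and mode are kept.
    cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root), followed by the restart from Step 5:
#   set_listen_port /etc/vsftpd.conf 2121 && systemctl restart vsftpd
```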

Firewall Configuration

After changing the port, update your firewall rules to allow traffic on the new port:

For UFW (Ubuntu):

sudo ufw allow 2121/tcp
sudo ufw reload

For iptables:

sudo iptables -A INPUT -p tcp --dport 2121 -j ACCEPT
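sudo iptables-save

Note that iptables-save only prints the current rule set to standard output; to keep the rule across reboots, redirect that output to the rules file your distribution restores at boot. Because -A appends the rule to the end of the INPUT chain, it has no effect if an earlier rule already drops or rejects the traffic.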

Common Issues and Troubleshooting

Issue               | Cause                          | Solution
Connection refused  | Firewall blocking new port     | Update firewall rules to allow new port
Service won't start | Configuration syntax error     | Check config file for typos or invalid settings
Port already in use | Another service using the port | Choose a different port or stop conflicting service

Troubleshooting Commands

Check service status:

sudo systemctl status vsftpd

View service logs for errors:

sudo journalctl -u vsftpd

Test FTP connection on new port:

ftp localhost 2121

Best Practices

  • Choose ports between 1024-65535 to avoid conflicts with system services

  • Document port changes for team members and administrators

  • Update any scripts or applications that connect to your FTP server

  • Consider using SFTP instead of FTP for better security

Conclusion

Changing the default FTP port from 21 to a custom port enhances security by reducing automated attacks and unauthorized access attempts. The process involves editing the vsftpd configuration file, updating firewall rules, and verifying the changes. While this provides security through obscurity, it should be combined with other security measures like strong authentication and regular updates.

Updated on: 2026-03-17T09:01:39+05:30
