Active and passive are the two modes that FTP can run in. Active FTP is the earliest mode of FTP, although today most connections are made through Passive FTP. But what are Passive and Active FTP, and what are their differences? Which one is more secure and easier to set up? Here we have tried to answer all the common questions about Active vs Passive FTP. But let us start with the definitions in detail:
What is Active FTP?
Comparing FTP Active vs Passive, Active mode is the older method of FTP connection and comes with both upsides and downsides. Within an FTP connection, you have a client and a server. These two computers communicate over two ports: one is called the command port and the other is called the data port. The server and client have to agree on which port numbers they use to connect to each other. Here is roughly how active mode proceeds:
- The client uses a random port to send a command (PORT command) to the server’s port 21. This command tells the server which data port on the client-side it should connect to.
- The server uses port 20 to reach that port and establish a connection.
This process is called Active because the client is actively specifying the port number it prefers the server to connect to. In Active FTP, the server is the one initiating the data connection, following the command of the client. But what is Passive FTP?
What is Passive FTP?
Passive FTP is a newer FTP mode and is considered more secure and easier to work with. Similar to Active FTP, the client sends a command to the server’s port 21. But this time the client sends the PASV command. The server then decides which port it wants to receive the data through, and the client initiates the connection.
So it goes like this:
- The client uses a random port to send a command (PASV command) to port 21 of the server.
- The server answers by specifying the data port it wants to use (which is a random port).
- The client uses a random port to send the data to the server port that was identified.
Notice that the server’s data port is now also randomly chosen. So port 21 is still used in Passive FTP as the server’s command port, but the server’s data port is now random (rather than the fixed port 20 used in Active mode).
Also notice that the client is initiating both connections.
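The two negotiations above can be read directly off the command channel. The following is an added example, not code from this article: it decodes the argument of a PORT command and the server's reply to PASV, and reports who opens the data connection and to which port. The `227` reply code and the `h1,h2,h3,h4,p1,p2` encoding (port = p1 × 256 + p2) come from the FTP specification (RFC 959); the function names and the sample addresses are assumptions made for illustration.

```python
import re

def decode_endpoint(fields):
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port), where port = p1*256 + p2."""
    parts = fields.split(",")
    if len(parts) != 6 or not all(p.strip().isdigit() for p in parts):
        raise ValueError(f"expected six decimal fields, got {fields!r}")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError(f"field outside 0-255 in {fields!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connection(line, client_ip, server_ip):
    """Describe the data connection that one command-channel line sets up.

    Returns (mode, initiator, source_ip, dest_ip, dest_port), or None when
    the line does not negotiate a data port.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        # Active: the client names its own listening port; the server
        # then connects to it (from its port 20).
        ip, port = decode_endpoint(line[5:])
        return ("active", "server", server_ip, ip, port)
    match = re.match(r"227 .*?\((\d+(?:,\d+)*)\)", line)
    if match:
        # Passive: the server names its listening port; the client
        # then connects to it.
        ip, port = decode_endpoint(match.group(1))
        return ("passive", "client", client_ip, ip, port)
    return None

# Constructed command-channel lines (documentation addresses, not a capture).
SAMPLE = [
    "USER demo",
    "PORT 192,0,2,10,195,80",                             # sent by the client
    "227 Entering Passive Mode (198,51,100,5,195,149).",  # sent by the server
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(sample_line, "->",
              data_connection(sample_line, "192.0.2.10", "198.51.100.5"))
```

Both messages travel on the command channel, so anything that can read that channel also learns the negotiated data port.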
Difference between FTP Active vs Passive
As we mentioned, the major difference is the fact that in Active FTP, the server initiates the data connection, whilst in Passive FTP it’s the client that initiates the data connection. This results in a couple of changes that are important for the security and convenience of your data transfer. In the following
Active FTP vs Passive FTP in security
Active FTP always uses ports 21 (command) and 20 (data) to transfer information. This means that if someone sets out to hack your network, they already know which ports to target.
In Passive FTP the data port on the server-side is random. So although you will still use Port 21 for command, the actual transfer is harder to intercept.
On the other hand, to use the Passive mode the server needs more ports open, as the data port will be random this time. This may create some vulnerabilities for the server. Server admins usually limit the range of open ports to limit the chances of a possible attacker.
Active FTP vs Passive FTP in firewall issues
As you know, firewalls can be a problem when it comes to a network connection. Their job is to block any connection attempt from unknown ports. This problem is more serious with the client firewall, as the server’s firewall is expecting more advances from unknown ports.
In Active FTP, the client is receiving a connection from the server through a random port. So the client’s firewall may block the connection.
In Passive FTP, the client is initiating both connections. So it is easier to pass through the client’s firewall without a problem. The server’s firewall can still cause a problem because its data port is random this time. But it usually is a smaller issue as the server firewall is already set to receive more unknown connections than the client’s computer.
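The firewall behaviour described in this section can be worked through with a small model. This is an added example, not code from this article: it lists the connections each mode opens and checks every one against the inbound allow-list of the side that receives it. The port ranges and function names are assumptions, and the model is a plain stateless port filter with no FTP-aware connection tracking.

```python
def transfer_connections(mode, client_data_port, server_data_port):
    """List (initiator, destination_port, channel) for one FTP transfer."""
    conns = [("client", 21, "command")]          # identical in both modes
    if mode == "active":
        # The server connects to the port the client announced with PORT.
        conns.append(("server", client_data_port, "data"))
    elif mode == "passive":
        # The client connects to the port the server announced after PASV.
        conns.append(("client", server_data_port, "data"))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return conns

def blocked_channels(conns, server_inbound, client_inbound):
    """Return the channels refused by the receiving side's firewall.

    Each allow-list is a list of inclusive (low, high) port ranges. A
    connection started by the client is judged by the server's list and
    a connection started by the server by the client's list.
    """
    refused = []
    for initiator, dst_port, channel in conns:
        allow = server_inbound if initiator == "client" else client_inbound
        if not any(low <= dst_port <= high for low, high in allow):
            refused.append(channel)
    return refused

# Constructed policies: the server admits port 21 plus a restricted passive
# range; the client admits no unsolicited inbound connections.
SERVER_INBOUND = [(21, 21), (50000, 50100)]
CLIENT_INBOUND = []

def check(mode, client_data_port=51515, server_data_port=50069):
    """Evaluate one transfer against the constructed policies above."""
    conns = transfer_connections(mode, client_data_port, server_data_port)
    return blocked_channels(conns, SERVER_INBOUND, CLIENT_INBOUND)

if __name__ == "__main__":
    print("active :", check("active"))
    print("passive:", check("passive"))
    print("passive, port outside range:", check("passive", server_data_port=40000))
```

The third case is the usual passive-mode failure: the server hands out a data port that its own firewall does not admit, so the server's passive port range and the firewall rule have to be kept identical.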
What are the command channels and data channels in FTP Active vs Passive?
To recap, the command channels and data channels go like this:
- In the Active mode, the client’s command and data port are both random. The server’s command channel is Port 21, and the server’s data channel is Port 20.
- In Passive mode, the client’s command and data port are both random. The server’s command channel is Port 21, and the server’s data channel is also random.
You can still use port 20 as your data channel in Passive mode if you want, or just limit the channel to a certain range.
Why use Active over Passive FTP?
Comparing FTP Active vs Passive, there are two major reasons why people may use Active FTP over Passive FTP. One is server security. Passive FTP needs a number of ports open through the firewall because the data port is chosen randomly. This makes identifying the port harder, but it also leaves lots of ports open for attack.
Another reason is that sometimes configuring the server firewall is difficult, or the firewall is out of your reach. So people switch to the active method to go through port 20, which is known to every firewall.
Changing FTP from Active to Passive
The way to change from Active FTP to Passive FTP depends on the software you use.
To change FTP from Active to Passive on FileZilla, you can take the steps below:
- Open FileZilla.
- From the menu bar go to Edit > Settings.
- In the Settings window go to Connections, then FTP.
- Choose ‘Passive (recommended)’ from the Transfer Mode.
- Click on OK.
You can find the same kind of setting in every modern FTP client. Although, as we mentioned, you may run into issues with the server’s firewall in both cases and need to change.
Is Command Prompt FTP Active or Passive?
The Windows Command Prompt FTP client is Active and does not support Passive FTP. You can use WinSCP or other command-line clients to connect to your server through passive mode.
Is Windows 7 FTP server Active or Passive?
Windows 7 users can use services such as IIS to use Windows 7 as a server. To do so you need to enable IIS on Windows 7.
IIS supports active and passive and there is no need to enable either one. But you can configure the passive port range within IIS. To do so you can read this article.
Does a web browser use Passive or Active FTP?
Web browsers such as Chrome and IE use your operating system’s networking settings for using Active or Passive FTP. Normally Windows uses Passive FTP, as it is the most compatible mode.
To Enable/Disable Passive mode for web browsers, take the steps below:
- Press ‘WinKey + S’ for the Windows search to appear.
- Type in ‘Internet Options’ and click on it.
- In the Internet Properties window go to the ‘Advanced’ tab.
- Scroll down to the Browsing section.
- Check-mark the ‘Use Passive FTP (for firewall…’ option.
- Click OK.
Active and Passive FTP go through different steps to establish a connection, and each has its pros and cons. Choose the one that works best for you. In this article, we also answered some of the most common questions regarding Active and Passive FTP.