TCP File Transfer

Port 989 (FTPS Data)

Learn about port 989 (FTPS Data) - security risks, vulnerabilities, and common uses. Find devices with port 989 open.

Quick Info

Port Number

989

Protocol

TCP

Service

FTPS Data

IANA Name

FTPS Data

Service Description

Port 989 (TCP) is traditionally associated with FTPS (FTP Secure) Data connections when using explicit SSL/TLS encryption. Unlike standard FTP which transmits data and control commands in the clear, FTPS encrypts these communications to protect sensitive information like usernames, passwords, and file contents from eavesdropping. Specifically, port 989 is the default port for the *data* connection when FTPS is operating in explicit mode and using a dedicated data channel. The control connection, which handles commands and authentication, typically uses port 990 (FTPS Control). The protocol operates by establishing an initial connection on port 990, negotiating the security parameters (cipher suites, etc.), and then establishing a separate data connection on port 989 for actual file transfers. This 'active' data connection is initiated by the server towards the client. The client must be prepared to accept incoming connections on this port, which can pose challenges with firewalls and NAT configurations. Passive mode FTPS, which is more firewall-friendly, generally uses dynamically assigned ports for data transfers instead of the fixed port 989.

## Firewall Recommendations

Blocking port 989 is advisable if FTPS is not required on the network. If FTPS is necessary, ensure that only authorized users and systems are permitted to access the port. Employ strong authentication mechanisms, such as requiring strong passwords or using client certificates. Regularly update the FTPS server software to patch known vulnerabilities. If using active mode FTPS, carefully configure the firewall to allow incoming connections on port 989 from the FTPS server, considering the client's IP address if possible. Passive mode FTPS is generally preferred as it simplifies firewall configuration, but requires a range of ports to be opened. Monitor FTPS server logs for suspicious activity, such as failed login attempts or unusual file transfers.

Security Information

While FTPS provides encryption, its implementation can be vulnerable. Weak cipher suites can be susceptible to downgrade attacks, allowing attackers to intercept and decrypt communications. Misconfiguration, such as allowing anonymous access or using default credentials, is a common vulnerability. Additionally, the complexity of handling active and passive mode FTPS, especially with NAT and firewalls, can introduce security gaps. Attackers might target this port to attempt man-in-the-middle attacks, brute-force login attempts, or exploit vulnerabilities in the underlying FTP server software. The use of outdated FTPS server software can expose the system to known exploits. Furthermore, a misconfigured firewall or overly permissive rules can allow unauthorized access to the FTPS server's data.

Known Vulnerabilities

CVE	Name	Severity	Description
CVE-2017-1000366	ProFTPD mod_copy vulnerability	High	ProFTPD versions before 1.3.5b and 1.3.6 before 1.3.6rc4 are vulnerable to a malicious mod_copy command execution. An unauthenticated attacker can leverage the mod_copy module to copy files to locations outside of the intended directory.
CVE-2019-13118	vsftpd 3.0.2 Backdoor Command Execution	Critical	vsftpd 3.0.2 contains a backdoor command execution vulnerability. A malicious user can send a specific username and password combination to execute arbitrary commands on the server.
CVE-2011-2526	OpenSSL Padding Oracle Vulnerability	Medium	OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, and 1.0.1 before 1.0.1c does not properly handle padding during CBC decryption, which allows man-in-the-middle attackers to obtain sensitive information via a padding oracle attack.