Modifying FTP Ports

It is easy to modify the Well Known Port Number for FTP. However, to allow FTP clients access to your site, keep the FTP server port number set at 21 for most installations of Internet Information Server.

If you want to limit access to your FTP server, you can change the control connection (port 21) to a TCP port number greater than 1023 to "hide" your site.

You can change FTP server TCP port numbers by modifying the Systemroot\System32\Drivers\Etc\Services file or by changing their values in the Registry. The setting in the Services file takes precedence over the Registry setting in all cases. That is, by changing the Services file, you affect both the FTP client and the FTP server. By changing the Registry, you affect only the FTP server.

To change the TCP port in the Services file

  1. At a command prompt, change directories to Systemroot\System32\Drivers\Etc.
  2. Use a text editor to search the Services file for the following two entries:

    ftp-data 20/tcp
    ftp 21/tcp

  3. Modify port 21 to a number greater than 1023. See the following example.

    ftp-data 20/tcp # The # sign designates a comment.
    ftp 1234/tcp # FTP port changed to 1234, was 21.

  4. Save and close the file. To implement the change, stop, then restart the FTP service.

Note: This affects the default TCP ports on both the FTP client and the FTP server.

Your FTP server now waits at port 1234 for all FTP client requests and your FTP client connects only to an FTP server at port 1234.

To verify the new FTP port settings

  1. At a command prompt, type the command ftp. The ftp> prompt appears.
  2. Type the command open 127.0.0.1 21 and then press enter. The IP address 127.0.0.1 is the loopback address for your computer. You are specifying 21 as the destination port address. The following message appears:

    -> ftp: connect: Connection refused

  3. Type the command open 127.0.0.1 and then press enter.

The port now reverts to the default number specified in the Services file: 1234. You are prompted with the following logon message:

User <127.0.0.1:<none>>:

This verifies that both the FTP client and FTP server are using port 1234.

To change the Registry entry for FTP

  1. Start the Registry Editor, Regedt32.exe.
  2. Click the HKEY_LOCAL_MACHINE window and locate the following key:

    \System\CurrentControlSet\Control\ServiceProvider\ServiceTypes\MSFTPSVC

  3. Click MSFTPSVC and then double-click the TcpPort value. The DWORD Editor dialog box appears.
  4. Click Decimal and enter 5678 in the Data box.
  5. Click OK and close the Registry Editor.
  6. At the command prompt, type the following information:

    cd %systemroot%\system32\drivers\etc
    ren services services.ok

     This prevents the FTP server from using the port address in the Services file after it has been restarted.

  7. To implement the change, stop and restart the FTP service.

Note: This situation affects the default port only on the FTP server.

If you have completed the preceding steps, your FTP server now monitors port 5678 for all FTP client requests and your FTP client connects to an FTP server at port 1234 only.

To verify the new FTP port settings

  1. At a command prompt, type ftp, then press enter. The ftp> prompt appears.
  2. Type the following commands:

    open 127.0.0.1
    open 127.0.0.1 21
    open 127.0.0.1 1234

     The following message appears:

    -> ftp: connect: Connection refused

  3. Type the command open 127.0.0.1 5678 and then press enter.

The port defaults to the number specified in the Registry: 5678. You are prompted with the following logon message:

User <127.0.0.1:<none>>:

This procedure verifies that both the FTP client and FTP server are using port 5678.
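
The following Python audit helper is an added example, not part of the original documentation. It parses Services-file text and applies the precedence rule described above to report which FTP control port the server will use. The function names and sample file content are constructed for illustration, and falling back to the Registry value when the file has no ftp/tcp entry is an assumption.

```python
import re

# Constructed sample of a Services file after the edit shown on this page.
SAMPLE_SERVICES = """\
# <service name>  <port number>/<protocol>  [aliases...]  [#<comment>]
ftp-data   20/tcp     # The # sign designates a comment.
ftp        1234/tcp   # FTP port changed to 1234, was 21.
telnet     23/tcp
"""

ENTRY = re.compile(r"^(\S+)\s+(\d+)/(\w+)((?:\s+\S+)*)$")

def parse_services(text):
    """Map (name, protocol) -> port for every entry, aliases included."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        m = ENTRY.match(line)
        if not m:
            continue                          # blank or malformed line
        name, port, proto, aliases = m.groups()
        if not 0 < int(port) <= 65535:
            continue                          # not a valid TCP/UDP port
        for n in [name] + aliases.split():
            table.setdefault((n.lower(), proto.lower()), int(port))
    return table

def effective_ftp_port(services_text, registry_tcp_port):
    """Services file entry wins; the Registry TcpPort value is used when the
    file is absent (None) or, as an assumption, has no ftp/tcp entry."""
    if services_text is not None:
        port = parse_services(services_text).get(("ftp", "tcp"))
        if port is not None:
            return port, "services"
    return registry_tcp_port, "registry"

def audit(services_text, registry_tcp_port):
    """One-line finding for a configuration review."""
    port, source = effective_ftp_port(services_text, registry_tcp_port)
    note = "well-known port" if port == 21 else (
        "nonstandard port (obscurity only, not access control)"
        if port > 1023 else "nonstandard port in the reserved range")
    return f"FTP control port {port} (from {source}): {note}"

if __name__ == "__main__":
    print(audit(SAMPLE_SERVICES, 5678))   # Services file present
    print(audit(None, 5678))              # Services file renamed away
```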