INFO: Accessible FTP Report

DESCRIPTION LAST UPDATED: 2025-04-08

DEFAULT SEVERITY LEVEL: INFO

This report identifies hosts that have an FTP instance running on port 21/TCP that’s accessible on the Internet.

FTP provides no encryption (unless FTPS is utilized) and may expose sensitive information or system credentials.

If we are able to successfully negotiate a TLS or SSL connection by using an “AUTHTLS” or “AUTHSSL” command, the parsed contents of the SSL handshake and SSL certificate will be shown. Expired certificates will result in severity level of the reported event set to LOW.

If we are not able to negotiate an FTPS connection, the “auth_tls_response” and “auth_ssl_response” fields will contain the error that returned, and the contents of the SSL-related fields will be empty. In those cases we will set the severity level to MEDIUM.

Track current exposed FTP servers on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report comes in two versions, IPv4 and IPv6.

Filename(s): scan_ftp, scan6_ftp

 

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the response came on (always TCP)
  • port
    Port that the response came from (21/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be ftp
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • banner
    The login banner of the FTP service
  • handshake
    The highest SSL handshake that could be negotiated (TLSv1.2, TLSv1.1, TLSv1.0, SSLv3)
  • cipher_suite
    The highest CipherSuite that was able to be negotiated
  • cert_length
    Certificate Key Length (1024 bit, 2048 bit, et cetera)
  • subject_common_name
    The Common Name (CN) of the SSL certificate
  • issuer_common_name
    The Common Name (CN) of the entity that signed the SSL certificate
  • cert_issue_date
    Date when the SSL certificate became valid
  • cert_expiration_date
    Date when the SSL certificate expires
  • sha1_fingerprint
    SHA1 fingerprint of the SSL certificate
  • cert_serial_number
    Serial number embedded in the SSL certificate
  • ssl_version
    SSL Version number
  • signature_algorithm
    Algorithm used to sign the SSL certificate
  • key_algorithm
    Algorithm used by the key
  • subject_organization_name
    Organization Name (O) of the SSL certificate
  • subject_organization_unit_name
    Organization Unit Name (OU) of the SSL certificate
  • subject_country
    Country Name (C) of the SSL certificate
  • subject_state_or_province_name
    State or Province Name (ST) of the SSL certificate
  • subject_locality_name
    Locality Name (L) of the SSL certificate
  • subject_street_address
    Street address of the SSL certificate
  • subject_postal_code
    Postal code of the SSL certificate
  • subject_surname
    Surname (SN) of the SSL certificate
  • subject_given_name
    Given name (GN) of the SSL certificate
  • subject_email_address
    Email address of the SSL certificate
  • subject_business_category
    Business category of the SSL certificate
  • subject_serial_number
    Serial number of the SSL certificate
  • issuer_organization_name
    Organization name (O) of the entity that signed the SSL certificate
  • issuer_organization_unit_name
    Organization unit name (OU) of the entity that signed the SSL certificate
  • issuer_country
    Country name (C) of the entity that signed the SSL certificate
  • issuer_state_or_province_name
    State or Province name (ST) of the entity that signed the SSL certificate
  • issuer_locality_name
    Locality name (L) of the entity that signed the SSL certificate
  • issuer_street_address
    Street address of the entity that signed the SSL certificate
  • issuer_postal_code
    Postal code of the entity that signed the SSL certificate
  • issuer_surname
    Surname (SN) of the entity that signed the SSL certificate
  • issuer_given_name
    Given name (GN) of the entity that signed the SSL certificate
  • issuer_email_address
    Email address of the entity that signed the SSL certificate
  • issuer_business_category
    Business category of the entity that signed the SSL certificate
  • issuer_serial_number
    Serial number of the entity that signed the SSL certificate
  • sha256_fingerprint
    SHA256 fingerprint of the SSL certificate
  • sha512_fingerprint
    SHA512 fingerprint of the SSL certificate
  • md5_fingerprint
    MD5 fingerprint of the SSL certificate
  • cert_valid
    Is the SSL certificate valid or not (Y/N)
  • self_signed
    Is the SSL certificate self-signed (Y/N)
  • cert_expired
    Is the SSL certificate expired (Y/N)
  • validation_level
    The validation level of the SSL certificate: EV, OV, or unknown
  • auth_tls_response
    Response when a TLS authentication attempt is made
  • auth_ssl_response
    Response when a SSL authentication attempt is made (attempted only if the TLS Auth attempt fails)
  • tlsv13_support
    TLS v1.3 supported?
  • tlsv13_cipher
    TLS v1.3 cipher
  • jarm
    JARM hash
  • device_vendor
    The identified device vendor
  • device_type
    Device classification (for example, router, firewall, nas, video-system etc)
  • device_model
    The identified device model
  • device_version
    Device version, if any
  • device_sector
    Sector of the IP in question

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","banner","handshake","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","cert_valid","self_signed","cert_expired","validation_level","auth_tls_response","auth_ssl_response","tlsv13_support","tlsv13_cipher","jarm","device_vendor","device_type","device_model","device_version","device_sector"
"2010-02-10 00:00:00",info,192.168.0.1,tcp,2121,node01.example.com,ftp,64512,ZZ,Region,City,0,,"Authorized access only",,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,,,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,,"534 Local policy on server does not allow TLS secure connections.","534 Local policy on server does not allow TLS secure connections.",,,,,,,,
"2010-02-10 00:00:01",info,192.168.0.2,tcp,2121,node02.example.com,ftp;iot,64512,ZZ,Region,City,0,certificate,"Authorized access only",TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,N,Y,DV,"234 AUTH TLS command successful.",,,,,Synology,,,,consumer
"2010-02-10 00:00:02",info,192.168.0.3,tcp,2121,node03.example.com,ftp,64512,ZZ,Region,City,0,,"Authorized access only",,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,,,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,,"530 Please login with USER and PASS.","530 Please login with USER and PASS.",,,,,,,,

Our 135 Report Types

« Back to Network Reporting