Eek! I really don't know why people still bother with FTP.
It's a legacy protocol, has no built-in encryption, and wreaks havoc on firewalls.
I only skimmed the thread, so sorry if this is repeating something, but it seems the original question hasn't been properly addressed.
Okay, deep breath...
There's rarely a technical reason why you can't put a service on any port you desire (between 1 and 65535), assuming you're not trying to run two services on the same machine that are trying to bind to the same port. Most server software allows you to pick a port for the daemon to listen on. You could technically have a machine with sshd and httpd, but flip their port numbers so that HTTP is on 22 and ssh is on 80 (not that you'd want to do that).
(and I realize most people couldn't give two rips about this), by IANA's port number assignments, you're supposed to use 49152-65535 if you desire to run a service on a nonstandard port. So if one wants to stay IANA and RFC compliant, it's not a matter as simple as saying "pick whatever you want."
It's also worth noting that FTP is more complicated than just running on port 21. 21 is the command port. The protocol also uses port 20 for data transfer. (Clients use a port in the dynamic range to speak to the server.) Without getting even more wordy, suffice it to say FTP is a massive PITA from a firewalling standpoint, and one reason why the protocol should be relegated to the dustbin of history (another is the lack of native encryption).
Anywho, Glenn, I believe you already had a thread talking about denyhosts and fail2ban, so I think you're already running SSH. If it were my rodeo I'd just stick with SFTP and call it a day. The SFTP functionality is enabled by default on most distros I've seen with an ssh daemon, and most good graphical FTP clients can use SFTP as well. (Also, don't let the acronyms confuse you. SFTP is a "subsystem" of SSH and really has nothing to do with the original, legacy FTP. Of course, don't get it confused with FTPS or FTPES either.) Any naughty IPs you block via something like denyhosts or fail2ban apply to SFTP, too.
As for port number obfuscation: meh. It might be worth it, if you're running services for your own use, but only to save some traffic on the interface and keep your logs cleaner. You'll only momentarily delay a real threat who knows what he's doing.
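To make the two technical points in the post above concrete (the IANA port ranges, and why FTP's separate data connection is a firewalling headache), here is an added example that is not part of the original post or any project's code. It classifies a port number into the IANA ranges from RFC 6335 and decodes the two ways FTP negotiates its data connection: the client's PORT command (active mode, server connects back to the client) and the server's 227 reply to PASV (passive mode, client connects to a port the server picks). The control-channel lines fed to it are constructed for the example; the function and variable names are the author's own choices.

```python
import re

# IANA port-number ranges as defined in RFC 6335.
def iana_port_range(port: int) -> str:
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "system"        # "well-known" ports, e.g. 21, 22, 80
    if port <= 49151:
        return "user"          # registered ports
    return "dynamic"           # 49152-65535, private/ephemeral

# FTP encodes an IPv4 endpoint as six comma-separated bytes: h1,h2,h3,h4,p1,p2
# where the port is p1*256 + p2 (RFC 959).
_SIX_BYTES = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX_BYTES + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*\(" + _SIX_BYTES + r"\)")

def _decode_endpoint(groups) -> tuple[str, int]:
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError(f"byte out of range in {octets}")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port

def parse_port(command: str) -> tuple[str, int]:
    """Client PORT command (active mode): where the SERVER must connect to."""
    m = PORT_RE.match(command.strip())
    if not m:
        raise ValueError(f"not a PORT command: {command!r}")
    return _decode_endpoint(m.groups())

def parse_pasv(reply: str) -> tuple[str, int]:
    """Server 227 reply (passive mode): where the CLIENT must connect to."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    return _decode_endpoint(m.groups())

def describe_data_channel(line: str) -> dict:
    """Summarise what a firewall would have to allow for one data transfer.

    In active mode the server opens a NEW inbound connection towards the
    client (classically from source port 20); in passive mode the client
    opens a connection to whatever port the server announced. Either way
    the port is chosen at runtime, which is why static firewall rules on
    port 21 alone are never enough for FTP.
    """
    if line.upper().startswith("PORT"):
        host, port = parse_port(line)
        return {"mode": "active", "connects": "server -> client",
                "host": host, "port": port, "range": iana_port_range(port)}
    host, port = parse_pasv(line)
    return {"mode": "passive", "connects": "client -> server",
            "host": host, "port": port, "range": iana_port_range(port)}

# Constructed sample control-channel lines (not captured from a real server).
SAMPLE_SESSION = [
    "PORT 10,0,0,5,4,1",                                   # client, active mode
    "227 Entering Passive Mode (192,168,1,10,195,89).",    # server, passive mode
]

if __name__ == "__main__":
    for port in (21, 22, 8080, 50009):
        print(f"port {port:>5} -> {iana_port_range(port)} range")
    for line in SAMPLE_SESSION:
        print(describe_data_channel(line))
```

Running the block prints the range of each port and, for each sample line, which side initiates the data connection and to which endpoint. Note that the passive-mode reply advertises a port in the dynamic range, while the active-mode client happens to pick 1025; neither is knowable before the control exchange, which is the crux of the firewalling complaint in the post.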