Failed FTP login but Host Access Control configured to block

keat63 · Sep 18, 2019

I have Host Access Control to block unauthorised login attempts.
There are only a very small handful of IP allowed access to FTP.
However, this morning I see these in my log files

pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [anonymous]

([email protected]) [WARNING] Authentication failed for user [anonymous]
(ftpd) Failed FTP login from 119.xx.xx.xxx (CN/China/Jilin/-/194.xx.xx.xxx.adsl-pool.example.com): 3 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]

Any ideas how they may have got past HAC, I was under the impression that HAC wouldn't even allow authetication attempts.

I've tons of these coming from different IP's over night.

cPanelMichael · Sep 18, 2019

keat63 said:
pure-ftpd

Hello

The following is documented at Host Access Control - Version 82 Documentation - cPanel Documentation :

To control access to the ftpd daemon, you must use the ProFTPD FTP server. Pure-FTP does not support TCP wrappers.

To choose an FTP server, use WHM's FTP Server Selection interface (WHM >> Home >> Service Configuration >> FTP Server Selection).

For more information, read our ProFTPD Configuration for Host Access Control documentation.

Let me know if this helps.

Thank you.

keat63 · Sep 19, 2019

Thanks for this.
Explains why I'm getting the hit.

I do use pureftp for a reason though, but I don't recall why.

cPanelMichael · Sep 20, 2019

keat63 said:
I do use pureftp for a reason though, but I don't recall why.

You can review some of the differences on the document below:

FTP Server Selection - Version 82 Documentation - cPanel Documentation

documentation.cpanel.net

Thanks!

keat63 · Sep 23, 2019

I found my original post from Feb 2017 and it seems that I chose pureftp over proftp due to a constant echo in my log files.

I said:

So I toyed with my FTP server selection last night, and now I remember why I switched from proftp to Pure-ftp.

Proftp is constantly echoing to var/log/messages.
Feb 8 11:25:53 proftpd[17111]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 8 11:25:53 proftpd[17111]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.

I switched to Pure-ftp to stop this from happening.

Is there a way to supress these messages for Proftp.

Thread starter	Similar threads	Forum	Replies	Date
T	DCV failed - connection timeout	Security	1	Aug 25, 2023
A	Failed FTP logins/actions	Security	3	Nov 20, 2019
	failed ftp logins	Security	4	Nov 19, 2019
Y	SFTP Login authentication failed Error	Security	1	Feb 24, 2012
Y	FTP Connection failed Through TLS Encryption Support	Security	2	Jan 27, 2012

Search

Search

Failed FTP login but Host Access Control configured to block

keat63

Well-Known Member

cPanelMichael

Administrator

keat63

Well-Known Member

cPanelMichael

Administrator

FTP Server Selection - Version 82 Documentation - cPanel Documentation

keat63

Well-Known Member