Failed FTP login but Host Access Control configured to block

keat63

Well-Known Member
Nov 20, 2014
1,843
221
93
cPanel Access Level
Root Administrator
I have Host Access Control to block unauthorised login attempts.
There are only a very small handful of IP allowed access to FTP.
However, this morning I see these in my log files

pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [anonymous]

([email protected]) [WARNING] Authentication failed for user [anonymous]
(ftpd) Failed FTP login from 119.xx.xx.xxx (CN/China/Jilin/-/194.xx.xx.xxx.adsl-pool.example.com): 3 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]

Any ideas how they may have got past HAC, I was under the impression that HAC wouldn't even allow authetication attempts.

I've tons of these coming from different IP's over night.
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
pure-ftpd
Hello :)

The following is documented at Host Access Control - Version 82 Documentation - cPanel Documentation :

  • To control access to the ftpd daemon, you must use the ProFTPD FTP server. Pure-FTP does not support TCP wrappers.
Let me know if this helps.

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
1,843
221
93
cPanel Access Level
Root Administrator
Thanks for this.
Explains why I'm getting the hit.

I do use pureftp for a reason though, but I don't recall why.
 

keat63

Well-Known Member
Nov 20, 2014
1,843
221
93
cPanel Access Level
Root Administrator
I found my original post from Feb 2017 and it seems that I chose pureftp over proftp due to a constant echo in my log files.

I said:

So I toyed with my FTP server selection last night, and now I remember why I switched from proftp to Pure-ftp.

Proftp is constantly echoing to var/log/messages.
Feb 8 11:25:53 proftpd[17111]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Feb 8 11:25:53 proftpd[17111]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.

I switched to Pure-ftp to stop this from happening.

Is there a way to supress these messages for Proftp.