keat63
Well-Known Member (joined Nov 20, 2014)
cPanel Access Level: Root Administrator
Of late, I'm seeing a number of failed ftp logins.
I'm aware that HostAccessControl has no effect on pureftp.

What I'm a little confused by is that CSF has ports 20 and 21 closed, so I'm not sure how these are getting through.

Nov 18 16:13:29 leeds pure-ftpd: ([email protected]) [INFO] New connection from 123.232.19.90
Nov 18 16:13:29 leeds pure-ftpd: ([email protected]) [INFO] New connection from 123.232.19.90
Nov 18 16:13:29 leeds pure-ftpd: ([email protected]) [INFO] New connection from 123.232.19.90
Nov 18 16:13:30 leeds pure-ftpd: ([email protected]) [INFO] New connection from 123.232.19.90
Nov 18 16:13:35 leeds pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [name]
Nov 18 16:13:35 leeds pure-ftpd: ([email protected]) [INFO] Logout.
Nov 18 16:13:35 leeds pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [anonymous]
Nov 18 16:13:35 leeds pure-ftpd: ([email protected]) [INFO] Logout.
Nov 18 16:13:35 leeds pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [www]
Nov 18 16:13:35 leeds pure-ftpd: ([email protected]) [INFO] Logout.
Nov 18 16:13:36 leeds pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [anonymous]
Nov 18 16:13:36 leeds pure-ftpd: ([email protected]) [INFO] Logout.

The messages log doesn't show me whether these attempts are via any other port.

Any ideas?

24x7server
Well-Known Member (joined Apr 17, 2013), India
cPanel Access Level: Root Administrator
Hi,

Can you check if those ports are still listening?
# netstat -anpt | grep :21

If you do not want connections on that port, it would be best to change the Bind setting to a different port, i.e. something other than the common port 21 for FTP.
# cat /etc/pure-ftpd.conf | grep Bind


keat63
Well-Known Member
cPanel Access Level: Root Administrator
netstat didn't reveal anything.
And there are no entries in the messages log since this morning; however, I've no doubt that I'll find them again in the morning.

Maybe changing the FTP port isn't a bad idea.

cPanelLauren
Product Owner, Staff member (joined Nov 14, 2017), Houston
A more accurate way to determine whether or not a port is open would be to run something similar to the following from outside your server:

Code:
sudo nmap -sU -sT <IPADDRESS> -p 20,21

Starting Nmap 7.00 ( https://nmap.org ) at 2019-11-20 17:20 CST
Nmap scan report for <HOSTNAME> (<IPADDRESS>)
Host is up (0.010s latency).
PORT   STATE  SERVICE
20/tcp closed ftp-data
21/tcp open   ftp
20/udp closed ftp-data
21/udp closed ftp

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
netstat will just show you what is listening on those ports, and it's perfectly reasonable to expect FTP to be listening on 20 and 21.

To see what iptables has blocked, you can view:

Code:
iptables -L -n

keat63
Well-Known Member
cPanel Access Level: Root Administrator
As there is really only myself who has FTP access, I configured CSF to ban on a single FTP login failure.
I'm no longer seeing any failed ftp logins, but this might just mean that they admitted defeat and went away.
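As an added example that is not part of this thread (not keat63's, 24x7server's or cPanel's code), here is a small Python parser for pure-ftpd syslog lines of the kind quoted above: it groups "Authentication failed" events by source host and applies a per-host ban threshold, with a threshold of 1 mirroring the single-failure CSF setting keat63 describes. The log lines are constructed in pure-ftpd's `(user@host)` format with documentation-range addresses; the threshold and function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in pure-ftpd's syslog format (not taken from the thread).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Nov 18 16:13:29 leeds pure-ftpd: (?@203.0.113.10) [INFO] New connection from 203.0.113.10
Nov 18 16:13:35 leeds pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [anonymous]
Nov 18 16:13:35 leeds pure-ftpd: (?@203.0.113.10) [INFO] Logout.
Nov 18 16:13:36 leeds pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [www]
Nov 18 16:14:02 leeds pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7
Nov 18 16:14:03 leeds pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [keat]
Nov 18 16:14:09 leeds pure-ftpd: (keat@198.51.100.7) [INFO] keat is now logged in
"""

# pure-ftpd prefixes every message with "(user@host)" and a bracketed level.
LINE_RE = re.compile(
    r"pure-ftpd: \((?P<user>[^@]*)@(?P<host>[^)]+)\) "
    r"\[(?P<level>\w+)\] (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Authentication failed for user \[(?P<name>[^\]]*)\]")


def parse_failures(log_text):
    """Return {source_host: [attempted usernames]} for failed FTP logins."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pure-ftpd line, or an unexpected format
        f = FAIL_RE.match(m.group("msg"))
        if f:
            failures[m.group("host")].append(f.group("name"))
    return dict(failures)


def hosts_to_block(log_text, threshold=1):
    """Hosts whose failure count has reached the threshold (assumed policy;
    threshold=1 corresponds to 'ban on a single failure')."""
    return sorted(host for host, names in parse_failures(log_text).items()
                  if len(names) >= threshold)


if __name__ == "__main__":
    for host, names in parse_failures(SAMPLE_LOG).items():
        print(f"{host}: {len(names)} failed login(s), users tried: {names}")
    print("would block:", hosts_to_block(SAMPLE_LOG, threshold=1))
```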