[WARNING] Authentication failed for user [__cpanel__service__auth__ftpd

Operating System & Version
CentOS Linux release 7.9.2009 (Core)
cPanel & WHM Version
92.0.8

matt1206

Active Member
Since around 6am UTC this morning, one of my servers has started alerting that FTP is down, and then reporting that it's back up again shortly after.

Looking at the logs, I'm seeing this:

Code:
Jan 17 11:24:20 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__jga9jLlmpBb0ydNJ]
Jan 17 11:31:47 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__oIPKv0OCvwkiDIQL]
Jan 17 11:38:10 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__uXCBsD97Rypv0uQ5]
Jan 17 11:43:14 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__SBPx72wyX56eKenL]
Jan 17 11:48:16 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__B1osIAc5d_mlKiFc]
Jan 17 11:53:55 cp2 pure-ftpd: ([email protected]) [INFO] __cpanel__service__auth__ftpd__uwT9Q7sso8p11wO7 is now logged in
Jan 17 11:53:55 cp2 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 17 11:59:01 cp2 pure-ftpd: ([email protected]) [INFO] __cpanel__service__auth__ftpd__s1XSA3obnCLt8a5k is now logged in
Jan 17 11:59:01 cp2 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 17 12:05:26 cp2 pure-ftpd: ([email protected]) [INFO] __cpanel__service__auth__ftpd__Bs_ynjZ7TyG2ZONI is now logged in
Jan 17 12:05:26 cp2 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 17 12:10:47 cp2 pure-ftpd: ([email protected]) [INFO] __cpanel__service__auth__ftpd__AU5CLZy9gTIsfQp4 is now logged in
Jan 17 12:10:47 cp2 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 17 12:15:57 cp2 pure-ftpd: ([email protected]) [INFO] __cpanel__service__auth__ftpd__jkPL5nXjYZ31KjuB is now logged in
Jan 17 12:15:57 cp2 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 17 12:21:52 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__yMQQo7V3p9e2Qr5o]
Jan 17 12:27:01 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__kkEMIkp8VWqEDiiE]
Jan 17 12:32:08 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__6UeOIu0aN4SQAU9p]
Nothing has been changed on the server, and all the standard FTP accounts for sites hosted on the server can log in fine.
 

matt1206

Active Member
Thank you for the link. Yes, Imunify360 is installed and I have the "FTP brute-force attack protection" setting enabled. I've disabled that option now.
 

cPRex

Jurassic Moderator
Staff member
@Kareem Hussien - sometimes the FTP Brute Force Detection tool is too aggressive and detects the server monitoring software as being potentially malicious due to the issue mentioned in the support link that Justin posted.

I checked the CloudLinux case and they confirmed the issue will be fixed with Imunify360 5.3.0-10+ which should be released soon.
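Added example, not part of any post in this thread and not cPanel or Imunify360 code: a Python log triage that separates failures of the monitoring account (the `__cpanel__service__auth__ftpd__` prefix seen in the log above) from failures of real FTP accounts, so a run of monitor-only failures can be told apart from a genuine brute-force pattern. The sample lines, hostname and IP addresses are constructed, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Prefix copied from the log lines in this thread; the suffix is random per check.
SERVICE_PREFIX = "__cpanel__service__auth__ftpd__"
LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\spure-ftpd:\s"
                     r"\((?P<peer>[^)]*)\)\s\[\w+\]\s(?P<msg>.*)$")
FAIL_RE = re.compile(r"Authentication failed for user \[(?P<user>[^\]]+)\]")
OK_RE = re.compile(r"(?P<user>\S+) is now logged in")

# Constructed sample in pure-ftpd syslog format (hostname and IPs are made up).
SAMPLE = """\
Jan 17 11:43:14 host1 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__AAAAAAAAAAAAAAAA]
Jan 17 11:48:16 host1 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__BBBBBBBBBBBBBBBB]
Jan 17 11:50:02 host1 pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [admin]
Jan 17 11:53:55 host1 pure-ftpd: (__cpanel__service__auth__ftpd__CCCCCCCCCCCCCCCC@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__CCCCCCCCCCCCCCCC is now logged in
Jan 17 11:53:55 host1 pure-ftpd: (__cpanel__service__auth__ftpd__CCCCCCCCCCCCCCCC@127.0.0.1) [INFO] Logout.
Jan 17 12:21:52 host1 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__DDDDDDDDDDDDDDDD]
""".splitlines()

def summarize(lines):
    """Count monitor-account events separately from real-account failures."""
    out = {"service_fail": 0, "service_ok": 0,
           "longest_service_fail_streak": 0, "user_fail_by_host": Counter()}
    streak = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pure-ftpd line in the expected format
        host = m["peer"].rpartition("@")[2]  # text after the last '@'
        fail, ok = FAIL_RE.search(m["msg"]), OK_RE.search(m["msg"])
        if fail and fail["user"].startswith(SERVICE_PREFIX):
            out["service_fail"] += 1
            streak += 1
            out["longest_service_fail_streak"] = max(
                out["longest_service_fail_streak"], streak)
        elif fail:
            # Real account: these are what brute-force detection should key on.
            out["user_fail_by_host"][host] += 1
        elif ok and ok["user"].startswith(SERVICE_PREFIX):
            out["service_ok"] += 1
            streak = 0  # monitor check succeeded, streak ends
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Monitor-account failure streaks with few or no real-account failures match the symptom reported in this thread; many failures for real accounts from one host are the case brute-force protection is meant to catch.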
 

nickgr67

Member
Hello

This link seems broken

>> I checked the CloudLinux case and they confirmed the issue will be fixed with Imunify360 5.3.0-10+ which should be released soon

I am running Imunify360 5.4.9.2, but on some servers (not all), when I enable Imunify FTP brute-force attack protection, the FTP server fails.
 

cPanelAustin

Linux Technical Analyst II
Staff member
Hey @nickgr67, I just confirmed with our partners at CloudLinux that the fix is in 5.5 and not in 5.3. It seems that was a typo.

Could you update according to the instructions at the bottom of the Release Notes here and let us know if you have any further questions or concerns?

Also please note that the specific fix for your issue is not mentioned in the above release notes, but our partners at CloudLinux that I just spoke with double-checked to be sure that the fix was included in 5.5.
 