[WARNING] Authentication failed for user [cpanelserviceauthftpd

matt1206 · Jan 17, 2021

Since around 6am UTC this morning, one of my servers has started alerting that FTP is down, and then reporting that it's back up again shortly after.

Looking at the logs, I'm seeing this:

Code:

Jan 17 11:24:20 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__jga9jLlmpBb0ydNJ]
Jan 17 11:31:47 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__oIPKv0OCvwkiDIQL]
Jan 17 11:38:10 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__uXCBsD97Rypv0uQ5]
Jan 17 11:43:14 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__SBPx72wyX56eKenL]
Jan 17 11:48:16 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__B1osIAc5d_mlKiFc]
Jan 17 11:53:55 cp2 pure-ftpd: ([email protected]) [INFO] __cpanel__service__auth__ftpd__uwT9Q7sso8p11wO7 is now logged in
Jan 17 11:53:55 cp2 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 17 11:59:01 cp2 pure-ftpd: ([email protected]) [INFO] __cpanel__service__auth__ftpd__s1XSA3obnCLt8a5k is now logged in
Jan 17 11:59:01 cp2 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 17 12:05:26 cp2 pure-ftpd: ([email protected]) [INFO] __cpanel__service__auth__ftpd__Bs_ynjZ7TyG2ZONI is now logged in
Jan 17 12:05:26 cp2 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 17 12:10:47 cp2 pure-ftpd: ([email protected]) [INFO] __cpanel__service__auth__ftpd__AU5CLZy9gTIsfQp4 is now logged in
Jan 17 12:10:47 cp2 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 17 12:15:57 cp2 pure-ftpd: ([email protected]) [INFO] __cpanel__service__auth__ftpd__jkPL5nXjYZ31KjuB is now logged in
Jan 17 12:15:57 cp2 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 17 12:21:52 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__yMQQo7V3p9e2Qr5o]
Jan 17 12:27:01 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__kkEMIkp8VWqEDiiE]
Jan 17 12:32:08 cp2 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__6UeOIu0aN4SQAU9p]

Nothing has been changed on the server, and all the standard FTP accounts for sites hosted on the server can log in fine.

cPJustinD · Jan 18, 2021

Hey there! Do you happen to have Imunify360 installed on the server? If so, I may recommend checking to see if the "FTP brute-force attack protection" setting is enabled and disable it if it is.

We've also published an article on this here that may help:

cPanel

support.cpanel.net

matt1206 · Jan 18, 2021

Thank you for the link. Yes, Imunify360 is installed and I have the "FTP brute-force attack protection" setting enabled. I've disabled that option now.

cPJustinD · Jan 18, 2021

With that option being enabled, that certainly sounds like what may have been occurring. Let us know if that resolved the issue with these notifications!

Kareem Hussien · Feb 10, 2021

Hello ... i had the same problem and thanks for ur solution but may i ask what case this issue ?
why that happened ?

cPRex · Feb 11, 2021

@Kareem Hussien - sometimes the FTP Brute Force Detection tool is too aggressive and detects the server monitoring software as being potentially malicious due to the issue mentioned in the support link that Justin posted.

I checked the CloudLinux case and they confirmed the issue will be fixed with Imunify360 5.3.0-10+ which should be released soon.

nickgr67 · Feb 28, 2021

Hello

This link

cPanel

support.cpanel.net

seems broken

>> I checked the CloudLinux case and they confirmed the issue will be fixed with Imunify360 5.3.0-10+ which should be released soon

I am running Imunify360 5.4.9.2 but on some servers ( not all) when I enable Immunify FTP brute-force attack protection the ftp server fails

cPanelAustin · Mar 1, 2021

Hey @nickgr67, I just confirmed with our partners at CloudLinux that the fix is in 5.5 and not in 5.3. It seems that was a typo.

Could you update according to the instructions at the bottom of the Release Notes here and let us know if you have any further questions or concerions?

Release Notes: ImunifyAV(+) v.5.5

blog.imunify360.com

Also please note that the specific fix for your issue is not mentioned in the above release notes, but our partners at CloudLinux that I just spoke with double-checked to be sure that the fix was included in 5.5.

nickgr67 · Mar 1, 2021

Hello

Yes , i have updated to 5.5 and everything works fine

Thread starter	Similar threads	Forum	Replies	Date
R	PHP Warning: File upload error - unable to create a temporary file in Unknown on line 0	Web Servers and Applications	1	Jan 3, 2023
M	Warning: chmod(): No such file or directory in...	Web Servers and Applications	1	Sep 25, 2022
X	SOLVED PHP Warning: Module 'memcached' already loaded in Unknown on line 0	Web Servers and Applications	5	Jul 10, 2022
N	1 service generated warnings while checking SSL certificates	Web Servers and Applications	1	Feb 6, 2022
G	How to fix “PHP Warning: ftp_login(): Login authentication failed”	Web Servers and Applications	6	Oct 13, 2019

Search

Search

[WARNING] Authentication failed for user [cpanelserviceauthftpd

matt1206

Well-Known Member

cPJustinD

Administrator

cPanel

matt1206

Well-Known Member

cPJustinD

Administrator

Kareem Hussien

Member

cPRex

Jurassic Moderator

nickgr67

Member

cPanel

cPanelAustin

Linux Technical Analyst II

Release Notes: ImunifyAV(+) v.5.5

nickgr67

Member