[WARNING] Authentication failed for user [__cpanel__service__auth__ftpd
Since around 6am UTC this morning, one of my servers has started alerting that FTP is down, and then reporting that it's back up again shortly after.
Looking at the logs, I'm seeing this:
Jan 17 11:24:20 cp2 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__jga9jLlmpBb0ydNJ]
Jan 17 11:31:47 cp2 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__oIPKv0OCvwkiDIQL]
Jan 17 11:38:10 cp2 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__uXCBsD97Rypv0uQ5]
Jan 17 11:43:14 cp2 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__SBPx72wyX56eKenL]
Jan 17 11:48:16 cp2 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__B1osIAc5d_mlKiFc]
Jan 17 11:53:55 cp2 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__uwT9Q7sso8p11wO7 is now logged in
Jan 17 11:53:55 cp2 pure-ftpd: (__cpanel__service__auth__ftpd__uwT9Q7sso8p11wO7@127.0.0.1) [INFO] Logout.
Jan 17 11:59:01 cp2 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__s1XSA3obnCLt8a5k is now logged in
Jan 17 11:59:01 cp2 pure-ftpd: (__cpanel__service__auth__ftpd__s1XSA3obnCLt8a5k@127.0.0.1) [INFO] Logout.
Jan 17 12:05:26 cp2 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__Bs_ynjZ7TyG2ZONI is now logged in
Jan 17 12:05:26 cp2 pure-ftpd: (__cpanel__service__auth__ftpd__Bs_ynjZ7TyG2ZONI@127.0.0.1) [INFO] Logout.
Jan 17 12:10:47 cp2 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__AU5CLZy9gTIsfQp4 is now logged in
Jan 17 12:10:47 cp2 pure-ftpd: (__cpanel__service__auth__ftpd__AU5CLZy9gTIsfQp4@127.0.0.1) [INFO] Logout.
Jan 17 12:15:57 cp2 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__jkPL5nXjYZ31KjuB is now logged in
Jan 17 12:15:57 cp2 pure-ftpd: (__cpanel__service__auth__ftpd__jkPL5nXjYZ31KjuB@127.0.0.1) [INFO] Logout.
Jan 17 12:21:52 cp2 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__yMQQo7V3p9e2Qr5o]
Jan 17 12:27:01 cp2 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__kkEMIkp8VWqEDiiE]
Jan 17 12:32:08 cp2 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__6UeOIu0aN4SQAU9p]
Nothing has been changed on the server, and all the standard FTP accounts for sites hosted on the server can log in fine.
Thank you for the link. Yes, Imunify360 is installed and I have the "FTP brute-force attack protection" setting enabled. I've disabled that option now.
With that option being enabled, that certainly sounds like what may have been occurring. Let us know if that resolved the issue with these notifications!
Hello... I had the same problem, and thanks for your solution, but may I ask what causes this issue? Why did that happen?
@Kareem Hussien - sometimes the FTP Brute Force Detection tool is too aggressive and detects the server monitoring software as being potentially malicious due to the issue mentioned in the support link that Justin posted. I checked the CloudLinux case and they confirmed the issue will be fixed with Imunify360 5.3.0-10+ which should be released soon.
Hello. Yes, I have updated to 5.5 and everything works fine.
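One way to triage the log pattern discussed in this thread, added here as an example and not taken from cPanel, Imunify360 or any poster: it separates the local service-check logins (the `__cpanel__service__auth__ftpd__` prefix from 127.0.0.1) from every other failed login, and groups the service checks into consecutive failed/ok runs. The `parse` and `triage` helpers, the host name, the tokens and the sample lines are constructed for illustration.

```python
import re
from itertools import groupby

SERVICE_PREFIX = "__cpanel__service__auth__ftpd__"  # prefix seen in the thread's log
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spure-ftpd:\s"
                     r"\([^@]*@(?P<ip>[^)]+)\)\s\[\w+\]\s(?P<msg>.*)$")
FAIL_RE = re.compile(r"Authentication failed for user \[(?P<user>[^\]]+)\]")
OK_RE = re.compile(r"^(?P<user>\S+) is now logged in")

def parse(lines):
    """Yield (timestamp, ip, user, ok) for every login success or failure."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a pure-ftpd line in the expected syslog layout
        fail, ok = FAIL_RE.search(m["msg"]), OK_RE.search(m["msg"])
        if fail or ok:
            yield m["ts"], m["ip"], (fail or ok)["user"], fail is None

def triage(lines):
    """Return (runs of consecutive service-check outcomes, other failures)."""
    probes, other_failures = [], []
    for ts, ip, user, ok in parse(lines):
        if user.startswith(SERVICE_PREFIX) and ip == "127.0.0.1":
            probes.append((ts, ok))
        elif not ok:
            other_failures.append((ts, ip, user))  # these need a closer look
    runs = []
    for ok, grp in groupby(probes, key=lambda p: p[1]):
        grp = list(grp)
        runs.append(("ok" if ok else "failed", grp[0][0], grp[-1][0], len(grp)))
    return runs, other_failures

# Constructed sample in the thread's log format (tokens and names are made up).
SAMPLE = """\
Jan 17 11:24:20 host1 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__AAAA]
Jan 17 11:31:47 host1 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__BBBB]
Jan 17 11:40:02 host1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [alice@example.com]
Jan 17 11:53:55 host1 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__CCCC is now logged in
Jan 17 11:53:55 host1 pure-ftpd: (__cpanel__service__auth__ftpd__CCCC@127.0.0.1) [INFO] Logout.
Jan 17 12:21:52 host1 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [__cpanel__service__auth__ftpd__DDDD]
""".splitlines()

if __name__ == "__main__":
    runs, other = triage(SAMPLE)
    for state, first, last, count in runs:
        print(f"service check {state}: {count} probe(s), {first} to {last}")
    for ts, ip, user in other:
        print(f"non-service failure: {ts} {user} from {ip}")
```

If the only failures are service-check runs from 127.0.0.1 and the second list is empty, the alerts match the monitoring false positive described in this thread rather than failed logins by real FTP users.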