530 Login Authentication Failed
Symptoms
- FTP client shows "530 Login incorrect" or "530 Login authentication failed"
- Error appears immediately after the PASS command is sent
- Credentials work correctly in the web hosting control panel but fail over FTP
- Connection to port 22 (SFTP) succeeds but port 21 (FTP) returns 530
- Account locks out after several attempts — subsequent connections are refused immediately
Root Causes
- Username or password contains special characters (@, #, $) that the FTP client fails to escape properly when it sends the USER and PASS commands
- Connecting to SFTP (port 22) with FTP credentials, or to FTP (port 21) with SFTP-only credentials — the two protocols use separate authentication systems
- FTP server configured with virtual users (PAM, /etc/vsftpd.virtual or a MySQL backend) and the account does not exist in the virtual user database
- TLS required (explicit FTPS, AUTH TLS) but client is connecting in plain text, causing the server to reject credentials before the PASS command is processed
- Account locked by fail2ban or the server's own login-failure policy after too many incorrect PASS attempts — all subsequent attempts fail instantly
Diagnosis
**Step 1 — Confirm protocol, host, and port**
```
Protocol : FTP (not SFTP)
Host : ftp.example.com (or the raw IP)
Port : 21
Encryption: Explicit TLS / FTPS if the server requires it
```
Open a raw connection and check the server banner:
```bash
telnet ftp.example.com 21
# Expected banner: 220 (vsFTPd 3.0.5)
# If you get 'Connection refused', the server may be offline or the port is wrong.
```
**Step 2 — Test credentials manually via FTP command line**
```bash
ftp -n ftp.example.com
# At the ftp> prompt:
user yourusername yourpassword
# Look for '230 Login successful' or '530 Login incorrect'
```
If the password contains special characters, quote it:
```bash
# In FileZilla: Site Manager → Password field — paste literally, no quoting needed
# In CLI ftp client: wrap in quotes if your shell expands the character
```
**Step 3 — Check the server-side log**
```bash
# vsftpd
sudo tail -50 /var/log/vsftpd.log
# Look for: FAIL LOGIN: Client "1.2.3.4"
# ProFTPD
sudo tail -50 /var/log/proftpd/auth.log
```
**Step 4 — Check fail2ban status**
```bash
sudo fail2ban-client status vsftpd
# If your IP appears under 'Banned IP list', unban it:
sudo fail2ban-client set vsftpd unbanip YOUR_IP
```
**Step 5 — Verify the virtual user database (vsftpd)**
```bash
# List virtual users in the Berkeley DB (the output includes the stored passwords)
sudo db_dump -p /etc/vsftpd/virtual_users.db | grep -A1 '^ '
# Or check the plain-text source (username and password on alternating lines):
sudo cat /etc/vsftpd/virtual_users.txt
```
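Steps 3 and 4 combined, as an added example that is not part of the original page: it counts `FAIL LOGIN` entries per client address and compares them with a fail2ban `maxretry` value. The function names `sample_log` and `summarize_fail_logins` are hypothetical, the log lines are constructed, and the layout `[pid N] [user] FAIL LOGIN: Client "IP"` is assumed to match your vsftpd log.

```shell
#!/usr/bin/env bash
# Constructed sample in vsftpd.log layout (documentation IPs, made-up users).
sample_log() {
cat <<'EOF'
Tue Mar  5 10:15:01 2024 [pid 2101] CONNECT: Client "203.0.113.7"
Tue Mar  5 10:15:03 2024 [pid 2100] [deploy] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  5 10:15:09 2024 [pid 2104] [deploy] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  5 10:15:15 2024 [pid 2108] [deploy] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  5 10:15:21 2024 [pid 2112] [deploy] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  5 10:15:27 2024 [pid 2116] [deploy] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  5 10:20:40 2024 [pid 2201] [admin] FAIL LOGIN: Client "198.51.100.20"
Tue Mar  5 10:20:44 2024 [pid 2205] [root] FAIL LOGIN: Client "198.51.100.20"
Tue Mar  5 10:20:49 2024 [pid 2209] [test] FAIL LOGIN: Client "198.51.100.20"
Tue Mar  5 10:31:02 2024 [pid 2301] [backup] FAIL LOGIN: Client "::ffff:192.0.2.44"
Tue Mar  5 10:31:30 2024 [pid 2305] [backup] OK LOGIN: Client "::ffff:192.0.2.44"
EOF
}

# Read log text on stdin; print "ip failures distinct_users verdict", worst first.
# $1 = fail2ban maxretry to compare against (default 5).
# Approximation: counts the whole input; fail2ban only counts inside findtime.
summarize_fail_logins() {
  awk -v max="${1:-5}" '
    / FAIL LOGIN: Client / {
      ip = $NF; gsub(/"/, "", ip)
      sub(/^::ffff:/, "", ip)            # normalise IPv4-mapped IPv6 addresses
      user = $8; gsub(/^\[|\]$/, "", user)
      fails[ip]++
      if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END {
      for (ip in fails) {
        verdict = (fails[ip] >= max) ? "WOULD_BAN" : "ok"
        printf "%s %d %d %s\n", ip, fails[ip], users[ip], verdict
      }
    }' | sort -k2,2nr -k1,1
}

# One user failing repeatedly suggests a stale or mistyped password;
# many usernames from one address suggests guessing.
sample_log | summarize_fail_logins 5
```

On a live server, feed it the real log instead of the sample: `sudo cat /var/log/vsftpd.log | summarize_fail_logins 5`.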
Fixes
**Fix 1 — Use the correct protocol and port**
| Protocol | Port | Use when |
|----------|------|----------|
| FTP | 21 | Legacy, requires FTPS for encryption |
| FTPS (Explicit) | 21 | FTP + STARTTLS upgrade |
| SFTP | 22 | SSH-based, completely separate protocol |
In FileZilla: Site Manager → Protocol → select the correct entry.
**Fix 2 — Escape or re-enter the password**
```bash
# Reset the FTP password via cPanel / Plesk to remove special characters,
# or use a new password that is alphanumeric-only for FTP accounts.
```
**Fix 3 — Add the user to the virtual user database**
```bash
# vsftpd virtual users: append username and password on alternating lines.
# tee runs under sudo so the append works on a root-owned file.
printf '%s\n' 'newuser' 'newpassword' | sudo tee -a /etc/vsftpd/virtual_users.txt > /dev/null
# Rebuild the Berkeley DB
sudo db_load -T -t hash -f /etc/vsftpd/virtual_users.txt /etc/vsftpd/virtual_users.db
sudo systemctl restart vsftpd
```
**Fix 4 — Enable or fix FTPS (Explicit TLS)**
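```ini
# /etc/vsftpd.conf
ssl_enable=YES
allow_anon_ssl=NO
# Require TLS on the data channel and for the login itself, so USER/PASS
# sent in plain text is rejected instead of exposing the password.
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Permits TLS 1.0; check which protocol options your vsftpd build offers
# and prefer newer TLS versions where they are available.
ssl_tlsv1=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
```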
**Fix 5 — Unban IP and increase fail2ban thresholds**
```bash
sudo fail2ban-client set vsftpd unbanip 1.2.3.4
# In /etc/fail2ban/jail.local:
# maxretry = 10 (increase from default 5)
# bantime = 300 (reduce from 3600 seconds)
```
Prevention
- Use SFTP (port 22) instead of FTP wherever possible: it supports SSH key authentication and is encrypted by default, which avoids exposing credentials in transit
- Use strong, alphanumeric-only passwords for FTP accounts to avoid special-character escaping issues across clients
- Configure fail2ban with a reasonable `maxretry` (5-10) and whitelist your own IP ranges to avoid accidental lockouts
- Document protocol choice (FTP vs FTPS vs SFTP) in your team's runbook — most 530 errors in production are caused by protocol confusion after infrastructure changes
- Rotate FTP passwords regularly and store them in a secrets manager rather than hard-coding in deploy scripts