Symptom
After a clean reboot, FTP over TLS connected to port 21, showed the 331 prompt, then returned 530 Login incorrect. WHM/cPanel login still worked with the same password, which made the issue confusing.
What Worked Temporarily
Opening the passive port range to 49152 through 65534 (in your firewall rules) immediately restored transfers once. After the next reboot the 530 error returned, which ruled out a pure networking problem because TLS negotiation and the server banner were already succeeding.
Root Cause
Password desynchronization between the cPanel account and the ProFTPD/Pure-FTPd virtual user database. cPanel authentication succeeded, but ProFTPD/Pure-FTPd was still using an older hash. Note: This issue can happen with both FTP server types. When the server restarted, ProFTPD/Pure-FTPd read the stale credentials and began rejecting the FTP login.
Quick Fix
Reset the cPanel account password and select the option to synchronize the FTP password. This forces a rebuild of the ProFTPD/Pure-FTPd user data. After doing this, FTP over TLS authenticated normally.
How To Prevent A Repeat
- Keep the passive port range aligned in both locations: your hosting provider’s platform (such as AWS, Lightsail, EC2, or another third party) and the server’s firewall software. In our case, the setup is AWS EC2 combined with Imunify360.
- (optional) Configure PassivePorts 49152 65534 in an include file for ProFTPD/Pure-FTPd so it persists across reboots.
- If you change an account password, do it from WHM or cPanel to trigger an FTP resync. You can also run /scripts/ftpupdate and /scripts/ftpusers to rebuild the database.
- Check blockers first if you see 530 again: cPHulk history, Imunify360 IP lists, and server logs such as /var/log/ProFTPD/Pure-FTPd/auth.log and /var/log/secure.
- Consider SFTP on port 22 for routine file management. It uses the system password directly and avoids passive port ranges and ProFTPD/Pure-FTPd syncing.
Takeaway
Hours were lost chasing ports and TLS even though the handshake was fine. The real fix was a simple password reset that resynced ProFTPD/Pure-FTPd with the cPanel account. If you see TLS established followed by 331 and then 530 after a reboot, verify credentials synchronization before diving deep into networking.
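The triage order from the takeaway, as an added example that is not part of the original write-up: it reads the server replies from a client-side FTP log and reports which layer failed. It assumes the log contains bare reply lines; the sample transcripts, the user name and the function names are constructed for illustration.

```python
import re

# A final FTP reply line is three digits plus a space; "220-" lines are continuations.
FINAL_REPLY = re.compile(r"^(\d{3}) ")

def reply_codes(transcript):
    """Return final reply codes, in order, from bare server reply lines."""
    found = (FINAL_REPLY.match(line.strip()) for line in transcript.splitlines())
    return [int(m.group(1)) for m in found if m]

def triage(transcript):
    """Say which layer an explicit FTP-over-TLS session failed at."""
    codes = reply_codes(transcript)
    if 220 not in codes:
        return "network: no banner on port 21"
    if 234 not in codes:
        return "tls: AUTH TLS not accepted"
    if 331 not in codes:
        return "login: server never asked for a password"
    after_user = codes[codes.index(331) + 1:]
    if not after_user:
        return "login: no reply to PASS"
    if after_user[0] == 530:
        return "credentials: check FTP password sync and blockers"
    if after_user[0] != 230:
        return "login: unexpected reply %d to PASS" % after_user[0]
    # Logged in. A passive-mode reply with no 226 means the data channel failed.
    if (227 in after_user or 229 in after_user) and 226 not in after_user:
        return "passive: check the passive port range in both firewalls"
    return "ok"

# Constructed sample: the symptom from this page (TLS fine, 331, then 530).
SAMPLE_530 = """220-Welcome (constructed banner)
220 FTP server ready
234 AUTH TLS successful
331 Password required for exampleuser
530 Login incorrect."""

# Constructed sample: login works, passive data connection never completes.
SAMPLE_PASV = """220 FTP server ready
234 AUTH TLS successful
331 Password required for exampleuser
230 User exampleuser logged in
227 Entering Passive Mode (192,0,2,10,192,5)
425 Unable to build data connection"""

if __name__ == "__main__":
    print(triage(SAMPLE_530))
    print(triage(SAMPLE_PASV))
```

A "credentials" result points at the password resync and blocker checks above; a "passive" result points at the port range in the provider firewall and the server firewall.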