
Overview

cPanel & WHM installs and manages many different services on your system, most of which require an external connection in order to function properly. Because of this, your firewall must allow cPanel & WHM to open the ports on which these services run.

This document lists the ports that cPanel & WHM uses, and which services use each of these ports, to allow you to better configure your firewall.

Warning:

  • We strongly recommend that you only open ports for services that you use.
  • When you work with firewall rules, always make certain to include a way to log back in to your server, and always maintain console access to your server.

Ports

Important:

We strongly recommend that you use the SSL version of each service whenever possible.

  • The use of non-SSL services can allow attackers to intercept sensitive information, such as login credentials.
  • Always ensure that valid SSL certificates exist for your services in WHM's Manage Service SSL Certificates interface (WHM >> Home >> Service Configuration >> Manage Service SSL Certificates).

Note:

For more information on how to access cPanel & WHM services, read our How to Access cPanel & WHM Services documentation.

Port | Service | TCP | UDP | Inbound | Outbound | Localhost | Notes
1 CPAN




The Show Available Modules option in cPanel's Perl Modules interface (cPanel >> Home >> Software >> Perl Modules) uses this port to improve the speed at which it appears.

20 FTP
 

Instead of FTP, we recommend that you use the more secure SFTP via SSH.

21 FTP
 

22 SSH
 
 

Important:

You must open this port before you use WHM's Transfer Tool interface (WHM >> Home >> Transfers >> Transfer Tool). 

25 SMTP
 

 
26 SMTP
 

cPanel & WHM only uses this port if you specify it in WHM's Service Manager interface (WHM >> Home >> Service Configuration >> Service Manager).
37 rdate
  

 
43 whois
  

 
53 bind

cPanel & WHM only uses this port if you run a public DNS server.
80 httpd
 

This port serves the HTTP needs of services on the server.

Note:

  • The cPanel Server Daemon (cpsrvd) listens on this port when you disable the httpd service. This daemon monitors cPanel & WHM services.
  • In cPanel & WHM version 76, we renamed the following settings:
    • The Proxy subdomains setting to Service subdomains.
    • The Proxy subdomain creation setting to Service subdomain creation.
  • For more information, read our Service Subdomains Explanation documentation.

Important:

We strongly recommend that you encourage your users to use port 443, which uses the more secure SSL/TLS security protocol. For more information, read our More about TLS and SSL documentation.

110 POP3
 
 
 
113 ident
  

 
143 IMAP
 
 
 
443 httpd
 

This port serves the HTTPS needs of services on the server.

Notes:

  • The cPanel Server Daemon (cpsrvd) listens on this port when you disable the httpd service. This daemon monitors cPanel & WHM services.
  • In cPanel & WHM version 76, we renamed the following settings:
    • The Proxy subdomains setting to Service subdomains.
    • The Proxy subdomain creation setting to Service subdomain creation.
  • For more information, read our Service Subdomains Explanation documentation.

If you enable the Service subdomains and Service subdomain creation settings in the Domains section of WHM's Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings), users can access cPanel or WHM via the following subdomains:

  • cpanel.example.com delivers to the user's cPanel Home interface.
  • whm.example.com delivers to the user's WHM Home interface.
  • webmail.example.com delivers to the user's Webmail interface (cPanel >> Home >> Email >> Email Accounts).
  • webdisk.example.com delivers to the user's Web Disk interface (cPanel >> Home >> Files >> Web Disk).

WHM's Manage AutoSSL interface (WHM >> Home >> SSL/TLS >> Manage AutoSSL) requires outbound access to the store.cpanel.net server.

465 SMTP, SSL/TLS

Warning:

As of cPanel & WHM version 68, we only support Transport Layer Security (TLS) protocol version 1.2.

  • We will only support applications that use TLSv1.2.
  • We strongly recommend that you enable TLSv1.2 on your server. 

579 cPHulk


   
This port should only accept connections on the 127.0.0.x IPv4 address. Your system does not require that this port accept external traffic.
783 Apache SpamAssassin™

 

 
873 rsync
 

 
993 IMAP SSL
 
 
 
995 POP3 SSL
 
 
 
2703 Razor

  

Razor is a collaborative spam-tracking database. For more information, visit the Razor website.
2077 WebDAV
 

cPanel's Web Disk interface (cPanel >> Home >> Files >> Web Disk) uses these ports.
2078 WebDAV SSL
 

2079 CalDAV and CardDAV
 

cPanel's Calendars and Contacts interface (cPanel >> Home >> Email >> Calendars and Contacts) uses these ports.
2080 CalDAV and CardDAV (SSL)
 

2082 cPanel
 
 

Note:

To disable logins via this port and only allow SSL logins, set the "Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS”" option to On in WHM's Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the /cpanel, /whm, and /webmail aliases.

2083 cPanel SSL
 
 
 
2086 WHM
 
 

Note:

To disable logins via this port and only allow SSL logins, set the "Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS”" option to On in WHM's Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the /cpanel, /whm, and /webmail aliases.

2087 WHM SSL
 
 
 
2089 cPanel Licensing
  

Warning:

You must open this port in order to contact the cPanel license servers. 

2095 Webmail
 
 

Note:

To disable logins via this port and only allow SSL logins, set the "Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS”" option to On in WHM's Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the /cpanel, /whm, and /webmail aliases.

2096 Webmail SSL
 
 
 
2195 APNs

  


cPanel & WHM only uses this port for the Apple® Push Notification Service (APNs). For more information, read our How to Set Up iOS Push Notifications documentation.
3306 MySQL®
 
 
MySQL uses this port for remote database connections.
6277 DCC



For more information, read Apache's DCC and NetTestFirewallIssues documentation.
24441 Pyzor


For more information, read Apache's Pyzor and NetTestFirewallIssues documentation.
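
As an added example (not part of the cPanel documentation), the following POSIX shell function checks listening TCP sockets against the table above: it flags port 579 when it listens beyond loopback, plaintext ports that have a secure alternative in the table, and listeners on ports the table does not list. The function names and the sample socket lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not cPanel code. Audits listening TCP sockets against the
# port table above. Input lines use the layout printed by `ss -tln`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
audit_listeners() {
    awk '
    BEGIN {
        # Plaintext port -> secure alternative from the table
        # (21 -> 22 follows the SFTP-via-SSH recommendation).
        n = split("21:22 80:443 110:995 143:993 2077:2078 2079:2080 2082:2083 2086:2087 2095:2096", pair, " ")
        for (i = 1; i <= n; i++) { split(pair[i], kv, ":"); secure[kv[1]] = kv[2] }
        # Every port that the table lists.
        ports = "1 20 21 22 25 26 37 43 53 80 110 113 143 443 465 579 783 873 993 995"
        ports = ports " 2077 2078 2079 2080 2082 2083 2086 2087 2089 2095 2096 2195 2703 3306 6277 24441"
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) known[p[i]] = 1
    }
    $1 == "LISTEN" {
        n = split($4, part, ":")          # last piece is the port, also for [::]:22
        port = part[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        loopback = (host ~ /^127\./ || host == "[::1]")
        if (loopback) next                # not reachable from other hosts
        if (port == 579)           print "FAIL 579 cPHulk listens on " host ", expected 127.0.0.x"
        else if (!(port in known)) print "WARN " port " is not in the cPanel port table"
        else if (port in secure)   print "INFO " port " is plaintext, secure alternative is " secure[port]
    }'
}

# Constructed sample input (not captured from a real server).
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:579 0.0.0.0:*
LISTEN 0 128 127.0.0.1:783 0.0.0.0:*
LISTEN 0 128 *:2082 *:*
LISTEN 0 128 *:2083 *:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::]:143 [::]:*
EOF
}

sample_listeners | audit_listeners
```

On a server, pipe the real socket list into the function with `ss -tln | audit_listeners`; the header line is ignored because only LISTEN rows are examined.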

Example configurations

The following examples explain how to add rules with CSF, APF, and the iptables application.

Important:

  • We do not recommend that you use these examples for your personal configurations. Instead, make certain that your firewall rules match the way in which you use cPanel & WHM's services.
  • CentOS 7, CloudLinux™ 7, and Red Hat® Enterprise Linux (RHEL) 7 servers have additional requirements. For more information, read the CentOS 7, CloudLinux 7, and RHEL 7 firewall management section below.

CSF

ConfigServer provides the free WHM plugin CSF, which allows you to modify your iptables rules within WHM.

To install CSF, run the following commands as the root user:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf && ./install.sh

To configure CSF, use WHM's ConfigServer & Firewall interface (Home >> Plugins >> ConfigServer & Firewall).

Note:

For more information about how to install and use CSF, visit the CSF website.

APF

APF acts as a front-end interface for the iptables application, and allows you to open or close ports without the use of the iptables syntax.

The following example includes two rules that you can add to the /etc/apf/conf.apf file in order to allow HTTP and HTTPS access to your system:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="80,443"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="80"

Note:

For more information about APF, visit the APF site.

iptables

The iptables application offers more customization options for your packet filtering rules. This application requires that you understand the TCP/IP stack.

The following example includes iptables rules for HTTP traffic on port 80:

Note:

This example assumes that a DMZ exists on eth0 for the 192.168.1.1 port, and the 66.66.66.66 broadcast IP address.

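# $IPTABLES is a shell variable that must hold the path to the iptables binary; "allowed" and "icmp_packets" are user-defined chains that must already exist.
# The -i option matches on an interface name, so substitute the name of your external interface for 66.66.66.66.
$IPTABLES -A FORWARD -p TCP -i 66.66.66.66 -o eth0 -d 192.168.1.1 --dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i 66.66.66.66 -o eth0 -d 192.168.1.1 -j icmp_packets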

Note:

For more information about the use of iptables, visit the iptables site, or run the man iptables command from the command line.

CentOS 7, CloudLinux 7, and RHEL 7 firewall management

Servers that run the CentOS 7, CloudLinux 7, and RHEL 7 operating systems require that you use the firewalld daemon. 

Important:

We recommend that you only use the firewall utilities on CentOS 7, CloudLinux 7, and RHEL 7 servers.

Note:

For more information about the firewall utilities and the firewalld daemon, read Red Hat's Using Firewalls documentation.

The cpanel service

Important:

The /usr/local/cpanel/scripts/configure_firewall_for_cpanel script clears all existing entries from the iptables application. If you use custom rules for your firewall, export those rules before you run the script and then re-add them afterward.

cPanel & WHM version 11.50 and later also include the cpanel service, which manages all of the rules in the /etc/firewalld/services/cpanel.xml file. This allows TCP access for the server's ports.

To replace your existing iptables rules with the rules in the /etc/firewalld/services/cpanel.xml file, perform the following steps:

  1. Run the yum install firewalld command to ensure that your system has firewalld installed.
  2. Run the systemctl start firewalld.service command to start the firewalld service.
  3. Run the systemctl enable firewalld command to start the firewalld service when the server starts.
  4. Run the iptables-save > backupfile command to save your existing firewall rules.
  5. Run the /usr/local/cpanel/scripts/configure_firewall_for_cpanel script.
  6. Run the iptables-restore < backupfile command to incorporate your old firewall rules into the new firewall rules file.

Additional documentation