Overview

cPanel & WHM installs and manages many different services on your system. Most of these services require an external connection in order to function properly. Because of this, your firewall must allow cPanel & WHM to open the ports on which these services run. This document lists the ports that cPanel & WHM uses, and which services use each of these ports, to allow you to better configure your firewall.

Warning:

  • We strongly recommend that you only open ports for services that you use.
  • So that you do not lock yourself out of your server, make certain to include a way to log back in to your server when you work with firewall rules. Always maintain console access to your server.

Ports

Important:

We strongly recommend that you use the SSL version of each service whenever possible.

  • The use of non-SSL services could allow attackers to intercept sensitive information (for example, login credentials). 
  • Ensure that valid SSL certificates exist for your services in WHM's Manage Service SSL Certificates interface (Home >> Service Configuration >> Manage Service SSL Certificates).
  • For more information on how to access cPanel & WHM services, read our How to Access cPanel & WHM Services documentation.
| Port | Service | Notes |
|---|---|---|
| 20 | FTP | We recommend that you use SFTP via SSH, because it is more secure than FTP. |
| 21 | FTP | |
| 22 | SSH | |
| 25 | SMTP | |
| 26 | SMTP | cPanel & WHM only uses this port if you specify it in WHM's Service Manager interface (Home >> Service Configuration >> Service Manager). |
| 37 | rdate | |
| 43 | whois | |
| 53 | bind | cPanel & WHM only uses this port if you run a public DNS server. |
| 80 | http | |
| 110 | POP3 | |
| 113 | ident | |
| 143 | IMAP | |
| 443 | https | WHM's Manage AutoSSL feature (Home >> SSL/TLS >> Manage AutoSSL) requires outbound access to the store.cpanel.net server. |
| 465 | SMTP, SSL/TLS | |
| 783 | Apache SpamAssassin™ | |
| 873 | rsync | |
| 993 | IMAP SSL | |
| 995 | POP3 SSL | |
| 2703 | Razor | Razor is a collaborative spam-tracking database. For more information, visit the Razor website. |
| 2077 | WebDAV | cPanel's Web Disk interface (Home >> Files >> Web Disk) uses this port. |
| 2078 | WebDAV SSL | cPanel's Web Disk interface (Home >> Files >> Web Disk) uses this port. |
| 2079 | CalDAV and CardDAV | cPanel's Calendars and Contacts interface (Home >> Email >> Calendars and Contacts) uses this port. |
| 2080 | CalDAV and CardDAV (SSL) | cPanel's Calendars and Contacts interface (Home >> Email >> Calendars and Contacts) uses this port. |
| 2082 | cPanel | |
| 2083 | cPanel SSL | |
| 2086 | WHM | |
| 2087 | WHM SSL | |
| 2089 | cPanel Licensing | Warning: You must open this port in order to contact the cPanel license servers. |
| 2095 | Webmail | |
| 2096 | Webmail SSL | |
| 3306 | MySQL® | MySQL uses this port for remote database connections. |
| 6277 | DCC | For more information, read Apache's DCC and NetTestFirewallIssues documentation. |
| 24441 | Pyzor | For more information, read Apache's Pyzor and NetTestFirewallIssues documentation. |

Example configurations

The following examples illustrate how to add rules with CSF, APF, and the iptables application.

Important:

  • We do not recommend that you use these examples. Instead, make certain that your firewall rules match the way in which you use cPanel & WHM's services.
  • CentOS 7, CloudLinux™ 7, and Red Hat® Enterprise Linux (RHEL) 7 servers have additional requirements. For more information, read the CentOS 7, CloudLinux 7, and RHEL 7 firewall management section below.

CSF

ConfigServer provides the free WHM plugin CSF, which allows you to modify your iptables rules within WHM. It is a stateful packet inspection (SPI) firewall, a login and intrusion detection mechanism, and a general security application for Linux servers.

To install CSF, run the following commands as the root user:

wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz 
cd csf && ./install.cpanel.sh

To configure CSF, use WHM's ConfigServer & Firewall interface (Home >> Plugins >> ConfigServer & Firewall).

For more information about how to install and use CSF, visit the CSF website.

APF

APF acts as a frontend for the iptables application, and allows you to open or close ports without the use of the iptables syntax. For more information, read the APF site.

The following example includes two rules to add to the /etc/apf/conf.apf file to allow HTTP and HTTPS access to your system:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="80,443"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="80"

iptables

While CSF and APF are easy to use, the iptables application offers more customization options for your packet filtering rules. The iptables application requires that you understand the TCP/IP stack. For more information, visit the iptables site or run the man iptables command from the command line.

The following example includes iptables rules for HTTP traffic on port 80:

Note:

This example assumes that you have a DMZ set up on eth0 for 192.168.1.1 and a broadcast IP address of 66.66.66.66.

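# $IPTABLES holds the path to the iptables binary; allowed and icmp_packets are user-defined chains that must already exist.
# -i and -o match interface names, so substitute the name of your external interface for 66.66.66.66.
$IPTABLES -A FORWARD -p TCP -i 66.66.66.66 -o eth0 -d 192.168.1.1 --dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i 66.66.66.66 -o eth0 -d 192.168.1.1 -j icmp_packets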

CentOS 7, CloudLinux 7, and RHEL 7 firewall management

Servers that run the CentOS 7, CloudLinux 7, and RHEL 7 operating systems require that you use the firewalld daemon.

  • While you can use the iptables command for temporary firewall rules, we recommend that you only use the firewall utilities on CentOS 7, CloudLinux 7, and RHEL 7 servers.
  • For more information about the firewall utilities and the firewalld daemon, read Red Hat's Using Firewalls documentation.

cPanel & WHM version 11.50 and later also includes the cpanel service, which manages all of the rules in the /etc/firewalld/services/cpanel.xml file. This allows TCP access for the server's ports.

To add these rules automatically, perform the following steps:

  1. Run the yum install firewalld command to ensure that your system has firewalld installed.
  2. Run the systemctl start firewalld.service command to start the firewalld service.
  3. Run the /scripts/configure_firewall_for_cpanel script.
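After the script has written its rules, the two recommendations made earlier on this page (open only the ports for services that you use, and prefer the SSL port of each service) can be checked against what the firewall now allows. The following is an added example, not part of cPanel's documentation or tooling: it assumes the standard firewalld service-file `<port protocol="..." port="..."/>` elements and the output of `ss -Htln`, and the function names and both sample inputs are constructed for illustration.

```shell
# Added example; function names and sample inputs are constructed for illustration.
# Plain-text port -> SSL counterpart, taken from the port table on this page.
SSL_PAIRS="110:995 143:993 2077:2078 2079:2080 2082:2083 2086:2087 2095:2096"

# stdin: firewalld service XML. stdout: single TCP ports it opens (ranges skipped).
service_ports() {
    tr '>' '\n' |
        sed -n '/protocol="tcp"/s/.*[[:space:]]port="\([0-9][0-9]*\)".*/\1/p' | sort -nu
}

# stdin: `ss -Htln` output. stdout: ports that have a non-loopback listener.
listening_ports() {
    awk '$1 == "LISTEN" && $4 !~ /^(127\.|\[::1\]:)/ {
             n = split($4, a, ":"); print a[n] }' | sort -nu
}

# $1 = allowed ports, $2 = listening ports. Prints allowed ports that nothing serves.
unused_open_ports() {
    printf '%s\n' "$1" | while read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$2" | grep -qx "$p" || echo "$p"
    done
}

# $1 = allowed ports. Prints allowed plain-text ports that have an SSL counterpart.
plaintext_open_ports() {
    for pair in $SSL_PAIRS; do
        plain=${pair%%:*}; ssl=${pair##*:}
        printf '%s\n' "$1" | grep -qx "$plain" && echo "$plain (use $ssl)"
    done
    return 0
}

# Constructed stand-in for /etc/firewalld/services/cpanel.xml
SAMPLE_SERVICE_XML='<service>
  <port protocol="tcp" port="110"/><port protocol="tcp" port="995"/>
  <port protocol="tcp" port="2082"/><port protocol="tcp" port="2083"/>
  <port protocol="tcp" port="2087"/><port protocol="tcp" port="3306"/>
</service>'
# Constructed stand-in for `ss -Htln`; MySQL is bound to loopback only.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:995 0.0.0.0:*
LISTEN 0 128 [::]:2083 [::]:*
LISTEN 0 128 *:2087 *:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*'

allowed=$(printf '%s\n' "$SAMPLE_SERVICE_XML" | service_ports)
listening=$(printf '%s\n' "$SAMPLE_SS" | listening_ports)
echo "Allowed but not served:"; unused_open_ports "$allowed" "$listening"
echo "Plain-text ports allowed:"; plaintext_open_ports "$allowed"
```

On a server, feed the functions real data with `service_ports < /etc/firewalld/services/cpanel.xml` and `ss -Htln | listening_ports`.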
