How to Configure Your Firewall for cPanel & WHM Services

Valid for versions 86 through 88

Last modified: October 13, 2020

Overview

cPanel & WHM installs and manages many different services on your system, most of which require an external connection in order to function properly. Because of this, your firewall must allow cPanel & WHM to open the ports on which these services run.

This document lists the ports that cPanel & WHM uses, and which services use each of these ports, to allow you to better configure your firewall.

Warning:
  • We strongly recommend that you only open ports for services that you use.

  • When you work with firewall rules, always make certain to include a way to log back in to your server, and always maintain console access to your server.

Ports

Important:

We strongly recommend that you use the SSL version of each service whenever possible.

  • The use of non-SSL services can allow attackers to intercept sensitive information, such as login credentials.
  • Always ensure that valid SSL certificates exist for your services in WHM’s Manage Service SSL Certificates interface (WHM >> Home >> Service Configuration >> Manage Service SSL Certificates).
Note:

For more information on how to access cPanel & WHM services, read our How to Access cPanel & WHM Services documentation.

Each entry below gives the port number, the service that uses it, and any notes that apply to that port.

Port 1: CPAN
  The Show Available Modules setting in cPanel’s Perl Modules interface (cPanel >> Home >> Software >> Perl Modules) uses this port to improve the speed at which it appears.

Port 20: FTP
  Instead of FTP, we recommend that you use the more secure SFTP via SSH.

Port 21: FTP

Port 22: SSH
  Warning:
  You must open this port before you use WHM’s Transfer Tool interface (WHM >> Home >> Transfers >> Transfer Tool).

Port 25: SMTP

Port 26: SMTP
  cPanel & WHM only uses this port if you specify it in WHM’s Service Manager interface (WHM >> Home >> Service Configuration >> Service Manager).

Port 37: rdate

Port 43: whois

Port 53: DNS
  cPanel & WHM uses this port for the following functions:
  • Public DNS services.
  • Communication with root nameservers for AutoSSL.
  • Other functions that require name resolution.

Port 80: httpd
  This port serves the HTTP needs of services on the server.
  Important:
  • We strongly recommend that you encourage your users to use port 443, which uses the more secure SSL/TLS security protocol. For more information, read our More about TLS and SSL documentation.
  • In cPanel & WHM version 76 and later, the cPanel Server Daemon (cpsrvd) listens on this port when you disable the Web Server role. This daemon monitors cPanel & WHM services.

Port 110: POP3

Port 113: ident

Port 143: IMAP

Port 443: httpd
  This port serves the HTTPS needs of services on the server.
  Note:
  • This port can allow users to access cPanel or WHM via certain subdomains. For more information, read our Service and Proxy Subdomains documentation.
  • In cPanel & WHM version 76 and later, the cPanel Server Daemon (cpsrvd) listens on this port when you disable the Web Server role.
  • WHM’s Manage AutoSSL interface (WHM >> Home >> SSL/TLS >> Manage AutoSSL) requires outbound access to the store.cpanel.net server.

Port 465: SMTP, SSL/TLS
  Important:
  cPanel & WHM supports Transport Layer Security (TLS) protocol version 1.2 and strongly recommends that you enable TLSv1.2 on your server.

Port 579: cPHulk
  This port should only accept connections on the 127.0.0.x IPv4 address. Your system does not require that this port accept external traffic.

Port 587: Exim

Port 783: Apache SpamAssassin™

Port 873: rsync

Port 953: PowerDNS
  This port should only accept connections on the 127.0.0.1 IPv4 address. Your system does not require that this port accept external traffic.
  Note:
  You must use this port when you run PowerDNS nameservers.

Port 993: IMAP SSL

Port 995: POP3 SSL

Port 2073: Razor
  Razor is a collaborative spam-tracking database. For more information, visit the Razor website.

Port 2077: WebDAV
  cPanel’s Web Disk interface (cPanel >> Home >> Files >> Web Disk) uses ports 2077 and 2078.

Port 2078: WebDAV SSL

Port 2079: CalDAV and CardDAV

Port 2080: CalDAV and CardDAV (SSL)

Port 2082: cPanel
  Note:
  To disable logins via this port and only allow SSL logins, set the “Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as ‘Always redirect to SSL/TLS’” setting to On in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the /cpanel, /whm, and /webmail aliases.

Port 2083: cPanel SSL

Port 2086: WHM
  Note:
  To disable logins via this port and only allow SSL logins, set the “Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as ‘Always redirect to SSL/TLS’” setting to On in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the /cpanel, /whm, and /webmail aliases.

Port 2087: WHM SSL

Port 2089: cPanel Licensing
  Warning:
  You must open this port in order to contact the cPanel, L.L.C. license servers.

Port 2095: Webmail
  Note:
  To disable logins via this port and only allow SSL logins, set the “Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as ‘Always redirect to SSL/TLS’” setting to On in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the /cpanel, /whm, and /webmail aliases.

Port 2096: Webmail SSL

Port 2195: Apple Push Notification service (APNs)
  cPanel & WHM only uses this port for the Apple® Push Notification Service (APNs). For more information, read our How to Set Up iOS Push Notifications documentation.

Port 3306: MySQL®
  MySQL uses this port for remote database connections.

Port 6277: DCC
  For more information, read the Apache® DCC and NetTestFirewallIssues documentation.

Port 24441: Pyzor
  For more information, read Apache’s Pyzor and NetTestFirewallIssues documentation.
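The following script is an added example and is not part of cPanel & WHM. It compares the TCP sockets a server is listening on with the port list above: it reports any port that the list says should only accept loopback connections (579 for cPHulk and 953 for PowerDNS) when that port is bound to a public address, and any public listener that is not in the list of ports you expect to expose. The ss output that it parses is a constructed sample, and the EXPECTED_PUBLIC list is an assumption that you should edit to match the services you actually use.

```shell
#!/bin/sh
# Added example, not part of cPanel & WHM: compare the TCP ports a server is
# listening on with the port list in this document.
#
# On a real server feed it the live socket list instead of the sample:
#   ss -Hltn | audit_listeners

# Ports that the list above says should only accept loopback connections.
LOOPBACK_ONLY="579 953"

# Ports you expect to be reachable from outside. This list is an assumption
# for the example; edit it to match the services you actually use, preferring
# the SSL ports as the document recommends.
EXPECTED_PUBLIC="22 25 53 80 443 465 587 993 995 2083 2087 2096"

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:579 0.0.0.0:*
LISTEN 0 128 0.0.0.0:953 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2082 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2083 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*'

# in_list WORD LIST: succeed if WORD is one of the space-separated items in LIST.
in_list() {
  for item in $2; do
    [ "$item" = "$1" ] && return 0
  done
  return 1
}

# audit_listeners: read ss -Hltn lines on stdin and print one finding per line:
#   LOOPBACK-ONLY <port> (<addr>)  a loopback-only port bound to a public address
#   UNEXPECTED <port> (<addr>)     a public listener that is not in EXPECTED_PUBLIC
audit_listeners() {
  while read -r _state _recvq _sendq laddr _peer; do
    [ -z "$laddr" ] && continue
    port=${laddr##*:}              # text after the last colon is the port
    addr=${laddr%:*}               # everything before it is the bound address
    case "$addr" in
      127.*|"[::1]") continue ;;   # loopback bindings are fine for any port
    esac
    if in_list "$port" "$LOOPBACK_ONLY"; then
      echo "LOOPBACK-ONLY $port ($addr)"
    elif ! in_list "$port" "$EXPECTED_PUBLIC"; then
      echo "UNEXPECTED $port ($addr)"
    fi
  done
}

# audit_sample: run the audit over the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE_SS" | audit_listeners
}

audit_sample
```

On the sample the script reports port 953 bound to 0.0.0.0 and the non-SSL cPanel port 2082 as findings; port 579 is silent because it is bound to 127.0.0.1, and port 2082 disappears from the report once it is either closed at the firewall or added to EXPECTED_PUBLIC on purpose.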

Example configurations

The following examples explain how to add rules with CSF, APF, and the iptables application.

Important:
  • We do not recommend that you use these examples for your personal configurations. Instead, make certain that your firewall rules match the way in which you use cPanel & WHM’s services.
  • CentOS 7, CloudLinux™ 7, and Red Hat® Enterprise Linux (RHEL) 7 servers have additional requirements. For more information, read the CentOS 7, CloudLinux 7, and RHEL 7 firewall management section below.

ConfigServer Security & Firewall

ConfigServer provides the free WHM plugin ConfigServer Security & Firewall (CSF), which allows you to modify your iptables rules within WHM. For information about how to install and configure CSF, read our Additional Security Software documentation.

Advanced Policy Firewall

Advanced Policy Firewall (APF) acts as a front-end interface for the iptables application, and allows you to open or close ports without the use of the iptables syntax.

The following example includes two rules that you can add to the /etc/apf/conf.apf file in order to allow HTTP and HTTPS access to your system:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="80,443"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="80"

iptables

The iptables application offers more customization settings for your packet filtering rules. This application requires that you understand the TCP/IP stack. For more information about the use of iptables, visit the iptables site, or run the man iptables command from the command line.

The following example includes iptables rules for HTTP traffic on port 80:

# $IPTABLES holds the path to the iptables binary (for example, /sbin/iptables).
# Forward HTTP requests from the external address to the DMZ web server.
$IPTABLES -A FORWARD -p TCP -s 66.66.66.66 -o eth0 -d 192.168.1.1 --dport 80 -j allowed
# Hand ICMP traffic for the DMZ web server to the icmp_packets chain.
$IPTABLES -A FORWARD -p ICMP -s 66.66.66.66 -o eth0 -d 192.168.1.1 -j icmp_packets
Note:

This example assumes that a DMZ exists on the eth0 interface, that 192.168.1.1 is the web server's address in that DMZ, that 66.66.66.66 is the external IP address, and that the allowed and icmp_packets user-defined chains already exist.

CentOS, CloudLinux™, or Red Hat® Enterprise Linux (RHEL) 6, or Amazon Linux firewall management

On a CentOS 6, CloudLinux 6, or RHEL 6 system, or on Amazon® Linux, use the iptables utility to manage your firewall.

  • You can block a specific IP address with the iptables command. For example, to block the IPv4 address 192.168.0.0, run the following command:

    iptables -A INPUT -s 192.168.0.0 -j DROP

    To block the IPv6 address 2001:0db8:0:0:1:0:0:1, run the following command (IPv6 rules go through the ip6tables command, and the address is written without brackets):

    ip6tables -A INPUT -s 2001:0db8:0:0:1:0:0:1 -j DROP

  • You can block a specific port for an IP address. For example, to block port 23 on the IPv4 address 192.168.0.0, run the following command:

    iptables -A INPUT -s 192.168.0.0 -p tcp --destination-port 23 -j DROP

    To block port 23 on the IPv6 address 2001:0db8:0:0:1:0:0:1, run the following command:

    ip6tables -A INPUT -s 2001:0db8:0:0:1:0:0:1 -p tcp --destination-port 23 -j DROP


CentOS 7, CloudLinux 7, and RHEL 7 firewall management

We strongly recommend that servers which run the CentOS 7, CloudLinux 7, and RHEL 7 operating systems use the firewalld daemon instead of the legacy iptables service that those operating systems also ship.

For example, to block traffic for a single IPv4 address, run the following command, where 192.168.0.0 is the IPv4 address that you wish to block:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0" drop' --permanent

To block traffic for a single IPv6 address, run the following command, where 2001:0db8:0:0:1:0:0:1 is the IPv6 address that you wish to block:

firewall-cmd --add-rich-rule='rule family="ipv6" source address="2001:0db8:0:0:1:0:0:1" drop' --permanent
Important:

We recommend that you use only one firewall utility on CentOS 7, CloudLinux 7, and RHEL 7 servers.

  • If you use firewalld, remove the iptables-services package through the yum package manager with the following command: yum remove iptables-services
  • If you use the legacy iptables service, remove the firewalld package through the yum package manager with the following command: yum remove firewalld
  • If you use a third-party firewall management service, we recommend that you check the firewall’s documentation before you remove the unused firewalld or iptables services.

For more information about the firewall utilities and the firewalld daemon, read Red Hat’s Using Firewalls documentation.
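The following added example is not part of cPanel & WHM or of firewalld. It builds the "drop this address" rule from the two firewalld commands above and from the iptables commands in the previous section, choosing the address family from the address itself rather than trusting the caller: an IPv4 address produces a family="ipv4" rule, an IPv6 address produces a family="ipv6" rule written without brackets, and anything else is rejected. It also follows the permanent rule with a reload, because a --permanent change alone does not affect the running firewall. With DRY_RUN=1 (the default) it prints the commands instead of running them; the rule_family, drop_rule, block_address, and iptables_drop function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of cPanel & WHM or firewalld: build the "drop this
# address" rule from the examples above, picking the address family from the
# address itself. DRY_RUN=1 (the default) prints the commands instead of
# running them. The function names are this example's own.
DRY_RUN=${DRY_RUN:-1}

# rule_family ADDRESS: print ipv4 or ipv6; fail for anything else, including a
# bracketed IPv6 address such as [2001:db8::1].
rule_family() {
  case "$1" in
    *[!0-9.]*) ;;                     # has something other than digits and dots
    *.*.*.*) echo ipv4; return 0 ;;   # four dotted groups of digits
  esac
  case "$1" in
    *[!0-9A-Fa-f:]*) return 1 ;;      # anything but hex digits and colons
    *:*) echo ipv6; return 0 ;;
  esac
  return 1
}

# drop_rule ADDRESS: print the firewalld rich rule that drops the address.
# IPv6 addresses are written bare; rich rules do not use [..] brackets.
drop_rule() {
  fam=$(rule_family "$1") || {
    echo "drop_rule: '$1' is not an IPv4 or IPv6 address" >&2
    return 1
  }
  printf 'rule family="%s" source address="%s" drop' "$fam" "$1"
}

# block_address ADDRESS: add the rule permanently, then reload so that it is
# applied to the running firewall (a --permanent change alone is not live).
block_address() {
  rule=$(drop_rule "$1") || return 1
  if [ "$DRY_RUN" = 1 ]; then
    printf "firewall-cmd --permanent --add-rich-rule='%s'\nfirewall-cmd --reload\n" "$rule"
  else
    firewall-cmd --permanent --add-rich-rule="$rule" && firewall-cmd --reload
  fi
}

# iptables_drop ADDRESS: the equivalent rule for the iptables hosts in the
# previous section. IPv6 rules go through ip6tables, again without brackets.
iptables_drop() {
  fam=$(rule_family "$1") || return 1
  if [ "$fam" = ipv6 ]; then
    printf 'ip6tables -A INPUT -s %s -j DROP' "$1"
  else
    printf 'iptables -A INPUT -s %s -j DROP' "$1"
  fi
}

block_address 192.168.0.0
block_address 2001:0db8:0:0:1:0:0:1
```

Run it as root with DRY_RUN=0 once the printed commands look right. The family check is deliberately strict: a hostname or a bracketed address fails before any firewall-cmd call, so a typo cannot create a rule that firewalld accepts but never matches.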

The cpanel service

Important:

The /usr/local/cpanel/scripts/configure_firewall_for_cpanel script clears all existing entries from the iptables application. If you use custom rules for your firewall, export those rules before you run the script and then re-add them afterward.

cPanel & WHM version 11.50 and later also includes the cpanel service, which manages all of the rules in the /etc/firewalld/services/cpanel.xml file. This allows TCP access for the server’s ports.

To replace your existing iptables rules with the rules in the /etc/firewalld/services/cpanel.xml file, perform the following steps:

  1. Run the yum install firewalld command to ensure that you have installed the firewalld service daemon on your system.

  2. Run the systemctl start firewalld.service command to start the firewalld service.

  3. Run the systemctl enable firewalld command to start the firewalld service when the server starts.

  4. Run the iptables-save > backupfile command to save your existing firewall rules.

  5. Run the /usr/local/cpanel/scripts/configure_firewall_for_cpanel script.

  6. Run the iptables-restore < backupfile command to incorporate your old firewall rules into the new firewall rules file.
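The following script is an added example and is not part of cPanel & WHM. It runs the six steps above in order and adds the check the warning at the top of this section calls for: it verifies that the iptables-save backup is non-empty and complete before it runs the configure_firewall_for_cpanel script, so that a failed backup cannot silently cost you your custom rules. With DRY_RUN=1 (the default) it prints each privileged command instead of running it; the function names, the run wrapper, and the default backup path under /root are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of cPanel & WHM: the six steps above as one script,
# with the check the warning above calls for: the iptables-save backup is
# verified before configure_firewall_for_cpanel clears the running rules.
# DRY_RUN=1 (the default) prints the privileged commands instead of running
# them. The function names and the default backup path are this example's own.
DRY_RUN=${DRY_RUN:-1}
CPANEL_FW_SCRIPT=/usr/local/cpanel/scripts/configure_firewall_for_cpanel

# run COMMAND...: echo the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# verify_backup FILE: succeed only if FILE looks like complete iptables-save
# output: non-empty, at least one table header (*filter, *nat, ...) and a
# COMMIT line. An empty or truncated backup would restore as nothing.
verify_backup() {
  [ -s "$1" ] || { echo "backup $1 is missing or empty" >&2; return 1; }
  grep -q '^\*[a-z]' "$1" || { echo "backup $1 has no table header" >&2; return 1; }
  grep -q '^COMMIT' "$1" || { echo "backup $1 has no COMMIT line" >&2; return 1; }
}

# migrate_to_firewalld [BACKUP]: steps 1 to 6 in order. Stops before step 5 if
# the backup does not verify, so the custom rules are never lost.
migrate_to_firewalld() {
  backup=${1:-/root/iptables-$(date +%Y%m%d%H%M%S).rules}
  run yum install -y firewalld                      || return 1   # step 1
  run systemctl start firewalld.service             || return 1   # step 2
  run systemctl enable firewalld                    || return 1   # step 3
  if [ "$DRY_RUN" = 1 ]; then
    echo "iptables-save > $backup"                                # step 4
  else
    iptables-save > "$backup" && verify_backup "$backup" || return 1
  fi
  run "$CPANEL_FW_SCRIPT"                           || return 1   # step 5
  if [ "$DRY_RUN" = 1 ]; then
    echo "iptables-restore < $backup"                             # step 6
  else
    iptables-restore < "$backup"
  fi
}

migrate_to_firewalld
```

Run it as root with DRY_RUN=0 after you have reviewed the printed commands. Keep the backup file after a successful run: it is the quickest way back to the previous rule set if the new rules lock you out, which is why the document tells you to keep console access while you work.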
