Today we will show you which ports cPanel uses and how to configure your firewall so that all your control panel based web services work normally.
These system ports are used by many important parts of your web hosting services, such as Email, Named, MySQL, and HTTP, among others.
In this mini knowledge base, which is part of our main cPanel hosting articles, you will also learn how to configure your cPanel email ports, as well as the general cPanel ports, on RHEL, CentOS and CloudLinux servers running the CSF and APF firewalls. Let’s start with the fun stuff by listing the cPanel default open ports.
List of cPanel Ports
A cPanel (control panel) & WHM (webhost manager) installation comes with a lot of services installed by default. It’s up to you, your system administrator or your web hosting company to review and uninstall all the software you won’t use, as more active services mean more system resources dedicated to those services, and more services that can be exploited through attacks.
| Port | Service |
|---|---|
| 20 | FTP alternative port & transfer protocol |
| 21 | FTP (file transfer protocol) |
| 22 | SSH port (Secure Shell) |
| 26 | SMTP alternative port |
| 53 | BIND DNS server |
| 143 | IMAP email port |
| 443 | HTTPS (HTTP over SSL for SSL certificates) |
| 465 | SMTP, secure SSL/TLS port |
| 579 | cPHulk security tool |
| 993 | IMAP over SSL |
| 995 | POP3 over SSL |
| 2078 | WebDAV service over SSL |
| 2079 | CalDAV and CardDAV |
| 2080 | CalDAV and CardDAV over SSL |
| 2082 | cPanel login port |
| 2083 | cPanel login over SSL |
| 2086 | WHM (webhost manager) login |
| 2087 | WHM login over SSL |
| 2089 | cPanel License Check |
| 2096 | Webmail over SSL |
Please review these steps carefully to avoid locking yourself out of your server: make sure you whitelist your public internet connection IP before applying the definitive firewall rules. Never close your Linux terminal (command line), and always keep your shell access to the server open while configuring and testing your firewall setup.
This firewall can only be set up if you have direct root access on a dedicated server or cloud VPS as your hosting environment. On shared & reseller hosting plans like Joomla hosting, WordPress web hosting, Magento hosting, etc. it probably won’t be useful, as they don’t offer root access to your server.
ConfigServer has built a great firewall called CSF. It provides a fully customizable shell and WHM firewall management interface, which allows you to edit, restart, stop and start your iptables rules easily. But to be honest, it is more than a simple iptables firewall: it’s a full packet inspection firewall, an intrusion detection system, and also a Linux server security application.
Install CSF Firewall
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf && sh ./install.cpanel.sh
Move to WHM >> Plugins >> ConfigServer & Firewall
Very important: in order to test your firewall settings, you must keep TESTING = "1". This way, if you get blocked from your own server, you can log in again within a few minutes, after the CSF cron clears the iptables rules. This is just in case you haven’t properly configured the ports in the firewall.
# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "1"
The port variables are as you see below:
# Allow incoming TCP ports
TCP_IN = "22,25,26,53,80,110,143,443,465,587,993,995,2077,2078"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,26,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"

# Allow incoming UDP ports
UDP_IN = "53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,873,6277"
This is a basic cPanel port firewall config. You should explore the CSF documentation to configure your firewall properly, as it involves many more options to secure and harden your server ports, as well as incoming and outgoing connections. You can also check out our full CSF Firewall installation guide for cPanel servers in case you have any doubts about how to open a port in CSF.
Configuring Ports on APF Firewall
APF Firewall is an alternative to CSF Firewall. It has been around since before CSF, and it’s a front-end service for the netfilter/iptables firewall. Like CSF, it’s not only a firewall management solution but a server security suite.
Install APF Firewall
wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -xvpzf apf-current.tar.gz
cd apf-*
sh ./install.sh
Now that your APF Firewall is installed, let’s configure it.
nano -w /etc/apf/conf.apf
Search for the ‘DEVEL_MODE’ variable and make sure it’s set to 1 until you are satisfied with your firewall settings.
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.
DEVEL_MODE="1"
Now let’s configure the ports needed in the TCP and UDP variables:
# Configure inbound (ingress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
#
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="22,25,26,53,80,110,143,443,465,587,993,995,2077,2078"

# Common inbound (ingress) UDP ports
IG_UDP_CPORTS="53"

# Outbound (egress) filtering
EGF="1"

# Common outbound (egress) TCP ports
EG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"

# Common outbound (egress) UDP ports
EG_UDP_CPORTS="20,21,53,113,873,6277"
Once ready, restart APF to apply the changes:
service apf restart
This is just a basic APF firewall configuration. You should read the APF documentation and carefully review and reconfigure your iptables firewall to match your own needs.
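A small audit of the inbound settings shown for CSF and APF above, as an added example that is not part of the original article or of either project: it parses `TCP_IN` / `IG_TCP_CPORTS`, expands ranges (`:` in CSF, `_` in APF), and reports a test flag left on, cleartext-capable ports exposed, and SSL panel ports from the port table that are not opened. The sample configs are constructed from the values on this page; the function names and the choice of ports to check are assumptions of this example.

```python
import re
# Constructed samples that mirror the inbound settings shown in this article.
CSF_SAMPLE = '''
TESTING = "1"
TCP_IN = "22,25,26,53,80,110,143,443,465,587,993,995,2077,2078"
'''
APF_SAMPLE = '''
DEVEL_MODE="1"
IG_TCP_CPORTS="22,25,26,53,80,110,143,443,465,587,993,995,2077,2078"
'''
# Assumed policy for this example: services that can accept unencrypted
# logins, and the SSL login ports from the port table admins normally need.
CLEARTEXT = {21: "FTP", 110: "POP3", 143: "IMAP", 2077: "WebDAV",
             2082: "cPanel", 2086: "WHM"}
PANEL_TLS = {2083: "cPanel over SSL", 2087: "WHM over SSL",
             2096: "Webmail over SSL"}

def parse_conf(text):
    """Collect KEY = "value" (CSF) and KEY="value" (APF) lines; skip comments."""
    return dict(re.findall(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"', text, re.M))

def expand_ports(spec):
    """Expand "22,80,33434:33523" (CSF) or "33434_33523" (APF) into a set."""
    ports = set()
    for item in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = item.replace("_", ":").partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(text):
    """Return a list of findings for one csf.conf or conf.apf style text."""
    conf = parse_conf(text)
    apf = "IG_TCP_CPORTS" in conf
    tcp_in = expand_ports(conf.get("IG_TCP_CPORTS" if apf else "TCP_IN", ""))
    flag = "DEVEL_MODE" if apf else "TESTING"
    findings = []
    if conf.get(flag) == "1":
        findings.append(f"{flag} is 1: cron job still clears/stops the firewall")
    if 22 not in tcp_in:
        findings.append("22 (SSH) is not allowed inbound: lockout risk")
    findings += [f"{p} ({n}) open inbound: cleartext-capable service"
                 for p, n in sorted(CLEARTEXT.items()) if p in tcp_in]
    findings += [f"{p} ({n}) is not open inbound"
                 for p, n in sorted(PANEL_TLS.items()) if p not in tcp_in]
    return findings

if __name__ == "__main__":
    for name, sample in (("csf.conf", CSF_SAMPLE), ("conf.apf", APF_SAMPLE)):
        print(name, *audit(sample), sep="\n  ")
```

On a server, pass the contents of `/etc/apf/conf.apf` or your CSF configuration file to `audit()` instead of the samples, and adjust the two port dictionaries to the services you actually run.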
As we’ve seen in this post, both the CSF and APF firewalls offer a solid solution for iptables rules and server security management. However, we always recommend CSF as the first choice, as it’s updated more often than APF Firewall, and it’s a firewall that was built for the cPanel platform.