cPanel Ports & Firewall Configuration


Today we will show you which ports cPanel uses and how to configure your firewall so that those ports work normally for all your web services.
These system ports are used by many important parts of your web hosting service, such as email, named, MySQL, and HTTP, among others.

In this post you will also learn how to configure your cPanel email ports, as well as the general cPanel ports, on RHEL, CentOS and CloudLinux servers running the CSF and APF firewalls. Let’s start with the fun stuff.

List of cPanel Ports

A cPanel & WHM installation comes with a lot of services installed by default. It’s up to you, your system administrator or your web hosting company to review and uninstall all the software you won’t use, as more active services mean more system resources devoted to those services, and more services that can be exploited through attacks.

Port    Service
20      FTP alternative port
21      FTP port
22      SSH Secure Shell port
25      SMTP
26      SMTP alternative port
37      rdate daemon
43      whois server
53      BIND dns server
80      http server
110     POP3 daemon
113     ident
143     IMAP email port
443     https (http over SSL)
465     SMTP, Secure SSL/TLS port
579     cPHulk security tool
783     SpamAssassin™ daemon
873     rsync daemon
993     IMAP over SSL
995     POP3 over SSL
2077    WebDAV service
2078    WebDAV service over SSL
2079    CalDAV and CardDAV
2080    CalDAV and CardDAV over SSL
2082    cPanel login port
2083    cPanel login over SSL
2086    WHM login
2087    WHM login over SSL
2089    cPanel License Check
2095    Webmail
2096    Webmail over SSL
3306    MySQL

cPanel Ports Firewall Configuration

Please review these steps carefully to avoid locking yourself out of your server. Make sure you whitelist your public IP address before applying the definitive firewall configuration rules. Never close your Linux terminal, and always keep your shell access to the server open while configuring and testing your cPanel ports firewall configuration.

Configuring cPanel Ports on CSF Firewall

ConfigServer has built a great firewall called CSF. It provides a fully customizable shell and WHM firewall interface, which allows you to edit, restart, stop and start your iptables rules easily. But to be honest, it is more than a simple iptables firewall: it’s a full packet inspection firewall, an intrusion detection system, and also a Linux server security application.

Install CSF Firewall

wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf && ./install.cpanel.sh

Go to WHM >> Plugins >> ConfigServer & Firewall

[Screenshot: cPanel ports firewall configuration using the WHM CSF interface]

Very important: in order to test your firewall configuration, you must keep TESTING = "1". This way, if you get blocked from your own server, you can log in again within a few minutes, after the CSF cron job clears the iptables rules.

# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "1"

The port variables are as you see below:

# Allow incoming TCP ports
TCP_IN = "22,25,26,53,80,110,143,443,465,587,993,995,2077,2078"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,26,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"

# Allow incoming UDP ports
UDP_IN = "53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,873,6277"

This is a basic cPanel port firewall configuration. You should explore the CSF documentation to configure your firewall properly, as it involves many more options to secure and harden your server ports as well as incoming and outgoing connections. You can also check out our full CSF Firewall installation guide for cPanel servers.

Configuring cPanel Ports on APF Firewall

APF Firewall is an alternative to CSF Firewall that was around even before CSF; it is a front-end service for the netfilter/iptables firewall. Like CSF, it’s not only a firewall but a server security suite.

Install APF Firewall

wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -xvpzf apf-current.tar.gz
cd apf-*
sh ./install.sh

Now that your APF Firewall is installed, let’s configure it.

nano -w /etc/apf/conf.apf

Search for the ‘DEVEL_MODE’ variable and make sure it’s set to 1 until you are satisfied with your firewall configuration.

# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.
DEVEL_MODE="1"

Now let’s configure the cPanel ports needed in the TCP and UDP variables:

# Configure inbound (ingress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
#

# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="22,25,26,53,80,110,143,443,465,587,993,995,2077,2078"

# Common inbound (ingress) UDP ports
IG_UDP_CPORTS="53"

# Outbound (egress) filtering
EGF="1"

# Common outbound (egress) TCP ports
EG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"

# Common outbound (egress) UDP ports
EG_UDP_CPORTS="20,21,53,113,873,6277"

Once ready, restart APF to apply the changes:

service apf restart

This is just a basic APF firewall configuration. You should read the APF documentation and carefully review and re-configure your iptables firewall to match your own needs.
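A pre-flight check for the CSF and APF port variables above, written as an added example (it is not part of the original post or of CSF/APF): it reads the inbound TCP list from a csf.conf or conf.apf file, reports which of the cPanel, WHM and Webmail login ports from the port list are not allowed, and flags a test mode that is still on. The function names and the sample file contents are assumptions made for the example.

```shell
# Added example (not from the original post): audit a csf.conf or conf.apf file.

# conf_value FILE VAR: print VAR's quoted value; CSF writes 'VAR = "..."',
# APF writes 'VAR="..."'. Commented lines are skipped, the last assignment wins.
conf_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_allowed PORT LIST: succeed if PORT is in the comma-separated LIST.
# Ranges are lo:hi in CSF and lo_hi in APF; both forms are accepted.
port_allowed() {
    _ifs=$IFS; IFS=,
    for _e in $2; do
        IFS=$_ifs
        case $_e in ''|*[!0-9:_]*|[:_]*|*[:_]) continue ;; esac  # skip malformed entries
        _lo=${_e%%[:_]*}; _hi=${_e##*[:_]}      # single port: _lo = _hi = the port
        [ "$1" -ge "$_lo" ] && [ "$1" -le "$_hi" ] && return 0
    done
    IFS=$_ifs
    return 1
}

# missing_ports FILE VAR "p1 p2 ...": print the wanted ports that VAR does not allow.
missing_ports() {
    _list=$(conf_value "$1" "$2"); _out=
    for _p in $3; do
        port_allowed "$_p" "$_list" || _out="$_out $_p"
    done
    echo "${_out# }"
}

# test_mode_on FILE: succeed if CSF TESTING or APF DEVEL_MODE is still "1".
test_mode_on() {
    [ "$(conf_value "$1" TESTING)" = 1 ] || [ "$(conf_value "$1" DEVEL_MODE)" = 1 ]
}

# Constructed sample files: the test-mode flags and inbound TCP list as shown in
# this post; the trailing 2082_2087 range in the APF line is made up for the demo.
SAMPLE=$(mktemp -d)
printf '%s\n' 'TESTING = "1"' \
  'TCP_IN = "22,25,26,53,80,110,143,443,465,587,993,995,2077,2078"' > "$SAMPLE/csf.conf"
printf '%s\n' 'DEVEL_MODE="1"' \
  'IG_TCP_CPORTS="22,25,26,53,80,110,143,443,465,587,993,995,2077,2078,2082_2087"' > "$SAMPLE/conf.apf"

# cPanel, WHM and Webmail login ports taken from the port list in this post.
WANTED="2082 2083 2086 2087 2095 2096"
echo "csf TCP_IN missing:        $(missing_ports "$SAMPLE/csf.conf" TCP_IN "$WANTED")"
echo "apf IG_TCP_CPORTS missing: $(missing_ports "$SAMPLE/conf.apf" IG_TCP_CPORTS "$WANTED")"
if test_mode_on "$SAMPLE/csf.conf"; then echo "csf.conf: TESTING is still 1"; fi
```

Run against the sample, it reports all six login ports as missing from the TCP_IN value shown in this post, so add the panel ports you actually use to the inbound list before turning test mode off.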

Conclusion

As we’ve seen in this post, both CSF and APF offer a solid solution for iptables rules and server security management. However, we always recommend CSF as the first choice, as it’s updated more often than APF and it’s a firewall that was built for the cPanel platform.
