Today we will show you which ports cPanel uses and how to configure your firewall so that those ports work normally for all your web services.
These system ports are used by many important parts of your web hosting services, such as email, named, MySQL and HTTP, among others.
In this post you will also learn how to configure your cPanel email ports, as well as the general cPanel ports, on RHEL, CentOS and CloudLinux servers running the CSF or APF firewall. Let’s start with the fun stuff.
List of cPanel Ports
A cPanel & WHM installation comes with a lot of services installed by default. It’s up to you, your system administrator or your web hosting company to review and uninstall the software you won’t use: more active services mean more system resources dedicated to them, and more services that can be exploited in attacks.
| Port | Service |
|------|---------|
| 20 | FTP alternative port |
| 22 | SSH Secure Shell port |
| 26 | SMTP alternative port |
| 53 | BIND dns server |
| 143 | IMAP email port |
| 443 | https (http over SSL) |
| 465 | SMTP, Secure SSL/TLS port |
| 579 | cPHulk security tool |
| 993 | IMAP over SSL |
| 995 | POP3 over SSL |
| 2078 | WebDAV service over SSL |
| 2079 | CalDAV and CardDAV |
| 2080 | CalDAV and CardDAV over SSL |
| 2082 | cPanel login port |
| 2083 | cPanel login over SSL |
| 2087 | WHM login over SSL |
| 2089 | cPanel License Check |
| 2096 | Webmail over SSL |
cPanel Ports Firewall Configuration
Please review these steps carefully to avoid locking yourself out of your server. Make sure you whitelist the public IP of your internet connection before applying the definitive firewall configuration rules. Never close your Linux terminal, and always keep your shell access to the server open while configuring and testing your cPanel ports firewall configuration.
Configuring cPanel Ports on CSF Firewall
ConfigServer has built a great firewall called CSF. It provides a fully customizable shell and WHM firewall interface, which allows you to edit, restart, stop and start your iptables rules easily. But to be honest, it is more than a simple iptables firewall: it’s a full packet inspection firewall, an intrusion detection system, and also a Linux server security application.
Install CSF Firewall
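```sh
# Download and unpack the CSF tarball
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
# && so the installer only runs if the cd succeeded
cd csf && ./install.cpanel.sh
```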
Move to WHM >> Plugins >> ConfigServer & Firewall
Very important: in order to test your firewall configuration, you must keep TESTING = "1". This way, if you get blocked from your own server, you can log in again within a few minutes, after the CSF cron job clears the iptables rules.
```
# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "1"
```
The port variables are as you see below:
```
# Allow incoming TCP ports
TCP_IN = "22,25,26,53,80,110,143,443,465,587,993,995,2077,2078"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,26,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"

# Allow incoming UDP ports
UDP_IN = "53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,873,6277"
```
This is a basic cPanel port firewall configuration. You should explore the CSF documentation to configure your firewall properly, as it involves many more options to secure and harden your server ports as well as incoming and outgoing connections. You can also check out our full CSF Firewall installation guide for cPanel servers.
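The lockout precautions above (whitelist your own IP, keep TESTING at 1 while testing) can be checked before each restart. This is an added example, not code from ConfigServer or from this post; the function names, the sample contents and the exact-match rule for the allow list are assumptions, while `/etc/csf/csf.conf` and `/etc/csf/csf.allow` are the standard CSF file locations.

```sh
#!/bin/sh
# Added example (not from the CSF project): lockout pre-flight before `csf -r`.
# Constructed samples standing in for /etc/csf/csf.conf and /etc/csf/csf.allow;
# the addresses come from the reserved documentation ranges.
SAMPLE_CONF='# lfd will not start while this is enabled
TESTING = "1"
TCP_IN = "22,25,80,443"'
SAMPLE_ALLOW='# constructed allow list
203.0.113.10 # office uplink
198.51.100.0/24'

# conf_value NAME TEXT: print the value of a NAME = "value" line.
conf_value() (
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
        tail -n 1
)

# is_allowed IP TEXT: succeed when IP is a plain entry in the allow list.
# Exact match only: an address covered solely by a CIDR line is reported as
# missing, which errs on the side of caution.
is_allowed() (
    printf '%s\n' "$2" | sed 's/#.*//' |
        awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }'
)

# preflight IP CONF ALLOW: print one finding per line; fail if any finding.
preflight() (
    rc=0
    if [ -z "$1" ]; then
        echo "no admin IP given"; rc=1
    elif ! is_allowed "$1" "$3"; then
        echo "admin IP $1 is not in csf.allow"; rc=1
    fi
    if [ "$(conf_value TESTING "$2")" != "1" ]; then
        echo "TESTING is not 1: no automatic rule flush"; rc=1
    fi
    exit "$rc"
)

# On a server, from the SSH session you are keeping open:
#   preflight "${SSH_CONNECTION%% *}" "$(cat /etc/csf/csf.conf)" \
#             "$(cat /etc/csf/csf.allow)" && csf -r
if preflight 203.0.113.10 "$SAMPLE_CONF" "$SAMPLE_ALLOW"; then
    echo "pre-flight passed for 203.0.113.10"
fi
```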
Configuring cPanel Ports on APF Firewall
APF Firewall is an alternative to CSF Firewall. It has been around since before CSF, and it’s a front end for the netfilter/iptables firewall. Like CSF, it’s not only a firewall but a server security suite.
Install APF Firewall
```sh
wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -xvpzf apf-current.tar.gz
cd apf-*
sh ./install.sh
```
Now that your APF Firewall is installed, let’s configure it.
```sh
nano -w /etc/apf/conf.apf
```
Search for the ‘DEVEL_MODE’ variable and make sure it’s set to 1 until you are satisfied with your firewall configuration.
```
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.
DEVEL_MODE="1"
```
Now let’s configure the cPanel ports needed in the TCP and UDP variables:
```
# Configure inbound (ingress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
#
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="22,25,26,53,80,110,143,443,465,587,993,995,2077,2078"

# Common inbound (ingress) UDP ports
IG_UDP_CPORTS="53"

# Outbound (egress) filtering
EGF="1"

# Common outbound (egress) TCP ports
EG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"

# Common outbound (egress) UDP ports
EG_UDP_CPORTS="20,21,53,113,873,6277"
```
Once ready, restart APF to apply the changes:
```sh
service apf restart
```
This is just a basic APF firewall configuration. You should read the APF documentation and carefully review and re-configure your iptables firewall to match your own needs.
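The inbound TCP lists in both the CSF and the APF sections stop at 2078, so with those lines exactly as printed, the cPanel (2083), WHM (2087) and webmail (2096) SSL ports from the table at the top of this post are not allowed in. The script below is an added example, not part of CSF, APF or the original post, that reports such gaps before you restart either firewall; the function names and the `REQUIRED` list are assumptions to adapt to the services you expose.

```sh
#!/bin/sh
# Added example: compare an inbound port list with the ports you must reach.
# Constructed samples: the inbound TCP lines exactly as printed on this page.
SAMPLE_CSF='TCP_IN = "22,25,26,53,80,110,143,443,465,587,993,995,2077,2078"'
SAMPLE_APF='IG_TCP_CPORTS="22,25,26,53,80,110,143,443,465,587,993,995,2077,2078"'

# Assumption: SSH plus the SSL login ports from the table on this page.
# Edit this to the services you actually expose.
REQUIRED="22 2083 2087 2096"

# port_list NAME TEXT: print the comma-separated value of a NAME = "..." line.
port_list() (
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
        tail -n 1 | tr -d '[:space:]'
)

# allows PORT LIST: succeed when PORT is listed, either on its own or inside
# a range written lo:hi (CSF) or lo_hi (APF).
allows() (
    IFS=','
    for item in $2; do
        case $item in
            *[:_]*)
                lo=${item%%[:_]*}; hi=${item##*[:_]}
                [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] && exit 0 ;;
            *)
                [ "$item" = "$1" ] && exit 0 ;;
        esac
    done
    exit 1
)

# missing_ports NAME TEXT: print the REQUIRED ports that NAME does not allow.
missing_ports() (
    list=$(port_list "$1" "$2")
    out=
    for p in $REQUIRED; do
        allows "$p" "$list" || out="$out $p"
    done
    printf '%s\n' "${out# }"
)

# On a server: missing_ports TCP_IN "$(cat /etc/csf/csf.conf)"
#              missing_ports IG_TCP_CPORTS "$(cat /etc/apf/conf.apf)"
echo "CSF TCP_IN lacks: $(missing_ports TCP_IN "$SAMPLE_CSF")"
echo "APF IG_TCP_CPORTS lacks: $(missing_ports IG_TCP_CPORTS "$SAMPLE_APF")"
```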
As we’ve seen in this post, both CSF and APF offer a solid solution for iptables rules and server security management. However, we always recommend CSF as the first choice, as it’s updated more often than APF Firewall and it was built for the cPanel platform.