Valid for versions 94 through the latest version
Version:
84
86
90
92
94
Overview
cPanel & WHM installs and manages many different services on your system, most of which require an external connection in order to function properly. Because of this, your firewall must allow cPanel & WHM to open the ports on which these services run.
This document lists the ports that cPanel & WHM uses, and which services use each of these ports, to allow you to better configure your firewall.
- We strongly recommend that you only open ports for services that you use.
- When you work with firewall rules, always make certain to include a way to log back in to your server, and always maintain console access to your server.
Ports
We strongly recommend that you use the SSL version of each service whenever possible:
- The use of non-SSL services can allow attackers to intercept sensitive information, such as login credentials.
- Always ensure that valid SSL certificates exist for your services in WHM’s Manage Service SSL Certificates interface (WHM >> Home >> Service Configuration >> Manage Service SSL Certificates).
For more information on how to access cPanel & WHM services, read our How to Access cPanel & WHM Services documentation.
cPanel & WHM uses the following ports:
Port | Service | TCP | UDP | Inbound | Outbound | Localhost | Notes |
---|---|---|---|---|---|---|---|
1 |
CPAN | The Show Available Modules setting in cPanel’s Perl Modules interface (cPanel >> Home >> Software >> Perl Modules) uses this port to improve the speed in which it appears. | |||||
20 |
FTP | Instead of FTP, we recommend that you use the more-secure SFTP via SSH. | |||||
21 |
FTP | ||||||
22 |
SSH | You must open this port before you use WHM’s Transfer Tool interface (WHM >> Home >> Transfers >> Transfer Tool) when:
|
|||||
25 |
SMTP | ||||||
26 |
SMTP | cPanel & WHM only uses this port if you specify it in WHM’s Service Manager interface (WHM >> Home >> Service Configuration >> Service Manager). | |||||
37 |
rdate |
||||||
43 |
whois |
||||||
53 |
DNS | cPanel & WHM uses this port for the following functions:
|
|||||
80 |
httpd |
This port serves the HTTP needs of services on the server.
Important:
|
|||||
110 |
POP3 | ||||||
113 |
ident |
||||||
143 |
IMAP | ||||||
443 |
httpd |
This port serves the HTTPS needs of services on the server.
Note:
|
|||||
465 |
SMTP, SSL/TLS |
Important:
cPanel & WHM strongly recommends that you enable Transport Layer Security (TLS) protocol version 1.2 on your server.
|
|||||
579 |
cPHulk | This port should only accept connections on the 127.0.0.x IPv4 address. Your system does not require that this port accept external traffic. |
|||||
587 |
Exim | ||||||
783 |
Apache SpamAssassin |
||||||
873 |
rsync | ||||||
953 |
PowerDNS | This port should only accept connections on the 127.0.0.1 IPv4 address. Your system does not require that this port accept external traffic.
Note:
You must use this port when you run PowerDNS nameservers.
|
|||||
993 |
IMAP SSL | ||||||
995 |
POP3 SSL | ||||||
2077 |
WebDAV | cPanel’s Web Disk interface (cPanel >> Home >> Files >> Web Disk) uses these ports. | |||||
2078 |
WebDAV SSL | ||||||
2079 |
CalDAV and CardDAV | ||||||
2080 |
CalDAV and CardDAV (SSL) | ||||||
2082 |
cPanel and cPanel Licensing |
Note:
To disable logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” setting to On in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the
/cpanel , /whm , and /webmail aliases.
|
|||||
2083 |
cPanel SSL and cPanel Licensing | ||||||
2086 |
WHM and cPanel Licensing |
Note:
To disable logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” setting to On in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the
/cpanel , /whm , and /webmail aliases.
|
|||||
2087 |
WHM SSL and cPanel Licensing | ||||||
2089 |
cPanel Licensing |
Important:
You must configure your system to permit outbound tcp connections from source ports
4 and 1020 to destination port 2089 . This will allow the server to contact the cPanel, L.L.C. license servers.
|
|||||
2095 |
Webmail |
Note:
To disable logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” setting to On in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the
/cpanel , /whm , and /webmail aliases.
|
|||||
2096 |
Webmail SSL and cPanel Licensing | ||||||
2195 |
Apple Push Notification service (APNs) | cPanel & WHM only uses this port for the Apple® Push Notification Service (APNs). For more information, read our How to Set Up iOS Push Notifications documentation. | |||||
2703 |
Razor | Razor is a collaborative spam-tracking database. | |||||
3306 |
MySQL® | MySQL uses this port for remote database connections. | |||||
6277 |
DCC | For more information, read the Apache® DCC and NetTestFirewallIssues documentation. | |||||
24441 |
Pyzor | For more information, read Apache’s Pyzor and NetTestFirewallIssues documentation. |
The License Callback Mechanism
The License Callback Mechanism immediately updates a server after the license changes in either Manage2 or the cPanel Store. It cannot make any changes to the server. It only alerts the server that a change as been made to the license. The license callback mechanism tries the following ports until one succeeds:
Service | Port | Inbound | Outbound |
---|---|---|---|
cPanel | 2082 |
||
cPanel SSL | 2083 |
||
WHM | 2086 |
||
WHM SSL | 2087 |
||
Webmail SSL | 2096 |
At least one port in the above table must be open for the license callback mechanism to work. The server only accepts requests to this API from cPanel & WHM. The license system does not send any other information to the customer’s server.
Example configurations
- We do not recommend that you use these examples for your personal configurations. Instead, make certain that your firewall rules match the way in which you use cPanel & WHM’s services.
- CentOS 8, AlmaLinux 8, and CloudLinux
8 servers have additional requirements. For more information, read the CentOS 8, AlmaLinux 8, and CloudLinux 8 firewall management section below. - CentOS 7, CloudLinux
7, and Red Hat® Enterprise Linux® (RHEL) 7 servers have additional requirements. For more information, read the CentOS 7, CloudLinux 7, and RHEL 7 firewall management section below. - Red Hat Enterprise Linux 8 deprecated the
iptables
utility. While cPanel, L.L.C. does not support this version of RHEL, this change affects all cPanel-supported operating systems. We recommend thenftables
utility for servers that run CentOS 8, AlmaLinux 8, or CloudLinux 8. For servers that run CentOS 7, CloudLinux 7, or RHEL 7, we recommend that you use thefirewalld
utility. For more information, read Red Hat’s When to use firewalld, nftables, or iptables documentation.
CentOS 8, AlmaLinux 8, and CloudLinux 8 firewall management
We strongly recommend that you use the nftables
framework for your CentOS 8, AlmaLinux 8, or CloudLinux 8 firewall.
Use the nftables
framework instead of iptables
programs or legacy services in those operating systems. You can configure nftables
with the nft
command line tool. You will find the nftables
ruleset for your server in the /etc/sysconfig/nftables.conf
file.
For example, to block traffic for a single IPv4 address, run the following command, where 192.168.0.0
is the IPv4 address that you wish to block:
nft add rule filter INPUT ip saddr 192.168.0.0 drop
To block traffic for a single IPv6 address, run the following command, where 2001:0db8:0:0:1:0:0:1
is the IPv6 address that you wish to block:
nft add rule ip6 filter INPUT ip6 saddr [2001:0db8:0:0:1:0:0:1] drop
For more information about the nftables
framework and the nft
tool, read Red Hat’s Getting Started with nftables documentation.
CentOS 7, CloudLinux 7, and RHEL 7 firewall management
We strongly recommend that servers which run the CentOS 7, CloudLinux 7, and RHEL 7 operating systems use the firewalld
daemon instead of iptables
programs or legacy services in those operating systems.
For example, to block traffic for a single IPv4 address, run the following command, where 192.168.0.0
is the IPv4 address that you wish to block:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0" drop' --permanent
To block traffic for a single IPv6 address, run the following command, where 2001:0db8:0:0:1:0:0:1
is the IPv6 address that you wish to block:
firewall-cmd --add-rich-rule='rule family="ipv6" source address="[2001:0db8:0:0:1:0:0:1]" drop' --permanent
We recommend that you only use the firewall utilities on CentOS 7, CloudLinux 7, and RHEL 7 servers.
- If you use
firewalld
, you must enable the daemon before you change the firewall settings. To do this, run thesystemctl enable firewalld
command. If you do not enable the daemon, the system will erase any firewall changes when you reboot the server. - If you use
firewalld
, the system will remove theipables-services
package through the yum package manager with the following command:yum remove iptables-service
- If you use the the legacy
iptables
service, remove thefirewalld
package through the yum package manager with the following command:yum remove firewalld
- If you use a third-party firewall management service, we recommend that you check the firewall’s documentation before you remove the unused
firewalld
oriptables
services.
For more information about the firewall utilities and the firewalld
daemon, read Red Hat’s Using Firewalls documentation.
The cpanel service
The /usr/local/cpanel/scripts/configure_firewall_for_cpanel
script clears all existing entries from the iptables
application. If you use custom rules for your firewall, export those rules before you run the script and then re-add them afterward.
cPanel & WHM also includes the cpanel
service, which manages all of the rules in the /etc/firewalld/services/cpanel.xml
file. This allows TCP access for the server’s ports.
To replace your existing iptables
rules with the rules in the /etc/firewalld/services/cpanel.xml
file, perform the following steps:
- Run the
yum install firewalld
command to ensure that you have installed thefirewalld
service daemon on your system. - Run the
systemctl start firewalld.service
command to start thefirewalld
service. - Run the
systemctl enable firewalld
command to start thefirewalld
service when the server starts. - Run the
iptables-save > backupfile
command to save your existing firewall rules. - Run the
/usr/local/cpanel/scripts/configure_firewall_for_cpanel
script. - Run the
iptables-restore < backupfile
command to incorporate your old firewall rules into the new firewall rules file.
Adding rules with the iptables utility
The following examples explain how to add rules with ConfigServer Security & Firewall (CSF), Advanced Policy Firewall (APF), and the iptables
utility.
Red Hat Enterprise Linux 8 deprecated the iptables
utility. While cPanel, L.L.C. does not support this version of RHEL, this change affects all cPanel-supported operating systems. We recommend the nftables
utility for servers that run CentOS 8, AlmaLinux 8, or CloudLinux 8. For servers that run CentOS 7, CloudLinux 7, or RHEL 7, we recommend that you use the firewalld
utility.
For more information, read Red Hat’s When to use firewalld, nftables, or iptables documentation.
ConfigServer Security & Firewall
ConfigServer provides the free WHM plugin ConfigServer Security & Firewall, which allows you to modify your iptables
rules within WHM. For information about how to install and configure CSF, read our Additional Security Software documentation.
Advanced Policy Firewall
Advanced Policy Firewall (APF) acts as a front-end interface for the iptables
application, and allows you to open or close ports without the use of the iptables
syntax.
The following example includes two rules that you can add to the /etc/apf/conf.apf
file in order to allow HTTP and HTTPS access to your system:
|
|
iptables
The iptables
application offers more customization settings for your packet filtering rules. This application requires that you understand the TCP/IP stack. For more information about the use of iptables
, visit the iptables site, or run the man iptables
command from the command line.
The following example includes iptables
rules for HTTP traffic on port 80
:
|
|
This example assumes that a DMZ exists on eth0
for the 192.168.1.1
port, and the 66.66.66.66
broadcast IP address.