How to Configure Your Firewall for cPanel Services

Overview

cPanel & WHM installs and manages many different services on your system, most of which require an external connection in order to function properly. Because of this, your firewall must allow cPanel & WHM to open the ports on which these services run.

This document lists the ports that cPanel & WHM uses, and which services use each of these ports, to allow you to better configure your firewall.

Ports

Port	Service	TCP	UDP	Inbound	Outbound	Localhost	Notes
1	CPAN						The Show Available Modules option in cPanel's Perl Modules interface (cPanel >> Home >> Software >> Perl Modules) uses this port to improve the speed in which it appears.
20	FTP						Instead of FTP, we recommend that you use the more-secure SFTP via SSH.
21	FTP
22	SSH						Important: You must open this port before you use WHM's Transfer Tool interface (WHM >> Home >> Transfers >> Transfer Tool).
25	SMTP
26	SMTP						cPanel & WHM only uses this port if you specify it in WHM's Service Manager interface (WHM >> Home >> Service Configuration >> Service Manager).
37	rdate
43	whois
53	DNS						cPanel & WHM uses this port for the following functions: Public DNS services. Communication with root nameservers for AutoSSL. Other functions that require name resolution.
80	httpd						This port serves the HTTP needs of services on the server. Note: In cPanel & WHM version 76 and later, the cPanel Server Daemon (cpsrvd) listens on this port when you disable the Web Server role. This daemon monitors cPanel & WHM services. Important: We strongly recommend that you encourage your users to use port 443, which uses the more secure SSL/TLS security protocol. For more information, read our More about TLS and SSL documentation.
110	POP3
113	ident
143	IMAP
443	httpd						This port serves the HTTPS needs of services on the server. Note: This port can allow users to access cPanel or WHM via certain subdomains. For more information, read our Service and Proxy Subdomains documentation. In cPanel & WHM version 76 and later, the cPanel Server Daemon (cpsrvd) listens on this port when you disable the Web Server role. WHM's Manage AutoSSL interface (WHM >> Home >> SSL/TLS >> Manage AutoSSL) requires outbound access to the store.cpanel.net server.
465	SMTP, SSL/TLS						Warning: As of cPanel & WHM version 68, we only support Transport Layer Security (TLS) protocol version 1.2.  We will only support applications that use TLSv1.2. We strongly recommend that you enable TLSv1.2 on your server.
579	cPHulk						This port should only accept connections on the 127.0.0.x IPv4 address. Your system does not require that this port accept external traffic.
587	Exim
783	Apache SpamAssassin™
873	rsync
993	IMAP SSL
995	POP3 SSL
2703	Razor						Razor is a collaborative spam-tracking database. For more information, visit the Razor website.
2077	WebDAV						cPanel's Web Disk interface (cPanel >> Home >> Files >> Web Disk) uses these ports.
2078	WebDAV SSL
2079	CalDAV and CardDAV						cPanel's Calendars and Contacts interface (cPanel >> Home >> Email >> Calendars and Contacts) uses these ports.
2080	CalDAV and CardDAV (SSL)
2082	cPanel						Note: To disable logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” option to On in WHM's Tweak Settings interface (WHM >> Home  >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the /cpanel, /whm, and /webmail aliases.
2083	cPanel SSL
2086	WHM						Note: To disable logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” option to On in WHM's Tweak Settings interface (WHM >> Home  >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the /cpanel, /whm, and /webmail aliases.
2087	WHM SSL
2089	cPanel Licensing						Warning: You must open this port in order to contact the cPanel license servers.
2095	Webmail						Note: To disable logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” option to On in WHM's Tweak Settings interface (WHM >> Home  >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the /cpanel, /whm, and /webmail aliases.
2096	Webmail SSL
2195	APNs						cPanel & WHM only uses this port for the Apple® Push Notification Service (APNs). For more information, read our How to Set Up iOS Push Notifications documentation.
3306	MySQL®						MySQL uses this port for remote database connections.
6277	DCC						For more information, read Apache's DCC and NetTestFirewallIssues documentation.
8063	PowerDNS						This port should only accept connections on the 127.0.0.1 IPv4 address. Your system does not require that this port accept external traffic. Note: This port is the default but you can change it. This port is required when you run PowerDNS nameservers. Only the root and named users require access to this port. For more information, read our How to Use cPanel's PowerDNS documentation.
24441	Pyzor						For more information, read Apache's Pyzor and NetTestFirewallIssues documentation.

Example configurations

The following examples explain how to add rules with CSF, APF, and the iptables application.

CSF

ConfigServer provides the free WHM plugin CSF, which allows you to modify your iptables rules within WHM.

To install CSF, run the following commands as the root user:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf && ./install.sh

To configure CSF, use WHM's ConfigServer & Firewall interface (Home >> Plugins >> ConfigServer & Firewall).

APF

APF acts as a front-end interface for the iptables application, and allows you to open or close ports without the use of the iptables syntax.

The following example includes two rules that you can add to the /etc/apf/conf.apf file in order to allow HTTP and HTTPS access to your system:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="80,443″# Common egress (outbound) TCP ports
EG_TCP_CPORTS="80″

iptables

The iptables application offers more customization options for your packet filtering rules. This application requires that you understand the TCP/IP stack.

The following example includes iptables rules for HTTP traffic on port 80:

$IPTABLES -A FORWARD -p TCP -i 66.66.66.66 -o eth0 -d 192.168.1.1 -dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i 66.66.66.66 -o eth0 -d 192.168.1.1 -j icmp_packets

CentOS 7, CloudLinux 7, and RHEL 7 firewall management

Servers that run the CentOS 7, CloudLinux 7, and RHEL 7 operating systems require that you use the firewalld daemon. 

The cpanel service

cPanel & WHM version 11.50 and later also includes the cpanel service, which manages all of the rules in the /etc/firewalld/services/cpanel.xml file. This allows TCP access for the server's ports.

To replace your existing iptables rules with the rules in the /etc/firewalld/services/cpanel.xml file, perform the following steps:

1. Run the yum install firewalld command to ensure that your system has firewalld installed.
2. Run the systemctl start firewalld.service command to start the firewalld service.
3. Run the systemctl enable firewalld command to start the firewalld service when the server starts.
4. Run the iptables-save > backupfile command to save your existing firewall rules.
5. Run the /usr/local/cpanel/scripts/configure_firewall_for_cpanel script.
6. Run the iptables-restore < backupfile command to incorporate your old firewall rules into the new firewall rules file.

Additional documentation