How to Configure Your Firewall for cPanel & WHM Services
This element (ia-generated) isn't supported, or may require an update to be displayed. You can try to refresh the app.
Overview
cPanel & WHM installs and manages many different services on your system, most of which require an external connection in order to function properly. Because of this, your firewall must allow cPanel & WHM to open the ports on which these services run.
This document lists the ports that cPanel & WHM uses, and which services use each of these ports, to allow you to better configure your firewall.
Warning:
We strongly recommend that you only open ports for services that you use.
When you work with firewall rules, always make certain to include a way to log back in to your server, and always maintain console access to your server.
When you install a new third-party firewall on a system using
nftables , the system will ignore rules you add with the Host Access Control interface (WHM » Home » Security Center » Host Access Control).Ports
Warning:
We strongly recommend that you use the SSL version of each service whenever possible:
The use of non-SSL services can allow attackers to intercept sensitive information, such as login credentials.
Always ensure that valid SSL certificates exist for your services in WHM’s Manage Service SSL Certificates interface (WHM » Home » Service Configuration » Manage Service SSL Certificates).
Note:
For more information on how to access cPanel & WHM services, read our How to Log in to Your Server or Account documentation.
cPanel & WHM uses the following ports:
1CPAN
The Show Available Modules setting in cPanel’s Perl Modules interface (cPanel » Home » Software » Perl Modules) uses this port to improve the speed with which it appears.
22SSH
You must open this port before you use WHM’s Transfer Tool interface (WHM » Home » Transfers » Transfer Tool) when you authenticate
root users with SSH keys.25SMTP
26SMTP
cPanel & WHM only uses this port if you specify it in WHM’s Service Manager interface (WHM » Home » Service Configuration » Service Manager).
37rdate
43whois
53DNS
cPanel & WHM uses this port for the following functions:
- Public DNS services.
- Communication with
rootnameservers for AutoSSL. - Other functions that require name resolution.
80httpd
This port serves the HTTP needs of services on the server.
Important:
We strongly recommend that your users configure their websites on port
443, which uses the more secure SSL/TLS security protocol. For more information, read our More about TLS and SSL documentation.The cPanel Server Daemon (
cpsrvd) listens on this port when you disable the Web Server role. This daemon monitors cPanel & WHM services.110POP3
113ident
143IMAP
443httpd
This port serves the HTTPS needs of services on the server.
Note:
This port can allow users to access cPanel or WHM via certain subdomains. For more information, read our Service and Proxy Subdomains documentation.
The cPanel Server Daemon (
cpsrvd) listens on this port when you disable the Web Server role.WHM’s Manage AutoSSL interface (WHM » Home » SSL/TLS » Manage AutoSSL) requires outbound access to the
store.cpanel.net server on this port.465SMTP, SSL/TLS
Important:
cPanel & WHM strongly recommends that you enable Transport Layer Security (TLS) protocol version 1.2 on your server.
579cPHulk
This port should only accept connections on the
127.0.0.x IPv4 address. Your system does not require that this port accept external traffic.587Exim
783Apache SpamAssassin™
873rsync
953PowerDNS
This port should only accept connections on the
127.0.0.1 IPv4 address. Your system does not require that this port accept external traffic.Note:
You must use this port when you run PowerDNS nameservers.
993IMAP SSL
995POP3 SSL
2078WebDAV SSL
2079CalDAV and CardDAV
Important:
This port is insecure and could expose your server to security risks. We strongly recommend that you use port
2080 instead.2080CalDAV and CardDAV (SSL)
2082cPanel and cPanel Licensing
Note:
To disable insecure logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” setting to On in WHM’s Tweak Settings interface (WHM » Home » Server Configuration » Tweak Settings). This will redirect users to secure ports with the
/cpanel, /whm, and /webmail aliases.2083cPanel SSL and cPanel Licensing
2086WHM and cPanel Licensing
Note:
To disable insecure logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” setting to On in WHM’s Tweak Settings interface (WHM » Home » Server Configuration » Tweak Settings). This will redirect users to secure ports with the
/cpanel, /whm, and /webmail aliases.2087WHM SSL and cPanel Licensing
2089cPanel Licensing
Important:
You must configure your system to permit outbound TCP connections from source ports
4 and 1020 to destination port 2089. This will allow the server to contact the WebPros International, LLC license servers.2095Webmail
Note:
To disable insecure logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” setting to On in WHM’s Tweak Settings interface (WHM » Home » Server Configuration » Tweak Settings). This will redirect users to secure ports with the
/cpanel, /whm, and /webmail aliases.2096Webmail SSL and cPanel Licensing
2195Apple Push Notification service (APNs)
cPanel & WHM only uses this port for the Apple® Push Notification Service (APNs). For more information, read our How to Set Up iOS Push Notifications documentation.
3306MySQL®
MySQL uses this port for remote database connections.
11371apt
Servers running the Ubuntu® operating system use this port to download
apt repository GPG keys.
The License Callback Mechanism
The License Callback Mechanism immediately updates a server after the license changes in either Manage2 or the cPanel Store. It cannot make any changes to the server. It only alerts the server that a change as been made to the license. The license callback mechanism tries the following ports until one succeeds:
cPanel
2082
cPanel SSL
2083
WHM
2086
WHM SSL
2087
Webmail SSL
2096
Note:
At least one port in the above table must be open for the license callback mechanism to work. The server only accepts requests to this API from cPanel & WHM. The license system does not send any other information to the customer’s server.
Example configurations
Important:
We do not recommend that you use these examples for your personal configurations. Instead, make certain that your firewall rules match the way in which you use cPanel & WHM’s services.
AlmaLinux OS , CloudLinux™ , and Rocky Linux™ servers have additional requirements. For more information, read the AlmaLinux, Rocky Linux, and CloudLinux firewall management section below.
We recommend the
nftables utility for servers that run the AlmaLinux, Rocky Linux, or CloudLinux operating systems . We recommend the iptables utility on servers that run the Ubuntu operating system .AlmaLinux, Rocky Linux, and CloudLinux firewall management
Important:
We strongly recommend that you use the
nftables framework for the firewall of servers that run the Rocky Linux, CloudLinux, or AlmaLinux operating systems.Use the
nftables framework instead of the iptables utility or legacy services in those operating systems. You can configure nftables with the nft command line tool. You will find the nftables ruleset for your server in the /etc/sysconfig/nftables.conf file.For example, to block traffic for a single IPv4 address, run the following command, where
198.51.100.1 is the IPv4 address that you wish to block:nft add rule filter INPUT ip saddr 198.51.100.1 drop
To block traffic for a single IPv6 address, run the following command, where
2001:0db8:0:0:1:0:0:1 is the IPv6 address that you wish to block:nft add rule ip6 filter INPUT ip6 saddr [2001:0db8:0:0:1:0:0:1] drop
For more information about the
nftables framework and the nft tool, read Red Hat’s Getting Started with nftables documentation.The cpanel service
Important:
The
/usr/local/cpanel/scripts/configure_firewall_for_cpanel script clears all existing rule entries from your server’s iptables utility. If you use custom rules for your firewall, export those rules before you run the script and then re-add them afterward.cPanel & WHM also includes the
cpanel service, which manages all of the rules in the /etc/firewalld/services/cpanel.xml file. This allows TCP access for the server’s ports.To replace your server’s existing
iptables rules with the rules in the /etc/firewalld/services/cpanel.xml file, perform the following steps:Run the
yum install firewalld command to ensure that you have installed the firewalld service daemon on your system.Run the
systemctl start firewalld.service command to start the firewalld service.Run the
systemctl enable firewalld command to start the firewalld service when the server starts.Run the
iptables-save > backupfile command to save your existing firewall rules.Run the
/usr/local/cpanel/scripts/configure_firewall_for_cpanel script.Run the
iptables-restore < backupfile command to incorporate your old firewall rules into the new firewall rules file.Ubuntu firewall management
We recommend that servers that run the Ubuntu operating systems use the
iptables utility instead of the ufw utility that Ubuntu installs by default. The iptables utility offers more customization settings for your packet-filtering rules.Note:
This utility requires that you understand the TCP/IP stack. For more information about the use of
iptables, visit the iptables site , or run the man iptables command from the command line.For example, to block traffic for a single IPv4 address, run the following command, where
198.51.100.1 is the IPv4 address that you wish to block:iptables -I INPUT -s 198.51.100.1 -j DROP
To block traffic for a single IPv6 address, run the following command, where
2001:0db8:0:0:1:0:0:1 is the IPv6 address that you wish to block:ip6tables -I INPUT -s 2001:0db8:0:0:1:0:0:1 -j DROP
Adding rules with the CSF and APF utilities
The following examples explain how to add rules with ConfigServer Security & Firewall (CSF) and Advanced Policy Firewall (APF).
Warning:
CSF and APF do not function with the
firewalld utility. If you install CSF or APF, you must remove the firewalld utility. To do this, run the yum remove firewalld command.Remember:
We recommend the
nftables utility for servers that run the AlmaLinux, Rocky Linux, or CloudLinux operating systems . We recommend the iptables utility on servers that run the Ubuntu operating system .ConfigServer Security & Firewall
ConfigServer provides the free WHM plugin CSF, which allows you to modify your server’s
iptables rules in WHM. For information about how to install and configure CSF, read our Additional Security Software documentation.Advanced Policy Firewall
APF acts as a front-end interface for the
iptables utility, and allows you to open or close ports without the use of the iptables syntax.The following example provides two rules that you can add to the
/etc/apf/conf.apf file to allow HTTP and HTTPS access to your system:# Common ingress (inbound) TCP portsIG_TCP_CPORTS="80,443"EG_TCP_CPORTS="80"