How to Configure Your Firewall for cPanel & WHM Services
Valid for versions 102 through 110
Last modified: April 6, 2023
Overview
cPanel & WHM installs and manages many different services on your system, most of which require an external connection in order to function properly. Because of this, your firewall must allow cPanel & WHM to open the ports on which these services run.
This document lists the ports that cPanel & WHM uses, and which services use each of these ports, to allow you to better configure your firewall.
Warning:
- We strongly recommend that you only open ports for services that you use.
- When you work with firewall rules, always make certain to include a way to log back in to your server, and always maintain console access to your server.
Ports
Warning:
We strongly recommend that you use the SSL version of each service whenever possible:
- The use of non-SSL services can allow attackers to intercept sensitive information, such as login credentials.
- Always ensure that valid SSL certificates exist for your services in WHM’s Manage Service SSL Certificates interface (WHM » Home » Service Configuration » Manage Service SSL Certificates).
Note:
For more information on how to access cPanel & WHM services, read our How to Log in to Your Server or Account documentation.
cPanel & WHM uses the following ports:
Port | Service | TCP | UDP | Inbound | Outbound | Localhost | Notes |
---|---|---|---|---|---|---|---|
1 | CPAN | ![]() | ![]() | The Show Available Modules setting in cPanel’s Perl Modules interface (cPanel » Home » Software » Perl Modules) uses this port to improve the speed with which it appears. | |||
7 | Razor | ![]() | ![]() | SpamAssassin uses the collaborative Razor spam-tracking database. | |||
20 | FTP | ![]() | ![]() | ![]() | Instead of FTP, we recommend that you use the more-secure SFTP service via SSH. | ||
21 | FTP | ![]() | ![]() | ![]() | Instead of FTP, we recommend that you use the more-secure SFTP service via SSH. | ||
22 | SSH | ![]() | ![]() | You must open this port before you use WHM’s Transfer Tool interface (WHM » Home » Transfers » Transfer Tool) when:
| |||
25 | SMTP | ![]() | ![]() | ![]() | |||
26 | SMTP | ![]() | ![]() | ![]() | cPanel & WHM only uses this port if you specify it in WHM’s Service Manager interface (WHM » Home » Service Configuration » Service Manager). | ||
37 | rdate | ![]() | ![]() | ||||
43 | whois | ![]() | ![]() | ||||
53 | DNS | ![]() | ![]() | ![]() | ![]() | cPanel & WHM uses this port for the following functions:
| |
80 | httpd | ![]() | ![]() | ![]() | This port serves the HTTP needs of services on the server. Important:
| ||
110 | POP3 | ![]() | ![]() | ||||
113 | ident | ![]() | ![]() | ||||
143 | IMAP | ![]() | ![]() | ||||
443 | httpd | ![]() | ![]() | ![]() | ![]() | This port serves the HTTPS needs of services on the server. Note:
| |
465 | SMTP, SSL/TLS | ![]() | ![]() | ![]() | Important: cPanel & WHM strongly recommends that you enable Transport Layer Security (TLS) protocol version 1.2 on your server. | ||
579 | cPHulk | ![]() | This port should only accept connections on the 127.0.0.x IPv4 address. Your system does not require that this port accept external traffic. | ||||
587 | Exim | ![]() | ![]() | ![]() | |||
783 | Apache SpamAssassin™ | ![]() | ![]() | ![]() | |||
873 | rsync | ![]() | ![]() | ![]() | |||
953 | PowerDNS | ![]() | This port should only accept connections on the 127.0.0.1 IPv4 address. Your system does not require that this port accept external traffic. Note: You must use this port when you run PowerDNS nameservers. | ||||
993 | IMAP SSL | ![]() | ![]() | ||||
995 | POP3 SSL | ![]() | ![]() | ||||
2077 | WebDAV | ![]() | ![]() | ![]() | cPanel’s Web Disk interface (cPanel » Home » Files » Web Disk) uses these ports. | ||
2078 | WebDAV SSL | ![]() | ![]() | ![]() | |||
2079 | CalDAV and CardDAV | ![]() | ![]() | ![]() | |||
2080 | CalDAV and CardDAV (SSL) | ![]() | ![]() | ![]() | |||
2082 | cPanel and cPanel Licensing | ![]() | ![]() | Note: To disable insecure logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” setting to On in WHM’s Tweak Settings interface (WHM » Home » Server Configuration » Tweak Settings). This will redirect users to secure ports with the | |||
2083 | cPanel SSL and cPanel Licensing | ![]() | ![]() | ||||
2086 | WHM and cPanel Licensing | ![]() | ![]() | Note: To disable insecure logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” setting to On in WHM’s Tweak Settings interface (WHM » Home » Server Configuration » Tweak Settings). This will redirect users to secure ports with the | |||
2087 | WHM SSL and cPanel Licensing | ![]() | ![]() | ||||
2089 | cPanel Licensing | ![]() | ![]() | Important: You must configure your system to permit outbound TCP connections from source ports | |||
2091 | Exchange ActiveSync (EAS) SSL/TLS | ![]() | ![]() | This port allows users of Android™ devices to synchronize their calendars, contacts, and email via the EAS protocol. Note: This functionality is only available if you install both the Calendars and Contacts Server and Z-Push - ActiveSync Support plugins. | |||
2095 | Webmail | ![]() | ![]() | Note: To disable insecure logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” setting to On in WHM’s Tweak Settings interface (WHM » Home » Server Configuration » Tweak Settings). This will redirect users to secure ports with the | |||
2096 | Webmail SSL and cPanel Licensing | ![]() | ![]() | ||||
2195 | Apple Push Notification service (APNs) | ![]() | ![]() | cPanel & WHM only uses this port for the Apple® Push Notification Service (APNs). For more information, read our How to Set Up iOS Push Notifications documentation. | |||
2703 | Razor | ![]() | ![]() | SpamAssassin uses the collaborative Razor spam-tracking database. | |||
3306 | MySQL® | ![]() | ![]() | MySQL uses this port for remote database connections. | |||
6277 | DCC | ![]() | ![]() | ![]() | For more information, read the Apache® DCC and NetTestFirewallIssues documentation. | ||
11371 | apt | ![]() | ![]() | Servers running the Ubuntu® operating system use this port to download apt repository GPG keys. | |||
24441 | Pyzor | ![]() | ![]() | ![]() | For more information, read Apache’s Pyzor and NetTestFirewallIssues documentation. |
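The following check is an added example, not part of cPanel's documentation. It reads `ss -Htln` output and reports listeners that conflict with the table's notes: ports 579 and 953 bound to a non-loopback address, and non-SSL ports whose SSL counterpart appears in the table. The function names and the sample listener lines are constructed for illustration, and treating `::1` as loopback is an assumption.

```shell
#!/bin/sh
# Added example. Reads `ss -Htln` style lines on stdin and reports listeners
# that conflict with the notes in the port table above.

audit_listeners() {
  awk '
    BEGIN {
      # Ports the table says do not need to accept external traffic.
      local_only[579] = "cPHulk"
      local_only[953] = "PowerDNS"
      # Non-SSL port -> SSL port listed for the same service in the table.
      ssl_port[110]  = "995";  ssl_port[143]  = "993"
      ssl_port[2077] = "2078"; ssl_port[2079] = "2080"
      ssl_port[2082] = "2083"; ssl_port[2086] = "2087"
      ssl_port[2095] = "2096"
      ssl_port[21]   = "22 (SFTP via SSH)"
    }
    $1 == "LISTEN" {
      # Column 4 is Local Address:Port, e.g. 0.0.0.0:22, [::1]:953, *:143
      n = split($4, part, ":")
      port = part[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      gsub(/^\[|\]$/, "", addr)   # [::1] -> ::1
      sub(/%.*$/, "", addr)       # 127.0.0.1%lo -> 127.0.0.1
      # Assumption: ::1 is treated as loopback alongside 127.0.0.x.
      loopback = (addr ~ /^127\.0\.0\./ || addr == "::1")
      if (loopback) next
      if (port in local_only)
        print "EXPOSED " port " (" local_only[port] ") listens on " addr
      else if (port in ssl_port)
        print "PLAINTEXT " port " listens on " addr ", prefer " ssl_port[port]
    }'
}

# Constructed sample of `ss -Htln` output (not taken from a real server).
sample_listeners() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:579 0.0.0.0:*
LISTEN 0 128 0.0.0.0:953 0.0.0.0:*
LISTEN 0 128 [::1]:953 [::]:*
LISTEN 0 128 0.0.0.0:2082 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2083 0.0.0.0:*
LISTEN 0 128 [::]:2087 [::]:*
LISTEN 0 128 *:143 *:*
EOF
}

# On a live server, replace the sample with:  ss -Htln | audit_listeners
sample_listeners | audit_listeners
```

A listener that the check reports still needs a firewall decision: either restrict the port to the addresses that need it or disable the service.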
The License Callback Mechanism
The License Callback Mechanism immediately updates a server after the license changes in either Manage2 or the cPanel Store. It cannot make any changes to the server. It only alerts the server that a change has been made to the license. The license callback mechanism tries the following ports until one succeeds:
Service | Port | Inbound | Outbound |
---|---|---|---|
cPanel | 2082 | ![]() | |
cPanel SSL | 2083 | ![]() | |
WHM | 2086 | ![]() | |
WHM SSL | 2087 | ![]() | |
Webmail SSL | 2096 | ![]() |
Note:
At least one port in the above table must be open for the license callback mechanism to work. The server only accepts requests to this API from cPanel & WHM. The license system does not send any other information to the customer’s server.
Example configurations
Important:
- We do not recommend that you use these examples for your personal configurations. Instead, make certain that your firewall rules match the way in which you use cPanel & WHM’s services.
- AlmaLinux, CloudLinux 8 or higher, and Rocky Linux™ servers have additional requirements. For more information, read the AlmaLinux, Rocky Linux, and CloudLinux 8+ firewall management section below.
- CentOS 7, CloudLinux™ 7, and Red Hat® Enterprise Linux® (RHEL) 7 servers have additional requirements. For more information, read the CentOS 7, CloudLinux 7, and RHEL 7 firewall management section below.
- We recommend the nftables utility for servers that run the AlmaLinux OS 8, Rocky Linux 8, or CloudLinux 8 operating systems. For servers that run the CentOS 7, CloudLinux 7, or RHEL 7 operating systems, we recommend that you use the firewalld utility. We recommend the iptables utility on servers that run the Ubuntu operating system.
AlmaLinux, Rocky Linux, and CloudLinux 8+ firewall management
Important:
We strongly recommend that you use the nftables framework for the firewall of servers that run the Rocky Linux, CloudLinux 8 or higher, or AlmaLinux operating systems.
Use the nftables framework instead of the iptables utility or legacy services in those operating systems. You can configure nftables with the nft command line tool. You will find the nftables ruleset for your server in the /etc/sysconfig/nftables.conf file.
For example, to block traffic for a single IPv4 address, run the following command, where 198.51.100.1 is the IPv4 address that you wish to block:
nft add rule filter INPUT ip saddr 198.51.100.1 drop
To block traffic for a single IPv6 address, run the following command, where 2001:0db8:0:0:1:0:0:1 is the IPv6 address that you wish to block:
nft add rule ip6 filter INPUT ip6 saddr [2001:0db8:0:0:1:0:0:1] drop
For more information about the nftables framework and the nft tool, read Red Hat’s Getting Started with nftables documentation.
CentOS 7, CloudLinux 7, and RHEL 7 firewall management
We strongly recommend that servers that run the CentOS 7, CloudLinux 7, and RHEL 7 operating systems use the firewalld daemon instead of the iptables utility or legacy services in those operating systems.
For example, to block traffic for a single IPv4 address, run the following command, where 198.51.100.1 is the IPv4 address that you wish to block:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="198.51.100.1" drop' --permanent
To block traffic for a single IPv6 address, run the following command, where 2001:0db8:0:0:1:0:0:1 is the IPv6 address that you wish to block:
firewall-cmd --add-rich-rule='rule family="ipv6" source address="[2001:0db8:0:0:1:0:0:1]" drop' --permanent
Important:
We recommend that you only use the firewall utilities on CentOS 7, CloudLinux 7, and RHEL 7 servers.
- If you use firewalld, you must enable the daemon before you change the firewall settings. To do this, run the systemctl enable firewalld command. If you do not enable the daemon, the system will erase any firewall changes when you reboot the server.
- If you use firewalld, the system will remove the iptables-services package through the yum package manager with the following command: yum remove iptables-services
- If you use the legacy iptables utility, remove the firewalld package through the yum package manager with the following command: yum remove firewalld
- If you use a third-party firewall management service, we recommend that you check the firewall’s documentation before you remove the unused firewalld or iptables packages.
For more information about the firewall utilities and the firewalld daemon, read Red Hat’s Using Firewalls documentation.
The cpanel service
Important:
The /usr/local/cpanel/scripts/configure_firewall_for_cpanel script clears all existing rule entries from your server’s iptables utility. If you use custom rules for your firewall, export those rules before you run the script and then re-add them afterward.
cPanel & WHM also includes the cpanel service, which manages all of the rules in the /etc/firewalld/services/cpanel.xml file. This allows TCP access for the server’s ports.
To replace your server’s existing iptables rules with the rules in the /etc/firewalld/services/cpanel.xml file, perform the following steps:
- Run the yum install firewalld command to ensure that you have installed the firewalld service daemon on your system.
- Run the systemctl start firewalld.service command to start the firewalld service.
- Run the systemctl enable firewalld command to start the firewalld service when the server starts.
- Run the iptables-save > backupfile command to save your existing firewall rules.
- Run the /usr/local/cpanel/scripts/configure_firewall_for_cpanel script.
- Run the iptables-restore < backupfile command to incorporate your old firewall rules into the new firewall rules file.
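Because the script clears every existing rule, it helps to see exactly which custom rules from the backup are missing afterward. The following is an added example, not cPanel's own tooling: it compares two `iptables-save` dumps and lists the rules found only in the backup. The function names, the file name `current`, and both sample dumps are constructed for illustration; the second dump is not real output of the cPanel script.

```shell
#!/bin/sh
# Added example. Lists rules present in an iptables-save backup that are
# absent from the current ruleset, so they can be reviewed and re-added.

# Print "<table> <rule>" for every -A line in an iptables-save file.
rules_of() {
  awk '
    /^\*/  { table = substr($0, 2); next }  # "*filter" opens a table section
    /^-A / { print table " " $0 }           # keep rules; skip chains, COMMIT, comments
  ' "$1" | LC_ALL=C sort -u
}

# usage: lost_rules BACKUP_FILE CURRENT_FILE
lost_rules() {
  old=$(mktemp) || return 1
  new=$(mktemp) || return 1
  rules_of "$1" > "$old"
  rules_of "$2" > "$new"
  LC_ALL=C comm -23 "$old" "$new"   # lines that appear only in the backup
  rm -f "$old" "$new"
}

# Constructed sample data: a backup taken before the script ran and a
# ruleset captured afterward.
demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/backupfile" <<'EOF'
# Constructed sample of iptables-save output (before)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 198.51.100.1/32 -j DROP
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
COMMIT
EOF
  cat > "$dir/current" <<'EOF'
# Constructed sample of iptables-save output (after)
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
COMMIT
EOF
  lost_rules "$dir/backupfile" "$dir/current"
  rm -rf "$dir"
}

# On a live server:  iptables-save > current; lost_rules backupfile current
demo
```

In the sample, the block rule for 198.51.100.1 and the SSH allow rule are reported as lost, while the 2087 rule that both dumps share is not.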
Ubuntu firewall management
We recommend that servers that run the Ubuntu operating systems use the iptables utility instead of the ufw utility that Ubuntu installs by default. The iptables utility offers more customization settings for your packet-filtering rules.
Note:
This utility requires that you understand the TCP/IP stack. For more information about the use of iptables, visit the iptables site, or run the man iptables command from the command line.
For example, to block traffic for a single IPv4 address, run the following command, where 198.51.100.1 is the IPv4 address that you wish to block:
iptables -I INPUT -s 198.51.100.1 -j DROP
To block traffic for a single IPv6 address, run the following command, where 2001:0db8:0:0:1:0:0:1 is the IPv6 address that you wish to block:
ip6tables -I INPUT -s 2001:0db8:0:0:1:0:0:1 -j DROP
Adding rules with the CSF and APF utilities
The following examples explain how to add rules with ConfigServer Security & Firewall (CSF) and Advanced Policy Firewall (APF).
Warning:
CSF and APF do not function with the firewalld utility. If you install CSF or APF, you must remove the firewalld utility. To do this, run the yum remove firewalld command.
Remember:
We recommend that you use the firewalld utility on servers that run the CentOS 7, CloudLinux 7, or RHEL 7 operating systems. We recommend the nftables utility for servers that run the AlmaLinux OS 8, Rocky Linux 8, or CloudLinux 8 operating systems. We recommend the iptables utility on servers that run the Ubuntu operating system.
ConfigServer Security & Firewall
ConfigServer provides the free WHM plugin CSF, which allows you to modify your server’s iptables rules in WHM. For information about how to install and configure CSF, read our Additional Security Software documentation.
Advanced Policy Firewall
APF acts as a front-end interface for the iptables utility, and allows you to open or close ports without the use of the iptables syntax.
The following example provides two rules that you can add to the /etc/apf/conf.apf file to allow HTTP and HTTPS access to your system:
Article information
Author: Gov. Deandrea McKenzie
Last Updated: 23/01/2023
FAQs
How do I enable firewall in WHM? ›
- Log into WHM.
- Navigate to ConfigServer Security & Firewall.
- Click "Firewall Enable"
- Log in to your server as the root user via SSH.
- Run the cd /root command to change to the root directory.
- Run the tar -xzf csf.tgz command to decompress the downloaded file.
- Run the cd csf command to change directories.
- To begin the CSF installation, run the ./install.cpanel.sh command.
- Log into your WHM.
- Click the “Add IP to Firewall” link in the left menu. This link is one of the last links in the left menu in WHM. ...
- Enter your IP address in the “Allow Rule:” field and click the “Add Rule / Restart” button. Note!
One of the most-requested features on cPanel servers is the ability to manage and filter traffic at a country level. With the ConfigServer Firewall (CSF) plugin in WebHost Manager, you can do exactly that.
How do I whitelist an IP address in WHM firewall? ›
- Log into WHM as the 'root' user.
- Type “cphulk” in the search box, then click the cPHulk Brute Force Protection link in the Security Center section.
- Click the Whitelist Management tab.
- Add the IP addresses that you want to whitelist to the New Whitelist Records section.
- Enter your WHM username in the Username text box.
- Enter your password in the Password text box.
- Click Log in.
Setup ConfigServer Firewall (CSF)
CSF (ConfigServer Security and Firewall) is one of the most popular firewalls for cPanel servers.
- Step 1: Secure access to the firewall. ...
- Step 2: Define network architecture. ...
- Step 3: Configure the firewall. ...
- Step 4: Testing of the firewall.
Microsoft firewall settings are found through Start > Settings > Update & Security > Windows Security > Firewall and Network Protection.
How do I configure my firewall IP address? ›
- Select the Advanced settings option from the sidebar menu.
- The Windows Firewall with Advanced Security panel will open. ...
- Windows Firewall will open a new window New Inbound Rule Wizard. ...
- A form will appear in the window. ...
- Another window named IP Address will pop up.
How do I install cPanel and WHM on my server? ›
- Step 1: Login to the server. Login via SSH to the server using the root username. ...
- Step 2: Open a screen. Install screen if it is not yet installed: ...
- Step 3: Set a hostname. ...
- Step 4: Execute the Installation Command. ...
- Step 5: Proceed with web installation. ...
- Step 6: Restart the server.
- Log into WHM as the 'root' user.
- Navigate to "Home / Plugins / ConfigServer Security & Firewall / Firewall Configuration."
- Click the "csf" tab.
- In the text box following "Allow IP address," Enter the IP address to be whitelisted.
- Click the "Quick Allow" button.
- Run the yum install firewalld command to ensure that you have installed the firewalld service daemon on your system.
- Run the systemctl start firewalld. ...
- Run the systemctl enable firewalld command to start the firewalld service when the server starts.
What Are the Differences Between cPanel and hPanel? From easy-to-follow installations to MySQL databases, hPanel appears similar to cPanel. The main difference between the two is the developer – hPanel is an in-house tool developed by Hostinger to make every customer's online experience as easy and smooth as possible.
How do I know if my IP is blocked by cPanel firewall? ›
Step 1 − Open cPanel IP Blocker by clicking on IP Blocker Link found under security section of cPanel Home.
Step 2 − Scroll down to find Currently–Blocked IP Addresses. Find the IP address or Range you want to remove, and click on Delete link.
Which IP address is used to whitelist? ›
IP whitelisting is when you grant network access only to specific IP addresses. Each employee (or approved user) shares their home IP address with the network administrator, who then enters their IP address on a “whitelist” that grants them network access.
What is blacklist and whitelist IP? ›
Whitelisting and blacklisting are two methodologies to control access to websites, email, software and IP addresses on networks. Whitelisting denies access to all resources and only the “owner” can allow access. Blacklisting allows access to all with the provision that only certain items are denied.
How do I check my WHM server configuration? ›
- Log in to WHM.
- Using the search box either on the left-side panel or at the top of the page, search for the Server Information section.
- Select Server Information from the list.
- The Server Information page gives us information about the specific hardware configuration of the server.
In the Welcome email, you will find: WHM Address - This is your WHM's URL and usually ends with ":2087." You may want to open that link in a browser and bookmark the URL. Username - This is your WHM's username. Password - You now have the option to set your root password upon receiving the Welcome email.
How do I check my WHM server space? ›
- Login to your WHM.
- Type “list” in the search box.
- Click the List Accounts link which is under the Account Information heading in the left menu. You will see a listing of all of your accounts, and disk space usage can be seen under the “Disk Used” column.
What are the 3 types of cPanel users? ›
The account tiers are separated into Solo, Admin, Pro, and Premier account tiers. The main difference between these tiers is the number of cPanel user accounts available to be created as well as the monthly pricing.
What is the strongest type of firewall? ›
Proxy Firewalls (Application-Level Gateways)
As the most powerfully secure choice available, proxy firewalls serve as an intermediary where source computers connect to the proxy instead of the destination device.
Proxy servers are the most secure type of firewall, as they filter packets through a protected proxy server. This is done before traffic even reaches the network perimeter.
What are the five 5 steps to configure a firewall? ›
- Secure the Firewall. ...
- Establish Firewall Zones and an IP Address Structure. ...
- Configure Access Control Lists (ACLs) ...
- Configure Other Firewall Services and Logging. ...
- Test the Firewall Configuration. ...
- Manage Firewall Continually.
Firewall configuration involves configuring domain names and Internet Protocol (IP) addresses and completing several other actions to keep firewalls secure. Firewall policy configuration is based on network types called “profiles” that can be set up with security rules to prevent cyber attacks.
What is the proper rule for a firewall? ›
Firewall rules: Determine what traffic your firewall allows and what is blocked. Examine the control information in individual packets, and either block or allow them according to the criteria that you define. Control how the firewalls protect your network from malicious programs and unauthorized access.
How do I configure firewall on my client computer? ›
Open Control Panel and double-click System and Security. Select Windows Firewall. Select Allow a program or feature through Windows Firewall. Select the Change settings option.
How to activate firewall? ›
- Open the Control Panel in Windows.
- Click on System and Security.
- Click on Windows Firewall.
- If your firewall is disabled, you'll see Windows Firewall marked “Off.” To turn it on, in the left navigation pane, you can click on Turn Windows Firewall on or off.
- Log into WHM.
- Navigate to EasyApache 4.
- Click Customize under Currently Installed Packages.
- Click Apache Modules.
- Use the search bar to search for the extension you need to install. ...
- Mark the module for installation by clicking the switch icon to the far right of the extension.
- First, log into WHM as the 'root' user.
- Click the cPHulk Brute Force Protection link in the Security Center section after entering "cphulk" in the search box.
- Go to the cPHulk Brute Force Protection website and click the Countries Management option.
How do I find my firewall settings? ›
Click the Start button, then type Windows Firewall in the Search box. Click Windows Firewall, and then click Allow a program or feature through Windows Firewall. Click the Change settings button. If a User Account Control window appears, click Yes, or enter your user name and password, then click OK.
How do I know if my firewall is open? ›
- Press Windows Key + R to open Run.
- Type "control" and press OK to open Control Panel.
- Click on System and Security.
- Click on Windows Defender Firewall.
- From the left panel Allow an app or feature through Windows Defender Firewall.
Apache web server is the most important part of your WHM server. It's the program that allows visitors to view your websites.
How to access WHM through SSH? ›
- Open a Terminal session.
- Run the following command: ssh -p port -i ssh-key user@IP where port represents the port number, ssh-key represents the file path to your SSH key, user represents your username, and IP represents your IP address. For example: ...
- Enter your SSH key password.
- Log into WHM as the root user.
- Navigate to EasyApache 4.
- Click "Customize" under "Currently Installed Packages."
- Click "PHP Versions."
- Mark the version for installation by clicking the switch icon to the far right of the version.
- Then find Search for IP.
- Enter the IP address and click on Search for IP.
- Then you will get the results as follows:
- If you want to unblock the IP address, then click the Unblock button on bottom of the page.
...
- Login to WHM.
- Type firewall in Find bar and click on ConfigServer Security&Firewall link.
- Click on the Firewall Configuration button.
- Scroll down and locate Allow incoming TCP ports section. ...
- Lastly, you will need to restart csf by clicking on Restart csf+lfd button.
To reduce security risks, disable all services and daemons that you do not use. Disable any services that you do not currently use with WHM's Service Manager interface (WHM » Home » Service Configuration » Service Manager).