Overview
cPanel & WHM manages various services on your system, many of which
require external connections to operate correctly. To enable these services, your firewall
must allow cPanel & WHM to open the necessary ports.
This guide provides a list of ports and their associated services to help you effectively
configure your firewall.
Warnings:
- Only open ports for the services you actively use.
- Ensure you maintain console access and configure firewall rules to allow server
login at all times.
- When using a third-party firewall with nftables, rules added via the Host Access
Control interface (WHM » Home » Security Center » Host Access Control) will be
ignored.
Important Recommendations
- Always use the SSL version of services when available to prevent potential interception
of sensitive data, like login credentials.
- Verify that all services have valid SSL certificates via WHM’s Manage Service SSL
Certificates interface (WHM » Home » Service Configuration » Manage Service SSL
Certificates).
License Callback Mechanism Overview
The License Callback Mechanism ensures that a server promptly updates
its license information after changes are made in Manage2 or the cPanel Store. It serves a
notification role and cannot directly modify server settings or configurations. Its purpose
is strictly to inform the server of a license update.
Ports Used by the License Callback Mechanism
| Service | Port | Inbound | Outbound |
|---|---|---|---|
| cPanel | 2082 | YES | - |
| cPanel SSL | 2083 | YES | - |
| WHM | 2086 | YES | - |
| WHM SSL | 2087 | YES | - |
| Webmail SSL | 2096 | YES | - |
Key Notes:
- Port Accessibility: At least one of these ports must be open for the mechanism
to function correctly.
- Communication Scope:
- The mechanism sends requests exclusively to the cPanel & WHM API.
- No additional information is transmitted to the server.
- Security Assurance: The license system strictly limits data exchanges to
notifications about license changes, ensuring no customer data is affected.
Firewall Management for AlmaLinux, Rocky Linux, and CloudLinux
Recommendations:
- Use nftables Framework:
For servers running AlmaLinux, Rocky Linux, or CloudLinux, the nftables framework is the
recommended firewall utility. It replaces the older iptables utility and legacy
services.
- Configure it using the nft command-line tool.
- Firewall rules are stored in /etc/sysconfig/nftables.conf.
- For Ubuntu Servers:
Use the iptables utility for firewall management.
Example Commands for Blocking Traffic:
- Block a single IPv4 address:
nft add rule filter INPUT ip saddr 198.51.100.1 drop
(Replace 198.51.100.1 with the IPv4 address you want to block.)
- Block a single IPv6 address:
nft add rule ip6 filter INPUT ip6 saddr 2001:0db8:0:0:1:0:0:1 drop
(Replace 2001:0db8:0:0:1:0:0:1 with the IPv6 address you want to block. nft takes the
address bare; do not wrap it in square brackets.)
Notes:
- Configuration File: All rules can be persisted by adding them to
/etc/sysconfig/nftables.conf.
- Red Hat Documentation: Refer to Red Hat’s Getting Started with nftables for
detailed guidance.
Warning:
The provided examples are for illustration only. Customize your firewall rules to align
with how you use cPanel & WHM services, ensuring proper security and functionality.
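As an added example (not from this page or from cPanel), the following Python script turns the commands above into text you can review before loading it: block_rule builds the single-address drop command for the right family from a validated address, and build_ruleset emits an nftables.conf that keeps SSH reachable and opens only the service ports you name from the table above. The table/chain layout, the ICMP accept lines and the ssh_port default are assumptions; check the output with nft -c -f before placing it in /etc/sysconfig/nftables.conf.

```python
import ipaddress

# cPanel & WHM service ports from the table on this page.
CPANEL_PORTS = {
    "cPanel": 2082,
    "cPanel SSL": 2083,
    "WHM": 2086,
    "WHM SSL": 2087,
    "Webmail SSL": 2096,
}


def block_rule(addr):
    """Return the nft command that drops inbound traffic from one address.

    The ip/ip6 family comes from the parsed address, so IPv6 is emitted bare
    (nft rejects brackets) and a typo raises ValueError instead of a no-op.
    """
    ip = ipaddress.ip_address(addr.strip())
    family = "ip6" if ip.version == 6 else "ip"
    return f"nft add rule {family} filter INPUT {family} saddr {ip} drop"


def build_ruleset(services, ssh_port=22):
    """Return nftables.conf text accepting only the named services plus SSH.

    Assumed layout: a 'filter' table with an INPUT chain per family (ip and
    ip6), the same table/chain the page's nft commands add rules to.
    """
    unknown = set(services) - set(CPANEL_PORTS)
    if unknown:
        raise ValueError(f"unknown service(s): {sorted(unknown)}")
    ports = sorted({ssh_port} | {CPANEL_PORTS[s] for s in services})
    port_list = ", ".join(str(p) for p in ports)
    out = []
    for family, icmp in (("ip", "icmp"), ("ip6", "ipv6-icmp")):
        out += [
            f"table {family} filter {{",
            "  chain INPUT {",
            "    type filter hook input priority 0; policy drop;",
            "    ct state established,related accept",
            "    iif lo accept",
            f"    meta l4proto {icmp} accept",  # ping and neighbor discovery
            f"    tcp dport {{ {port_list} }} accept",
            "  }",
            "}",
        ]
    return "\n".join(out) + "\n"
```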
Firewall Configuration for cPanel & WHM
Important Information:
- The script /usr/local/cpanel/scripts/configure_firewall_for_cpanel clears all
existing iptables rules on your server. If you have custom firewall rules, export
them before running the script, then re-add them afterward.
Managing Firewall with cPanel Service:
cPanel & WHM includes a service that manages firewall rules via the
/etc/firewalld/services/cpanel.xml file, which allows TCP access for necessary ports. To
integrate these rules with your firewall, follow these steps:
- Install firewalld:
- Start firewalld service:
systemctl start firewalld.service
- Enable firewalld to start at boot:
systemctl enable firewalld
- Save existing iptables rules (backup):
iptables-save > backupfile
- Run the cPanel firewall configuration script:
/usr/local/cpanel/scripts/configure_firewall_for_cpanel
- Restore previous firewall rules (optional):
iptables-restore < backupfile
Ubuntu Firewall Management
For Ubuntu servers, the default firewall utility is UFW (Uncomplicated
Firewall). However, it is recommended to use iptables for more advanced customization. If
you need to block specific traffic, use the following commands:
- Block IPv4 address:
iptables -I INPUT -s 198.51.100.1 -j DROP
- Block IPv6 address:
ip6tables -I INPUT -s 2001:0db8:0:0:1:0:0:1 -j DROP
Note:
- Using iptables requires knowledge of the TCP/IP stack. For more information, consult
the iptables documentation or run man iptables on the command line.
Key Points to Remember:
- Backup and restore your firewall settings when using cPanel’s firewall management
script.
- If using Ubuntu, avoid the default UFW utility and opt for iptables for better control
over firewall rules.
Adding Rules with CSF and APF Utilities
Important Notes:
- Incompatibility with firewalld: The ConfigServer Security & Firewall (CSF)
and Advanced Policy Firewall (APF) are not compatible with the firewalld utility. To
use CSF or APF, you must uninstall firewalld by running the following command:
- Recommended Tools:
- For servers running AlmaLinux, Rocky Linux, or CloudLinux, use the nftables
utility.
- For servers running Ubuntu, use the iptables utility.
Steps to Add Rules in CSF:
- Edit the CSF configuration file:
- Add an IP address or range to allow:
192.168.1.1 # Example IP address
- To allow traffic for a specific port (e.g., SSH on port 22), use this format:
tcp|in|d=22|s=192.168.1.1
- Save the file and restart CSF to apply the changes:
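An added example, not part of this page or of CSF itself: a small Python parser for the csf.allow line forms shown above (a bare address or CIDR with an optional "# comment", and the advanced tcp|in|d=22|s=192.168.1.1 form) that validates every entry before it is trusted. The sample file is constructed, and restricting the parser to exactly these two forms is an assumption; CSF accepts further options that this example does not model.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Advanced csf.allow form from the page: proto|direction|d=port|s=source.
# Any line that is neither this nor a bare address/CIDR is rejected, so a
# typo cannot silently turn into a rule that does something else.
ADV_RE = re.compile(r"^(tcp|udp)\|(in|out)\|d=(\d{1,5})\|s=(\S+)$")

@dataclass
class CsfRule:
    source: str                  # address or CIDR, normalized
    proto: str = "any"
    direction: str = "any"
    dport: Optional[int] = None  # None means all ports
    comment: str = ""

def _network(text, lineno):
    try:
        return str(ipaddress.ip_network(text, strict=False))
    except ValueError:
        raise ValueError(f"line {lineno}: not an address or CIDR: {text!r}") from None

def parse_csf_allow(content: str) -> List[CsfRule]:
    rules = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        body, _, comment = raw.partition("#")
        body, comment = body.strip(), comment.strip()
        if not body:
            continue  # blank or comment-only line
        m = ADV_RE.match(body)
        if m is None:
            rules.append(CsfRule(_network(body, lineno), comment=comment))
            continue
        proto, direction, port, src = m.groups()
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"line {lineno}: port {port} out of range")
        rules.append(CsfRule(_network(src, lineno), proto, direction, int(port), comment))
    return rules

# Constructed sample file (not from the page or from a real server).
SAMPLE = """\
192.168.1.1 # Example IP address
10.20.0.0/16 # office range
tcp|in|d=22|s=192.168.1.1
tcp|in|d=2087|s=203.0.113.10 # WHM SSL only, from one host
"""
```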
Steps to Add Rules in APF:
- Open the APF configuration file for allowed hosts:
nano /etc/apf/allow_hosts.rules
- Include the desired IP address or range:
192.168.1.1 # Example IP address
- To allow specific ports, edit the allow_ports.rules file:
nano /etc/apf/allow_ports.rules
- Specify the port and protocol (e.g., SSH using TCP port 22):
- Restart APF to activate the new rules:
Key Recommendations:
- Use a firewall utility that matches your server's operating system for optimal
compatibility.
- Always backup existing rules before making changes to avoid accidental
misconfigurations.
- Regularly review and monitor your firewall settings to ensure your server’s
security.
ConfigServer Security & Firewall (CSF)
Overview:
The ConfigServer Security & Firewall (CSF) is a free WHM plugin that
simplifies managing your server's iptables rules directly from the WHM interface. For
installation and configuration details, refer to the Additional Security Software
documentation.
Advanced Policy Firewall (APF)
Overview:
The Advanced Policy Firewall (APF) serves as an easy-to-use front-end
for the iptables utility, enabling you to manage ports without requiring knowledge of
iptables syntax.
Example Configuration for APF:
To allow HTTP and HTTPS traffic, add the following rules to your
/etc/apf/conf.apf file:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="80,443"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="80"
These settings ensure that your system permits inbound HTTP (port 80) and HTTPS (port 443) traffic, as well as outbound HTTP traffic.