Remove unnecessary port access with CSF/LFD firewall in cPanel - digitalFAQ Forum
01-12-2012, 02:23 AM
kpmedia (Site Staff | Web Hosting, Photo)
With the convenient ConfigServer Security & Firewall free plugin for cPanel, you can quickly block unnecessary ports.

Go to the CSF page -- usually https://server.com:2087/cgi/addon_csf.cgi -- and select Port Settings from the dropdown menu.
You'll see a list of all the ports allowed by the server's firewall. Inversely, non-listed ports will be blocked by default.

One of the primary fundamentals of security is to revoke any unnecessary access.

You'll see these default ports on most cPanel servers:
Code:
# Allow incoming TCP ports
TCP_IN = 20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096

# Allow incoming UDP ports
UDP_IN = 20,21,53
These ports correspond to the following services:
  • 20 = FTP ... remove if ftp not used
  • 21 = FTP ... remove if ftp not used
  • 22 = SSH ... the ssh/sshd service should be moved to an alternate port to avoid brute force attacks; also disable root logins!
  • 25 = SMTP ... the smtp service should be moved to an alternate port to avoid abuse.
  • 53 = DNS
  • 80 = HTTP
  • 110 = POP3 ... remove if pop3 is not in use (webmail only, or not using mail on server)
  • 143 = IMAP ... remove if imap service (mostly used by mobile mail) not in use
  • 443 = HTTPS (http + SSL)
  • 465 = SMTP + SSL ... remove if no ssl certificate is in use; plus it's legacy/deprecated anyhow
  • 587 = SMTP alternate to 25
  • 993 = IMAP + SSL ... remove if imap and/or imap with an ssl certificate is not in use
  • 995 = POP3 + SSL ... remove if pop3 and/or pop3 with an ssl certificate is not in use
  • 2077 = webdisk ... remove if not in use
  • 2078 = webdisk ... remove if not in use
  • 2082 = cPanel login via http ... remove; always log in to cPanel with 2083 (SSL), even if self-signed
  • 2083 = cPanel secure login
  • 2086 = WHM login via http ... remove; always log in to WHM with 2087 (SSL), even if self-signed
  • 2087 = WHM secure login
  • 2095 = cPanel webmail login via http ... remove; always log in to webmail with 2096 (SSL), even if self-signed
  • 2096 = cPanel secure login for webmail (includes SquirrelMail, Roundcube, AtMail Open, others)
Key:
  • Leave non-bold, non-color items alone.
  • Bolded items can be removed if not used.
  • Red bolded items provide unnecessary and/or unsafe access and should be blocked and/or changed to alternate ports.
Note that this can/should be repeated in the IPv6 section, if the server has IPv6 access.
Code:
# Allow incoming IPv6 TCP ports
TCP6_IN = 22,25,53,80,110,143,443,465,587
And that's it for this mini-guide. I hope it helps you.

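One way to apply the port table above to an existing port list, as an added example that is not part of the original post or of CSF itself: it reads the `TCP_IN` / `TCP6_IN` lines, flags each port by the post's categories, and proposes a trimmed list. The `review` function, the service labels and the `in_use` parameter are assumptions of this example, and the sample text is constructed from the defaults shown in the post.

```python
import re

# Port classes transcribed from the post's table; the grouping names are this example's own.
PLAINTEXT_PANEL = {2082: 2083, 2086: 2087, 2095: 2096}  # http login -> SSL port to use
MOVE_TO_ALT_PORT = {22: "SSH", 25: "SMTP"}
REMOVE_IF_UNUSED = {20: "FTP", 21: "FTP", 110: "POP3", 143: "IMAP",
                    465: "SMTP+SSL", 993: "IMAP+SSL", 995: "POP3+SSL",
                    2077: "webdisk", 2078: "webdisk"}

# Matches TCP_IN / TCP6_IN assignments, with or without quotes around the value.
SETTING = re.compile(r'^\s*(TCP6?_IN)\s*=\s*"?([^"#\n]*)"?')

def review(conf_text, in_use=()):
    """Return (findings, proposed): per-port actions and a trimmed list per setting.

    in_use holds the service labels (values of REMOVE_IF_UNUSED) the server needs.
    """
    findings, proposed = [], {}
    for line in conf_text.splitlines():
        m = SETTING.match(line)
        if not m:
            continue  # comments, UDP_IN and every other setting are left alone
        name, keep = m.group(1), []
        for item in filter(None, (p.strip() for p in m.group(2).split(","))):
            # Anything that is not a single port (e.g. a range) is kept unreviewed.
            port = int(item) if item.isdigit() else None
            if port in PLAINTEXT_PANEL:
                findings.append((name, item, f"remove; use {PLAINTEXT_PANEL[port]} (SSL)"))
                continue
            if port in REMOVE_IF_UNUSED and REMOVE_IF_UNUSED[port] not in in_use:
                findings.append((name, item, f"remove; {REMOVE_IF_UNUSED[port]} not in use"))
                continue
            if port in MOVE_TO_ALT_PORT:  # cannot be dropped blindly, so only flagged
                findings.append((name, item, f"keep; move {MOVE_TO_ALT_PORT[port]} to an alternate port"))
            keep.append(item)
        proposed[name] = ",".join(keep)
    return findings, proposed

# Constructed sample: the default lists quoted in the post.
SAMPLE = """# Allow incoming TCP ports
TCP_IN = 20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096
# Allow incoming IPv6 TCP ports
TCP6_IN = 22,25,53,80,110,143,443,465,587
"""

if __name__ == "__main__":
    findings, proposed = review(SAMPLE, in_use={"IMAP", "IMAP+SSL"})
    for name, port, action in findings:
        print(f"{name:8} {port:>5}  {action}")
    for name, ports in proposed.items():
        print(f"{name} = {ports}")
```

The proposed lists are a starting point for the Port Settings page; ports 22 and 25 stay in the list until the services themselves have been moved.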