With the convenient ConfigServer Security & Firewall
free plugin for cPanel, you can quickly block unnecessary ports.
Go to the CSF page -- usually https://server.com:2087/cgi/addon_csf.cgi
-- and select Port Settings
from the dropdown menu.
You'll see a list of all the ports allowed by the server's firewall. Conversely, any port not listed is blocked by default.
One of the primary fundamentals of security is to revoke any unnecessary access.
You'll see these default ports on most cPanel servers:
# Allow incoming TCP ports
TCP_IN = 20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096
# Allow incoming UDP ports
UDP_IN = 20,21,53
These ports correspond to the following services:
- 20 = FTP ... remove if FTP is not used
- 21 = FTP ... remove if FTP is not used
- 22 = SSH ... the ssh/sshd service should be moved to an alternate port to avoid brute-force attacks; also disable root logins!
- 25 = SMTP ... the SMTP service should be moved to an alternate port to avoid abuse.
- 53 = DNS
- 80 = HTTP
- 110 = POP3 ... remove if POP3 is not in use (webmail only, or no mail on the server)
- 143 = IMAP ... remove if the IMAP service (mostly used by mobile mail clients) is not in use
- 443 = HTTPS (http + SSL)
- 465 = SMTP + SSL ... remove if no SSL certificate is in use; it's legacy/deprecated anyhow
- 587 = SMTP alternate to 25
- 993 = IMAP + SSL ... remove if IMAP, or IMAP with an SSL certificate, is not in use
- 995 = POP3 + SSL ... remove if POP3, or POP3 with an SSL certificate, is not in use
- 2077 = webdisk ... remove if not in use
- 2078 = webdisk ... remove if not in use
- 2082 = cPanel login via http ... remove; always log in to cPanel on 2083 (SSL), even if the certificate is self-signed
- 2083 = cPanel secure login
- 2086 = WHM login via http ... remove; always log in to WHM on 2087 (SSL), even if the certificate is self-signed
- 2087 = WHM secure login
- 2095 = cPanel webmail login via http ... remove; always log in to webmail on 2096 (SSL), even if the certificate is self-signed
- 2096 = cPanel secure login for webmail (includes SquirrelMail, Roundcube, AtMail Open, others)
- Items with no note after the service name should be left alone.
- Items marked "remove if not in use" can be removed if that service is not used.
- Items marked "remove" or "should be moved" provide unnecessary and/or unsafe access and should be blocked and/or changed to alternate ports.
Note that this can/should be repeated in the IPv6 section, if the server has IPv6 access.
# Allow incoming IPv6 TCP ports
TCP6_IN = 22,25,53,80,110,143,443,465,587
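As an added example (not code from the original guide or from ConfigServer), the script below applies the pruning described above to a csf.conf-style fragment: it parses the TCP_IN, UDP_IN and TCP6_IN lines, drops the plain-HTTP panel ports 2082/2086/2095 unconditionally, drops the port groups of whichever optional services you declare unused, rewrites only those lines, and then checks that no plain-HTTP panel port survived. The sample config is constructed from the defaults shown on this page; the service names (ftp, pop3, imap, webdisk, smtps) and function names are this example's own. Moving SSH or SMTP to alternate ports is a separate change the script does not attempt.

```python
import re
from typing import Dict, Iterable, List

# Constructed csf.conf fragment using the default port lists from the guide.
# A real csf.conf wraps each value in double quotes; the parser accepts both forms.
SAMPLE_CSF_CONF = """\
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow incoming IPv6 TCP ports
TCP6_IN = "22,25,53,80,110,143,443,465,587"
"""

# Ports belonging to optional services, keyed by a service name chosen for this example.
SERVICE_PORTS: Dict[str, List[str]] = {
    "ftp": ["20", "21"],
    "pop3": ["110", "995"],
    "imap": ["143", "993"],
    "webdisk": ["2077", "2078"],
    "smtps": ["465"],
}

# Plain-HTTP logins for cPanel, WHM and webmail: removed unconditionally, as the guide advises.
ALWAYS_REMOVE: List[str] = ["2082", "2086", "2095"]

# Matches `KEY = "a,b,c"` or `KEY = a,b,c` for the four inbound port lists.
LINE_RE = re.compile(r'^\s*(TCP_IN|UDP_IN|TCP6_IN|UDP6_IN)\s*=\s*"?([^"#]*?)"?\s*$')


def parse_port_lists(conf_text: str) -> Dict[str, List[str]]:
    """Return {key: [port tokens]} for the *_IN lines; comments and other settings are skipped.
    Tokens are kept as strings so csf port ranges such as 30000:35000 pass through untouched."""
    lists: Dict[str, List[str]] = {}
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, value = m.groups()
            lists[key] = [p.strip() for p in value.split(",") if p.strip()]
    return lists


def harden(lists: Dict[str, List[str]], unused_services: Iterable[str]) -> Dict[str, List[str]]:
    """Drop the plain-HTTP panel ports plus every port of each service declared unused,
    from every list (so FTP's UDP entries go along with its TCP entries). Order is preserved."""
    drop = set(ALWAYS_REMOVE)
    for svc in unused_services:
        drop.update(SERVICE_PORTS[svc])  # unknown service names raise KeyError on purpose
    return {key: [p for p in ports if p not in drop] for key, ports in lists.items()}


def render(conf_text: str, hardened: Dict[str, List[str]]) -> str:
    """Rewrite the *_IN lines in place; comments and unrelated settings are copied verbatim."""
    out: List[str] = []
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in hardened:
            out.append(f'{m.group(1)} = "{",".join(hardened[m.group(1)])}"')
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def plaintext_panel_ports(lists: Dict[str, List[str]]) -> List[str]:
    """Any plain-HTTP panel port still allowed in any list; empty after a correct hardening pass."""
    return sorted({p for ports in lists.values() for p in ports if p in ALWAYS_REMOVE}, key=int)


if __name__ == "__main__":
    original = parse_port_lists(SAMPLE_CSF_CONF)
    # Example policy: this server serves mail over IMAP only, no FTP, no Web Disk, no SMTPS on 465.
    hardened = harden(original, unused_services=["ftp", "pop3", "webdisk", "smtps"])
    print(render(SAMPLE_CSF_CONF, hardened))
    print("plain-HTTP panel ports still open before:", plaintext_panel_ports(original))
    print("plain-HTTP panel ports still open after: ", plaintext_panel_ports(hardened))
```

The Port Settings page edits the same lists, so the rendered output is exactly what you would paste into the TCP_IN, UDP_IN and TCP6_IN fields; if you apply it to /etc/csf/csf.conf directly instead, restart the firewall afterwards with `csf -r` so the new rules load.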
And that's it for this mini-guide. I hope it helps you.