Hey there! cPanel tech here :D Yes, it can be annoying, but we really don't want to be the reason a perceived security issue happens, or get blamed for making a server unresponsive. So that's the "why" behind that rule.
We do have a list of ports that are required for cPanel to function properly in our documentation here:
docs.cpanel.net
and tools like CSF usually open those by default when installed on a cPanel system. For additional configurations, you'd have to make manual adjustments to the configuration.
How to Configure Your Firewall for cPanel & WHM Services | cPanel & WHM Documentation
This document lists the ports that cPanel & WHM uses, and which services use each of these ports, to allow you to better configure your firewall.
docs.cpanel.net
and tools like CSF usually open those by default when installed on a cPanel system. For additional configurations, you'd have to make manual adjustments to the configuration.
Hello @petermatra,
https://docs.cpanel.net/knowledge-base/ftp/how-to-enable-ftp-passive-mode/
could help you in understanding why FTP needed changes in the firewall. It is a very well explained article from cPanel.
https://docs.cpanel.net/knowledge-base/ftp/how-to-enable-ftp-passive-mode/
could help you in understanding why FTP needed changes in the firewall. It is a very well explained article from cPanel.
I read the articles and could not figure out why the ports were not opened up. But the tech said they weren't. If I were confident enough to touch my own nft tables I would have.
This sounds like a perfect case where hiring a professional isn't a bad idea. It's no different than any other service - plumbing, electrical work, auto maintenance - no everyone knows everything about everything. If you're not confident in performing the work yourself, there's zero shame in asking or hiring someone.
A question on this...We do have a list of ports that are required for cPanel to function properly in our documentation here:
How to Configure Your Firewall for cPanel & WHM Services | cPanel & WHM Documentation
This document lists the ports that cPanel & WHM uses, and which services use each of these ports, to allow you to better configure your firewall.
and tools like CSF usually open those by default when installed on a cPanel system. For additional configurations, you'd have to make manual adjustments to the configuration.
There are ports I don't use (i.e. for non-secure connections like 110, 143, 2077, 2079, 2082, 2086, 2095, or ones I have changed to a custom port different from the cPanel default) that I remove from the firewalld's cPanel service.
If I do that will cPanel open them back up in future updates, or checks? (I'm specifically talking about the cPanel service in firewalld.) Or do I need to block them in the zone (I assume zone overrides the service inside that zone.)
I have read reports of others who removed a port(s) from the cPanel service xml file but later it was re-added by an update. I'm almost 100% that happened on one of my servers also. (No offense, it IS cPanel's file.
)My solution instead is to add a rich rule that overrides the port(s) in the cPanel service xml file.
Example:
# firewall-cmd --permanent --add-rich-rule='rule port port=110 protocol=tcp reject'
# firewall-cmd --reload
