Configure Instance Security-Group for WHM compatibility

Configure Instance Security-Group for WHM compatibility

March 14, 2019 / Nirav Shah

Configure Instance Security-Group for WHM compatibility

Abstract Here, we will see the ports that we need to be configured for WHM to function properly and also provide a brief note for the same. This is a part/continuation of our previous blog post on How to Migrate WHM From Third Party Providers to AWS, where we showed the steps to install WHM on an EC-2 server. In this blog post we will show the steps that you need to take in order to make your WHM secure without losing any of its functionality.

List of ports, protocols, and layers To Secure WHM

Here is an exclusive list of ports and the required protocols and layers on which they need to be open at the time of writing this AWS technology blog.

PORT SERVICE TCP UDP Inbound Outbound Localhost Notes
1 CPAN YES     YES   “Show Available Modules” option in cPanel’s Perl Modules interface (cPanel >> Home >> Software >> Perl Modules) uses this port to improve the speed in which it appears.
20 FTP YES   YES YES   Instead of FTP, we recommend that you use the more secure SFTP via SSH.
21 FTP YES   YES YES   Instead of FTP, we recommend that you use the more secure SFTP via SSH.
22 SSH YES   YES     You must open this port before you use WHM’s Transfer Tool interface (WHM >> Home >> Transfers >> Transfer Tool).
and later on
Open this port only for private access from your IP as keeping it open to the world is a big Security Risk
25 SMTP YES   YES YES    
26 SMTP YES   YES YES   cPanel & WHM only uses this port if you specify it in WHM’s Service Manager interface (WHM >> Home >> Service Configuration >> Service Manager).
37 rdate YES     YES    
43 whois YES     YES    
53 bind YES YES YES YES   cPanel & WHM only uses this port if you run a public DNS server.
80 httpd YES   YES YES   This port serves the HTTP needs of services on the server.
We strongly recommend that you encourage your users to use port 443, which uses the more secure SSL/TLS security protocol.
110 POP3 YES   YES      
113 ident YES     YES    
143 IMAP YES   YES      
443 httpd YES   YES YES   This port serves the HTTPS needs of services on the server.
465 SMTP,SSL/TLS YES YES YES YES    
579 cPHulk           This port should only accept connections on the 127.0.0.x IPv4 address. Your system does not require that this port accept external traffic.
783 Apache SpamAssassin™ YES YES     YES  
873 Rsync YES YES   YES    
993 IMAP SSL YES   YES      
995 POP3 SSL YES   YES      
2703 Razor YES     YES   Razor is a collaborative spam-tracking database. For more information, visit the Razor website.
2077 WebDAV YES   YES YES   cPanel’s Web Disk interface (cPanel >> Home >> Files >> Web Disk) uses these ports.
2078 WebDAV SSL YES   YES YES    
2079 CalDAV and CardDAV YES   YES YES   cPanel’s Calendars and Contacts interface (cPanel >> Home >> Email >> Calendars and Contacts) uses these ports.
2080 CalDAV and CardDAV (SSL) YES   YES YES   cPanel’s Calendars and Contacts interface (cPanel >> Home >> Email >> Calendars and Contacts) uses these ports.
2082 cPanel YES   YES     To disable logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” option to On in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the /cpanel, /whm, and /webmail aliases.
2083 cPanel SSL YES   YES      
2086 WHM YES   YES     To disable logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” option to On in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the /cpanel, /whm, and /webmail aliases.
2087 WHM SSL YES   YES      
2089 cPanel Licensing YES     YES   You must open this port in order to contact the cPanel license servers.
2095 Webmail YES   YES     To disable logins via this port and only allow SSL logins, set the Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” option to On in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This will redirect users to secure ports with the /cpanel, /whm, and /webmail aliases.
2096 Webmail SSL YES   YES      
2195 APNs YES     YES   cPanel & WHM only uses this port for the Apple® Push Notification Service (APNs). For more information, read our How to Set Up iOS Push Notifications documentation.
3306 MySQL® YES   YES     MySQL uses this port for remote database connections.
6277 DCC YES YES   YES    
24441 Pyzor YES YES   YES    

These are the ports and the protocols that are generally needed to opened for the WHM server to function properly along with all the different services it provides. If you face any issues regarding connectivity or failure of services just go through this list and audit your security-group configuration to check if any port was denied access.

Also Read : How to Install PHP GD Library on CentOS using WHM

FAQs:

1. What is the default setting of a security group in AWS?

2. What is a port in the security group?

3. How many security groups does an instance have

Talk to AWS Certified Consultant

    Spread Love By Sharing:

    Let’s Talk About Your Needed AWS Infrastructure Management Services

    Have queries about your project idea or concept? Please drop in your project details to discuss with our AWS Global Cloud Infrastructure service specialists and consultants.

    • Swift Hiring and Onboarding
    • Experienced and Trained AWS Team
    • Quality Consulting and Programming
    Let’s Connect and Discuss Your Project