CPanel firewall-d ports

I’ve read all over the Interwebs about firewalld and everyone makes it so complicated…in a way.

I use firewalld on my CentOS servers which many run CPanel.  I had a problem with cphulk today and I accidentally rebooted it (ctrl + alt + del crap on a VM with a keyboard snafoo…fat finger…ugh!).

So two things:

I – If you get locked out of CPanel because your password for root won’t work that’s talked about in the CPanel derpumentation (yes…derp, aka the forums).

CPHulk is the culprit and according to “Joshua” in support it’s working perfectly according to my configuration LOL.  Yeah Joshua…so perfectly I can’t log into my console!!!  WTF right???  You’re all locked out with no place to go…especially not CPanel support so what do you do?

1 – Boot to a live distro (CentOS for example LIVE)
2 – Rename the cphulk enable file found in your derpumenation here:
To disable cPHulk to keep it offline, even after a restart of cPanel & WHM, remove the cPHulk touch file with the following command:
rm /var/cpanel/hulkd/enabled
* I did an "mv /var/cpanel/hulkd/enabled /var/cpanel/hulkd/enabled.old"
** Technically, with a CentOS live distro you open a terminal > Type: passwd > change to whatever your root password is on your working host > cd to where the LIVE user has the drive mounted (I forget that that is something like /usr/live/media....some long GUID...blah blah blah)
3 – Reboot out of the live distro (shutdown -r now)
4 – Logon to CPanel / WHM > reconfigure CPhulk + create another more cryptic user account that won’t get brute force locked WITH root privileges

II – Your CPanel SHOULD (mine after it rebooted did not) have an xml file in:  /etc/firewalld/services

Per the Red Hat firewalld documentation you can make an xml file with your exceptions!

Here’s CPanels:

Filename:  cpanel.xml


<?xml version=”1.0″ encoding=”utf-8″?>
<description>This option allows you to access cPanel &amp; WHM’s standard services.</description>
<module name=”iptable_filter”/>
<module name=”ip6table_filter”/>
<port protocol=”tcp” port=”21″/>
<port protocol=”tcp” port=”22″/>
<port protocol=”tcp” port=”25″/>
<port protocol=”tcp” port=”26″/>
<port protocol=”tcp” port=”53″/>
<port protocol=”tcp” port=”80″/>
<port protocol=”tcp” port=”110″/>
<port protocol=”tcp” port=”143″/>
<port protocol=”tcp” port=”443″/>
<port protocol=”tcp” port=”465″/>
<port protocol=”tcp” port=”993″/>
<port protocol=”tcp” port=”995″/>
<port protocol=”tcp” port=”2077″/>
<port protocol=”tcp” port=”2078″/>
<port protocol=”tcp” port=”2079″/>
<port protocol=”tcp” port=”2080″/>
<port protocol=”tcp” port=”2082″/>
<port protocol=”tcp” port=”2083″/>
<port protocol=”tcp” port=”2086″/>
<port protocol=”tcp” port=”2087″/>
<port protocol=”tcp” port=”2095″/>
<port protocol=”tcp” port=”2096″/>
<port protocol=”tcp” port=”3306″/>
<port protocol=”tcp” port=”8080″/>
<port protocol=”udp” port=”53″/>

So I hope that helps someone in Internet land.  It’s hard to find good help!


Leave a Reply

Your email address will not be published. Required fields are marked *