Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
Which ports should be open in firewall on a Plesk server?
Answer
Ports that need to be opened depend on the services that are running on a server.
Plesk interface port is 8443 for HTTPS connection and 8880 for HTTP connection.
The possible ports that can be used by Plesk and its related services are listed below:
-
20 - ftp-data (TCP)
-
21 - ftp (TCP)
-
22 - ssh (TCP)
-
25 - smtp (TCP)
-
53 - dns (TCP and UDP)
-
80 - http (Web server and Plesk updater) (TCP)
-
106 - poppassd (for localhost only) (TCP)
-
110 - pop3 (TCP)
-
113 - auth (TCP)
-
143 - imap (TCP)
-
443 - https (TCP)
-
465 - smtps (TCP)
-
587 - mail message submission (TCP)
-
953 - rndc (TCP)
-
990 - ftps (TCP)
-
993 - imaps (TCP)
-
995 - pop3s (TCP)
-
1433 - mssql (TCP) - Windows Only
-
3306 - mysql (TCP)
-
3389 - rdp (TCP) - Windows Only
-
5224 - (outgoing connections only) plesk-license-update (TCP)
-
5432 - postgres (TCP) - Linux Only
-
8401 - sqladmin (TCP) - Windows Only
-
8443 - plesk-https (TCP)
-
8447 - autoinstaller (TCP)
-
8880 - plesk-http (TCP)
-
12768 - psa-pc-remote (for localhost only) (TCP) - Linux only, Postfix
-
135, 139, 445 - (TCP) ports for migration - Windows Only
-
137, 138 - (UPD) ports for migration - Windows Only
-
10155 - (TCP) for a custom Plesk Migrator service performing miscellaneous tasks - Windows Only
-
10156 - (TCP) for rsync server (migration) - Windows Only
-
49152-65535 - (TCP) for passive mode (incoming connections only)
Additional Information
- On Linux servers, access to none of these ports must be denied in
/etc/hosts.deny. If/etc/hosts.denyincludes general access rules, then explicit allowing rules should be put to/etc/hosts.allowfor all the ports mentioned (only the ports that accept incoming connections). -
The same rules also should be applied on any intermediate firewall/router that is between the Plesk server and an external network.
Comments
16 comments
Nginx needs 7080 and 7081. 953 needs to be opened for the DNS server (named). 12443 may also be needed, "Parallels Customer and Business Manager payment gateways".
Hi @feralfruitfreak, Nginx does not use 7080,7081 ports in Plesk, Apache uses it internally. Customer and Business Manager is not longer supported by Plesk.
I made a script to open all required ports on Centos firewall fast:
https://github.com/Reiser89/plesk-centos-firewall-opener
@Reiser
Hi!
Thank you for the script!
Other Pleskians may find it useful =)
./fwplesk.sh: ligne7: Erreur de syntaxe près du symbole inattendu « newline »
./fwplesk.sh: ligne7: `<!DOCTYPE html>'
syntax error signalized
Hello @GravuTrad,
Please contact the script developer as it is not created by Plesk:
https://github.com/Reiser89/plesk-centos-firewall-opener
Hi,
The Plesk Firewall extension does not show port numbers:
Any possibilities of adding a column with the port number?
Regards
Hello @Mario,
Thank you for your input!
The feature that you have reported is yet to be implemented in Plesk, thus I can suggest you take part in our product improvement by referring to the following link: Feature Suggestions
The top-ranked suggestions are likely to be included in the next versions of Plesk.
When setting up a firewall on Digital Ocean, for my Plesk droplet, should I include these ports for Inbound Rules? The default is to only accept inbound connections on port 22 for SSH. Otherwise, should I deny access to all of these ports from everyone but my own IP on my Plesk firewall?
Hello,
The ports should be opened in any internal/external firewalls. If DigitalOcean filters these ports, they are required to be configured on their side also.
Hi. We close all unnecessary ports for security reasons. We then have the CSF firewall to only allow access to 80 and 443 for websites. We would then need to allow any necessary ports Plesk uses, for example, does it connect through another port for updates? I assume #5224 is necessary for license updates, so any others needed? Most of the list above are not necessary ports, as Plesk on its own does not need FTP, Email etc etc. to operate.
So does anyone know what the actual necessary ports are for Plesk to work? So assume you only have Plesk and no other service... are there any other necessary ports?
Thanks
You should also add port 8080 for node applications
Hi Laurence Cope,
If you only have Plesk, then you must have at least the next ports:
#8443 plesk-https (TCP)
#8447 autoinstaller (TCP)
#8880 plesk-http (TCP)
Other ports are for services (SSH, FTP, DNS, Mail, DB, etc...), or to run a Plesk Migration as stated in after the port number.
Hi infra,
Such port is not listed since the Node Application runs through web service (80, 443), thus if the app you're running works on a specific port (due to programming) it is an application-specific port that has to be open by the administrator of the server. Like for example direct access to Apache (when Proxy Mode enabled) on port 7080 or 7081, not required because by default works through Nginx on 80/443 ports.
Thanks Francisco, exactly what's needed to know!
Plesk firewall block smtp and imap from connecting, when I turn off the firewall it works. and this seems to be unpredictable it will connect some user accounts but not others. As soon as the firewall is turned off it works. This also seems to be an issue if I try and add the rules manually. There seems to be some kind of bug in the firewall.
Hello Christopher Graham
We haven't received such a complaint about Plesk firewall functionality yet. There's a possibility that some custom rules is leading to the issue.
Could you submit a request for Plesk Support to have this investigated in details:https://support.plesk.com/hc/en-us/articles/213608509
Please sign in to leave a comment.