Applicable to:
- Plesk for Windows
- Plesk for Linux
Question
What ports need to be opened for all Plesk Services to work with a firewall?
Answer
Note: On OSes with enabled firewalld (CentOS/RHEL/CL 7, Debian 8/9, Ubuntu 16) all the required ports are opened automatically on Plesk Onyx 17.8 right after installation.
Generally, the ports that need to be opened depend on the services running on a server.
General Plesk access port is 8443 for https connection and 8880 for HTTP connection.
The possible ports that can be used by Plesk and its related services are listed below:
CONFIG_TEXT: #20 ftp-data (TCP)
#21 ftp (TCP)
#22 ssh (TCP)
#25 smtp (TCP)
#53 dns (TCP and UDP)
#80 http (Web server and Plesk updater) (TCP)
#106 poppassd (for localhost only) (TCP)
#110 pop3 (TCP)
#113 auth (TCP)
#143 imap (TCP)
#443 https (TCP)
#465 smtps (TCP)
#587 mail message submission (TCP)
#953 rndc (TCP)
#990 ftps (TCP)
#993 imaps (TCP)
#995 pop3s (TCP)
#1433 mssql (TCP) - Windows Only
#3306 mysql (TCP)
#3389 rdp (TCP) - Windows Only
#5224 (outgoing connections only) plesk-license-update (TCP)
#5432 postgres (TCP) - Linux Only
#8401 sqladmin (TCP) - Windows Only
#8443 plesk-https (TCP)
#8447 autoinstaller (TCP)
#8880 plesk-http (TCP)
#12768 psa-pc-remote (for localhost only) (TCP) - Linux only, Postfix
#135, 139, 445 (TCP) ports for migration - Windows Only
#137, 138 (UPD) ports for migration - Windows Only
#10155 (TCP) for a custom Plesk Migrator service performing miscellaneous tasks - Windows Only
#10156 (TCP) for rsync server(migration) - Windows Only
In legacy Plesk versions, the following ports should be opened additionally:
-
Plesk 12.5.30 for migration purposes
CONFIG_TEXT: #1434 (TCP) and all (or manually selected) TCP ports for MS SQL, if it is used as a named instance
-
Plesk 12.0
CONFIG_TEXT: #4190 dovecot (TCP)
#6308 sw-cp-server (TCP) -
From Plesk 9.0 up to Plesk 10.2
CONFIG_TEXT: #11443 sw-cp-serverd (TCP)- Linux Only
#11444 sw-cp-serverd (TCP) - Linux Only
Additional Information
-
iptables command can be used to open ports while being connected via SSH . For example:
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
firewalld command:
# firewall-cmd --permanent --add-port=21/tcp
# firewall-cmd --reload
-
It may be required to open and configure
PassivePortsfor FTP:
How to configure Passive FTP port range on Linux Server
How to configure Passive FTP port range on Windows Server -
Access to none of these ports should be denied in
/etc/hosts.deny. If/etc/hosts.denyincludes general access rules, then explicit allowing rules should be put to/etc/hosts.allowfor all the ports mentioned (only the ports that accept incoming connections). -
The same rules also should be applied on any intermediate firewall/router that is between the Plesk server and an external network.
Comments
10 comments
Nginx needs 7080 and 7081. 953 needs to be opened for the DNS server (named). 12443 may also be needed, "Parallels Customer and Business Manager payment gateways".
Hi @feralfruitfreak, Nginx does not use 7080,7081 ports in Plesk, Apache uses it internally. Customer and Business Manager is not longer supported by Plesk.
I made a script to open all required ports on Centos firewall fast:
https://github.com/Reiser89/plesk-centos-firewall-opener
@Reiser
Hi!
Thank you for the script!
Other Pleskians may find it useful =)
./fwplesk.sh: ligne7: Erreur de syntaxe près du symbole inattendu « newline »
./fwplesk.sh: ligne7: `<!DOCTYPE html>'
syntax error signalized
Hello @GravuTrad,
Please contact the script developer as it is not created by Plesk:
https://github.com/Reiser89/plesk-centos-firewall-opener
Hi,
The Plesk Firewall extension does not show port numbers:
Any possibilities of adding a column with the port number?
Regards
Hello @Mario,
Thank you for your input!
The feature that you have reported is yet to be implemented in Plesk, thus I can suggest you take part in our product improvement by referring to the following link: Feature Suggestions
The top-ranked suggestions are likely to be included in the next versions of Plesk.
When setting up a firewall on Digital Ocean, for my Plesk droplet, should I include these ports for Inbound Rules? The default is to only accept inbound connections on port 22 for SSH. Otherwise, should I deny access to all of these ports from everyone but my own IP on my Plesk firewall?
Hello,
The ports should be opened in any internal/external firewalls. If DigitalOcean filters these ports, they are required to be configured on their side also.
Please sign in to leave a comment.