Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
Which ports should be opened in the firewall on a Plesk server?
Answer
The list of ports that need to be opened in the firewall depends on the services that are running on a Plesk server.
The Plesk interface uses port 8443 for HTTPS connections and port 8880 for HTTP connections.
Other ports that are used by Plesk and related services:
- 20 - FTP data transfer for active mode (TCP)
- 21 - FTP (TCP)
- 22 - SSH (TCP) - Linux only
- 25 - SMTP (TCP)
- 53 - DNS (TCP and UDP)
- 80 - HTTP (TCP)
- 110 - POP3 (TCP)
- 123 - NTP (UDP)
- 143 - IMAP (TCP)
- 443 - HTTPS (TCP)
- 465 - SMTPS (TCP)
- 587 - SMTP (Submission) (TCP)
- 953 - RNDC (TCP)
- 990 - FTPS (TCP)
- 993 - IMAPS (TCP)
- 995 - POP3S (TCP)
- 1433 - Microsoft SQL (for remote connections) (TCP) - Windows only
- 3306 - MySQL (for remote connections) (TCP)
- 3389 - RDP (TCP) - Windows only
- 5432 - PostgreSQL (TCP) - Linux only
- 8401 - SQL Admin (TCP) - Windows only
- 8443 - Plesk HTTPS (TCP)
- 8447 - Plesk Installer (TCP)
- 8880 - Plesk HTTP (TCP)
- 49152-65535 - (TCP) for FTP passive mode - incoming connections only
Additional ports
- 135, 139, 445 - (TCP) for migration - Windows only
- 137, 138 - (UDP) for migration - Windows only
- 10155 - (TCP) for a custom Plesk Migrator service performing miscellaneous tasks - Windows only
- 10156 - (TCP) for rsync server (migration) - Windows only
- 49152-65535 - (TCP) for FTP passive mode - incoming connections only
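Because the required ports depend on which services actually run, the rule set can be generated per service instead of opening the whole list. The script below is an added example, not part of the original article or of Plesk: it assumes a Linux server with firewalld, the service group names (panel, web, mail and so on) are made up for this example, and the port numbers come from the list above.

```shell
#!/bin/sh
# Added example (not Plesk code): print a firewalld plan limited to the
# services in use. Ports are from the list above; group names are made up here.

# plesk_ports GROUP -> one "port/proto" entry per line
plesk_ports() {
  case "$1" in
    panel)    printf '%s\n' 8443/tcp 8880/tcp 8447/tcp ;;
    web)      printf '%s\n' 80/tcp 443/tcp ;;
    ssh)      printf '%s\n' 22/tcp ;;
    ftp)      printf '%s\n' 20/tcp 21/tcp 990/tcp 49152-65535/tcp ;;
    mail)     printf '%s\n' 25/tcp 110/tcp 143/tcp 465/tcp 587/tcp 993/tcp 995/tcp ;;
    dns)      printf '%s\n' 53/tcp 53/udp ;;
    mysql)    printf '%s\n' 3306/tcp ;;   # only if remote DB access is needed
    postgres) printf '%s\n' 5432/tcp ;;
    *) echo "unknown service group: $1" >&2; return 1 ;;
  esac
}

# firewall_plan GROUP... -> firewall-cmd lines, sorted by port, no duplicates.
# Nothing is executed; the output is meant to be reviewed, then run as root.
firewall_plan() {
  plan_ports=""
  for plan_group in "$@"; do
    # Abort on a typo instead of emitting a partial rule set.
    plan_out=$(plesk_ports "$plan_group") || return 1
    plan_ports="${plan_ports}${plan_out}
"
  done
  printf '%s' "$plan_ports" | sort -t/ -k1,1n -k2,2 -u |
    sed 's|^|firewall-cmd --permanent --add-port=|'
  echo "firewall-cmd --reload"
}

# Example: a web-only server that keeps the Plesk panel and SSH reachable.
firewall_plan panel web ssh
```

Any firewall in front of the server (for example a hosting provider's) needs the same ports allowed, since the host firewall only controls what reaches the services locally.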
Comments
27 comments
Nginx needs 7080 and 7081. 953 needs to be opened for the DNS server (named). 12443 may also be needed, "Parallels Customer and Business Manager payment gateways".
Hi @feralfruitfreak, Nginx does not use ports 7080, 7081 in Plesk, Apache uses them internally. Customer and Business Manager is no longer supported by Plesk.
I made a script to open all required ports on Centos firewall fast:
https://github.com/Reiser89/plesk-centos-firewall-opener
@Reiser
Hi!
Thank you for the script!
Other Pleskians may find it useful =)
./fwplesk.sh: ligne7: Erreur de syntaxe près du symbole inattendu « newline »
./fwplesk.sh: ligne7: `<!DOCTYPE html>'
syntax error signalized
Hello @GravuTrad,
Please contact the script developer as it is not created by Plesk:
https://github.com/Reiser89/plesk-centos-firewall-opener
Hi,
The Plesk Firewall extension does not show port numbers:
Any possibilities of adding a column with the port number?
Regards
Hello @Mario,
Thank you for your input!
The feature that you have reported is yet to be implemented in Plesk, thus I can suggest you take part in our product improvement by referring to the following link: Feature Suggestions
The top-ranked suggestions are likely to be included in the next versions of Plesk.
When setting up a firewall on Digital Ocean, for my Plesk droplet, should I include these ports for Inbound Rules? The default is to only accept inbound connections on port 22 for SSH. Otherwise, should I deny access to all of these ports from everyone but my own IP on my Plesk firewall?
Hello,
The ports should be opened in any internal/external firewalls. If DigitalOcean filters these ports, they are required to be configured on their side also.
Hi. We close all unnecessary ports for security reasons. We then have the CSF firewall to only allow access to 80 and 443 for websites. We would then need to allow any necessary ports Plesk uses, for example, does it connect through another port for updates? I assume #5224 is necessary for license updates, so any others needed? Most of the list above are not necessary ports, as Plesk on its own does not need FTP, Email etc etc. to operate.
So does anyone know what the actual necessary ports are for Plesk to work? So assume you only have Plesk and no other service... are there any other necessary ports?
Thanks
You should also add port 8080 for node applications
Hi Laurence Cope,
If you only have Plesk, then you must have at least the next ports:
#8443 plesk-https (TCP)
#8447 autoinstaller (TCP)
#8880 plesk-http (TCP)
Other ports are for services (SSH, FTP, DNS, Mail, DB, etc...), or to run a Plesk Migration as stated after the port number.
Hi infra,
Such port is not listed since the Node Application runs through web service (80, 443), thus if the app you're running works on a specific port (due to programming) it is an application-specific port that has to be open by the administrator of the server. Like for example direct access to Apache (when Proxy Mode enabled) on port 7080 or 7081, not required because by default works through Nginx on 80/443 ports.
Thanks Francisco, exactly what's needed to know!
Plesk firewall blocks SMTP and IMAP from connecting; when I turn off the firewall it works, and this seems to be unpredictable: it will connect some user accounts but not others. As soon as the firewall is turned off it works. This also seems to be an issue if I try to add the rules manually. There seems to be some kind of bug in the firewall.
Hello Christopher Graham
We haven't received such a complaint about Plesk firewall functionality yet. There's a possibility that some custom rules are leading to the issue.
Could you submit a request for Plesk Support to have this investigated in detail: https://support.plesk.com/hc/en-us/articles/213608509
6308 sw-cp-server, 11443 sw-cp-server, 11444 sw-cp-server ports are still needed?
Hi Ioan Suceveanu for 12.x versions and above these ports are not required.
I can not open port 20/tcp help me!
Hello Nguyen Minh Tuan
How the port should be opened depends on where the server is hosted. I would suggest contacting your server provider or searching their documentation portal.
Hi Plesk Team,
I'm hosting a simple web server on a Vultr Plesk container and using Cloudflare for a CDN. No FTP, mail, or other services.
We have IPv4 and IPv6, both working well, and using the pre-Plesk firewall Vultr provides to filter incoming traffic.
Question 1: Do I need to allow ports 8443, 8447, and 8880 on the IPv6 side as well? Or is IPv4 sufficient?
Question 2: The Vultr firewall allows you to define the incoming packet sources as Anywhere, Cloudflare, or Custom. For the 3 ports that Plesk requires for its own use, could I use Cloudflare for that? Or perhaps Plesk has an IP address that it has dedicated for those purposes? Currently those 3 ports are set to Anywhere and working as expected.
Many thanks!
Hi Jens Brewer,
Q1: Depends, would you connect to Plesk over IPv6? If so, then you need to allow the ports.
Q2: I would say you should leave it set to Anywhere.
If it works, don't touch it :)
Francisco,
Thanks for the quick reply.
I'm connecting over IPv4 (8443), so I can probably delete the IPv6 rules then.
The Plesk auto-updater on port 8447, that's only IPv4? or will it use IPv6 as well, given the chance?
Cheers.
Can I block 8443 and allow just for my IP address?
Hi Dinara Tsydenova,
May I ask, on what part/rule of the Plesk Fire Wall would the Plesk Update be white listed to access the server?
And, what Plesk IP should be white listed on such rule, for the Plesk update to properly function?
And, if it uses 8447, what grants it access to the server, or on the other hand, may block its access?
Hello, @Zk Jelf!
Yes, you can allow access only for your IP. In this case, access to Plesk via 8443 (HTTPS) will be possible only from your IP. Note that Plesk also works on port 8880 (HTTP).
Hello, @Ehud Ziegelman
Please contact Plesk Support directly to consider your question in greater depth.