What ports do I need to open in my firewall?

A table of all ports and services.

PortService NameComment
20,21FTPFTP will use a "random high port number" if the client is in PORT mode, so you may need to add a port range into your /etc/proftpd.conf file to allow FTP connections, e.g., PassivePorts 35000 35999, and then open that same port range as well in your firewall
22SSHdefault port for SSH access
25,587EximSMTP for Exim to receive email
53NamedTCP and UDP, so your sites resolve
80,443Apacha/NGINXApache or Nginx traffic, HTTP and HTTPS
110,143,993,995Dovecotclient Pop and Imap email access
2222DirectAdminAccessing panel
2703RazorOptional: RAZOR check for SpamAssassin
3306MySQLYou don't need to open this port if you don't want to allow remote MySQL access, as most MySQL scripts are all accessed locally.

I need a firewall. What are my options?

You should be running a firewall!

The firewalls that come with your system don't usually have the required ports open, nor do they have the ability to automatically block attacking IPs.

Starting from DirectAdmin version 1.61.0open in new window the direct CSF integration were implemented. Strongly recommend using it with Brute Force Monitor, check this howto article.


For FTP with TLS, you must explicitly tell iptables to open ports 35000-35999 because ip_conntrack_ftp cannot decrypt the FTP data port, so it can't open it on the fly.

For CSF: in new window

For block_ip/iptables: in new window

Last Updated: