---
title: "Close Open Ports for PCI Compliance"
description: "If you've read our previous article on how to pass PCI compliance scans, you might have recently failed a PCI scan and are curious about what needs to be done to pass. One of the most common PCI..."
url: https://www.inmotionhosting.com/support/security/close-open-ports-for-pci-compliance/
date: 2012-11-05
modified: 2025-04-08
author: "InMotion Hosting Contributor"
categories: ["Security"]
type: post
lang: en
---

# Close Open Ports for PCI Compliance

If you’ve read our previous article on [how to pass PCI compliance scans](/support/security/how-to-pass-pci-scans/), you might have recently failed a PCI scan and are curious about what needs to be done to pass. One of the most common PCI compliance requirements for passing a PCI scan that fails is the use of [open ports](https://www.inmotionhosting.com/support/server/ssh/port-scan-with-nmap/) on the server that have been deemed insecure by your PCI scanning vendor.

In this article we’ll discuss how to use your [root access](/support/server/ssh/root-access-faq/) on your server to [login with SSH](/support/server/ssh/how-to-login-ssh/) to disable specific open ports on the server that could be causing you to fail a PCI compliance scan. It’s also important to mention that just because your PCI compliance vendor fails your website for an open port, it might not necessarily be an actual security risk, and most will allow you to challenge their initial findings as a false positive.

## Common False Positives

The following common ports might show up in a failed PCI scan:

- **2082** – cPanel
- **2083** – cPanel SSL
- **2086** – WHM – Web Host Manager
- **2087** – WHM – Web Host Manager SSL
- **2095** – Webmail
- **2096** – Webmail SSL
- **3306** – MySQL Remote Connections

These ports are used to access the cPanel, WHM, and webmail interfaces from a web-browser. With the last one being for remote MySQL connections. Sometimes leaving the MySQL port open is fine, since you still have to provide a valid user to login to any databases, but it’s up to your PCI vendor’s discretion on if they’ll allow it to be left open.

## Closing a Port in APF (Advanced Policy Firewall)

Using the steps below we’ll walk you through logging into your server and disabling the remote MySQL port 3306 in your firewall.

1. [Login to your server via SSH](/support/server/ssh/how-to-login-ssh/) as the root user.
2. First make a copy of your **apf** firewall configration file with the following command:cp -frp /etc/apf/conf.apf{,.backup}This will create a [**/etc/apf/conf.apf.backup**] file for you.
3. You’ll want to edit the **apf** firewall configuration file, which can be done with the following command which will use the **vim** text editor:vim /etc/apf/conf.apfWhen **vim** is first loaded you’ll be in edit mode, meaning if you type something it doesn’t get inserted into the document.[![vim-editing-firewall-edit-mode](https://www.inmotionhosting.com/support/wp-content/uploads/2012/11/website_website-troubleshooting_pci-compliance_vim-editing-firewall-edit-mode.png)](/support/wp-content/uploads/2012/11/website_website-troubleshooting_pci-compliance_vim-editing-firewall-edit-mode.png)We know that we want to find port **3306** so we type in a forward slash **/** which is the **vim** command for find and you’ll notice it drops your cursor to the bottom of the screen and now it allows you to type.[![vim-editing-firewall-find-mode](https://www.inmotionhosting.com/support/wp-content/uploads/2012/11/website_website-troubleshooting_pci-compliance_vim-editing-firewall-find-mode.png)](/support/wp-content/uploads/2012/11/website_website-troubleshooting_pci-compliance_vim-editing-firewall-find-mode.png)Go ahead and enter **3306** and press **Enter** and you’ll get dropped to the first instance of **3306** in the file with it highlighted. This is on the **IG_TCP_CPORTS** line of the firewall configuration which are the common allowed inbound TCP ports.[![vim-editing-firewall-find-results](https://www.inmotionhosting.com/support/wp-content/uploads/2012/11/website_website-troubleshooting_pci-compliance_vim-editing-firewall-find-results.png)](/support/wp-content/uploads/2012/11/website_website-troubleshooting_pci-compliance_vim-editing-firewall-find-results.png)Now because your cursor is right at where **3306** begins you can simply hit the **Delete** key on your keyboard **5** times, 4 of those will get rid of **3306** and the 5th will get rid of the extra comma left over.[![vim-editing-firewall-find-delete](https://www.inmotionhosting.com/support/wp-content/uploads/2012/11/website_website-troubleshooting_pci-compliance_vim-editing-firewall-find-delete.png)](/support/wp-content/uploads/2012/11/website_website-troubleshooting_pci-compliance_vim-editing-firewall-find-delete.png)Now hit the colon **:** key to enter command mode, and type in **wq** to (w)rite the file and (q)uit the vim editor.[![vim-editing-firewall-find-save-and-quit](https://www.inmotionhosting.com/support/wp-content/uploads/2012/11/website_website-troubleshooting_pci-compliance_vim-editing-firewall-find-save-and-quit.png)](/support/wp-content/uploads/2012/11/website_website-troubleshooting_pci-compliance_vim-editing-firewall-find-save-and-quit.png)
4. Now restart the **apf** firewall service with the following command:service apf restartYou’ll see a long list of information scroll by and at the end of it you should see:apf(1734): {glob} default (egress) output acceptapf(1734): {glob} default (ingress) input dropapf(1673): {glob} firewall initializedapf(1673): {glob} fast load snapshot savedPort **3306** should now be blocked to the outside world.

You should now know how to disable ports on your server’s firewall to help pass PCI compliance scans. It’s important to note that changing your firewall settings could potentially lock you out of your server if done incorrectly, so please take caution when doing these edits yourself and contact us if you run into any problems.
