Brief intro about mod_userdir | open_basedir

mod_userdir

It is an Apache module that lets each user on a server have a separate website. These sites are all reached at a URL of the form:

http://servername.com/~username

E.g. http://example.com/~user/

The module is installed on most Apache setups by default, but isn't always enabled. Most mass-hosted cPanel servers make extensive use of it for a variety of reasons.

Apache's mod_userdir allows users to view their sites by entering a tilde (~) and their username as the URL on a specific host. For example, http://test.cpanel.net/~test will bring up the user test's domain.

How To Enable

1. To access the Server Setup Menu, click on Server Setup, on the main screen of your WebHost Manager interface. Then, click on Tweak Security.

2. Click on Configure in the mod_userdir Tweak section.

3. Click on the checkbox next to Enable mod_userdir Protection to enable mod_userdir Protection.

4. Click on the checkbox next to a domain's name to allow it to be accessed using ~username, if necessary.

5. Enter the name of any user, other than the domain's owner, that you wish to be able to access the domain using ~username in the blank field next to the domain's name, if necessary.

6. Click on Save.

Disadvantage

The disadvantage of this feature is that any bandwidth used by the site is counted against the domain it is accessed under.

Mod_userdir protection prevents access to a domain through domain.com/~user. You may however want to disable it on specific virtual hosts (generally shared SSL hosts).

open_basedir

Enable open_basedir

Set open_basedir to allow access only to the required portions of the filesystem, like your web site's documents and any shared libraries.

You can set open_basedir in the php.ini file:

; Set open_basedir to the

open_basedir = /var/www/foo.bar/:/usr/local/php/

The setting can also be applied in Apache's httpd.conf file, or an .htaccess file:

# Set open_basedir to a safe location

php_value open_basedir /var/www/foo.bar/:/usr/local/php

WHM

Steps :

1. To access the PHP open_basedir Tweak feature, click on Security, on the main screen of your WebHost Manager interface.

2. Then click on Security Center.

3. Then click on PHP open_basedir Tweak.

4. Click on Configure in the PHP open_basedir section.

5. Click on the check box next to Enable PHP open_basedir Protection to enable PHP open_basedir Protection.

6. Click on a check box next to a domain name to allow them to open files outside of their home directory with PHP, if necessary.

7. Click on Save.

Plesk: If you're using the Plesk hosting control panel, you may need to manually edit the vhost.conf and vhost_ssl.conf Apache configuration files, and add or edit the php_admin_value open_basedir lines as follows:

<Directory /full/path/to/the/directory/httpdocs>

php_admin_value open_basedir none

</Directory>

<Directory /full/path/to/the/directory/httpdocs>

php_admin_value open_basedir /full/path/to/dir:/full/path/to/directory/httpdocs:/tmp

</Directory>

Note: For SSL hosts in the vhost_ssl.conf file, the Directory path will end with httpsdocs instead of httpdocs.

Disable Manually

Open the httpd.conf file and search for the line that starts with the following characters:

php_admin_value open_basedir ..

Replace the whole line, under the virtual host for the domain's user account, with:

php_admin_value open_basedir none

Add Additional Directories

You can instead allow your PHP scripts to access an additional directory without disabling the protection. For example, to add /new_directory to the allow list, change the first line below to the second:

php_admin_value open_basedir /home/user_account/:/usr/lib/php:/usr/local/lib/php:/tmp

php_admin_value open_basedir /home/user_account/:/usr/lib/php:/usr/local/lib/php:/tmp:/new_directory

Restart Apache after you have finished editing.
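As an added example (not part of the original article and not cPanel or Plesk tooling), the Python check below reads Apache configuration text and reports, per virtual host, where open_basedir is disabled with none, missing, set with php_value (which .htaccess can override where AllowOverride permits it, unlike php_admin_value), or widened to /. The sample configuration, host names and function name are constructed for illustration.

```python
import re

# Constructed sample in the style of the httpd.conf lines discussed above.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:80>
    ServerName alpha.example
    php_admin_value open_basedir /home/alpha/:/usr/lib/php:/usr/local/lib/php:/tmp
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName beta.example
    php_admin_value open_basedir none
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName gamma.example
    php_value open_basedir /home/gamma/:/
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName delta.example
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
BASEDIR_RE = re.compile(
    r"^\s*(php_admin_value|php_value)\s+open_basedir\s+(\S+)", re.M | re.I)

def audit_open_basedir(conf_text):
    """Return {ServerName: [findings]} for every <VirtualHost> block."""
    report = {}
    for body in VHOST_RE.findall(conf_text):
        name_match = NAME_RE.search(body)
        name = name_match.group(1) if name_match else "(unnamed)"
        settings = BASEDIR_RE.findall(body)  # commented-out lines do not match
        findings = []
        if not settings:
            # The php.ini or server-wide value, if any, applies instead.
            findings.append("no open_basedir line in this virtual host")
        for directive, value in settings:
            value = value.strip('"')
            if value.lower() == "none":
                findings.append("protection disabled (none)")
                continue
            if directive.lower() == "php_value":
                findings.append("set with php_value, which .htaccess can override")
            if "/" in value.split(":"):
                findings.append("allow list contains /, the whole filesystem")
        report[name] = findings
    return report
```

Pass it the contents of httpd.conf (or a Plesk vhost.conf wrapped in its virtual host) and review every host whose list of findings is not empty.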

Article Authored by Ajith KK

Author, Ajith KK, is a Systems Engineer with SupportPRO. Ajith specializes in L1 and L2 Linux/Windows administration. SupportPRO offers 24X7 technical support services to Web hosting companies and service providers.


SuPHP, a brief Intro

suPHP

suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.

Main Features of SuPHP

suPHP provides an additional layer of protection on servers. It causes PHP scripts to run under the account's username instead of the user nobody, which is the user that Apache/PHP would run under on a server that is not running suPHP.

This feature allows us to more easily track any potential security breaches that come in via insecure PHP script(s) that a user is running.

suPHP also does away with the requirement of using 777 permissions on directories/files that need write permission. In fact, if a directory and/or file has its permissions set to (CHMOD) 777 and it is accessed via a browser, then an internal server error 500 will be generated. The highest level of permissions that a user can use on a suPHP-enabled server is 755. This permission setting is sufficient for any directories/files that need to be written to.

Continue reading…

Fantastico De Luxe .. An Overview !!

Fantastico De Luxe

Fantastico De Luxe is the leading autoinstaller for cPanel servers.

With more than 10.000 installations, it provides more than one million end users the ability to quickly install dozens of the leading open source content management systems into their web space. It integrates with your cPanel and gives you the ability to install multiple instances (*) of any of these scripts. The scripts are listed below:

Continue reading…

SSH Securing and Keygen ..

SSH Securing

What is SSH.. ?

  • Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. It is used primarily on Linux and Unix-based systems to access shell accounts.
  • SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, leaving them open for interception. The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.
  • SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
  • SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 connections; it can transfer files using the associated SFTP or SCP protocols.
  • SSH uses the client-server model.

Continue reading…