The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

add-on domain, 2 questions

Discussion in 'Workarounds and Optimization' started by ozzieonline, Dec 24, 2012.

  1. ozzieonline

    ozzieonline Well-Known Member

    Joined:
    Dec 20, 2012
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hi guys,

    I've got 2 questions about add-on domains.

    1) When I create an add-on domain I have to fill in a password. What is this password used for? Is it only used for FTP access? Here is the deal. After I create an add-on domain I delete the corresponding FTP-account (that was also automatically created) because my customers don't get FTP access. But now I wonder if the password is only used for FTP-access. If so, I don't need to put much effort in setting the password, since I'll be deleting the FTP-account anyhow. But maybe there is something else that requires this password, and therefore a simple "12345" might not be the best solution... :eek:
    Any advice on this one?

    2) When I create an add-on domain, a subdomain is created as well. Is there a way to disable this behaviour?

    Any help would be appreciated. I'm already happy if you can answer 1 of these 2 questions!
     
    #1 ozzieonline, Dec 24, 2012
    Last edited: Dec 24, 2012
  2. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    An addon domain is a special type of subdomain that can also be accessed by a domain name. The password is for the FTP account for that subdomain. There is no way to disable the creation of the subdomain, because that would defeat the purpose of the addon domain.

    If you do not want to have a subdomain or an FTP account, use a parked domain instead. A parked domain is just an alias to a domain, nothing more.

    Parked and addon domains are explained in more detail in our documentation here:

    cPanel Domains
     
  3. ozzieonline

    ozzieonline Well-Known Member

    Joined:
    Dec 20, 2012
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Thanks for your reply. However a parked domain is definitely not what I'm looking for. Your documentation says "Parked domains are domains that you own that do not contain any content. Parked domains do not have any email address or web pages associated with them."

    I want to set an add-on domain with it's own content and e-mail addresses. I want it to be accessible like this "www.myaddondomain.com" but not like this "myaddondomain.mymainwebsite.com". You understand what I mean? I can fix this with some rewrite rules, but for me it would be easier if a subdomain wasn't even created in the first place.

    Are you sure the password is only used for FTP access? So I don't have to set a complex password because I will delete the FTP account immediately after creating it. Is this 100% correct?
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    There is no need to delete anything, but there is a good reason to use a strong hard to guess password. Whether you use this functionality or not, its there, for example, if I wanted to give my Mom her on webspace. She could login with those addon domain details and update her webpage.

    If your users won't be uploading anything, set a strong password and you're done. Only you still have access to all files as you are root user for that cPanel account, your user has no way to login, you never gave him the password.

    No. Well... when creating an addon domain, IIRC, you could try and set the path to this: .
    (thats a dot, or period)

    That creates the addon directory outside the public_html
     
  5. ozzieonline

    ozzieonline Well-Known Member

    Joined:
    Dec 20, 2012
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Sorry, I don't get this:

    "There is no need to delete anything, but there is a good reason to use a strong hard to guess password. Whether you use this functionality or not, its there, for example, if I wanted to give my Mom her on webspace. She could login with those addon domain details and update her webpage."

    I do not want to give anyone FTP access. Since I use add-on domains, ginving someone FTP access would mean he/she would have not only access to his/her own domain, but to all domains! That is a no go. So, that is why I want to delete all FTP accounts except the FTP account fot the cPanel root user.

    My question is: when I create an add-on domain I have to set a password. Will this password be used for anything else then the (automatically generated) FTP account? If so, I can type a simple password like "12345" because I will delete the FTP account immediately after creation. However, I need to be sure that the password is only being used for the FTP account (and not for example for SSH access!). Do you understand what I mean?
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    The only way they can login via FTP is if you give them that password. So, don't give it to them if that's what you want. But there is no reason to delete anything.

    That's also, not correct. Logging in via an Addon domain's login details, give the user access to the addon domain, only.


    Addon domains will not have SSH access.
     
  7. ozzieonline

    ozzieonline Well-Known Member

    Joined:
    Dec 20, 2012
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    But what is wrong about deleting FTP access? Can you clarify, because I don't see the problem. A customer can not have FTP access, so then why shouldn't I delete the FTP account? If I get 100 customers, then why should I have 100 extra FTP-accounts which are not being used, while being 100 more extra options for a hacker to get into my system? Please share your vision because I don't understand it.

    Besides the question whether I should or should not delete the FTP-account... can you confirm that the password I enter when creating an add-on domain is used for the FTP-account only and for nothing else?

    Allright, I didn't know that... but still I don't want customers to have FTP access.
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You don't want to have 100 customers all on 1 account, setup with addon domains. It's not that you couldn't do that, but managing them can be problematic, as you've stated yourself:
    If a hacker gets into one compromised wordpress blog in an addon domain on that one account, he would have access to all addon domain directories, or, the entire account. That one cPanel account.

    A more appropriate way to go would be to setup your Packages and Features for those Packages properly, and then create individual cPanel accounts.

    Yes the login details for the addon domain are only for login to the addon domain.

    Customers need access to their files. If you don't provide that and all your customers websites are addon domains, you'll be managing those 100 addon websites yourself. Is that what you're looking to do?

    Good luck with that.
     
  9. ozzieonline

    ozzieonline Well-Known Member

    Joined:
    Dec 20, 2012
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Yes, actually that is what I'm looking for. Trust me, I thought this over very well. I make a website for a customer and he/she can edit the website through a custom control panel.

    Why I want to work with addon domains is because I want the websites to be able to share the same files (images) and control panel. If they would be seperate cPanel accounts, they could not have access to the "general" files which would mean that I have to copy all the necessary files for the control panel and templates to each individual cPanel account. That is why I choose to use addon domains.

    I will not be using WordPress, but please do explain what you mean by this. If there is no FTP-account, then how can it be hacked?If you have good arguments that could be a reason for me NOT to delete the FTP-account, but please clarify what you mean exactly.

    (By the way, I really do appreciate your help!)
     
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You're certainly welcome. Not sure how helpful I'm being here though.

    To answer your question in a nutshell: all files, in all addon accounts, are all owned, by the same user. You.
    Not the addon account owner.

    Many folks before you have started out by offering addon domains as you're planning to do. Management becomes a problem in time, trust me on this. Every time a user needs a file added to the account, you'll be contacted. Every time a user needs to add a new email account, you'll be contacted. Every time someone wants to upload a new image to be displayed on the website, you'll be contacted.

    That's fine short term, but trust me when I say this, that's going to make you nuts. That's not added security.
     
  11. ozzieonline

    ozzieonline Well-Known Member

    Joined:
    Dec 20, 2012
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Thanks Infopro. I understand your concerns. But for now I would still like to do it this way. It's a personal choice.

    My main question is: if I delete the FTP-account of an addom domain, does or does not this raise a security issue, and if so... how?
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Deleting the login details for the Addon domain does not decrease or increase any security concerns. There is no need to delete it though. Give it a strong hard to guess password. Set it and forget it. It's there when you want to change the password later.
     
  13. ozzieonline

    ozzieonline Well-Known Member

    Joined:
    Dec 20, 2012
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Why would I want to change the password?

    Let's say in time my VPS contains 500 websites. Customers do NOT get FTP access. If I don't delete the FTP-acoounts for these 500 sites, it would mean there are 500 FTP acconts. This means there are 500 possible entries to my VPS. Do you agree?

    So why shouldn't I delete these 500 entries and this way strengthen my security?
     
Loading...

Share This Page