Addon Domain Security

Discussion in 'Security' started by bigdavep, Mar 30, 2010.

  1. bigdavep

    bigdavep Registered

    Joined:
    Mar 30, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    I am thinking about getting hosting from a company that runs cPanel, as they do unlimited domains, unlimited MySQL DBs, unlimited disk space and unlimited bandwidth.

    I need to know before I proceed: cPanel puts the addon domains into the public_html folder of the controlling domain. My concern is, can different addon domains see the files of other addon domains within the main account? I do not want DomainB.com or DomainC.com to see any of my controlling DomainA.com files or each other's files at all, which happened with my second from last host called Streamline.net, which I thought was a significant security breach.

    Also, can each addon domain run independent SSL certificates if any need to have ecommerce features?

    I appreciate any help anyone can give.

    BigDaveP
     
  2. Cleverhosting

    Cleverhosting Member

    Joined:
    Mar 30, 2010
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Hi Bigdavep,

    I have a client who has similar requirements to yourself.

    He has his main site set up, then has add-on domains which reside within the main public_html directory. If the FTP account details are set up correctly for the new add-on domain's directory (which cPanel does do) it locks the user into that directory.

    I would advise you test this yourself before issuing the new details to the user in question, but in my experience this has worked well, and they shouldn't be able to see other users' / the main domain's files.

    If you have any other questions, I'd be happy to help. I could even offer a free account on my hosting box for you to play around with and see if it is suitable for your requirements.

    Kind Regards,

    Keith.
     
  3. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    This is a very bad idea and I would personally recommend that you think twice about getting an account at that company based on the last part of that statement "unlimited disk space" and "unlimited bandwidth".

    There is physically no such thing as "unlimited" disk space or bandwidth and when hosts tell you this, they really mean that they don't give you any preset and pre-defined limits on your usage up front in advance. However, they are not by any means "unlimited" or anywhere close.

    Hosts who market themselves this way tend to be heavily overcrowded mainly because a lot of people like yourself are often misled by this false belief they will get infinite resources --- they do not.

    Also by the very definition of the word "unlimited" you would have to be "overselling" because there is no such thing as "unlimited" drives (I wish! :) ) and for those who don't know what that term means, basically it is where a host allocates the same resources between multiple clients and is only really available to the first one who uses it or allocates resources that they don't really have in the first place as you can set the limits shown in cPanel quite literally to anything you wish to show as your limits so this practice is very common in the hosting industry.

    Hosting providers that advertise "unlimited" space usually are the worst offenders at overselling. Ironically, you are likely to get a fraction of the space, capacity, and resources on a host advertising "unlimited" as one that tells you straight up front what your actual real usage limits are.

    This is something you should probably consider when deciding on that.

    Sounds to me like you don't want to use "addon" domains on a single hosting account but rather put each domain in its own hosting account which allows you to do what you asked in your next question about having separate SSL certificates for each domain.

    Instead of a single cPanel account, I would recommend either getting a reseller account someplace or setting up your own server such as a cloud VPS or dedicated server and then putting each domain on its own cPanel account with its own IP address and own SSL certificate.

    Doing things this way, each domain will be isolated all its own and not have any cross access problems and you can keep everything very tidy and distinctly separate from one another yet at the same time still be able to manage all your accounts under a single common WHM login.

    See last paragraph above ...
     
  4. bigdavep

    bigdavep Registered

    Hi Keith,

    thanks for the quick reply.

    I am happy the FTP for it would tie itself down to the domain. My issue is when I worked with someone who had a similar setup (not cPanel, something else) with Streamline.org, the Joomla sites being installed (and custom tools I made to confirm this) were able to browse outside of the addon domain where they could then browse into other addon domains (this is on the web side, not backend), which was the reason we switched hosts as our clients (and we) saw this as a major security issue.

    I need to be absolutely sure that if I had DomainB.com installed at /public_html/domainb.com/ that any web files (PHP or any other tools) can browse back from there to see the contents of /public_html/ or /public_html/domainc.com

    I have also seen some threads on here that mention when they go to DomainB.com the URL shows DomainA.com/DomainB.com, is this true?

    Cheers for any help you can give me

    BigDave
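
An added example, not part of any post in this thread: a small shell audit for the question raised above, run as the user the web scripts execute as. It assumes the layout the thread describes (addon-domain folders under one account's public_html, all owned by that account's user); the function names and the demo tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit docroot separation.
# The paths are assumptions; on the layout described in the thread they
# would be the addon-domain folders under the account's public_html.

# owner_uid DIR -> numeric UID that owns DIR (portable: parses `ls -ldn`).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# shared_owner_pairs DIR... -> one line "uid dirA dirB" for every pair of
# directories owned by the same UID. With a common owner, Unix file
# permissions cannot keep code running in dirA out of dirB.
shared_owner_pairs() {
    while [ "$#" -gt 1 ]; do
        a=$1; shift
        ua=$(owner_uid "$a")
        for b in "$@"; do
            [ "$ua" = "$(owner_uid "$b")" ] && printf '%s %s %s\n' "$ua" "$a" "$b"
        done
    done
    return 0
}

# listable_siblings PARENT SELF -> sibling directories of SELF under PARENT
# that the current user can list and enter, i.e. what a script running from
# SELF as this user would be able to browse.
listable_siblings() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        [ "$d" = "${2%/}" ] && continue
        [ -r "$d" ] && [ -x "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# make_demo_tree -> builds a constructed public_html with two addon folders
# (names taken from the thread) and prints its path. domainc.com is set to
# mode 700 to show that tight mode bits do not help when the owner is shared.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/public_html/domainb.com" "$t/public_html/domainc.com"
    chmod 700 "$t/public_html/domainc.com"
    printf '%s\n' "$t/public_html"
}
```

Any pair reported by `shared_owner_pairs` has no OS-level separation; docroots that belong to separate accounts, as recommended later in the thread, have different owners and are not reported.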
     
  5. Cleverhosting

    Cleverhosting Member

    Hi Bigdave,

    You're welcome.

    I now fully understand your predicament, yes; this is quite a security flaw really. I couldn't give you an in depth answer about this particular problem without further testing and analysis myself, but I do believe this could be resolved with a good configuration! With cPanel being used on Linux, naturally it's very secure from the outset due to Linux' permissions.

    As for the redirects you mention, if the add-on domains are set up correctly, then this won't be an issue. One of my clients has a setup where he has:

    maindomain.co.uk, then has an add-on domain of seconddomain.co.uk

    This would create a sub-folder underneath the main 'maindomain.co.uk' folder, e.g. /public_html/

    Upon going to seconddomain.co.uk, it shows that as its own domain, without the redirection you describe. I believe that redirection would occur because of a configuration error.

    On a second note, I would have to agree with Spiral that providers offering unlimited everything are overselling, as bandwidth and disk space (but especially bandwidth) are very very expensive. And you're opening yourself up for problems if you choose to go with someone who offers unlimited everything.

    You generally find once websites are set up / you're selling packages to people, they use a lot less than they realise, and most people tend to forget how little space is needed for their site.

    I really hope this helps. As I say, I'm happy to offer you a test account on one of my hosting boxes for you to play with and see if you can reproduce any such issues, I'd be happy to investigate with you.

    Kind Regards,

    Keith.
     
  6. Spiral

    Spiral BANNED

    Your "addon" domains you spoke of are actually for clients? :rolleyes:

    Are you completely insane?

    Knowing that even more reinforces the things I spoke of in my previous post above and I would even more deeply recommend that you move to either a reseller account or your own server.

    The "addon" domains feature in cPanel was really designed for someone who has a few personal domains of their own who might want to save a bit on getting multiple hosting accounts and just share the resources from their own personal hosting account. It was never meant to be used as hosting space for clients or client sites under you!

    That's definitely not what you want to be doing by any means!

    If you can afford to go to your own server, even a VPS server then that would probably be much more ideal for you all around.

    If you are on a very limited budget or just starting out then I would recommend looking into a reseller program.

    Either way though, you really should look at getting away from what you are doing because that is definitely not the way to be doing things.
     
  7. Cleverhosting

    Cleverhosting Member

    Hi Bigdave,

    I was trying to accommodate specifically for your request, but Spiral is right in what he is saying, having a proper reseller account in cPanel will mean all users are completely separate.

    I don't have any reseller accounts on my site, but I do custom packages, and could offer you a reseller account to play around with free of charge for a month to get your head around and see if it's good for you.

    Let me know if I can help further.

    Cheers,

    Keith.
     
  8. Spiral

    Spiral BANNED

    Just a side semi-off topic to the above comment and reflecting back to my earlier comments on the subject of "over selling" as these tie together ...

    Not all over selling is "bad" as if hosts didn't do that to a certain degree, they would end up with tons of wasted hard drive space allocating drive space to users who never use the space causing more costs and overhead to the hosts so up to a certain point, over selling is actually a good thing and helps to conserve resource waste.

    However, the flip side of that coin is what I spoke about previously and that would be the blatant over use and abuse of over selling which is all too commonplace in this industry and even more so among "unlimited" advertising providers in particular.
     
  9. Cleverhosting

    Cleverhosting Member

    Spiral,

    I partly agree with you and partly don't.

    If hosts didn't oversell, they could still have tons of space but end up with a lot more users occupying the smaller accounts, rather than fewer large spaces being occupied by people who could end up using 3% of that space.

    Blatant overselling is a problem though, I agree. I guess it depends how it's done, and the resources the host has available to them.

    For average users running blogs / personal picture sites etc, a few hundred meg to a few gig is more than adequate.
     
  10. Spiral

    Spiral BANNED

    Cleverhosting ....

    Uhm .... Dude ..... I think you may need some coffee ...

    You just agreed with me 100% entirely

    You said you "partly agree" and "partly don't" and then went on to say exactly the same thing I said almost verbatim.

    ** SLAP *** I just said the same thing! LMAO ;)
     
  11. Cleverhosting

    Cleverhosting Member

    Haha.

    Sorry Spiral, we must have just had the same ideas with different ways of saying it! I admit though, I am tired, and do need coffee!! :)
     
  12. handsonhosting

    handsonhosting Well-Known Member

    Joined:
    Feb 17, 2002
    Messages:
    151
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Omaha, NE
    cPanel Access Level:
    Root Administrator
    Just chiming in here with the others that you really should have them on separate accounts rather than mixing them into one central account.

    Also, if you're doing the separate accounts, they would then have access to their own control panel, access to create their own email addresses, view their own stats and also isolated for incidents of spamming etc making that part a little easier too.

    Putting everything under one account, while it might save you a buck or two in the beginning, will cause great headache down the road. Should one of your customers' sites have an IFRAME injection, and your host decides to shut you off due to a malware vulnerability, then ALL your sites for your customers would be offline. That creates for some angry phone calls and emails.

    Definitely going to a Reseller or VPS etc is the step that I'd suggest.
     