Understanding Mod_userdir Module

By on August 4th, 2016

The mod_userdir module allows access to a user’s home page through a temporary URL with the /~user/ syntax, such as http://ipaddress/~user, where “ipaddress” may be replaced with the server’s hostname or any domain name that points to the server whose content you wish to check.


Having mod_userdir enabled poses considerable security risks and vulnerabilities:

1) Usernames are exposed. It is possible to access the different websites hosted on the server through the same domain name (the server’s IP address or hostname) by replacing only the /~user/ part (e.g., http://ipaddress/~user1, http://ipaddress/~user2, http://ipaddress/~user3, and so on), which makes hosted accounts more vulnerable to hacking attacks.

2) When the mod_userdir module is used to access a website, the traffic is added to the total of the user through which visitors access the site, not to the bandwidth usage of the user who actually owns the site.

3) mod_userdir should be disabled for root access in order to protect the server from modification by non-root users; therefore, you need to include “UserDir disabled root” in your configuration.
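The following audit sketch is an added example, not code from this page or from Apache or cPanel. It reads UserDir lines from configuration text and checks the two conditions named in points 1 and 3: whether root is explicitly disabled and whether /~user/ mapping is limited to named users. The function names and the sample configuration are constructed for illustration, and all directives are treated as one scope (virtual host merging is not modelled).

```python
# Constructed sample configuration for this example (not from a real server).
SAMPLE_CONF = """\
# per-user web directories
UserDir public_html
UserDir disabled
UserDir enabled alice bob root
UserDir disabled root
"""

def parse_userdir(conf_text):
    """Collect UserDir keywords, treating the whole text as a single scope."""
    state = {"global_disable": False, "enabled": set(), "disabled": set()}
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#") or parts[0].lower() != "userdir":
            continue
        keyword, names = (parts[1].lower() if len(parts) > 1 else ""), parts[2:]
        if keyword in ("disabled", "disable"):
            if names:
                state["disabled"].update(names)   # these users are never mapped
            else:
                state["global_disable"] = True    # off unless enabled by name
        elif keyword in ("enabled", "enable"):
            if names:
                state["enabled"].update(names)    # exceptions to a global disable
            else:
                state["global_disable"] = False
        # any other argument is a directory pattern such as public_html
    return state

def userdir_allowed(state, user):
    """True if /~user/ would be translated under the collected keywords."""
    if user in state["disabled"]:
        return False                      # an explicit disable always wins
    if state["global_disable"]:
        return user in state["enabled"]   # only named exceptions pass
    return True

def audit(conf_text):
    """Return findings for root exposure and for unrestricted /~user/ mapping."""
    state = parse_userdir(conf_text)
    findings = []
    if "root" not in state["disabled"]:
        findings.append("root is not listed in a 'UserDir disabled' line")
    if not state["global_disable"]:
        findings.append("no global 'UserDir disabled': /~user/ is not limited to named users")
    return findings
```

In the sample, root appears in both an enabled and a disabled line; the disabled line takes precedence, so the audit reports nothing.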

As you may know, we aim to introduce the latest technology in order to protect your account and data at all times. The mod_userdir module is currently disabled on our shared servers, which allows us to raise the security level and reduce the chances of your account, as well as the server, being hacked. This is in line with our highest security standards and lets us give you the level of security you expect from us.

Of course, it is possible to disable/enable Apache mod_userdir for different accounts with root access, which is available on our VPS and dedicated servers only. To do so, log in to your WHM with the root details > go to Security Center > choose Apache mod_userdir Tweak. To allow or prevent website access through the mod_userdir module, do the following:

1) Check/uncheck the Enable mod_userdir Protection checkbox.

2) When mod_userdir Protection is disabled, some specific users might still want to use mod_userdir; select the appropriate Exclude Protection checkboxes to make mod_userdir available for these users.

3) If you have selected the Exclude Protection checkbox, it is possible to allow additional users to access these hosts through the mod_userdir module. To do this, enter their usernames in the Additional Users text box (to enter multiple users, separate each account username with a space).

4) You can allow users to access their accounts through the mod_userdir module without using any bandwidth by selecting the Exclude Protection checkbox for DefaultHost (nobody).

5) Click Save to save your changes.


mod_userdir security Enabled:

Before you enable the mod_userdir module, be aware of the following information: Java servlets don’t work with mod_userdir-based URLs. This is because Tomcat requires that you add additional directives to the virtual host. open_basedir protection restricts PHP’s access to the home directory of the user who owns the base domain, not the home directory of the user account that a visitor accesses. If you enable open_basedir protection in WHM’s Apache mod_userdir Tweak interface (Home >> Security Center >> PHP open_basedir Tweak), visitors can’t access some sites through the mod_userdir module.

Under certain conditions, a user can attack another user’s account if they access a malicious script through a mod_userdir URL. Sites that use mod_rewrite or other directives in their .htaccess files won’t work correctly when visitors view them through mod_userdir URLs. If you enable Apache’s mod_ruid2 module, the mod_userdir module won’t work correctly.


mod_userdir security Disabled:

Before you disable mod_userdir security, be aware of the following information: While this WHM feature allows you to restrict mod_userdir functionality, it doesn’t remove the module itself. Some PCI compliance scans may still detect it. This feature does not list IP addresses because the mod_userdir module uses virtual hosts. You can’t use IP addresses to configure this feature. If you don’t protect the default host, you can access the server’s main IP address through the mod_userdir module in most cases.


If you need any further assistance, please contact our support department.


