Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Include Page
LIB:_VersionVersion68
LIB:_VersionVersion68

( WHM >> Home >> Server Configuration >> Tweak Settings )

Table of Contents
stylenone

...

Excerpt

Allow autocomplete in login screens.

This setting specifies whether users can save their cPanel, WHM, and Webmail passwords in the browser's cache.

This setting defaults to On.

CGIEmail and CGIEcho

This setting controls controls whether CGIEmail and CGIEcho exist on the system. These two legacy cgi-sys scripts interpret files in a user's public_html directory directory as potential input templates if they contain square bracket ([   ]) characters.

Include Page
LIB:_CGIx3only
LIB:_CGIx3only

This setting defaults to On for backward compatibility.

 

Hide login password from cgi scripts

This setting hides the REMOTE_PASSWORD variable from scripts that the cpsrvd daemon's CGI handler executes. Set this value to On to hide the REMOTE_PASSWORD variable.

Include Page
LIB:_CGIx3only
LIB:_CGIx3only

This setting defaults to Off.

Note
titleNote:

This setting does not hide the REMOTE_PASSWORD variable from phpMyAdmin.

 

Cookie IP validation

Warning
titleImportant:

We strongly recommend that you do not rely on cookie-based IP validation.

This setting validates IP addresses for cookie-based logins. Enable this setting to deny This denies attackers the ability to capture cPanel session cookies in order to gain access to your server's cPanel and & WHM interfaces.

Select You can select one of the following options:

  • disabled — Does The system does not validate IP addresses.
  • loose — The system requires that the access IP address and the cookie IP address must address must be in the same class C subnet.
  • strict — The system requires that the access IP address and the cookie IP address must match address match exactly. 

This setting defaults to strict.

Note
titleNote:

If When you enable this setting, we recommend that you also disable the the Proxy subdomain settings settings in the Domains section of the Tweak Settings interface (Home WHM >> Home  >> Server Configuration >> Tweak Settings).

 

Generate core dumps

This setting specifies whether cPanel & WHM’s services create core dumps. Use You can use core dumps to debug a service.

This setting defaults to Off.

Warning
titleWarning:

Core dumps contain sensitive information. Make certain that you keep them secure.

 

Send passwords when creating a new account

This setting allows you to send new users their passwords in plaintext over email when you create a new account.

This setting defaults to Off.

Warning
titleWarning:

We strongly recommend that you do not enable this setting

. It is

to avoid a security risk.

Enable File Protect

This option setting enables EasyApache's FileProtect module, which improves the security of each user’s public_html directory.

This setting defaults to On.

Blank referrer safety check

This setting only permits cPanel & WHM to perform functions when the browser provides a referral URL. Each attempt to submit data to cPanel & WHM must have a referral URL. This helps the system to prevent cross-site request forgery (XSRF) attacks.

This setting defaults to Off.

Warning
titleWarning:

Exercise caution when you enable this setting. It may This setting can break the system's integration with other systems, login applications, and billing software.


Note
titleNote:

The visitor or application that queries the server must enable cookies for this setting to take effectfunction.

 

Referrer safety check

This setting only permits cPanel & WHM to perform functions when the browser provides a referral URL that exactly that exactly matches the destination URL. Each attempt to submit data to cPanel & WHM must have a referral URL for which the domain or IP address and port number exactly match those of the destination URL. This helps the system to prevent cross-site request forgery (XSRF) attacks.

This setting defaults to Off.

Warning
titleWarning:

Exercise caution when you enable this setting. It may This setting can break the system's integration with other systems, login applications, and billing software.


Note
titleNote:

The visitor or querying application must enable cookies for this setting to take effectfunction.

 

Require SSL for cPanel Services

This setting requires that passwords and other sensitive information use SSL encryption.

This setting defaults to On.

Note
titleNote:

We strongly recommend that you enable this setting.

 

Allow PHP to be run when logged in as a reseller to WHM

This setting allows you to specify whether resellers can enables resellers to run PHP code in WHM. WHM's PHP code runs as the root user.

This setting defaults to Off.

Warning
titleWarning:

Exercise caution when you enable this setting. WHM's PHP code runs as the root user. 

 

Allow apps that have not registered with AppConfig to be run when logged in as a reseller in WHM.

This setting allows you to specify whether unregistered allows unregistered AppConfig applications can to run when you log in to WHM as a reseller. If When you disable this setting, resellers can only run registered AppConfig applications.

This setting defaults to Off.

 

Allow apps that have not registered with AppConfig to be run when logged in as root or a reseller with the "all" ACL in WHM.

This setting allows you to specify whether unregistered AppConfig applications can to run when you log in as a root user. If When you disable this setting, a root users user can only run registered AppConfig applications.

This setting defaults to Off.

 

This setting allows WHM applications and addons to execute even if an ACL list has not been defined.

This setting allows

you to control whether

registered AppConfig applications and addons to run

if

without a

required

defined ACL

is not defined

list.

If

When you disable this setting, cPanel & WHM forces registered AppConfig applications and addons to set an ACL list

before they run

.

This setting defaults to Off.

 

This setting allows cPanel and Webmail applications and addons to execute even if a feature list has not been defined.

This setting allows

you to control whether

registered AppConfig cPanel and Webmail apps

can

to run

if

without a defined required features list

is not defined

.

If

 When you disable this setting, cPanel & WHM forces registered AppConfig cPanel and Webmail apps to set a Required Features list

before they run

.

This setting defaults to Off.

 

Use MD5 passwords with Apache

This setting specifies whether the system uses MD5 hashing for new passwords in Apache .htpasswd files. When you disable this option, Apache uses crypt hashing. Because Apache .htpasswd files can contain a mix of crypt- encoded and MD5-encoded passwords without issue, this setting does not change the encoding of any existing passwords.  

This setting defaults to On.

Note
titleNoteNotes:
  • When you disable this setting, Apache uses crypt hashing.
  • MD5-encoded passwords
are
  • provide more
secure
  • security than crypt-encoded passwords. Crypt only uses the first eight characters of the password for authentication, but the system allows MD5 passwords of length.

 

EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell.

Multiexcerpt
MultiExcerptNameExperimental


Warning
titleWarning:

This feature is unstable and can result in unintended consequences. Exercise extreme caution if you enable an EXPERIMENTAL feature or setting.

  • These features may not function with other features or settings.
  • These features do not provide current and effective security controls.
  • EXPERIMENTAL features do not qualify for our security bounty.

 For information about an EXPERIMENTAL feature’s compatibility, read our Change Logs documentation.


This setting enables the JailManager TailWatch Driver module. JailManager keeps each VirtFS filesystem jail shell in sync with the root filesystem. JailManager also returns the VirtFS filesystem jailed shells to a usable state when the system reboots. You do not need to enable or disable JailManager in the Service Manager interface because this setting controls the module's state.

When you enable this setting, the The mod_ruid2 module uses the chroot command on Apache virtual hosts when you enable this setting. This action runs Apache virtual hosts in an environment with an altered root directory.

This setting defaults to Off.

Note
titleNotes:
  • This option is only available if you compile Apache through EasyApache and installed 

    You can use this setting when you compile Apache through EasyApache and you have installed mod_ruid2

     version

    version 0.9.4a or later.

  • You can use this

    option

    setting with CentOS

    or

    , RHEL 6 or 7, or

    Amazon

    Amazon® Linux.

    The

  • CloudLinux™ does not support the mod_ruid2 module is not compatible with CloudLinux™.

After When you enable this option, each user who with a configured jailshell or noshell as the shell experiences  experiences the following changes:

  • The chroot command jails the user's Apache Virtual Hosts into the /home/virtfs directory.
  • The system adds the RDocumentChRoot directive to the user's Virtual Host. For example:

Code Block
languagetext
linenumberstrue
 <IfModule mod_ruid2.c>
        RMode config
        RUidGid kellypusername kellypusername
 ==>    RDocumentChRoot /home/virtfs/kellypusername /home/kellypusername/public_html <==
 </IfModule>
  • The system limits the user's filesystem view to their /home/virtfs/$USERusername filesystem. Various jail shell-related options in the Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings) control the /home/virtfs/$USERusername filesystem configuration.

Signature validation on assets downloaded from cPanel & WHM mirrors.

This setting specifies the type of GnuPG (GPG) key signature file (keyring) that the system uses to verify and sign files that you download from cPanel & WHM httpupdate mirrors.

For more information about these GPG keys, read our cPanel & WHM Download Security documentation.

Select You can select one of the following options:

  • Off — The system does not validate any digital signatures.
  • Release Keyring OnlyUse The system uses the Release GPG keyring to validate downloads. The system uses Release keyrings to validate official releases official release downloads from cPanel & WHM httpupdate mirrors.
  • Release and Development KeyringsUse The system uses the Release and Development GPG keyrings to validate downloads. The system uses Development keyrings to validate test and development releases release downloads from cPanel & WHM httpupdate mirrors.

This setting defaults to Release Keyring Only.

 

Warning
titleWarning:

This setting does not provide effective security control.

Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains.

When you create a new domain, cPanel will automatically enable SSL for that domain if an SSL certificate exists. If no SSL certificate exists, this functionality will generate a self-signed certificate.

Note
titleNote:

If you have not enabled a CA signed certificate or AutoSSL, Google search results may point to the SSL site version with a self-signed certificate. Self-signed certificates generate browser warnings.

This setting defaults to On.

Warning
titleWarning:
  • We strongly recommend that you enable AutoSSL.
  • If you disable this option, and a CA signed certificate is not available, when a user attempts to visit the newly created domain over https, the user will see the first SSL certificate installed on that IP address.

Verify Signatures of 3rdparty cPAddons.

This setting verifies all 3rdparty cPAddons' GPG keys.  This setting is only available if you enable You can enable this setting with the Signature validation on assets downloaded from cPanel & WM WHM mirrors setting.

This setting defaults to Off.

Warning
titleWarning:

This experimental setting is experimental and is does not provide effective for security control.

Allow weak checksum schemes.

This setting configures the system to allow MD5 hashings when it performs integrity cheks on cPanel updates that you download.

This setting defaults to Off.

Warning
titleWarning:
  • This setting is only required if You must enable this setting when you configure your system to download custom RPMs, cPADDONs, or EasyApache updates from non-cPanel sources.
  • If you enable this setting, the The overall security of your system decreases when you enable this setting.

Allow deprecated WHM accesshash authentication

This setting configures the system to allow users to authenticate with WHM via an accesshash key.

Warning
titleWarning:

We deprecated accesshash keys in cPanel & WHM version 64. We strongly recommend that you use API tokens to authenticate with WHM.

This setting defaults to Off.

 

Additional documentation

Localtab Group


Localtab
activetrue
titleSuggested documentation

Content by Label
showLabelsfalse
max5
showSpacefalse
cqllabel in ("authentication","passwords","security") and label = "whm" and space = currentSpace()


Localtab
titleFor cPanel users

Content by Label
showLabelsfalse
max5
showSpacefalse
cqllabel in ("authentication","passwords","security") and label = "cpanel" and space = currentSpace()


Localtab
titleFor WHM users

Content by Label
showLabelsfalse
max5
showSpacefalse
cqllabel in ("authentication","passwords","security") and label = "whm" and space in (currentSpace(),"CKB")


Localtab
titleFor developers

Content by Label
showLabelsfalse
max5
showSpacefalse
cqllabel in ("authentication","passwords","security") and space = "SDK"


...