# Security

enconf provides multiple security layers to protect the panel and hosted websites.
## Two-Factor Authentication (2FA)

2FA protects panel access through an additional authentication factor beyond the password.

### Enable 2FA

- Navigate to Settings > Security (or Settings > Password)
- Click Set Up 2FA
- Scan the QR code with an authenticator app:
  - Google Authenticator
  - Authy
  - Microsoft Authenticator
  - FreeOTP
- Enter the displayed 6-digit code
- Click Confirm

**Backup Codes**

Note the secret key displayed below the QR code. You can use it to restore access if you lose your device.
### Disable 2FA

- Navigate to Settings > Security
- Click Disable 2FA
- Enter your current password for confirmation
- Click Disable

### Login with 2FA

- Enter email and password
- Enter the 6-digit code from your authenticator app
- Click Sign In

**TOTP Protocol**

WebPanel uses the TOTP protocol (Time-based One-Time Password) as per RFC 6238.
## Enforce 2FA Policy

As an administrator, you can require specific user groups to set up two-factor authentication.

### Configuration

- Navigate to Settings > Security
- Select the desired policy under Enforce 2FA:

| Option | Description |
|---|---|
| Disabled | 2FA is optional for all users |
| Admins | Admins must set up 2FA |
| Admins & Resellers | Admins and resellers must set up 2FA |
| All Users | All users (including customers) must set up 2FA |

- Click Save

### Behavior for Affected Users

Users subject to the policy who have not yet set up 2FA:

- See a yellow warning banner in the panel after login
- Can continue to use the panel normally
- Are prompted to set up 2FA under Settings

**Recommendation**

Enable the policy at minimum for admins to protect panel accounts with elevated privileges.
## Brute-Force Protection

The built-in brute-force protection locks IP addresses after too many failed login attempts.

### Configuration

Navigate to Settings > Security > Login Protection:

| Setting | Default | Description |
|---|---|---|
| Enabled | Yes | Enable/disable brute-force protection |
| Max. Failed Attempts | 5 | Number of allowed attempts |
| Lockout Duration (Minutes) | 15 | Duration of the lockout |

### IP Whitelist

IPs that are never locked out:

- Navigate to Settings > Security > Login Protection
- Enter trusted IP addresses
- These IPs will not be locked out even after failed attempts

**Whitelist Your Own IP**

Add your own static IP address to the whitelist to prevent accidentally locking yourself out.
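The lockout logic described above, as an added example that is not the panel's own code: a per-IP counter with the default settings (5 failed attempts, 15-minute lockout) and a whitelist, replayed over a constructed sequence of login events. Two details are assumptions of this example rather than documented panel behaviour: the lock is applied the moment the fifth failure is recorded, and only failures inside the lockout window are counted, so an old failure does not contribute to a later lock.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, Iterable, List, Tuple


class LoginProtection:
    """Per-IP lockout modelled on the Login Protection settings above (an
    illustration of the behaviour, not the panel's code): once `max_failed`
    failures accumulate within `lockout_seconds`, the address is locked for
    `lockout_seconds`; whitelisted addresses are counted but never locked."""

    def __init__(self, max_failed: int = 5, lockout_seconds: int = 15 * 60,
                 whitelist: Iterable[str] = ()) -> None:
        self.max_failed = max_failed
        self.lockout_seconds = lockout_seconds
        # Entries may be single addresses or CIDR ranges (assumption: the
        # panel's field takes plain addresses; CIDR is a convenience here).
        self.whitelist = [ip_network(entry, strict=False) for entry in whitelist]
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)
        self.locked_until: Dict[str, int] = {}

    def is_whitelisted(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_locked(self, ip: str, now: int) -> bool:
        return self.locked_until.get(ip, 0) > now

    def attempt(self, ip: str, success: bool, now: int) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'failed'.
        A locked address is rejected before its credentials are checked, so
        the right password during the lockout does not get through either."""
        if self.is_locked(ip, now):
            return "locked"
        if success:
            self.failures.pop(ip, None)  # a successful login resets the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] >= self.lockout_seconds:
            recent.popleft()  # only failures inside the window count
        if len(recent) >= self.max_failed and not self.is_whitelisted(ip):
            self.locked_until[ip] = now + self.lockout_seconds
            self.failures.pop(ip, None)
            return "locked"
        return "failed"


# Constructed sample, one line per attempt as "<epoch> <ip> <OK|FAIL>":
# five bad passwords from 203.0.113.5, the right password while it is still
# locked, five bad passwords from the whitelisted 198.51.100.7, and
# 203.0.113.5 again after the 15-minute lockout has expired.
SAMPLE_EVENTS = [
    "1700000000 203.0.113.5 FAIL",
    "1700000010 203.0.113.5 FAIL",
    "1700000020 203.0.113.5 FAIL",
    "1700000030 203.0.113.5 FAIL",
    "1700000040 203.0.113.5 FAIL",
    "1700000050 203.0.113.5 OK",
    "1700000060 198.51.100.7 FAIL",
    "1700000061 198.51.100.7 FAIL",
    "1700000062 198.51.100.7 FAIL",
    "1700000063 198.51.100.7 FAIL",
    "1700000064 198.51.100.7 FAIL",
    "1700000960 203.0.113.5 OK",
]


def replay(events: Iterable[str], protection: LoginProtection) -> List[Tuple[int, str, str]]:
    """Feed event lines through the protection; returns (time, ip, decision)."""
    decisions = []
    for line in events:
        ts, ip, result = line.split()
        decisions.append((int(ts), ip, protection.attempt(ip, result == "OK", int(ts))))
    return decisions


def run_sample() -> List[Tuple[int, str, str]]:
    protection = LoginProtection(max_failed=5, lockout_seconds=15 * 60,
                                 whitelist=["198.51.100.7"])
    return replay(SAMPLE_EVENTS, protection)


if __name__ == "__main__":
    for ts, ip, decision in run_sample():
        print(ts, ip, decision)
```

Note that the sixth line, a correct password from the locked address, is still rejected: that is the whole point of the lockout, and also why the whitelist exists, since an administrator behind a shared NAT address would otherwise be locked out by anyone else on that network.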
## Password Policy

The password policy applies to all users (admin, reseller, customers):

| Setting | Default | Description |
|---|---|---|
| Minimum Length | 8 | Minimum number of characters |
| Uppercase | Yes | At least one uppercase letter |
| Lowercase | Yes | At least one lowercase letter |
| Digits | Yes | At least one digit |
| Special Characters | Yes | At least one special character |

### Configuration

- Navigate to Settings > Security > Password Policy
- Adjust the desired rules
- Click Save
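The rules in the table above as a checker, added here as an example and not taken from the panel: it returns every rule a candidate password violates rather than a bare yes/no, which is what a user needs to see in the form. The set of "special characters" is this example's assumption (ASCII punctuation); the page does not define the panel's exact set.

```python
import string
from typing import Dict, List

# Defaults from the Password Policy table above.
DEFAULT_POLICY: Dict[str, object] = {
    "min_length": 8,
    "uppercase": True,
    "lowercase": True,
    "digits": True,
    "special": True,
}

# Assumption: "special character" means ASCII punctuation.
SPECIAL_CHARACTERS = set(string.punctuation)


def check_password(password: str, policy: Dict[str, object] = DEFAULT_POLICY) -> List[str]:
    """Return the rules the password violates; an empty list means it passes.
    len() counts code points, so a multi-byte character counts once."""
    violations: List[str] = []
    if len(password) < int(policy["min_length"]):
        violations.append(f"at least {policy['min_length']} characters")
    if policy["uppercase"] and not any(c.isupper() for c in password):
        violations.append("at least one uppercase letter")
    if policy["lowercase"] and not any(c.islower() for c in password):
        violations.append("at least one lowercase letter")
    if policy["digits"] and not any(c.isdigit() for c in password):
        violations.append("at least one digit")
    if policy["special"] and not any(c in SPECIAL_CHARACTERS for c in password):
        violations.append("at least one special character")
    return violations


def password_accepted(password: str, policy: Dict[str, object] = DEFAULT_POLICY) -> bool:
    return not check_password(password, policy)


if __name__ == "__main__":
    # Constructed candidates; none of these are real credentials.
    for candidate in ["password", "Ab1!", "Tr0ub4dor&3"]:
        problems = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not problems else ', '.join(problems)}")
    # A relaxed policy, e.g. if "Special Characters" is switched off in the panel.
    relaxed = dict(DEFAULT_POLICY, special=False)
    print("relaxed policy accepts 'Passw0rdX':", password_accepted("Passw0rdX", relaxed))
```

Composition rules like these block the weakest inputs but say nothing about whether a password is common or previously breached; they are a floor, and the minimum length is the setting with the most effect on guessing cost.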
## Audit Log

The audit log records all security-relevant actions in the panel.

### Logged Events

| Event | Description |
|---|---|
| Login | Successful and failed logins |
| Logout | Logouts |
| Password Change | Password changes for all users |
| 2FA Change | Activation/deactivation of 2FA |
| Impersonation | Admin logs in as customer/reseller |
| Customer Created/Deleted | Customer management actions |
| Subscription Created/Deleted | Subscription actions |
| Settings Changed | Changes to panel settings |
| API Key Created/Deleted | API key management |
| Firewall Rule Changed | Firewall changes |

### View Audit Log

- Navigate to Audit Log
- The table shows all logged events:

| Column | Description |
|---|---|
| Timestamp | Date and time |
| User | Executing user |
| Action | Type of action |
| Details | Additional information |
| IP Address | Source IP of the user |

### Filters

- Time Range — Filter by date
- User — Filter by user
- Action — Filter by action type
## Security Advisor

The Security Advisor checks the security configuration and provides recommendations:

### Checked Areas

| Area | Check |
|---|---|
| Firewall | Is the firewall active? |
| fail2ban | Is fail2ban active and configured? |
| 2FA | Is 2FA enabled for the admin? |
| SSL | Do all domains have valid SSL certificates? |
| Password Policy | Is the policy sufficiently strong? |
| PHP Versions | Are outdated PHP versions in use? |
| Updates | Are system updates available? |
| SSH | Is the SSH configuration secure? |
| open_basedir | Configured for all sites? |
| disable_functions | Dangerous functions disabled? |

### Ratings

Each check receives a rating:

- Passed (Green) — Securely configured
- Warning (Yellow) — Improvement recommended
- Critical (Red) — Immediate action required
## Customer Isolation

Every hosting account is fully isolated:

### Linux Level

- Dedicated Linux user per subscription
- PHP-FPM pool runs under the customer's user
- open_basedir restricts PHP to the customer's directory
- disable_functions disables dangerous PHP functions
- systemd slice limits CPU, RAM and processes

### Network Level

- nftables blocks outgoing SMTP connections from customer processes
- Customers cannot send emails directly (only through the mail server)

### Web Server Level

- Nginx blocks PHP execution in upload directories
- Each site has its own vhost configuration
- Access restrictions per directory are possible
## SSH Hardening

Recommended SSH settings (in `/etc/ssh/sshd_config`):

| Setting | Recommendation | Description |
|---|---|---|
| PermitRootLogin | no | Disable root login |
| PasswordAuthentication | no | Key-based authentication only |
| Port | Non-standard | SSH on a port other than 22 |
| MaxAuthTries | 3 | Max. login attempts |
| AllowUsers | Specific | Allow only specific users |

**Ensure Access**

Before making changes to the SSH configuration, ensure you have alternative access methods (e.g. console at your hosting provider).
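The following added example (not the panel's code, and not how its Security Advisor is implemented) ties the SSH hardening table above to the Security Advisor's SSH check and its Passed / Warning / Critical scale: it parses an `sshd_config` the way sshd reads it (keywords are case-insensitive, the first occurrence of a keyword wins, `#` starts a comment) and rates each recommended setting. The rating thresholds are this example's choice, the default values applied when a keyword is absent are those of OpenSSH 7.0 and later (assumed to be what the host runs), and the two configurations at the bottom are constructed samples rather than files from any real system.

```python
from typing import Dict, List, Tuple

# Values sshd applies when the keyword is absent (OpenSSH 7.0+, assumed here).
OPENSSH_DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "port": "22",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Minimal sshd_config reader. Keywords are lower-cased, '#' comments are
    dropped, 'Key=Value' and 'Key Value' are both accepted, and like sshd the
    FIRST occurrence of a keyword wins. Everything after a 'Match' line is
    conditional and is skipped here, so only the global section is rated."""
    settings: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def advise_ssh(settings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Rate the settings from the hardening table on the Security Advisor's
    Passed / Warning / Critical scale; returns (setting, rating, reason)."""
    s = {**OPENSSH_DEFAULTS, **settings}
    findings: List[Tuple[str, str, str]] = []

    root = s["permitrootlogin"].lower()
    if root == "no":
        findings.append(("PermitRootLogin", "Passed", "root login disabled"))
    elif root in ("prohibit-password", "without-password"):
        findings.append(("PermitRootLogin", "Warning", "root can still log in with a key"))
    else:
        findings.append(("PermitRootLogin", "Critical", "root can log in with a password"))

    if s["passwordauthentication"].lower() == "no":
        findings.append(("PasswordAuthentication", "Passed", "key-based authentication only"))
    else:
        findings.append(("PasswordAuthentication", "Warning", "password logins accepted"))

    findings.append(("Port", "Warning" if s["port"] == "22" else "Passed", f"port {s['port']}"))

    tries = int(s["maxauthtries"])
    findings.append(("MaxAuthTries", "Passed" if tries <= 3 else "Warning", f"{tries} attempts"))

    if "allowusers" in s:
        findings.append(("AllowUsers", "Passed", f"limited to: {s['allowusers']}"))
    else:
        findings.append(("AllowUsers", "Warning", "not set; any account with a shell may log in"))
    return findings


def overall_rating(findings: List[Tuple[str, str, str]]) -> str:
    """The worst individual rating decides the colour of the whole check."""
    order = {"Passed": 0, "Warning": 1, "Critical": 2}
    return max((rating for _, rating, _ in findings), key=order.__getitem__)


# Constructed sample: a near-default configuration with root password logins.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the table's recommendations applied; the Match block is
# conditional and therefore ignored by this parser.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
AllowUsers deploy ops   # only these accounts may log in
Match User deploy
    X11Forwarding no
"""

if __name__ == "__main__":
    for name, text in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        findings = advise_ssh(parse_sshd_config(text))
        print(f"{name}: {overall_rating(findings)}")
        for setting, rating, reason in findings:
            print(f"  {rating:8} {setting}: {reason}")
```

After editing the real file, run `sshd -t` to syntax-check it before restarting the service, and keep the existing session open until a fresh connection on the new port and user succeeds; that is the practical form of the "Ensure Access" note above.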