Web Application Firewall (WAF)¶
Not currently available
An integrated Web Application Firewall (WAF) is currently not part of enconf Webpanel. An earlier ModSecurity/OWASP-CRS integration was removed because it did not work reliably on real servers (packages not installed dependably, nginx -t could break, and Debian's default would not block anyway) — a WAF that only appears to protect is more dangerous than none.
The WAF is planned for a later version (Phase 2). It will only be re-enabled once installation and the rule engine are robust and actually blocking.
What protects in the meantime?¶
Protection comes from several active layers — see Security:
| Layer | Effect |
|---|---|
| Linux user + pool per website | Each site runs with its own identity — compromised PHP cannot read other sites |
open_basedir + disable_functions |
PHP is jailed to its own docroot, dangerous functions disabled |
| Nginx upload-path block | .php in upload directories is not executed (the most common WordPress hack pattern) |
| fail2ban | Brute-force protection for SSH, FTP, mail, panel login |
| Per-customer AppArmor profiles | Additional confinement of PHP-FPM (complain mode) |
| Malware scanner | Detects malicious code in customer directories |
For application-specific rules (e.g. rate-limiting individual paths), the Firewall or the Nginx configuration can be used until then.