Skip to content

Web Application Firewall (WAF)

Not currently available

An integrated Web Application Firewall (WAF) is currently not part of enconf Webpanel. An earlier ModSecurity/OWASP-CRS integration was removed because it did not work reliably on real servers (packages not installed dependably, nginx -t could break, and Debian's default would not block anyway) — a WAF that only appears to protect is more dangerous than none.

The WAF is planned for a later version (Phase 2). It will only be re-enabled once installation and the rule engine are robust and actually blocking.

What protects in the meantime?

Protection comes from several active layers — see Security:

Layer Effect
Linux user + pool per website Each site runs with its own identity — compromised PHP cannot read other sites
open_basedir + disable_functions PHP is jailed to its own docroot, dangerous functions disabled
Nginx upload-path block .php in upload directories is not executed (the most common WordPress hack pattern)
fail2ban Brute-force protection for SSH, FTP, mail, panel login
Per-customer AppArmor profiles Additional confinement of PHP-FPM (complain mode)
Malware scanner Detects malicious code in customer directories

For application-specific rules (e.g. rate-limiting individual paths), the Firewall or the Nginx configuration can be used until then.