Security — Defense in Depth
Not one firewall, but 16 interlocking security layers. Each one must be breached before an attacker gains access to other customers. Security at OS level, not just file level.
Every customer fully isolated
Dedicated Linux user, dedicated PHP pool, dedicated temp directory, path restriction and function lock per customer. Security at operating system level.
Linux User per Customer
Each customer gets a dedicated UID/GID. Files belong to the customer, not www-data. Standard Unix DAC prevents cross-tenant access.
PHP-FPM Pool per Customer
Dedicated PHP process with own settings per customer. PHP runs under customer identity, no shared www-data. One site crashing does not affect others.
open_basedir & disable_functions
PHP requests confined to docroot and temp. exec, shell_exec, system, proc_open and all pcntl_* functions disabled. No escaping the customer directory.
Isolated /tmp per Customer
Dedicated temp path per customer (mode 0700). Session files, uploads and temp data are isolated. No cross-tenant session hijacking via /tmp possible.
ModSecurity WAF (OWASP CRS)
Web Application Firewall in front of every website. OWASP Core Rule Set blocks SQL injection, XSS, RCE and known attack vectors. Log viewer and rule exceptions directly in the panel.
nftables Firewall & fail2ban
Automatic IP banning after failed attempts for SSH, mail, FTP, panel login and webmail. Recidive ban for repeat offenders. SMTP egress block prevents spam sending via PHP.
ProFTPD Chroot
FTP/SFTP users are jailed in their home directory (chroot). No navigating to other customers or system paths via FTP possible.
Panel Secrets Protected
JWT secret, DB passwords and agent token stored in /etc/netcell-webpanel/ with mode 0600 root:root. PHP pools cannot read these files.
Upload Path PHP Block
PHP execution in upload directories is blocked at web server level. Closes the most common WordPress hack pattern: shell upload to /wp-content/uploads/.
2FA, Security Advisor & Audit Log
In addition to OS isolation: two-factor authentication, automatic security auditing, and comprehensive logging of all security-relevant actions.
2FA / Two-Factor Authentication
TOTP-based with QR code and backup codes. Compatible with Google Authenticator, Authy and Microsoft Authenticator. Optionally enforceable for all users.
Security Advisor
Automatic security audit: firewall, fail2ban, 2FA, SSL, PHP versions, SSH configuration, password policies. Green/yellow/red rating with actionable recommendations.
Audit Log
Comprehensive logging: logins, password changes, 2FA events, impersonation access, firewall changes, API key management. Filter by time range, user and action.
Security as standard — not as a surcharge
All 16 security layers are included in every enconf package. 7-day free trial — no credit card required.
$ curl -fsSL https://get.enconf.com | sudo bash
Copy
Copied!