This guide covers all security features in Panelica --- firewall rules, IP blocking and whitelisting, ModSecurity WAF, country blocking, and the Security Advisor automated scanner.
Panelica provides five security modules, all accessible from the Security menu:
- Firewall Rules --- Manage inbound/outbound network rules (nftables/UFW)
- IP Blocking --- Block, whitelist, and monitor IPs with Fail2ban integration
- ModSecurity WAF --- Per-domain web application firewall with OWASP CRS
- Country Blocking --- Block or log traffic from entire countries using GeoIP
- Security Advisor --- Automated security scanner with auto-fix capability
---
Go to Security > Firewall Rules.
Dashboard Statistics:
Four cards at the top show: Total Rules, Firewall Status, Inbound/Outbound count, and Active/Inactive count.
Quick Action Buttons:
- Block All Incoming --- Blocks all inbound traffic (requires typing confirmation text)
- Allow SSH --- Creates an allow rule for port 22
- Allow HTTP/HTTPS --- Creates allow rules for ports 80 and 443
- Allow MySQL --- Creates an allow rule for port 3306
- Allow FTP --- Creates an allow rule for port 21
Creating a Firewall Rule:
Click Add New Rule and fill in:
| Field | Options | Description |
|---|---|---|
| Direction | Inbound / Outbound | Traffic direction |
| Protocol | TCP / UDP / ICMP / Any | Network protocol |
| Action | Allow / Deny / Reject | Allow passes traffic, Deny drops silently, Reject sends ICMP response |
| Port | 1--65535 | Leave empty for all ports |
| Source IP/CIDR | e.g., 192.168.1.0/24 | Source address (0.0.0.0/0 for any) |
| Destination IP | Optional | Destination address |
| Description | Text | What this rule is for |
Rules are evaluated in order of position (lowest first). Each rule can be enabled or disabled without deleting it.
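Because rules run by position, the same three rules can either protect the server or lock the administrator out. The following pre-flight check is an added example, not Panelica code: it assumes the first matching enabled rule decides and that unmatched traffic is dropped. The `Rule`, `decide` and `lockout_check` names and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    position: int
    direction: str               # "in" or "out"
    protocol: str                # "tcp", "udp", "icmp" or "any"
    action: str                  # "allow", "deny" or "reject"
    port: Optional[int] = None   # None = all ports (field left empty)
    source: str = "0.0.0.0/0"    # 0.0.0.0/0 = any source
    enabled: bool = True

def decide(rules, direction, protocol, port, src_ip, default="deny"):
    """Return (action, position) of the first enabled rule that matches.
    Assumption: first match wins and unmatched traffic gets `default`."""
    addr = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.position):
        if not r.enabled or r.direction != direction:
            continue
        if r.protocol not in ("any", protocol):
            continue
        if r.port is not None and r.port != port:
            continue
        if addr in ipaddress.ip_network(r.source):
            return r.action, r.position
    return default, None

def lockout_check(rules, admin_ip, ports=(22, 443)):
    """TCP ports the admin address could NOT reach with this rule set."""
    return [p for p in ports
            if decide(rules, "in", "tcp", p, admin_ip)[0] != "allow"]

# Constructed rule sets; 203.0.113.0/24 stands in for an office network.
BAD_ORDER = [
    Rule(1, "in", "any", "deny"),                    # blanket block first
    Rule(2, "in", "tcp", "allow", port=22, source="203.0.113.0/24"),
    Rule(3, "in", "tcp", "allow", port=443),
]
GOOD_ORDER = [
    Rule(1, "in", "tcp", "allow", port=22, source="203.0.113.0/24"),
    Rule(2, "in", "tcp", "allow", port=443),
    Rule(10, "in", "any", "deny"),                   # blanket block last
]

if __name__ == "__main__":
    for name, rules in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        print(name, "unreachable for admin:", lockout_check(rules, "203.0.113.10"))
```

Run the check against the planned rule list with your own management address before enabling a blanket deny rule.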
---
Go to Security > IP Blocking.
The page has four tabs:
Blocked IPs Tab
Shows all blocked IP addresses with:
- IP address with country flag (GeoIP)
- Reason for blocking
- Blocked By --- Manual, Fail2ban, or ModSecurity (color-coded badge)
- Blocked At / Expires At (or "Permanent")
- Unblock button
Blocking an IP:
Click Block IP and fill in:
- IP Address --- The IP to block
- Reason --- Why you're blocking it (e.g., "SSH Brute Force Attack")
- Duration --- Block time in seconds (0 = permanent). Presets: SSH=24h, FTP=12h, Panel=1h, SMTP=permanent
- Notes --- Optional admin notes
Whitelist Tab
Whitelisted IPs are never blocked, even by Fail2ban. Use this for trusted IPs like backup servers or monitoring systems.
- Add IP with CIDR support (e.g., 10.0.0.0/8)
- Add description
- Delete when no longer needed
Failed Attempts Tab
Shows failed login attempts across all services:
- Filter by service: SSH, FTP, Panel, SMTP
- Filter by IP address
- Shows: IP, Service, Username, Timestamp, Attempt count
Fail2ban Jails Tab
Displays the status of each Fail2ban jail:
- Jail name (sshd, proftpd, panel-login, etc.)
- Current banned count
- Total banned (all-time)
- Currently failed count
- Manually unban individual IPs
- Sync Fail2ban bans to database
---
ModSecurity is a web application firewall that protects domains from common attacks like SQL injection, XSS, and remote code execution. It's configured per-domain.
Note: ModSecurity requires Apache. Domains must use the nginx+Apache or Apache-only web server type; nginx-only domains cannot use ModSecurity.
Accessing ModSecurity:
- Per-Domain: Domain Edit > Security tab > ModSecurity section
- Global Overview: Security > ModSecurity (shows all domains, events, statistics)
Per-Domain Settings:
Enable/Disable Toggle --- Turn ModSecurity on or off for this domain.
Operation Mode:
- Detection Only --- Log attacks but don't block them. Good for testing.
- On (Block) --- Actively block malicious requests.
Paranoia Level (1--4):
- Level 1 --- Default OWASP CRS rules. Minimal false positives.
- Level 2 --- Additional stricter rules.
- Level 3 --- Experimental rules. More false positives.
- Level 4 --- Maximum paranoia. High false positive rate.
Anomaly Scoring Thresholds:
- Inbound Threshold (default: 5) --- Score threshold for request anomalies
- Outbound Threshold (default: 4) --- Score threshold for response anomalies
OWASP CRS Rule Sets:
Toggle individual rule categories on/off:
- Protocol Enforcement
- Scanner Detection
- LFI (Local File Inclusion)
- RFI (Remote File Inclusion)
- RCE (Remote Code Execution)
- PHP Application Attacks
- XSS (Cross-Site Scripting)
- SQL Injection
- Session Fixation
- Data Leakage Detection
IP Blocking (Domain-level): Block specific IPs for this domain only.
Custom Rules: Add custom SecRule directives via the code editor.
Audit Logging: Enable verbose logging of all requests (may impact performance).
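How Operation Mode, Paranoia Level and the Inbound Threshold interact is easiest to see with numbers. The following simplified model is an added example, not Panelica or ModSecurity code: it uses the OWASP CRS default severity points, while the rule labels and sample requests are constructed.

```python
# Anomaly points per rule severity (OWASP CRS defaults).
SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

def evaluate(matches, paranoia_level=1, mode="On", inbound_threshold=5):
    """Score one request.

    matches: (label, severity, rule_paranoia_level) for every rule whose
    pattern matched. Only rules at or below the configured paranoia level
    are active and contribute points.
    """
    active = [m for m in matches if m[2] <= paranoia_level]
    score = sum(SEVERITY_POINTS[sev] for _, sev, _ in active)
    if score < inbound_threshold:
        verdict = "pass"
    elif mode == "Detection Only":
        verdict = "log"        # threshold reached, request still served
    else:
        verdict = "block"      # mode "On": request is denied
    return {"score": score, "verdict": verdict,
            "rules": [label for label, _, _ in active]}

# Constructed matches; the labels are placeholders, not real CRS rule IDs.
SQLI_PROBE = [("sqli-pattern", "CRITICAL", 1)]
# A legitimate CMS editor save that trips a stricter level-2 rule.
EDITOR_SAVE = [("odd-content-type", "NOTICE", 1),
               ("html-in-body", "CRITICAL", 2)]

if __name__ == "__main__":
    print(evaluate(SQLI_PROBE))
    for pl in (1, 2):
        print(pl, evaluate(EDITOR_SAVE, paranoia_level=pl))
    print(evaluate(EDITOR_SAVE, paranoia_level=2, mode="Detection Only"))
```

With the default threshold of 5, a single critical match is enough to block. The same legitimate request that passes at level 1 is blocked at level 2, which is the false positive that Detection Only lets you find in the logs first.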
---
Go to Security > Country Blocking.
Block or log traffic from entire countries using GeoIP databases.
Global Configuration:
- Enable Country Blocking --- Main on/off toggle
- Mode --- Block (deny access) or Log (allow but log)
- Log Only --- Log requests without blocking
- Whitelist Panel IPs --- Panel access IPs always allowed
Adding a Country Block:
- Click Add Country
- Search and select from the country dropdown (all 195 countries)
- Add optional notes
- Click Add
Each blocked country appears in the table with a toggle to enable/disable and a delete button.
---
Go to Security > Security Advisor.
The Security Advisor runs automated security scans and provides recommendations with auto-fix capability.
Running a Scan:
Click Run Security Scan. The system checks multiple categories:
- SSH --- Root login, key-based auth, password auth
- Panel --- ROOT 2FA, password strength, custom port
- Firewall --- UFW/iptables enabled and active
- Services --- Unused services running
- Authentication --- Account security
- Database --- Default credentials, remote access
- SSL --- Certificate validity, TLS protocols
Understanding Results:
Each check shows:
- Status --- Passed (green), Warning (yellow), Failed (red)
- Severity --- Critical, High, Medium, Low, Info
- Current Value --- What your server currently has
- Recommended Value --- What it should be
- Recommendation --- What to do
Security Score: A 0--100 score based on all checks. Summary cards show total checks, critical/high/medium issues.
Auto-Fix:
Some checks offer an Auto-Fix button. When you use it:
- A confirmation modal shows exactly what will change
- A backup is created automatically
- The fix is applied
- You can roll back from the Fix History tab
Fix History:
The Fix History tab shows all auto-fixes applied, with the ability to roll back each one.
---
Go to Security > SSH Access.
The SSH Access page has multiple tabs:
SSH Keys Tab:
- View all SSH public keys
- Add new keys (paste public key)
- Delete keys
- Key details: name, type, fingerprint, user, status
Active Sessions Tab:
- View currently connected SSH sessions
- Username, client IP, connection time, duration
SSHD Configuration Tab (ROOT only):
- View and edit sshd_config
- Test configuration before applying
- Restart SSH daemon
- Backup and restore SSHD config
---
| Feature | ROOT | ADMIN | RESELLER | USER |
|---|---|---|---|---|
| Firewall Rules | Full | Full | View | No |
| IP Blocking | Full | Full | View | No |
| ModSecurity | All domains | Own domains | Own domains | Own domains (view) |
| Country Blocking | Full | Full | No | No |
| Security Advisor | Full + Auto-fix | Full + Auto-fix | No | No |
| SSH Key Mgmt | All users | Own users | Own users | Own only |
---
- Run Security Advisor monthly --- Apply recommended fixes and review the score
- Enable ModSecurity in Detection Only first --- Monitor for false positives before switching to Block mode
- Whitelist trusted IPs --- Add backup servers, monitoring systems, and your office IP to the whitelist
- Review Fail2ban jails weekly --- Check for patterns in failed attempts
- Use key-based SSH authentication --- Disable password auth for maximum security
- Keep paranoia level at 1--2 --- Higher levels cause excessive false positives
- Test firewall rules carefully --- Don't lock yourself out with "Block All Incoming"
- Enable HSTS after confirming HTTPS works --- Browsers cache HSTS settings