Panelica includes a comprehensive security stack with multiple layers of protection: ModSecurity WAF, IP blocking, nftables firewall, ClamAV antivirus, Security Advisor, and fail2ban integration.
Web Application Firewall powered by ModSecurity with OWASP Core Rule Set (CRS):
- Per-domain control — Enable or disable WAF for individual domains
- OWASP CRS — Industry-standard rule set protecting against SQL injection, XSS, RCE, LFI, and more
- Rule management — View, enable, disable, or whitelist specific rules
- Event log — Detailed log of blocked requests with rule ID, URI, IP, and matched pattern
- False positive handling — Whitelist rules per domain to prevent blocking legitimate traffic
- Anomaly scoring — Configurable threshold before blocking
Granular IP-based access control:
- Block single IPs — Instantly block an IP address with optional expiration
- Block IP ranges — CIDR notation support (e.g., 192.168.1.0/24)
- Country blocking — Block entire countries using GeoIP database (MaxMind)
- Whitelist — Permanently allow trusted IPs
- Auto-expiry — Set temporary blocks that expire after a defined period
- Block reasons — Log why each IP was blocked for audit
Server-level firewall management:
- Rule management — Create, edit, delete firewall rules
- Port control — Allow or deny specific ports (TCP/UDP)
- Protocol filtering — Per-protocol rules
- Default policies — Configure default accept/drop behavior
- Rule ordering — Priority-based rule evaluation
- IPv4 and IPv6 — Dual-stack support
Real-time and on-demand virus scanning:
- On-demand scan — Scan specific directories or entire user home directories
- Scheduled scans — Configure automatic periodic scanning
- Quarantine — Infected files are moved to quarantine (/opt/panelica/var/quarantine/)
- Scan reports — Detailed results with file paths, threat names, and actions taken
- Virus database — Auto-updated via freshclam
Automated security assessment with actionable recommendations:
- 50+ security checks — Comprehensive server audit covering SSH configuration, file permissions, service hardening, PHP settings, database security, and more
- Score system — Overall security score with breakdown by category
- Auto-fix — One-click fix for common issues (disable root SSH password, set proper permissions, etc.)
- Categories — SSH, Firewall, Web Server, Database, PHP, Email, DNS, System
- Severity levels — Critical, Warning, Info classifications
- Periodic re-scan — Schedule regular security audits
Automated brute-force protection:
- SSH login protection
- Panel login protection
- FTP login protection
- Custom jail configurations
- Ban time and retry limits
- Email notifications on ban events
- Let's Encrypt — Automatic certificate provisioning and renewal
- Self-signed — Generate self-signed certificates for testing
- Custom certificates — Upload your own SSL certificates
- Force HTTPS — Redirect all HTTP traffic to HTTPS
- Certificate monitoring — Track expiry dates with alerts
TOTP-based two-factor authentication:
- Per-user 2FA enable/disable
- Enforce 2FA for admin accounts
- QR code setup with any authenticator app
- Backup codes for account recovery
Every user is isolated through 5 independent security layers:
- Cgroups v2 — CPU, RAM, I/O, and process count limits per user
- Linux Namespaces — PID and mount namespace isolation
- SSH Chroot Jail — Users confined to their home directory
- PHP-FPM Isolation — Per-user, per-domain PHP pools with open_basedir
- Unix Permissions — Proper UID/GID separation between users
If you encounter any issues with this feature, please open a report in the Bug Reports forum.
- Page Permissions & RBAC
- SSH & Remote Access
- Files & FTP Management
- Backup & Restore
- Cloudflare Integration
---
For issues with this feature, please report in the Bug Reports forum.
Last edited: