Skip to content

Powered by Grav

Security & isolation

Security & isolation

BOA's multi-tenant threat model and every layer that enforces it — SYNPROXY, CSF, the Nginx edge, AppArmor, restricted shells, SSH and admin-path hardening.

BOA's foundational threat model: multiple Octopus tenants share one host but cannot affect each other or escape their boundaries. This area is the operator reference for every layer that enforces that model — the trust hierarchy, the per-tenant restricted shell, the network edge (SYNPROXY → CSF/LFD → Nginx), per-binary AppArmor confinement, SSH/SFTP hardening, password policy, the default /admin* and mailing restrictions, and the backend Drush extension deny-filter.

The defence is layered. A request crosses, in order: kernel SYNPROXY → CSF/LFD → the Nginx Abuse Guard → PHP-FPM (function-restricted, AppArmor-confined) → Drupal. Each layer filters more, so by the time traffic reaches application code it has already survived several independent gates.

The pages below take each layer in turn — the trust model and its built-in protections, the per-tenant restricted shell, the CSF and SYNPROXY network edge, AppArmor confinement, SSH and SFTP hardening, password hashing, the default admin-path and mailing restrictions, and the backend Drush extension deny-filter.

Adjacent operating topics

  • Abuse Guard (nginx IDS) — the deep scan_nginx scoring, ban pipeline and request guards that CSF and the security model reference.
  • Nginx internals — the vhost generator and the config-template maps that emit the /admin* block, AI policy and realip.
  • Migration & cloning — the xmass/xoct flow that the migration-proxy trust on the CSF page supports.
  • Troubleshooting — blocked-IP recovery and SSH host-key-changed recovery.

BOA security model — multi-Ægir architecture

The three-tier root, aegir and tenant trust model, the built-in protections that isolate Octopus tenants, plus the PHP function and binary hardening knobs.

lshell + manage_ltd_users

The per-tenant restricted shell that isolates Octopus tenants: the oN and oN.ftp two-account model, what lshell blocks, and the manage_ltd_users orchestrator.

CSF + LFD firewall lifecycle

CSF and the LFD login-failure daemon as BOA's host firewall: the install and upgrade lifecycle, the Abuse Guard ban loop, migration-proxy trust, and blocked-IP recovery.

SYNPROXY iptables-based DDoS protection

Linux kernel SYN-flood mitigation as the lowest DDoS layer beneath CSF: the synproxy command family, live counters, reassert after reboot, and snapshot rollback.

AppArmor confinement profiles

The 46 Mandatory Access Control profiles BOA ships for PHP and its daemons — off by default, opt-in via a control file and reboot in complain or enforce mode.

SSH server + SFTP hardening

What BOA enforces in sshd_config, how the strip-and-append upgrade reconciliation decides which edits survive, and the MySecureShell and Pure-FTPd SFTP and FTPS chroot.

Password hashing — SHA512 → Bcrypt/Blowfish

The default SHA512 account hashing and the optional pam_unix2 migration to Bcrypt, including the PAM transition and the failure mode that can lock out every account.

Extra SSH/SFTP/FTPS accounts per client

How BOA provisions one extra SSH, SFTP and FTPS subaccount per Ægir Client, scoped to that Client's own sites, and its provisioning, key and removal lifecycle.

`/admin*` URL protection + ip_access

The default block on anonymous /admin access, its per-site opt-out, and the ip_access and user_admin_access generators that lock a site or its admin surface to an IP list.

Mailing policy — no bulk mail from BOA hosts

Why BOA hosts send transactional mail only and not bulk, what to route through an external provider instead, and how to configure an SMTP relay for outbound mail.

Drush extension deny-filter (*.drush.inc)

The default-deny filter that stops tenant .drush.inc command files from running as a privileged backend identity, its backend-only gate, per-instance opt-ins and kill switch.

© 2026 BOA Documentation. All rights reserved.