Security & isolation
BOA's multi-tenant threat model and every layer that enforces it — SYNPROXY, CSF, the Nginx edge, AppArmor, restricted shells, SSH and admin-path hardening.
BOA's foundational threat model: multiple Octopus tenants share one host but
cannot affect each other or escape their boundaries. This area is the operator
reference for every layer that enforces that model — the trust hierarchy, the
per-tenant restricted shell, the network edge (SYNPROXY → CSF/LFD → Nginx),
per-binary AppArmor confinement, SSH/SFTP hardening, password policy, the
default /admin* and mailing restrictions, and the backend Drush extension
deny-filter.
The defence is layered. A request crosses, in order: kernel SYNPROXY → CSF/LFD → the Nginx Abuse Guard → PHP-FPM (function-restricted, AppArmor-confined) → Drupal. Each layer filters more, so by the time traffic reaches application code it has already survived several independent gates.
The pages below take each layer in turn — the trust model and its built-in protections, the per-tenant restricted shell, the CSF and SYNPROXY network edge, AppArmor confinement, SSH and SFTP hardening, password hashing, the default admin-path and mailing restrictions, and the backend Drush extension deny-filter.
Adjacent operating topics
- Abuse Guard (nginx IDS) — the deep scan_nginx scoring, ban pipeline and request guards that CSF and the security model reference.
- Nginx internals — the vhost generator and the
config-template maps that emit the
/admin*block, AI policy and realip. - Migration & cloning — the
xmass/xoctflow that the migration-proxy trust on the CSF page supports. - Troubleshooting — blocked-IP recovery and SSH host-key-changed recovery.
BOA security model — multi-Ægir architecture
The three-tier root, aegir and tenant trust model, the built-in protections that isolate Octopus tenants, plus the PHP function and binary hardening knobs.
lshell + manage_ltd_users
The per-tenant restricted shell that isolates Octopus tenants: the oN and oN.ftp two-account model, what lshell blocks, and the manage_ltd_users orchestrator.
CSF + LFD firewall lifecycle
CSF and the LFD login-failure daemon as BOA's host firewall: the install and upgrade lifecycle, the Abuse Guard ban loop, migration-proxy trust, and blocked-IP recovery.
SYNPROXY iptables-based DDoS protection
Linux kernel SYN-flood mitigation as the lowest DDoS layer beneath CSF: the synproxy command family, live counters, reassert after reboot, and snapshot rollback.
AppArmor confinement profiles
The 46 Mandatory Access Control profiles BOA ships for PHP and its daemons — off by default, opt-in via a control file and reboot in complain or enforce mode.
SSH server + SFTP hardening
What BOA enforces in sshd_config, how the strip-and-append upgrade reconciliation decides which edits survive, and the MySecureShell and Pure-FTPd SFTP and FTPS chroot.
Password hashing — SHA512 → Bcrypt/Blowfish
The default SHA512 account hashing and the optional pam_unix2 migration to Bcrypt, including the PAM transition and the failure mode that can lock out every account.
Extra SSH/SFTP/FTPS accounts per client
How BOA provisions one extra SSH, SFTP and FTPS subaccount per Ægir Client, scoped to that Client's own sites, and its provisioning, key and removal lifecycle.
`/admin*` URL protection + ip_access
The default block on anonymous /admin access, its per-site opt-out, and the ip_access and user_admin_access generators that lock a site or its admin surface to an IP list.
Mailing policy — no bulk mail from BOA hosts
Why BOA hosts send transactional mail only and not bulk, what to route through an external provider instead, and how to configure an SMTP relay for outbound mail.
Drush extension deny-filter (*.drush.inc)
The default-deny filter that stops tenant .drush.inc command files from running as a privileged backend identity, its backend-only gate, per-instance opt-ins and kill switch.