Security

In the control panel, in the ‘System’ tab, you will find the ‘Security’ section. Here you will be able to configure different options to reinforce the security of your server.

SSH

In the ‘SSH’ section you can configure the port for SSH connections. From the drop-down list, choose the port you want between 2001 and 2010 (the default is port 22). Once the port has been changed, SSH connections must include the parameter with the newly designated port, for example:

ssh -p 2001 user@myserver.maadix.org

Changing the SSH connection port strengthens your security because most attackers make connection attempts to port 22 (the default port for SSH).

In addition, you can check the ‘Disable SSH password authentication’ box so that connections to the server can only be made using SSH keys, not passwords.

This option protects against attempts by unknown parties to get in over SSH by trying different passwords.

After disabling SSH password access, only accounts for which you have added a public key (Usuarixs > Ordinary accounts > SSH key) will be able to connect to the server. This applies to both SSH and SFTP connections.

Remember that you can add an account’s public key either when creating it or when editing it. You can also add an SSH key to the Superuser account. At MaadiX, we especially recommend doing so for this account.

If you do not disable password access, you will be able to access the server using either a password or an SSH key. This can be convenient because users don’t have to type their password, but it won’t add security to the system.

If you have doubts about how to generate and use SSH keys, you can check this tutorial.

Security section for SSH.
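
To confirm on the server that both options took effect, the following added example (not part of the original documentation and not MaadiX code) audits the output of `sshd -T`, which prints OpenSSH's effective configuration. It assumes the panel maps its options to the standard OpenSSH keywords `Port` and `PasswordAuthentication`; the function name `audit_sshd` and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not MaadiX code). Reads `sshd -T` output on stdin and checks
# the settings the SSH panel options are assumed to control.
# Usage on the server, as root:  sshd -T | audit_sshd 2001
audit_sshd() {
    awk -v want="$1" '
        # sshd -T prints one lowercase "keyword value" pair per line;
        # several Port directives yield several "port" lines.
        $1 == "port"                   { ports = ports (ports ? "," : "") $2 }
        $1 == "passwordauthentication" { pw  = $2 }
        $1 == "pubkeyauthentication"   { pk  = $2 }
        $1 == "usepam"                 { pam = $2 }
        # Named challengeresponseauthentication in older OpenSSH releases.
        $1 ~ /^(kbdinteractive|challengeresponse)authentication$/ { kbd = $2 }
        END {
            if (ports != want) { print "FAIL port: listening on " ports ", expected " want; bad = 1 }
            if (pw != "no")    { print "FAIL passwordauthentication is " pw; bad = 1 }
            # With PAM, keyboard-interactive can still prompt for a password.
            if (kbd == "yes" && pam == "yes") { print "FAIL keyboard-interactive via PAM still accepts passwords"; bad = 1 }
            # Keys must stay enabled, or nobody can log in once passwords are off.
            if (pk != "yes")   { print "FAIL pubkeyauthentication is " pk; bad = 1 }
            if (!bad) print "OK port " want ", key-only authentication"
            exit bad
        }'
}

# Constructed sample inputs (trimmed sshd -T output), not taken from a real server.
sample_hardened() {
    printf '%s\n' 'port 2001' 'usepam yes' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no'
}
sample_weak() {
    printf '%s\n' 'port 22' 'port 2001' 'usepam yes' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication yes'
}

sample_hardened | audit_sshd 2001
sample_weak | audit_sshd 2001 || echo "weak sample rejected"
```

The weak sample fails on two counts: port 22 is still open alongside 2001, and keyboard-interactive authentication through PAM would still accept a password even though `passwordauthentication` is `no`.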

TLS

TLS (Transport Layer Security) is a cryptographic protocol that provides secure communications on the Internet. There are different versions of this protocol (TLS 1.0, TLS 1.1, TLS 1.2) and it is currently recommended to use TLS 1.2. Previous versions are considered insecure as they contain security vulnerabilities, which have been corrected in TLS 1.2.

In the Email section you can configure which versions of TLS you want your mail server to support.

Security section on TLS versions (e-mail).

Although it is recommended to use only TLS 1.2, you are given the option to also support older versions. This makes it possible to receive mail from, or send mail to, servers that use these versions (for example, older mail servers that don’t have TLS 1.2 enabled yet).

You can change the supported TLS versions whenever you want.

In the same way, in the Web Server section you can set which versions of TLS you want your web server to support. Here too, supporting only TLS 1.2 is the recommended option.

Security section on TLS versions (web server).

In this case, web browsers will have to support TLS 1.2 in order to load the web pages hosted on your server. This is the case for most browsers; only old browsers that support nothing newer than the older versions could have problems.

You have the option of choosing between the supported versions to adapt to all needs. You will be able to change this configuration whenever you want.

Until you click on the ‘Save’ button, no changes will be made.